The Health Insurance Portability and Accountability Act (HIPAA) was made in 1996 to protect people’s health information in the United States. HIPAA sets rules for how Protected Health Information (PHI) can be used, shared, and kept safe. There are two main parts that affect AI in healthcare: the Privacy Rule, which protects personal privacy, and the Security Rule, which sets security rules for electronic PHI (ePHI).
When healthcare uses AI to handle PHI, following HIPAA is required. AI tools must keep patient information safe and private. If they don’t, there can be serious problems like data breaches, fines, and loss of trust from patients.
For example, Vision Upright MRI was fined $5,000 after a breach that exposed medical images of over 21,000 patients. This happened because they did not do the Security Risk Analysis (SRA) needed and did not tell patients on time. This shows how missing compliance can cost money and harm trust.
AI companies that access PHI are called “Business Associates” under HIPAA. They have legal duties to protect patient data just like healthcare providers, called “Covered Entities.” HIPAA says healthcare providers must have Business Associate Agreements (BAAs) signed with AI vendors before sharing PHI.
A BAA is a contract that explains how the Business Associate will protect PHI. It includes rules like using encryption, controlling access, reporting breaches, and managing subcontractors. Since 2013, Business Associates can be held responsible for HIPAA violations, so these agreements are very important.
Not all AI companies sign BAAs. For example, OpenAI does not sign BAAs for ChatGPT, so healthcare providers cannot use it with ePHI without breaking rules. On the other hand, companies like Google offer HIPAA-compliant services with BAAs, giving legal protection.
Roger Shindell, CEO of Carosh Compliance Solutions, says it is not enough to just get a BAA signed. Ongoing staff training, monitoring, and risk checks are needed. Also, subcontractors must be reviewed because 33% of violations come from fourth-party vendors who may not have BAAs.
Organizations like Providence Medical Institute paid a $240,000 fine in 2024 for not having a BAA with a third-party AI vendor after a ransomware attack. This shows how costly it is to skip risk management and BAAs.
Data breaches cost a lot and damage healthcare providers. IBM Security reported that in 2023, the average cost of a healthcare breach was $10.93 million. Also, 58% of breaches involve vendors who handle PHI. This makes managing vendors with BAAs very important.
To lower risks, healthcare groups must do regular Security Risk Analyses (SRA) and vendor risk checks. These find weaknesses where PHI is stored or sent. AI helps by automating these tasks. Mass General Brigham saved 300 hours each month using AI-powered LogicGate Risk Cloud. It automates 92% of vendor risk tasks and helps with constant monitoring. This cuts human mistakes and improves oversight.
Kaiser Permanente uses a system that updates vendor risk scores weekly. It lowered high-risk vendors by 32%, showing how tech can improve risk control.
AI sometimes gives wrong or meaningless answers, called “hallucinations.” A study in JAMA Network found AI misdiagnosed up to 15% of cancer cases. That is why human review is always needed when AI is used for healthcare decisions.
Protecting data privacy also needs methods like de-identification and encryption. HIPAA lets data be de-identified by removing personal info using Safe Harbor or Expert Determination methods. This keeps data useful but safe for AI training.
AI systems must have strong security features like multi-factor authentication, role-based access, and audit logs. These help track access and changes to PHI. They also help when breaches happen and checks are needed.
When choosing AI, healthcare providers should pick vendors who:
For example, Retell AI gives HIPAA-compliant AI voice agents for healthcare. They offer flexible BAAs and support compliance with encrypted communication, risk checks, and training tools.
HIPAA Vault offers secure cloud hosting for AI in healthcare, with layers of encryption and audit logs. This helps healthcare follow regulations more easily.
AI is changing not only care and diagnosis but also office work in medical practices. AI automation helps improve efficiency and makes sure important compliance steps are not forgotten.
AI-driven automation helps with:
A report by Health IT Security Journal found that AI risk scoring and workflow automation cut compliance violations by 57% on average. These tools help healthcare control vendors and internal systems better, fixing common causes of HIPAA breaches.
Automation also helps connect old Electronic Health Record (EHR) systems with AI platforms. This is a problem for many U.S. health systems. Proper workflow integration lets AI help with scheduling, patient messages, coding, documentation, and billing, while keeping data safe.
AI technology keeps changing, and so do laws and rules from the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). The OCR has increased HIPAA enforcement, with over $6 million in fines in 2025. This shows why healthcare must have strong compliance programs.
Medical practice managers and IT staff should keep up with new rules and best practices. They need to keep BAAs updated, do Security Risk Analyses often, and review the AI tools they use.
Also, being open about how AI makes decisions and telling patients about AI use is important for trust. Patients have the right to know how their data is used and what part AI plays in their care.
By watching carefully, having proper legal agreements, and using AI to help with compliance, U.S. healthcare providers can use AI without risking patient privacy or breaking laws.
Following HIPAA rules is a basic step when using AI in healthcare in the United States. Business Associate Agreements are key contracts that explain the duties of AI vendors who handle PHI. These agreements help prevent costly data breaches and fines.
Healthcare groups, especially medical practice managers, owners, and IT people, must focus on good vendor management, regular Security Risk Analyses, and clear policies about AI use. AI workflow automation can help a lot by lowering human mistakes and making risk management easier.
Using AI in healthcare needs a careful balance: taking advantage of new technology while strictly following HIPAA rules to keep patient data safe and respect privacy rights.
AI in healthcare refers to technology that simulates human behavior and capabilities, significantly transforming how medical practices operate. AI solutions can enhance various tasks, including scheduling, patient education, and medical coding.
AI tools that access Protected Health Information (PHI) must comply with HIPAA regulations. AI companies that have access to PHI are considered Business Associates and must sign a Business Associate Agreement (BAA) to ensure shared responsibility for data protection.
A BAA is a legal document that outlines the responsibilities of a Business Associate in protecting PHI. It defines the relationship between a Covered Entity and the Business Associate.
Not all AI companies are willing to enter into BAAs. For example, OpenAI does not sign BAAs for ChatGPT, making it non-compliant for sharing ePHI.
Some tech companies, like Google, are open to signing BAAs for their healthcare AI tools, making them compliant options for handling PHI under HIPAA.
AI hallucinations refer to errors where the AI generates inaccurate or nonsensical results, often due to misinterpreting patterns in the data. It’s crucial to verify AI outputs for accuracy.
As AI evolves, more legislation is expected to emerge regarding AI use in healthcare. The OCR will likely release new guidance to address compliance and new technology risks.
The SRA is vital for identifying vulnerabilities in a healthcare practice’s safeguards regarding PHI. Regular completion helps ensure compliance and prevent breaches.
Vision Upright MRI was fined $5,000 for a significant data breach due to a lack of an SRA and failure to notify affected patients promptly.
AI-driven compliance software can simplify tasks like conducting SRAs and reporting breaches, helping practices maintain compliance, reduce risks, and avoid fines.