HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) sets US rules for protecting health data. Learn its Privacy and Security Rules and AI implications.
What HIPAA covers
HIPAA was enacted to improve the portability of health insurance and to standardize the handling of health data across the US healthcare system. Over time, HHS issued a set of implementing rules that together define what organizations must do to protect health information.
The information HIPAA protects is Protected Health Information (PHI) — individually identifiable health information held or transmitted by a regulated organization, in any form. When that information is created, stored, or transmitted electronically, it is referred to as electronic PHI (ePHI), which carries additional technical safeguard requirements.
HIPAA applies to two categories of organization:
- Covered entities — health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with covered transactions.
- Business associates — vendors and service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity.
The core HIPAA rules
HIPAA compliance is built from several distinct rules, each addressing a different aspect of how health information must be handled.
The Privacy Rule
The Privacy Rule sets national standards for the use and disclosure of PHI. It defines the permitted and required uses of health information — for example, for treatment, payment, and healthcare operations — and establishes individual rights, including the right to access one's own records. A central concept is minimum necessary: organizations should limit PHI use and disclosure to the least amount of information required to accomplish the intended purpose.
The Security Rule
The Security Rule applies specifically to ePHI and requires regulated organizations to implement safeguards across three categories:
- Administrative safeguards — policies, procedures, workforce training, access management, and risk analysis that govern how ePHI is handled.
- Physical safeguards — controls over facilities, workstations, and devices that store or access ePHI.
- Technical safeguards — technology controls such as access control, audit controls, integrity protection, and transmission security.
The Security Rule is intentionally flexible and scalable: organizations select reasonable and appropriate measures based on their size, complexity, and risk profile, supported by an ongoing risk analysis.
The Breach Notification Rule
The Breach Notification Rule requires covered entities and business associates to notify affected individuals — and, depending on scope, HHS and the media — when unsecured PHI is breached. It turns a protection failure into a defined reporting obligation, which makes visibility into where PHI travels a practical necessity rather than a formality.
Covered entity vs. business associate
The distinction between a covered entity and a business associate determines who is directly regulated, who must sign a Business Associate Agreement (BAA), and where compliance responsibility sits. This matters directly for AI: a vendor that processes PHI on a covered entity's behalf is generally a business associate and must be bound by a BAA before PHI is shared.
| | Covered entity | Business associate |
|---|---|---|
| Who it is | Health plans, clearinghouses, healthcare providers | Vendors that handle PHI on a covered entity's behalf |
| Relationship to PHI | Originates and holds PHI to deliver care or coverage | Creates, receives, maintains, or transmits PHI as a service |
| Contractual basis | Bound directly by HIPAA rules | Bound by HIPAA plus a Business Associate Agreement (BAA) |
| Typical examples | Hospital, clinic, insurer | Billing service, cloud host, analytics or AI vendor |
| Direct liability | Yes | Yes, for applicable Privacy and Security Rule provisions |
A Business Associate Agreement (BAA) is the contract that establishes a business associate's obligations to protect PHI, restricts how the PHI may be used, and requires the associate to report breaches. Without a signed BAA, sharing PHI with a vendor is generally not permitted under HIPAA.
HIPAA in the age of AI
AI tools introduce a fast-growing channel through which PHI can move outside controlled systems — often without anyone treating it as a disclosure. Three issues stand out.
First, PHI pasted into AI tools. Clinicians and staff increasingly use general-purpose AI assistants to draft notes, summarize records, or answer questions. When a name, diagnosis, or record is pasted into a consumer chatbot, PHI has left the covered entity's controlled environment, frequently with no audit trail and no BAA in place.
Second, AI vendors as business associates. If an AI provider creates, receives, maintains, or transmits PHI on a covered entity's behalf, it generally meets the definition of a business associate and requires a BAA. Many consumer AI services are not offered under a BAA, which means routing PHI through them can fall outside HIPAA's permitted disclosures.
Third, controlling and auditing AI access to PHI. The Security Rule's technical safeguards — access control, audit controls, transmission security — assume the organization can see and govern where ePHI flows. AI prompts, model completions, and autonomous agent tool calls are exactly the surfaces traditional controls do not inspect, leaving a gap between policy on paper and what actually happens at the keyboard.
Questions a HIPAA-aware AI control answers
- Is PHI being pasted into external AI tools? — Prompt-level detection with redaction or block before submission.
- Did an AI tool surface PHI from a connected system? — Completion inspection before the output reaches the user.
- What PHI did an AI agent send to an external service? — Tool-call inspection and a tamper-evident audit record.
- Which AI tools are approved to handle PHI, and for whom? — Role-based access control mapped to BAA-covered services.
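As an added illustration, not part of this page or of any particular product, here is a minimal Python prompt gateway covering the first, third and fourth questions above: it detects PHI identifier patterns in a prompt, redacts or blocks before submission depending on whether the target tool is BAA-covered and the user's role is approved for it, and appends a hash-chained audit record that stores a prompt hash rather than the PHI itself. The tool names, roles and regex patterns are constructed placeholders, and the patterns are deliberately simple rather than a complete PHI detector.

```python
import hashlib
import json
import re
# Constructed policy (placeholder names): services under a signed BAA and the roles approved to send PHI to each.
BAA_COVERED_TOOLS = {"approved-clinical-llm": {"clinician", "coder"}}
# Illustrative PHI identifier patterns (not exhaustive): SSN, MRN-style record numbers, dates of birth.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "DOB": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}
AUDIT_LOG = []  # in-memory hash chain; a deployment would persist it append-only
def redact_phi(text):
    """Replace each PHI match with a typed placeholder; return (redacted_text, phi_types_found)."""
    found = []
    for kind, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind} REDACTED]", text)
    return text, found
def audit(event):
    """Append a record whose hash covers the previous hash, so edits or deletions break the chain."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
    AUDIT_LOG.append({"event": event, "prev": prev, "hash": digest})
def verify_audit_chain():
    """Recompute the chain; False if any record was altered, reordered or removed."""
    prev = "0" * 64
    for entry in AUDIT_LOG:
        body = json.dumps(entry["event"], sort_keys=True)
        if entry["prev"] != prev or entry["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = entry["hash"]
    return True

def guard_prompt(role, tool, prompt):
    """Gate a prompt before submission: allow, redact, or block, and always write an audit record."""
    redacted, phi_types = redact_phi(prompt)
    approved_roles = BAA_COVERED_TOOLS.get(tool)
    if not phi_types:
        decision, outbound = "allow", prompt     # nothing sensitive detected
    elif approved_roles is None:
        decision, outbound = "redact", redacted  # no BAA: PHI must not leave; send redacted text
    elif role in approved_roles:
        decision, outbound = "allow", prompt     # BAA-covered tool and role approved for PHI
    else:
        decision, outbound = "block", None       # BAA-covered tool, but role not approved
    audit({"role": role, "tool": tool, "decision": decision, "phi_types": phi_types,
           "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest()})  # hash only, no PHI in the log
    return {"decision": decision, "prompt": outbound, "phi_types": phi_types}
```

The same pattern applies to the second question (completion inspection) by running `redact_phi` over model output before it is shown, which is why the detection logic is kept separate from the submission decision.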