HIPAA AI Compliance: What Healthcare Teams Must Do
HIPAA doesn't mention AI by name, but its rules apply fully to any software that creates, receives, maintains or transmits protected health information (PHI). If an AI tool touches PHI — even indirectly — HIPAA's safeguard and BAA requirements apply.
The BAA requirement
Any AI vendor that processes PHI on behalf of your organisation is a Business Associate. Under HIPAA, you must have a signed Business Associate Agreement (BAA) with them before any PHI flows into their system. Without a BAA, using the tool with PHI is a HIPAA violation regardless of whether a breach occurs.
Which AI tools offer a BAA?
OpenAI (ChatGPT Enterprise), Anthropic (Claude for Enterprise, on request), Google (Vertex AI Gemini, Workspace Enterprise) and Microsoft (Azure OpenAI, Microsoft 365 Copilot E5) all offer BAAs on their enterprise tiers. Consumer and standard business tiers are not covered by a BAA, so PHI must not enter them. Verify the specific product and tier before use.
Your AI usage policy must address PHI explicitly
A generic AI usage policy is not enough for healthcare settings. Your policy should explicitly state: PHI must not enter any AI tool without a signed BAA; approved AI tools for clinical use must be listed by name and tier; any AI-assisted clinical documentation must be reviewed by a licensed clinician before entering the record.
Documenting compliance
HIPAA enforcement looks at whether you made a good-faith effort to comply. That means written policies, staff training records, BAAs on file and a process for evaluating new AI tools before deployment. Greenlightly's AI usage policy generator has a HIPAA-aware mode that adds the right clauses automatically.