AI HIPAA Compliance Checklist
Ensure your healthcare AI systems meet HIPAA requirements. Covers Privacy Rule, Security Rule, and Breach Notification with AI-specific considerations including model security, training data protection, and vendor BAAs. Includes regulatory references throughout.
Key Insights
Traditional HIPAA assessments weren't designed for AI systems—they miss AI-specific risks like model inversion attacks, training data exposure, and prompt injection vulnerabilities. Healthcare organizations need AI-specific HIPAA guidance that addresses how AI systems interact with Protected Health Information across training, inference, and storage.
This checklist helps healthcare organizations ensure AI systems comply with HIPAA Privacy Rule (minimum necessary, de-identification, patient rights), Security Rule (administrative, physical, technical safeguards), and Breach Notification requirements—while also addressing AI-specific security considerations that traditional HIPAA assessments miss.
Overview
When AI systems process Protected Health Information, HIPAA applies—but HIPAA was written before AI. How do minimum necessary requirements apply to AI training data? What de-identification standards work for AI? How do you assess security risks like model inversion attacks that HIPAA assessments never contemplated?
This checklist bridges the gap between HIPAA requirements and AI realities. It maps HIPAA requirements to AI systems, adds AI-specific security considerations, addresses Business Associate requirements for AI vendors, and prepares you for AI-related breach scenarios.
What's Inside
- AI System Classification: Framework for understanding how your AI interacts with PHI (training, input processing, output generation, storage/transmission, vendor access) to identify applicable requirements
- HIPAA Privacy Rule Requirements:
  - Minimum necessary standard for AI access to PHI
  - De-identification standards (Expert Determination, Safe Harbor) for AI training data
  - Patient rights (access, amendment, accounting) for AI-generated information
  - Uses and disclosures requirements for AI applications
- HIPAA Security Rule Requirements:
  - Administrative safeguards (risk analysis, workforce training, incident procedures, contingency planning)
  - Physical safeguards (facility security, workstation security, device/media controls)
  - Technical safeguards (access controls, audit controls, integrity, authentication, encryption)
- AI-Specific Security Considerations:
  - Model security (extraction, inversion, membership inference attacks)
  - Training data security (inventory, encryption, retention, poisoning)
  - Inference/production security (API security, prompt injection, output filtering)
- Business Associate Requirements: BAA requirements for AI vendors, AI-specific BAA provisions, vendor due diligence checklist
- Breach Notification & AI: AI-related breach scenarios (model extraction, prompt injection, vendor breach, training data access) and response readiness assessment
- Documentation Requirements: Required HIPAA documentation for AI systems
- Gap Summary & Remediation: Template for identifying and addressing compliance gaps
Who This Is For
- Healthcare Privacy Officers ensuring AI HIPAA compliance
- Healthcare Security Officers assessing AI security risks
- Health IT Leaders deploying AI systems with PHI
- Clinical Informatics Teams implementing clinical AI
- Compliance Officers managing healthcare AI oversight
Why This Resource
Standard HIPAA checklists don't address AI. They don't ask about model inversion attacks, training data security, or AI vendor BAA provisions. This checklist fills those gaps—ensuring you assess both traditional HIPAA requirements and AI-specific risks.
The AI-specific security section is particularly important: these risks (model extraction, data poisoning, prompt injection) won't appear on traditional HIPAA assessments but can lead to PHI exposure.
FAQ
Q: Does HIPAA apply to AI systems that use de-identified data?
A: If data is properly de-identified per HIPAA standards (Expert Determination or Safe Harbor), it's no longer PHI and HIPAA doesn't apply. However, the checklist includes de-identification requirements to ensure your de-identification actually meets HIPAA standards—including re-identification risk assessment for AI use cases.
Q: What about AI vendors who access our PHI?
A: AI vendors who access PHI are Business Associates requiring BAAs. The checklist includes specific BAA requirements for AI vendors—including provisions about using customer PHI for model training—and vendor due diligence items.
Q: What AI-specific security risks should we assess?
A: Key AI-specific risks include model inversion attacks (reconstructing training data from model outputs), membership inference (determining whether specific data was in the training set), training data poisoning, prompt injection attacks, and model extraction. These aren't covered by traditional HIPAA security assessments.