Legal Guide

HIPAA for AI

Health Insurance Portability and Accountability Act | Complete Legal Breakdown with Official Citations

Effective: April 14, 2003
Status: Currently Enforced
Penalties: Up to $1.5M/year

Overview

HIPAA protects Protected Health Information (PHI). AI systems processing health data must comply with Privacy and Security Rules, including proper safeguards and Business Associate Agreements. Violations can result in penalties up to $1.5M per violation category per year.

Official Citation

45 CFR Parts 160, 162, 164

Key Facts

Privacy Rule: effective April 14, 2003 (45 CFR Part 164, Subpart E)
Security Rule: effective April 20, 2005 (45 CFR Part 164, Subpart C)
Enforcement: HHS Office for Civil Rights (OCR)
Max Penalties: $1.5M per year, per violation category

Who This Law Applies To

Covered Entities

Citation: 45 CFR § 160.103

Organizations that must comply:
  • Healthcare Providers (who transmit health info electronically) - Doctors, clinics, hospitals, dentists, pharmacies
  • Health Plans - Health insurance companies, HMOs, Medicare, Medicaid, employer health plans
  • Healthcare Clearinghouses - Entities that process health information (billing services, repricing companies)

Business Associates

Citation: 45 CFR § 160.103

Definition: Anyone who handles PHI on behalf of a Covered Entity

In Plain English: If you're an AI company processing health data for a hospital/clinic/health plan, you're a Business Associate.

Examples of Business Associates:
  • AI vendors processing patient data
  • Cloud storage providers hosting PHI
  • Analytics companies analyzing health data
  • Medical transcription services

Business Associate Agreements (BAAs)

⚠️ Critical Requirement

Citation: 45 CFR § 164.504(e)

Before any AI vendor can access PHI, you MUST have a signed Business Associate Agreement.

  • Written contract required before accessing PHI
  • Business Associate must follow all HIPAA rules
  • Subcontractors also need BAAs
  • Must report breaches within 60 days

Required Safeguards

Administrative Safeguards

Citation: 45 CFR § 164.308

  • Security Officer: Designate someone responsible for security
  • Risk Analysis: Assess potential risks to PHI
  • Workforce Training: Train employees on HIPAA rules
  • Incident Response: Have a plan for security incidents

Physical Safeguards

Citation: 45 CFR § 164.310

  • Facility Access Controls: Control who can physically access systems with PHI
  • Workstation Security: Secure computers and devices
  • Device Encryption: Encrypt laptops, phones, and portable devices

Technical Safeguards

Citation: 45 CFR § 164.312

  • Unique User IDs: Each person gets their own login
  • Encryption: Encrypt PHI in transit and at rest
  • Audit Logs: Track who accessed what and when
  • Multi-Factor Authentication: Use MFA for accessing PHI systems

De-identification for AI Training

Remove 18 Identifiers

Citation: 45 CFR § 164.514(b)

To use data for AI training without HIPAA restrictions, remove all 18 identifiers:

1. Names
2. Geographic subdivisions
3. Dates (except year)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers
13. Device identifiers
14. URLs
15. IP addresses
16. Biometric identifiers
17. Full-face photos
18. Any unique identifying number
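The following Safe Harbor scrubber is an added example and not part of the HAIEC guide; the record field names, regex patterns and sample record are constructed assumptions. Beyond the 18-item list above, it also aggregates ages over 89, which 45 CFR § 164.514(b)(2)(i)(C) requires together with the date rule, and it flags identifiers that survive in free-text notes, where field-level removal alone does not reach.

```python
import re
from datetime import date

# Record fields holding Safe Harbor identifiers (45 CFR § 164.514(b)(2)).
# The field names are constructed assumptions about a record layout.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric",
    "photo", "other_unique_id",
}

# Constructed patterns for identifiers that leak into free text; not exhaustive.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def safe_harbor_deidentify(record: dict) -> dict:
    """Copy of record with direct-identifier fields dropped, dates reduced
    to the year, and ages over 89 aggregated to "90+" (regulatory caveat).
    Fields at state level or coarser (e.g. "state") are kept."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # identifier field: remove entirely
        if isinstance(value, date):
            out[key] = value.year         # element 3: all date parts except year
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = "90+"              # ages > 89 must be aggregated
        else:
            out[key] = value
    return out

def find_residual_identifiers(text: str) -> list:
    """Identifier categories still present in free text, sorted by name."""
    return sorted(n for n, p in RESIDUAL_PATTERNS.items() if p.search(text))

# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "123-45-6789", "zip": "43210", "state": "OH",
    "age": 92, "admit_date": date(2024, 3, 15), "diagnosis_code": "E11.9",
    "notes": "Patient prefers email contact at jane@example.com.",
}

if __name__ == "__main__":
    clean = safe_harbor_deidentify(SAMPLE_RECORD)
    print(clean, "residual in notes:", find_residual_identifiers(clean["notes"]))
```

A record that still trips `find_residual_identifiers` is not de-identified under Safe Harbor, even though every structured identifier field has been dropped.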

Need Help with HIPAA Compliance?

Our platform provides automated HIPAA assessments, BAA templates, and ongoing monitoring to ensure your AI systems protect patient health information.

How to Cite This Guide

HAIEC. (2026). HIPAA for AI: Complete Legal Breakdown with Citations. Retrieved from https://haiec.com/compliance/hipaa/legal-guide

This guide is maintained by HAIEC's legal compliance team and updated regularly to reflect the latest HHS guidance. Last updated: February 2026.