
HIPAA-Aligned AI

AI systems designed so that protected health information (PHI) flows only through HIPAA-eligible services, with audit logging, access controls, and BAA coverage end-to-end.

"HIPAA-compliant AI" is not a product certification — it is a property of how the system is designed, operated, and audited. An AI system handling PHI must satisfy the same requirements as any other PHI-handling system: signed BAAs with every service in the data path, encryption in transit and at rest, access controls that map to user roles, audit logs of who accessed what, and breach response procedures.

What changes with AI is the data path. A naïve LLM integration can leak PHI to a model provider that does not have a BAA, store PHI in prompt logs that are not encrypted, or persist PHI in a vector index that lacks tenant isolation. Each of those is a HIPAA violation in waiting.

The practical pattern: keep PHI inside a covered cloud (AWS or Azure with BAA), use only HIPAA-eligible model endpoints (Amazon Bedrock with a BAA, Azure OpenAI with a BAA), encrypt embeddings at rest with customer-managed keys, log every model invocation with the requesting user identity and the data accessed, and design retention policies that match the rest of your PHI lifecycle.
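The following is an added example, not code from the original page or from any vendor: a small, hypothetical PHI gateway in Python that enforces three of the controls described above and guards against the leak paths named earlier. It only forwards prompts to endpoints on a BAA-covered allowlist (the endpoint names are constructed placeholders, not real service identifiers), it scopes retrieval to the caller's tenant partition so one tenant's records can never be pulled into another tenant's prompt, and it writes an audit record per invocation that captures the requesting user, the record IDs the model saw and a hash of the prompt rather than the prompt text, so the audit log does not itself become an unencrypted PHI store. The `invoke` callable stands in for a real model SDK and is an assumption of the example.

```python
"""Hypothetical PHI-aware model gateway (added example; not from the page or any vendor SDK)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Assumption: only endpoints covered by a signed BAA may receive PHI.
# These identifiers are constructed placeholders for the example.
BAA_COVERED_ENDPOINTS = frozenset({"bedrock:baa-covered", "azure-openai:baa-covered"})


class PolicyViolation(Exception):
    """Raised when a request would move PHI outside the covered boundary."""


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    user_id: str
    tenant_id: str
    endpoint: str
    decision: str                 # "allowed" or "denied"; denied attempts are evidence too
    record_ids: tuple[str, ...]   # which PHI records the model was shown
    prompt_sha256: str            # hash only, so the audit log never stores PHI text


@dataclass
class PhiGateway:
    # Hypothetical model caller: (endpoint, prompt) -> completion. Stands in for a real SDK.
    invoke: Callable[[str, str], str]
    audit_log: list[AuditRecord] = field(default_factory=list)
    # tenant_id -> {record_id: text}; simulates a tenant-partitioned vector index
    index: dict[str, dict[str, str]] = field(default_factory=dict)

    def retrieve(self, tenant_id: str, record_ids) -> dict[str, str]:
        # Tenant isolation: the lookup is confined to the caller's partition, so a
        # record id that belongs to another tenant is simply not found.
        partition = self.index.get(tenant_id, {})
        return {rid: partition[rid] for rid in record_ids if rid in partition}

    def complete(self, *, user_id: str, tenant_id: str, endpoint: str,
                 record_ids, question: str) -> str:
        allowed = endpoint in BAA_COVERED_ENDPOINTS
        # PHI is only retrieved once the destination is known to be covered.
        docs = self.retrieve(tenant_id, record_ids) if allowed else {}
        prompt = question + "\n\n" + "\n".join(f"[{rid}] {text}" for rid, text in docs.items())
        # Write the audit record before invoking, so a crashed call is still on record.
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id,
            tenant_id=tenant_id,
            endpoint=endpoint,
            decision="allowed" if allowed else "denied",
            record_ids=tuple(sorted(docs)),
            prompt_sha256=hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
        ))
        if not allowed:
            raise PolicyViolation(f"endpoint {endpoint!r} is not BAA-covered; PHI not sent")
        return self.invoke(endpoint, prompt)

    def who_saw(self, record_id: str) -> list[str]:
        """Reconstruct after the fact which users caused the model to see a record."""
        return sorted({r.user_id for r in self.audit_log if record_id in r.record_ids})


def fake_model(endpoint: str, prompt: str) -> str:
    # Stand-in for a covered model endpoint; reports how many records it was shown.
    return f"{endpoint} saw {prompt.count('[pt-')} record(s)"


def demo() -> dict:
    gw = PhiGateway(invoke=fake_model)
    # Constructed, fictional sample PHI for two tenants.
    gw.index["clinic-a"] = {"pt-001": "Jane Smith, DOB 1970-01-01, A1C 7.9"}
    gw.index["clinic-b"] = {"pt-002": "John Doe, DOB 1965-05-05, BP 150/95"}
    # A clinic-a user asks for two records; only the clinic-a record can be retrieved.
    answer = gw.complete(user_id="dr-lee", tenant_id="clinic-a", endpoint="bedrock:baa-covered",
                         record_ids=["pt-001", "pt-002"], question="Summarise recent labs.")
    # The same request aimed at an endpoint without a BAA is refused before PHI is retrieved.
    try:
        gw.complete(user_id="dr-lee", tenant_id="clinic-a", endpoint="public-llm:no-baa",
                    record_ids=["pt-001"], question="Summarise recent labs.")
        rejected = False
    except PolicyViolation:
        rejected = True
    serialized_log = json.dumps([asdict(r) for r in gw.audit_log])
    return {
        "answer": answer,
        "rejected": rejected,
        "records_seen": gw.audit_log[0].record_ids,
        "who_saw_pt-001": gw.who_saw("pt-001"),
        "audit_mentions_phi": "Smith" in serialized_log,
        "audit_entries": len(gw.audit_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The denied attempt is deliberately logged as well: an auditor reconstructing events needs to see requests that tried to leave the covered boundary, not only the ones that succeeded. In a real deployment the audit log would go to an append-only, encrypted sink whose retention matches the rest of the PHI lifecycle, and the vector index partitioning shown here as a dict would be enforced by the store's own tenant controls.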

A HIPAA-aligned AI system is not "secure enough." It is "auditable" — meaning a Security Officer or external auditor can reconstruct, after the fact, exactly who asked what and which records the model saw.