HIPAA Compliance & AI Systems
Technical Deep-Dive | What Vendors Won't Tell You
⚠️ Critical Reality Check:
"HIPAA Compliant" is a marketing term, not a certification. There is no official HIPAA certification for AI vendors.
Compliance is a shared responsibility between covered entities (you) and business associates (vendors).
This document tells you what to actually verify, not what to take on faith.
1. Encryption Requirements
HIPAA's Security Rule requires encryption of PHI (Protected Health Information), but the regulation is
technology-neutral. Here's what that actually means in practice:
PHI Encryption Flow in AI Systems
Your EHR (PHI extracted) → In Transit (TLS 1.2+ / HTTPS) → AI Processing (decrypted for inference) → At Rest (AES-256 encryption) → Response (TLS 1.2+ back to EHR)
Questions to Ask Every AI Vendor:
| Question | Acceptable Answer | 🚩 Red Flag |
| --- | --- | --- |
| What encryption standard for data at rest? | AES-256 or equivalent | "We use encryption" (no specifics) |
| What encryption for data in transit? | TLS 1.2 or 1.3 | TLS 1.0/1.1, or "secure connection" |
| Where are encryption keys stored? | AWS KMS, Azure Key Vault, or HSM | "On our servers" or unclear |
| Who manages encryption keys? | You (customer-managed keys) or vendor with strict access controls | Third-party with no audit trail |
| Is PHI encrypted during processing? | Honest: "Decrypted briefly for inference, never logged" | "Always encrypted" (technically impossible for processing) |
🚩 Common Vendor Lie:
"Your data is always encrypted, even during processing."
Reality: This is technically impossible. Data must be decrypted to be processed by AI
models. The honest answer is: "PHI is decrypted only in memory during inference, never written to disk
unencrypted, and wiped from memory immediately after processing."
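The "data in transit" row is the one claim in the table you can check yourself rather than take on faith. The following is an added example (not tooling from the page or from Avondale.AI): it builds a client context that refuses anything below TLS 1.2, performs one handshake against a vendor API host, and maps the negotiated protocol onto the table's verdicts. The hostname in the usage block is a constructed placeholder.

```python
"""Verify a vendor endpoint's 'in transit' encryption against the table above.

Added example, not the page's own tooling. It assumes the page's policy: TLS 1.2
or 1.3 is acceptable, TLS 1.0/1.1 or older is a red flag. The hostname used in
the usage block is a constructed placeholder, not a real vendor.
"""
import socket
import ssl

ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}                 # the "Acceptable Answer" column
RED_FLAG = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}    # the "Red Flag" column


def evaluate_protocol(negotiated: str) -> str:
    """Map the protocol name ssl reports (e.g. 'TLSv1.3') to the table's verdicts."""
    if negotiated in ACCEPTABLE:
        return "acceptable"
    if negotiated in RED_FLAG:
        return "red flag"
    return "unknown"


def strict_client_context() -> ssl.SSLContext:
    """Client context that will not negotiate below TLS 1.2 and verifies the
    certificate chain and hostname, so a downgrade or a bad certificate fails
    the probe instead of being silently accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake once with the strict context and report what was negotiated.
    Raises ssl.SSLError if the server cannot meet TLS 1.2 or presents an
    invalid certificate."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            protocol = tls.version() or ""
            cipher = tls.cipher() or ("", "", 0)   # (name, protocol, key bits)
            return {
                "host": host,
                "protocol": protocol,
                "cipher": cipher[0],
                "key_bits": cipher[2],
                "verdict": evaluate_protocol(protocol),
            }


if __name__ == "__main__":
    # 'api.vendor.example' is a constructed placeholder; substitute the vendor's API host.
    try:
        print(probe_tls("api.vendor.example"))
    except (OSError, ssl.SSLError) as exc:
        print("probe failed (treat as a red flag until the vendor explains it):", exc)
```

One caveat on reading the result: because the client insists on TLS 1.2+, a successful probe tells you the server can do modern TLS, not that it refuses old versions for other clients. Ask the vendor for their actual TLS configuration (minimum version, cipher list) in writing and compare it with what the probe observed.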
2. Business Associate Agreement (BAA)
A BAA is legally required when any vendor handles PHI. Most AI vendors will sign one, but the terms
matter more than the signature. Here's what to verify:
BAA Must Include:
- Explicit permission to use PHI only for specified services (not model training)
- Prohibition on selling or sharing PHI with third parties
- Requirement to implement HIPAA Security Rule safeguards
- Breach notification within 60 days (or your stricter timeline)
- Audit rights (you can request compliance documentation)
- Data return/deletion upon contract termination
- Subcontractor requirements (they must also sign BAAs)
- Indemnification for breaches caused by vendor negligence
⚠️ Critical BAA Clause:
Ensure the BAA explicitly states: "PHI will not be used to train, improve, or enhance AI models
for other customers." Many standard BAAs are silent on this, allowing vendors to use your data
for their commercial benefit.
✓ What to Demand:
If the vendor says "our models improve from usage," get written clarification that this means
anonymized usage metrics only (e.g., response time, token count), not PHI content.
3. Audit Logging Requirements
HIPAA requires audit controls to record and examine activity in systems containing PHI. For AI systems,
this means comprehensive logging of who accessed what data and when.
Required Audit Log Fields:
| Field | Example | Why It Matters |
| --- | --- | --- |
| User ID | dr.smith@hospital.org | Who initiated the request |
| Timestamp | 2026-05-29T14:32:17Z | When access occurred |
| Action Type | QUERY, EXPORT, DELETE | What operation was performed |
| Patient Identifier | MRN-12345678 (hashed) | Which patient's data was accessed |
| Request Details | Query type, parameters | What was asked (not PHI content) |
| Response Status | SUCCESS, ERROR, DENIED | Outcome of the request |
| IP Address | 192.168.1.100 | Where the request originated |
📋 Audit Log Retention:
HIPAA requires audit logs be retained for 6 years minimum. Verify the vendor can provide
logs on demand for this entire period. Many SaaS platforms only keep 90 days by default.
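The table above lists the fields; what it does not show is how a record is built so that it is useful for audit without itself becoming a store of PHI. The following is an added example (not code from the page or from any vendor) that emits one JSON record per request with exactly those seven fields, validates incoming records against them, and hashes the MRN with a keyed HMAC rather than a bare hash. Assumptions: "MRN-12345678 (hashed)" is read as a keyed hash whose secret pepper lives in a secrets manager, not beside the logs; the user, MRN, IP and pepper values are constructed.

```python
"""Emit and validate AI-system audit records with the fields listed above.

Added example (not the page's code). Assumptions: a keyed hash (HMAC-SHA256
with a secret pepper stored outside the log system) is what "MRN-12345678
(hashed)" means; the user, MRN, IP and pepper values below are constructed.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

ACTION_TYPES = {"QUERY", "EXPORT", "DELETE"}
RESPONSE_STATUSES = {"SUCCESS", "ERROR", "DENIED"}
REQUIRED_FIELDS = ("user_id", "timestamp", "action_type", "patient_identifier",
                   "request_details", "response_status", "ip_address")
RAW_MRN = re.compile(r"^MRN-\d+$")          # the form that must never reach the log
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def hash_patient_id(mrn: str, pepper: bytes) -> str:
    """Keyed hash: links one patient's accesses across records without storing
    the MRN. A plain SHA-256 of a short numeric MRN could be reversed by hashing
    every possible MRN; the secret pepper removes that option for anyone who
    only holds the logs."""
    return "sha256:" + hmac.new(pepper, mrn.encode("utf-8"), hashlib.sha256).hexdigest()


def make_audit_record(user_id, action_type, mrn, request_details,
                      response_status, ip_address, pepper, when=None) -> dict:
    """Build one record. request_details carries the query type and parameter
    names only, never the prompt or the model output ("not PHI content")."""
    if action_type not in ACTION_TYPES:
        raise ValueError(f"unknown action type {action_type!r}")
    if response_status not in RESPONSE_STATUSES:
        raise ValueError(f"unknown response status {response_status!r}")
    if "query_type" not in request_details:
        raise ValueError("request_details must name the query_type")
    when = when or datetime.now(timezone.utc)
    return {
        "user_id": user_id,
        "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "action_type": action_type,
        "patient_identifier": hash_patient_id(mrn, pepper),
        "request_details": {
            "query_type": request_details["query_type"],
            "parameter_names": sorted(request_details.get("parameter_names", [])),
        },
        "response_status": response_status,
        "ip_address": ip_address,
    }


def validate_record(record: dict) -> list:
    """Return the problems found; an empty list means the record matches the table."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in record or record[field] in (None, ""):
            problems.append(f"missing {field}")
    if RAW_MRN.match(record.get("patient_identifier") or ""):
        problems.append("patient_identifier is an unhashed MRN")
    if not ISO_UTC.match(record.get("timestamp") or ""):
        problems.append("timestamp is not ISO 8601 UTC")
    if record.get("action_type") not in ACTION_TYPES:
        problems.append("action_type outside QUERY/EXPORT/DELETE")
    if record.get("response_status") not in RESPONSE_STATUSES:
        problems.append("response_status outside SUCCESS/ERROR/DENIED")
    details = record.get("request_details")
    if not isinstance(details, dict) or "query_type" not in details:
        problems.append("request_details lacks query_type")
    return problems


def to_log_line(record: dict) -> str:
    """One JSON object per line, stable key order, for shipping to the retention store."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    PEPPER = b"constructed-pepper-keep-in-a-secrets-manager"   # constructed value
    rec = make_audit_record(
        "dr.smith@hospital.org", "QUERY", "MRN-12345678",
        {"query_type": "summarize_encounter", "parameter_names": ["date_range", "encounter_id"]},
        "SUCCESS", "192.168.1.100", PEPPER,
        when=datetime(2026, 5, 29, 14, 32, 17, tzinfo=timezone.utc),
    )
    print(to_log_line(rec))
    print("problems:", validate_record(rec))
```

Run the validator over a sample of the vendor's exported logs, not just your own: if their records fail it (raw MRNs, free-text prompts in the details field, missing fields), that is evidence for the conversation about the table above. Keep the pepper with the same lifetime as the 6-year retention period, since rotating it breaks the ability to correlate a patient's history across records.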
4. Data Location & Sovereignty
Where is PHI processed and stored? This matters for HIPAA compliance and for state laws that add
their own requirements (e.g., California and Texas).
🚩 Questions to Ask:
1. "Where are your data centers located?" (Should be US-only for HIPAA)
2. "Do you use any offshore support staff with PHI access?" (Should be NO)
3. "Is data ever replicated outside the US for backup/DR?" (Should be NO, or explicit BAA amendment)
4. "Which cloud provider do you use?" (AWS, Azure, GCP are standard; verify their HIPAA compliance)
✓ Acceptable Architecture:
PHI processed in US regions only (e.g., AWS us-east-1, us-west-2), with encrypted backups in separate
US regions. No offshore development teams with production access. Support staff sign additional
confidentiality agreements.
5. Vendor Claims vs Reality
| Vendor Says | What to Verify |
| --- | --- |
| "We're HIPAA compliant" | Ask for their latest third-party HIPAA audit report (SOC 2 Type II with HIPAA criteria) |
| "We'll sign a BAA" | Review the BAA before purchase. Many have unacceptable terms buried in exhibits. |
| "Enterprise-grade security" | Request their security whitepaper. Should detail encryption, access controls, monitoring. |
| "Your data is private" | Get written confirmation: PHI will NOT be used for model training or sold to third parties. |
| "SOC 2 certified" | SOC 2 ≠ HIPAA compliant. Ask specifically for HIPAA criteria in their audit scope. |
| "We don't store your data" | Clarify: Do they mean temporarily cached? Logged? Used for analytics? Get specifics in writing. |
💼 Service Details:
Avondale.AI offers AI Security Audits at $1,200, including comprehensive HIPAA compliance
verification for AI vendors, BAA review, and gap analysis. We help you ask the right questions and verify
the answers before you sign.
Key Takeaways:
- "HIPAA compliant" is not a certification—it's a shared responsibility
- Encryption must be AES-256 (at rest) and TLS 1.2+ (in transit)
- BAA must explicitly prohibit using PHI for model training
- Audit logs must be retained for 6+ years with specific fields
- Data should never leave US borders without explicit agreements
- Always verify claims with documentation, not marketing materials