HIPAA Compliance for AI
Requirements for building compliant healthcare LLM applications
Healthcare organizations deploying AI must navigate HIPAA requirements carefully. Any LLM that processes patient data, medical records, or health information falls under HIPAA's Privacy and Security Rules.
Does HIPAA apply to AI and LLM applications?
Yes, HIPAA applies to AI applications that process Protected Health Information (PHI). If your LLM handles patient data, medical records, or health-related information that can identify individuals, you must comply with HIPAA Privacy and Security Rules, including having BAAs with vendors.
The 18 HIPAA Identifiers
HIPAA defines 18 types of information that constitute PHI when combined with health data:
What are the 18 HIPAA identifiers?
The 18 HIPAA identifiers are: names, geographic data (address, ZIP), dates (birth, admission, death), phone numbers, fax numbers, email addresses, SSN, medical record numbers, health plan numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, photos, and any other unique identifier.
| # | Identifier | Examples |
|---|---|---|
| 1 | Names | Full name, first/last name |
| 2 | Geographic data | Address, city, ZIP code |
| 3 | Dates | Birth, admission, discharge, death |
| 4-6 | Contact info | Phone, fax, email |
| 7 | SSN | Social Security Number |
| 8-11 | Account numbers | MRN, health plan #, account #, license # |
| 12-13 | Vehicle/device IDs | VIN, serial numbers |
| 14-15 | Digital identifiers | URLs, IP addresses |
| 16-18 | Biometric/other | Fingerprints, photos, unique IDs |
Business Associate Agreements
Do I need a BAA for using AI in healthcare?
Yes, you need a Business Associate Agreement (BAA) with any vendor that processes PHI on your behalf, including AI/LLM providers and observability platforms. Without a BAA, sending PHI to a third-party service violates HIPAA, even if the data is encrypted.
A BAA is required with:
- LLM API providers (OpenAI, Anthropic, etc.) if sending PHI
- Observability and logging platforms
- Cloud infrastructure providers
- Any vendor that may access PHI
Note: Most LLM providers do NOT offer BAAs for their standard APIs. You may need an enterprise agreement, or you must ensure PHI is de-identified before sending it to the model.
Building Compliant Healthcare AI
How do I make my healthcare AI HIPAA compliant?
To make healthcare AI HIPAA compliant:
1. Sign BAAs with all vendors processing PHI
2. Implement PHI detection and redaction before logging
3. Use encryption for data at rest and in transit
4. Maintain audit logs of all PHI access
5. Implement access controls
6. Train staff on HIPAA requirements
7. Conduct regular risk assessments
PHI detection and redaction — Automatically scan all LLM inputs and outputs for the 18 HIPAA identifiers. Redact PHI before logging or sending to third parties.
Immutable audit logs — HIPAA requires tracking all access to PHI. Logs must be tamper-proof and retained for 6 years.
Access controls — Implement role-based access to ensure only authorized personnel can view PHI.
Encryption — Encrypt PHI at rest and in transit. This is a HIPAA Security Rule requirement.
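The two mechanisms above, PHI redaction before logging and a tamper-evident audit log, are small enough to sketch end to end. The following Python is an added illustration, not DriftRail's code or the page's own: it redacts the machine-recognisable subset of the 18 identifiers with regexes (names and street addresses have no reliable shape and need an NER model, so they are deliberately left out), then records each LLM call in a SHA-256 hash chain whose `verify()` fails if any stored entry is later edited or a middle entry removed. The pattern set, the `MRN 00123456` record format, the `[REDACTED-*]` placeholder style and the sample patient text are all constructed assumptions.

```python
import hashlib
import json
import re
import time

# Regexes for the structured subset of the 18 HIPAA identifiers.
# Constructed for this example; tune them to your own record formats.
# Order matters: a URL is consumed first so an IP or e-mail inside it
# is covered by the URL placeholder rather than counted twice.
PHI_PATTERNS = [
    ("url",   re.compile(r"https?://\S+", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn",   re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.IGNORECASE)),  # hypothetical MRN format
    ("phone", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),        # covers fax numbers too
    ("date",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def redact_phi(text):
    """Replace each identifier with a typed placeholder.

    Returns (redacted_text, counts) where counts maps pattern name -> hits,
    so the audit log can record *that* PHI was seen without storing it.
    Whole dates are removed; Safe Harbor permits keeping the year only,
    and dropping the full date is the conservative choice.
    """
    counts = {}
    for name, pattern in PHI_PATTERNS:
        text, hits = pattern.subn("[REDACTED-%s]" % name.upper(), text)
        counts[name] = hits
    return text, counts


def _hash_entry(payload):
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class AuditLog:
    """Append-only log where every entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, actor, action, phi_counts, timestamp=None):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        payload = {
            "seq": len(self.entries),
            "timestamp": time.time() if timestamp is None else timestamp,
            "actor": actor,
            "action": action,
            "phi_counts": phi_counts,   # counts only, never the PHI itself
            "prev_hash": prev_hash,
        }
        entry = dict(payload, entry_hash=_hash_entry(payload))
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry's hash and back-link are intact and seq is gap-free."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev_hash
                    or _hash_entry(payload) != entry["entry_hash"]):
                return False
            prev_hash = entry["entry_hash"]
        return True


def record_llm_call(log, actor, prompt):
    """Redact the prompt, log the access, and return the text that is safe to send or store."""
    redacted, counts = redact_phi(prompt)
    log.append(actor, "llm_call", counts)
    return redacted


if __name__ == "__main__":
    # Constructed sample; no real patient data.
    sample = ("Patient John Doe, MRN 00123456, SSN 123-45-6789, DOB 03/14/1961, "
              "call 555-123-4567 or jdoe@example.com")
    log = AuditLog()
    print(record_llm_call(log, "dr.smith", sample))
    print("chain intact:", log.verify())
```

The chain only proves that nothing *inside* the table was altered after the fact; someone who can rewrite the whole table can recompute every hash. In practice the latest `entry_hash` is periodically copied somewhere the database writer cannot reach (a WORM bucket, a signed timestamp, a separate account), which also makes truncation of the newest entries detectable.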
DriftRail for Healthcare
DriftRail provides HIPAA-ready LLM observability:
- Automatic detection of all 18 HIPAA identifiers
- PHI auto-redaction before storage
- Immutable audit logs with database-level tamper protection
- One-click HIPAA compliance reports
- BAA available for enterprise customers