Does HIPAA Apply to AI Systems?
Yes, HIPAA applies to AI systems whenever those systems process, store, or transmit protected health information (PHI) on behalf of a covered entity or business associate. The AI technology itself doesn't change the regulation. If PHI touches the system, HIPAA's Privacy and Security Rules apply, and a signed Business Associate Agreement (BAA) is required with any vendor handling that data.
Why healthcare teams keep asking this question
AI vendors market their tools to clinics, hospitals, and health-tech companies every day, and most of those vendors bury the compliance question in their terms of service. A practice manager might connect an AI scheduling chatbot to their EHR without realizing they've just sent PHI to a third-party server with no BAA in place.
The confusion is understandable. HIPAA was written in 1996. It doesn't mention large language models, AI agents, or cloud inference APIs. So people assume there's a gap, a loophole where AI tools sit outside the regulation. There isn't.
How HIPAA actually applies to AI
HIPAA defines a Business Associate as any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. That definition covers AI systems cleanly. If your AI tool ingests a patient's name, date of birth, diagnosis, appointment history, or any other identifier listed in the HIPAA Safe Harbor standard, the vendor operating that tool is your Business Associate. You need a BAA before data flows to them.
The Security Rule adds a second layer. It requires administrative, physical, and technical safeguards for any electronic PHI. For AI systems, that means encryption at rest and in transit, access controls, audit logging, and documented risk assessments. A vendor claiming HIPAA compliance without SOC 2 Type II attestation or a third-party security audit should raise a flag. Compliance claims are easy. Documentation is what the Office for Civil Rights asks for when something goes wrong.
The practical failure point we see most often is public API usage. Tools built on the OpenAI API, Anthropic's Claude API, or Google Gemini's standard endpoints send data to shared cloud infrastructure. OpenAI and Anthropic do offer BAA-eligible tiers, but most SMBs aren't on those plans, and even those agreements come with conditions on data retention and model training that require careful review. Connecting patient data to a standard API account is a HIPAA violation, regardless of how good the AI output is.
When the answer gets more complicated
If your AI system never touches PHI, HIPAA doesn't apply to it. An AI tool that handles only scheduling metadata with no patient identifiers, or a billing AI fed only claim codes with names stripped out, may fall outside the regulation depending on exactly what data fields it sees. The word 'may' is doing real work in that sentence. Don't make that call without a privacy attorney reviewing the data flow.
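The two situations above (a PHI-bearing record headed for a vendor with no BAA, and a record reduced to claim codes with identifiers stripped) can be enforced at the point where data leaves your environment. The following is an added example, not Usmart's code or any vendor's API: a small Python egress gate that scans an outbound record for Safe Harbor identifier fields and for identifier patterns hiding in free text, strips them when a de-identified payload is wanted, and refuses the send unless the vendor has a BAA on file. The field names, vendor entries and sample record are constructed for the example; map them to your own EHR export schema.

```python
"""Egress gate: block PHI from reaching an AI vendor without a BAA on file.

Added example (not the page's or any vendor's code). Field names, vendors and
the sample record are constructed; adapt them to your own record schema.
"""
import re
from dataclasses import dataclass

# Record fields that map to HIPAA Safe Harbor identifier categories (names,
# dates tied to the individual, contact details, record/account numbers,
# network identifiers). Constructed schema names, not a complete list of the
# 18 categories.
PHI_FIELDS = {
    "name", "date_of_birth", "phone", "email", "street_address",
    "ssn", "mrn", "health_plan_id", "account_number", "ip_address",
}

# Identifier patterns that leak through free-text fields such as clinical or
# scheduling notes, where a field-name check alone would miss them.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}


@dataclass(frozen=True)
class Vendor:
    name: str
    baa_signed: bool  # an executed Business Associate Agreement is on file


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def find_phi(record: dict) -> set:
    """Return labels for every Safe Harbor identifier found in the record.

    Field hits are reported by field name; free-text hits as 'field:pattern'.
    """
    hits = {k for k, v in record.items() if k in PHI_FIELDS and v not in (None, "")}
    for key, value in record.items():
        if key in PHI_FIELDS or not isinstance(value, str):
            continue
        for label, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(value):
                hits.add(f"{key}:{label}")
    return hits


def strip_identifiers(record: dict) -> dict:
    """Drop identifier fields and redact identifier patterns in free text.

    Dates are dropped entirely here; Safe Harbor permits keeping the year,
    so a production version could keep that element instead.
    """
    cleaned = {}
    for key, value in record.items():
        if key in PHI_FIELDS:
            continue
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                value = pattern.sub(f"[{label} redacted]", value)
        cleaned[key] = value
    return cleaned


def egress_decision(record: dict, vendor: Vendor) -> Decision:
    """Allow the send only if the payload carries no PHI or a BAA exists."""
    phi = find_phi(record)
    if not phi:
        return Decision(True, "no Safe Harbor identifiers in payload")
    found = ", ".join(sorted(phi))
    if vendor.baa_signed:
        return Decision(True, f"PHI present ({found}); BAA on file with {vendor.name}")
    return Decision(False, f"PHI present ({found}); no BAA with {vendor.name}")


# Constructed sample data: one scheduling record and two hypothetical vendors.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "date_of_birth": "1980-04-12",
    "claim_code": "99213",
    "notes": "Patient called from 555-123-4567 to reschedule.",
}
PUBLIC_API = Vendor("public-llm-api", baa_signed=False)
PRIVATE_LLM = Vendor("private-llm-in-client-vpc", baa_signed=True)

if __name__ == "__main__":
    print(egress_decision(SAMPLE_RECORD, PUBLIC_API))
    print(egress_decision(SAMPLE_RECORD, PRIVATE_LLM))
    print(egress_decision(strip_identifiers(SAMPLE_RECORD), PUBLIC_API))
```

Run as-is, the first call is denied (name, date of birth and a phone number in the notes, no BAA), the second is allowed because the private deployment has a BAA, and the third is allowed because the stripped record carries only the claim code and a redacted note. Whether that stripped payload is actually outside HIPAA scope is the judgement the text above leaves to a privacy attorney; the gate only makes the data flow explicit and logged.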
State laws can also impose stricter requirements than HIPAA. California's CMIA, Texas Health & Safety Code Chapter 181, and similar statutes apply to health data that HIPAA doesn't always cover. If you're a Texas-based practice, state law is a parallel obligation, not a fallback.
How we handle HIPAA at Usmart
We sign BAAs for every healthcare engagement. We don't build HIPAA-scoped systems on public API endpoints. Instead, we deploy private LLM infrastructure using models like Llama 3.1 inside the client's own environment or a dedicated private cloud, so PHI stays within a controlled boundary we can document for auditors. For healthcare clients using Epic or similar EHR platforms, we map the data flows before writing a line of code so we know exactly where PHI enters and exits the system.
Most of our healthcare AI deployments run 4 to 6 weeks for single-agent systems. Multi-agent workflows involving EHR integration or clinical decision support run 8 to 12 weeks. The extra time is mostly compliance documentation and security review, not development. If a vendor quotes you a two-week HIPAA-compliant AI deployment, ask to see their BAA template and their security assessment process before you sign anything.
Ready to see it working for your business?
Book a free 30-minute strategy call. We will scope your use case and give you honest numbers on timeline, cost, and ROI.