HIPAA Compliance Checklist for AI Tools
A 12-point checklist for evaluating any AI tool's HIPAA compliance before deploying it in your practice.
Isam Waqar
Coming Soon
Every AI vendor claims to be 'HIPAA compliant.' But HIPAA compliance isn't a binary state — it's a spectrum of technical safeguards, administrative procedures, and contractual obligations.
We've reviewed over 30 AI vendor BAAs and security documentation. Here's the checklist we use to evaluate whether an AI tool is safe to deploy in a clinical setting.
The 12-Point Checklist
1. BAA exists and is signed — No BAA, no deal. Period.
2. BAA covers AI/ML processing — Many BAAs were written pre-AI and don't explicitly cover model training or inference on PHI.
3. Data residency is US-only — Your patient data should not leave the country.
4. Encryption at rest and in transit — AES-256 minimum, TLS 1.2+.
5. Access controls and audit logging — Who can see what, and is it logged?
6. Data retention policy — How long is PHI stored? Can you request deletion?
7. Subprocessor disclosure — Which third parties handle your data?
8. Breach notification timeline — HIPAA allows up to 60 days after discovery of a breach, but faster is better.
9. SOC 2 Type II certification — The minimum security audit standard.
10. HITRUST certification — Gold standard for healthcare, but not all vendors have it.
11. AI model training opt-out — Can you prevent your data from training their models?
12. Incident response plan — What happens when things go wrong?
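Items 4 and 5 are the two points on this list that show up directly in code rather than in a contract. The following is an added example, not code from the original post or from any vendor: it builds a client-side TLS context that refuses anything below TLS 1.2, and wraps each PHI access in a role check whose decision (allowed or denied) is written to an audit trail you can query later. The role policy, user names and patient IDs are constructed placeholders, not a real practice's configuration.

```python
"""Constructed example: enforce TLS 1.2+ for vendor API calls and keep an
audit trail of every PHI access decision. Not from the original post."""
import json
import ssl
from datetime import datetime, timezone

# Hypothetical role -> permitted PHI actions. Vendor support staff get none:
# a BAA lets the vendor process PHI, it does not grant their people read access.
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "vendor_support": set(),
}


def tls_client_context():
    """Client context for calling a vendor API (checklist item 4).

    create_default_context() already verifies certificates and hostnames;
    minimum_version pins the floor so an outdated endpoint cannot negotiate
    TLS 1.0/1.1.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class AuditLog:
    """Append-only, JSON-lines style audit trail (checklist item 5)."""

    def __init__(self):
        self.entries = []

    def record(self, user, role, action, patient_id, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "patient_id": patient_id,
            "allowed": allowed,
        }
        self.entries.append(entry)
        return json.dumps(entry)  # one line per event, ready for a log shipper

    def accesses_to(self, patient_id):
        """Answer 'who has seen this patient's record?'"""
        return [e for e in self.entries if e["patient_id"] == patient_id and e["allowed"]]

    def denied(self):
        """Denied attempts are the ones worth alerting on."""
        return [e for e in self.entries if not e["allowed"]]


def access_phi(log, user, role, action, patient_id):
    """Check the role policy, log the decision either way, return whether to proceed."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.record(user, role, action, patient_id, allowed)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    access_phi(log, "dr.smith", "clinician", "read", "P-001")
    access_phi(log, "vendor.bot", "vendor_support", "read", "P-001")
    for e in log.entries:
        print(json.dumps(e))
```

The point of logging the denials as well as the grants is that item 5 asks two questions, "who can see what" and "is it logged"; a log that only records successful reads cannot show you that a vendor account tried and failed, which is exactly the event an incident response plan (item 12) needs to see.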