HIPAA AI Compliance Checklist
A physician-focused checklist for vetting AI vendors, data flows, and documentation safeguards before PHI enters an AI workflow.
Most AI vendors say they are HIPAA compliant, but that phrase is rarely specific enough to support a real purchasing decision. A useful compliance review starts with the exact workflow, not the marketing site. Is the tool transcribing a visit, summarizing a chart, drafting patient messages, or analyzing uploaded records? Each of those actions changes what data is processed, where protected health information travels, and which business associate obligations apply. This checklist is built to force that operational clarity before a physician or practice manager approves a new tool.
The first section focuses on the contract and data map. Confirm whether a signed BAA is available before any PHI is shared, whether the vendor uses any subprocessors (and whether those subprocessors are themselves bound by downstream business associate agreements, as the Privacy Rule requires), and whether your practice can see where data is stored, in which region, and how long it is retained. If an ambient scribe keeps raw audio for model improvement, or if a chatbot provider reserves broad rights to train on prompts, that belongs in the risk discussion before anyone uploads a single note. Physicians should also document whether the workflow involves direct patient care, administrative work, or de-identified internal experimentation, because the guardrails are different; note that data counts as de-identified only if it meets the HIPAA Safe Harbor or Expert Determination standard, not merely because names were removed.
The second section addresses day-to-day controls. Ask who can access the tool, whether role-based permissions exist, and whether audit logs record who accessed or exported which patient's data and can be retrieved by your practice when something goes wrong. The practical question is not only whether the product is secure in theory, but whether your own staff can use it safely under pressure. A system that allows unrestricted exports, stores transcripts indefinitely, or makes it hard to delete patient data may create more downstream risk than it removes. The checklist also prompts reviewers to note what human review is required before AI output reaches the chart, and who signs off on it.
Use the final section as an approval record. Write down the decision maker, the approved use case, the prohibited use cases, and the date for re-review. That single page becomes valuable later, especially if a physician asks why one tool was approved and another was rejected, or if a vendor changes terms after launch. The goal is not to turn a small practice into a bureaucracy. The goal is to replace vague reassurance with a repeatable process that protects patients, clinicians, and the practice when AI adoption accelerates.