HIPAA compliance for AI turns out to mean something specific and somewhat surprising: the compliance is mostly about the business agreement, not the technology itself.
HIPAA - the Health Insurance Portability and Accountability Act - requires healthcare organizations to protect patient data. Any vendor that handles PHI (Protected Health Information - things like diagnoses, prescriptions, or treatment records) must sign a Business Associate Agreement, or BAA, with the healthcare organization. The BAA is a contract that makes the vendor legally responsible for protecting that data.
When an AI company says its product is "HIPAA compliant," that typically means three things: it will sign a BAA, it has implemented technical safeguards such as encryption and access controls, and it will not use your patient data to train its models without consent. What it does not mean: the AI has been certified or audited by any government body. HIPAA has no certification process, and there is no official list of HIPAA-approved AI tools. A company can credibly claim HIPAA compliance by implementing reasonable safeguards and offering to sign a BAA; the claim is largely self-attested.
Which Providers Offer It
The major AI providers have moved to offer HIPAA-eligible tiers, though often at higher prices and with additional restrictions:
- OpenAI offers HIPAA-eligible API access under a BAA for enterprise customers, with model training on your data disabled
- Microsoft Azure OpenAI Service offers HIPAA compliance through Azure's established healthcare compliance framework
- Google's Vertex AI includes HIPAA support through Google Cloud's compliance programs
- Anthropic has added BAA support for Claude enterprise customers
These compliant tiers typically disable features involving the AI provider using your data to improve their models. Pricing is usually higher than standard API access.
Where the Gaps Are
HIPAA compliance covers how data is stored, transmitted and accessed. It says nothing about what the AI produces from that data once it has processed it. A tool can be fully HIPAA compliant in the technical sense while still generating medically inaccurate output. Healthcare organizations adopting AI therefore need to evaluate clinical accuracy separately from data compliance; they are different questions.
There is also a meaningful difference between cloud AI, where patient data leaves your network, and models running locally or on private infrastructure, where it does not. Self-hosted deployments of open-source models such as Llama offer stronger data isolation, at the cost of model quality and maintenance overhead. For record types that carry extra HIPAA protections - psychiatric notes, HIV status, substance abuse records - some organizations are choosing local deployment even where a cloud option technically complies.
For healthcare organizations evaluating AI tools, ask vendors directly: will they sign a BAA, is your data used for training, what data retention policy applies, and what happens to your data if you leave. A "HIPAA compliant" badge on the website is a starting point, not an answer.