Skip to Content

Security: HIPAA Compliance When Using AI (PHI Rules)

Security: HIPAA Compliance When Using AI (PHI Rules)

HIPAA compliance is the single most important consideration when healthcare administrators use AI tools. Protected Health Information (PHI)—any combination of identifiers (names, dates, medical record numbers, Social Security numbers, etc.) that could identify a patient—must never be entered into public AI tools that may store, log, or use input data for model training. A single PHI exposure could constitute a reportable breach under HIPAA.

The fundamental rule is simple: no PHI in AI prompts, ever. This means you must never paste patient names, dates of birth, addresses, medical record numbers, Social Security numbers, phone numbers, email addresses, photographs, or any other identifiers into ChatGPT, Copilot, or any other AI tool that is not covered by a Business Associate Agreement (BAA). Instead, use placeholders like [Patient Name], [DOB], or [MRN] in your prompts, then fill in the actual information manually after AI generates the document structure.

For organizations that need AI tools to process PHI directly, enterprise solutions with signed BAAs are available. Microsoft Copilot for Microsoft 365, ChatGPT Enterprise/Team, and certain healthcare-specific AI platforms offer BAA-covered environments where PHI can be processed in compliance with HIPAA. However, even with a BAA in place, follow the minimum necessary standard—only include the PHI needed for the specific task, not entire medical records. Train all staff on these protocols and implement technical safeguards where possible.

Step-by-Step: HIPAA-Safe AI Usage

  1. Determine if the AI tool is covered by a BAA (most consumer tools are NOT)
  2. If no BAA: never enter any PHI—use placeholders only
  3. If BAA exists: enter only the minimum necessary PHI for the task
  4. Before pasting any data, scan for patient names, dates, MRNs, and other identifiers
  5. Anonymize survey data, denial data, and any patient feedback before analysis
  6. Train all administrative staff on HIPAA-safe AI practices
  7. Document your organization's AI usage policy and review periodically

The 18 HIPAA Identifiers — Never Enter These in Non-BAA AI Tools

  • Names, geographic data (smaller than state), dates (except year) related to individual
  • Phone numbers, fax numbers, email addresses, Social Security numbers
  • Medical record numbers, health plan beneficiary numbers, account numbers
  • Certificate/license numbers, vehicle identifiers, device identifiers
  • Web URLs, IP addresses, biometric identifiers, full-face photographs
  • Any other unique identifying number, characteristic, or code

Prompt Template: HIPAA-Safe Document Generation

I need to draft a [document type] for a patient at [facility]. I cannot
share PHI, so I will use placeholders. Here is the sanitized context:
[describe situation using generic terms, no patient identifiers].
Generate the document with [Patient Name], [DOB], [MRN], and [Date]
as placeholders that I will fill in manually afterward.

Key Takeaways

  • No PHI in AI prompts without a BAA—this is the #1 rule of healthcare AI use
  • Use placeholders for all 18 HIPAA identifiers and fill in manually after
  • Enterprise AI tools with BAAs (Copilot 365, ChatGPT Enterprise) allow PHI with safeguards
  • Even with a BAA, follow minimum necessary—don't paste entire medical records
  • Train all staff and document your organization's AI usage policy

Try It Now

Review your current AI usage against the 18 HIPAA identifiers list. Have you ever entered any of these into a public AI tool? If so, stop immediately and update your practices. Create a one-page AI usage policy for your administrative team that defines what can and cannot be entered into AI tools. Share it with your compliance officer for review.

Never input: patient names, DOB, SSN, medical records, diagnosis codes with patient identifiers. HIPAA-compliant AI usage guidelines.
Rating
0 0

There are no comments for now.

to be the first to leave a comment.