AI and HIPAA can work together, but only when healthcare organizations protect PHI with the right privacy, security, vendor, consent, and oversight controls. Before using AI with patient data, leaders should confirm whether the tool handles PHI, whether a business associate agreement is required, how data is stored, and whether audit logs and safeguards exist.
This guide explains what AI and HIPAA means for healthcare practices, what risks to check before adopting AI, and how to evaluate vendors, workflows, and safeguards before launch.
Note: This article is not legal advice. While we are the best healthcare marketing agency, healthcare organizations should still consult legal and compliance counsel before using AI with protected health information.
What You’ll Learn
- What AI and HIPAA means for healthcare organizations
- What counts as PHI when using AI
- Why AI creates new HIPAA risk
- What safeguards healthcare AI tools should have
- How to evaluate AI vendors before adoption
- What Dr. Justin Burkholder says about AI and HIPAA
- How PYRA approaches governed healthcare AI agents
- Common mistakes healthcare practices make
- FAQs on AI and HIPAA compliance
Who This Guide Is For
This guide is for healthcare CEOs, founders, CFOs, practice administrators, VP Marketing, VP Sales, and technical buyers who are evaluating AI tools, AI scribes, AI voice agents, or AI-powered workflows for their organization.
If you are asking questions like:
- Can we use ChatGPT with patient information?
- Do we need a business associate agreement for AI?
- Is our AI scribe safe?
- Can marketing use AI?
- What happens if AI stores PHI?
This guide will help you answer them.
Definition
AI and HIPAA
The legal and operational question of how healthcare organizations can use artificial intelligence while protecting protected health information under HIPAA’s Privacy Rule, Security Rule, business associate requirements, and breach notification obligations.
Can Healthcare Providers Use AI Under HIPAA?

Yes. Healthcare providers can use AI under HIPAA, but only when the right safeguards are in place.
The U.S. Department of Health and Human Services (HHS) explains that the HIPAA Privacy Rule protects individually identifiable health information and governs how covered entities and business associates use or disclose protected health information (PHI).
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).
AI tools that create, receive, maintain, or transmit PHI must meet these requirements. That means healthcare leaders need to ask:
- Does this AI tool touch PHI or ePHI?
- Is the AI vendor acting as a business associate?
- Is a business associate agreement (BAA) in place?
- Are access controls, encryption, audit logs, and retention rules defined?
- Is there consent, approval, escalation, and human review?
- Does the team know what not to enter into AI?
- Are logs, incident response, and breach workflows defined?
If the answer to any of these is unclear, the AI workflow may create compliance risk.
Not sure if your AI workflows are HIPAA-ready?
Request an AI + HIPAA Readiness Review to map your data scope, vendor risk, and safeguard gaps before you launch.
What Counts as PHI When Using AI?

PHI is any health information that can identify a patient. This includes:
- Name, address, phone number, email
- Social Security number, medical record number
- Dates (birth, admission, discharge, death)
- Diagnoses, treatments, prescriptions
- Lab results, imaging, clinical notes
- Insurance information, billing records
ePHI is PHI that is created, stored, or sent electronically.
When AI tools process, store, or transmit any of this information, HIPAA rules apply. That includes AI scribes, AI voice agents, AI chatbots, AI intake forms, and AI-powered EHR features.
Why AI Creates New HIPAA Risk
AI introduces risk vectors that traditional software typically does not:
- Data leakage: AI tools may send data to external servers, cloud providers, or model training pipelines.
- Model training: Some AI vendors use customer data to train models, which could expose PHI.
- Access control gaps: AI agents may access more data than necessary if permissions are not scoped.
- Audit trail gaps: Some AI tools do not log what data was accessed, by whom, or when.
- Human oversight gaps: Autonomous AI may act without human review, creating liability.
- Staff misuse: Employees may paste PHI into generic AI tools like ChatGPT without realizing the risk.
HHS guidance on cloud computing and HIPAA explains that cloud service providers that create, receive, maintain, or transmit ePHI for covered entities or business associates may be business associates, even if the data is encrypted and they cannot view it.
This logic applies to AI vendors as well. If an AI tool handles ePHI, the vendor may need a BAA.
What Dr. Burkholder Says About AI and HIPAA
Dr. Justin Burkholder is a board-certified emergency medicine physician and medical director of Olympic Concierge Medicine in Tampa, Florida. He has firsthand experience using AI in clinical practice.
“AI has definitely changed how I practice medicine. There are AI agents that help me access information that would have taken me hours to find previously. Now I can find that out in literally five seconds or thirty seconds. It is really a game changer.”
But Dr. Burkholder is clear about the limits:
“If the AI doesn’t have proper privacy and security and confidentiality safeguards, that could stop our use of AI as physicians and healthcare organizations.”
He explains the patient trust dimension:
“Patients feel violated if their medical information gets out there. It is a very private thing.”
And he offers practical advice for healthcare leaders:
“If you’re a healthcare provider and you’re looking for AI to help your business, one of the main things you should focus on is this: the AI can help us do X, Y, and Z, but does it have strict guidelines and vetted practices to prevent HIPAA violations?”
Dr. Burkholder also shares how he uses AI safely today:
“I have an EHR, an electronic health record, that has an AI scribe. It listens to my conversations with my patients. Of course, I tell my patients before I turn it on, and I get their consent. That AI is all within the EHR. They have different mechanical and information technology guardrails to prevent leakage of our conversation.”
This is the model: AI inside a protected environment, with consent, safeguards, and human oversight.
The AI + HIPAA Safeguard Stack
The AI + HIPAA Safeguard Stack is Percepture’s framework for helping healthcare leaders decide whether an AI workflow can be used safely, what controls are required, and when human review, vendor agreements, or legal input are needed.
| Layer | Question to Answer |
|---|---|
| 1. Data Scope | Does the AI tool touch PHI or ePHI? |
| 2. Vendor Status | Is the AI vendor acting as a business associate? |
| 3. Contract Controls | Is a BAA needed and in place? |
| 4. Technical Safeguards | Are access controls, encryption, audit logs, and retention rules defined? |
| 5. Workflow Controls | Is there consent, approval, escalation, and human review? |
| 6. Staff Training | Does the team know what not to enter into AI? |
| 7. Monitoring | Are logs, incident response, and breach workflows defined? |
Use this framework to evaluate any AI tool, workflow, or vendor before adoption.
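Layers 4, 5 and 7 of the stack are only answerable if the agent platform actually records what it did and someone checks that record against the workflow's approved scope. The following is an added example, not Percepture's or PYRA's code: a small review routine run over a constructed audit log of an intake agent. It assumes the platform writes one JSON object per action with the field names used here (constructed), and that each workflow has a written policy of which record categories it may read or write, whether writes need a named approver, and which destinations data may be exported to. It flags reads outside the workflow's scope, writes without an approval gate, writes to categories the workflow does not own, and exports to a vendor not on the BAA list.

```python
"""
Review of an AI agent's audit log against its workflow's approved scope.
Added example, not Percepture's or PYRA's code. Field names, the policy
and the log lines are constructed for illustration.
"""
import json
from collections import Counter

# Constructed sample log: one intake agent, seven recorded actions.
AUDIT_LOG = """\
{"ts": "2025-03-03T09:02:11Z", "agent": "intake-bot", "action": "read", "resource": "patient/1001/demographics", "workflow": "intake", "approved_by": null}
{"ts": "2025-03-03T09:02:15Z", "agent": "intake-bot", "action": "read", "resource": "patient/1001/insurance", "workflow": "intake", "approved_by": null}
{"ts": "2025-03-03T09:05:40Z", "agent": "intake-bot", "action": "read", "resource": "patient/2002/clinical_notes", "workflow": "intake", "approved_by": null}
{"ts": "2025-03-03T09:06:02Z", "agent": "intake-bot", "action": "write", "resource": "patient/1001/appointment", "workflow": "intake", "approved_by": "staff:jlee"}
{"ts": "2025-03-03T09:07:30Z", "agent": "intake-bot", "action": "write", "resource": "patient/1001/appointment", "workflow": "intake", "approved_by": null}
{"ts": "2025-03-03T09:08:00Z", "agent": "intake-bot", "action": "export", "resource": "patient/1001/demographics", "workflow": "intake", "approved_by": null, "destination": "vendor:public-chat"}
{"ts": "2025-03-03T09:09:12Z", "agent": "intake-bot", "action": "write", "resource": "patient/1001/medications", "workflow": "intake", "approved_by": "staff:jlee"}
"""

# Per-workflow policy (constructed). A record category is the third path
# segment of a resource such as "patient/<id>/<category>".
WORKFLOW_POLICY = {
    "intake": {
        "read_categories": {"demographics", "insurance", "appointment"},
        "write_categories": {"appointment"},
        "write_requires_approval": True,
        # Only destinations with a BAA on file may receive exports.
        "export_destinations": {"vendor:ehr-scribe"},
    }
}


def _category(resource: str) -> str:
    """Return the record category from 'patient/<id>/<category>' ('' if absent)."""
    parts = resource.split("/")
    return parts[2] if len(parts) >= 3 else ""


def review_audit_log(lines):
    """Check each logged action against its workflow policy; return a list of findings."""
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        policy = WORKFLOW_POLICY.get(ev.get("workflow"))
        rule = None
        if policy is None:
            # An agent acting under a workflow nobody has scoped is itself a finding.
            rule = "unknown_workflow"
        else:
            cat = _category(ev["resource"])
            if ev["action"] == "read" and cat not in policy["read_categories"]:
                rule = "out_of_scope_read"
            elif ev["action"] == "write":
                if cat not in policy["write_categories"]:
                    rule = "out_of_scope_write"      # approval does not widen scope
                elif policy["write_requires_approval"] and not ev.get("approved_by"):
                    rule = "unapproved_write"        # approval gate was bypassed
            elif ev["action"] == "export" and ev.get("destination") not in policy["export_destinations"]:
                rule = "unapproved_export"           # data left to a vendor without a BAA
        if rule:
            findings.append({"ts": ev["ts"], "agent": ev["agent"],
                             "rule": rule, "resource": ev["resource"]})
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, which is what a weekly monitoring report would show."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = review_audit_log(AUDIT_LOG.splitlines())
    for f in results:
        print(f"{f['ts']} {f['agent']} {f['rule']:<20} {f['resource']}")
    print(summarize(results))
```

The policy is deliberately separate from the code: it is the written answer to "what may this workflow touch" that layer 1 produces, and the review only reports deviations from it. Findings record the resource path and rule, never the record contents, so the review output can itself be kept without becoming a new store of PHI.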
Business Associate Agreements and AI Vendors

A business associate is a vendor or partner that handles PHI for a covered entity. If an AI vendor creates, receives, maintains, or transmits PHI on behalf of a healthcare organization, that vendor may be a business associate.
A business associate agreement (BAA) is a contract that sets safeguards for how the business associate handles PHI. It defines:
- What PHI the vendor can access
- How the vendor must protect PHI
- What happens in case of a breach
- How data is returned or destroyed at the end of the relationship
Before using any AI tool with patient data, healthcare leaders should ask:
- Does this vendor sign a BAA?
- What does the BAA cover?
- Where is data stored?
- Is data used for model training?
- What audit logs are available?
If the vendor cannot answer these questions clearly, the tool may not be safe for PHI.
AI Scribes, EHRs, and Patient Consent

AI scribes are AI tools that help document medical visits or conversations. They are increasingly common inside EHR platforms.
Dr. Burkholder’s approach is a good model:
- The AI scribe is inside the EHR, not a separate tool.
- The EHR has safeguards to prevent data leakage.
- The physician tells the patient before turning on the scribe.
- The physician gets patient consent.
- The physician reviews the AI-generated notes before finalizing.
This workflow keeps AI inside a protected environment, with consent and human oversight.
If your AI scribe is outside the EHR, or if it sends data to external servers, you need to evaluate vendor risk, BAA status, and data handling practices carefully.
AI Voice Agents, Intake, and Patient Communication
AI voice agents in healthcare can help with scheduling, intake, follow-up, and patient communication. But they also create HIPAA risk if they collect or transmit PHI.
Before deploying an AI voice agent, healthcare leaders should ask:
- What information does the agent collect?
- Where is that information stored?
- Is the vendor a business associate?
- Is a BAA in place?
- Are calls recorded? If so, where are recordings stored?
- Are transcripts generated? If so, how are they protected?
- What happens if the agent cannot answer a question?
- Is there a human handoff process?
AI voice agents should be scoped narrowly at first. Start with low-risk workflows like appointment reminders or general FAQs before expanding to intake or clinical communication.
Ready to map your first HIPAA-conscious AI workflow?
Percepture helps healthcare organizations scope, evaluate, and launch AI workflows with the right safeguards in place.
What AI Tools Should Not Do With Patient Data
Healthcare AI tools should not:
- Send PHI to external servers without a BAA
- Use PHI for model training without explicit consent
- Store PHI without encryption
- Allow access without role-based controls
- Operate without audit logs
- Act autonomously on clinical decisions without physician oversight
- Collect more data than necessary for the task
If an AI tool does any of these things, it may create HIPAA risk.
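Most of the items in this list, and the "staff misuse" and "data leakage" risks described earlier, come down to one control point: the moment text leaves the organisation for an AI vendor. The following is an added example, not code from Percepture, PYRA or any vendor named on this page, of an outbound guard at that point. It assumes a vendor inventory built from signed BAAs (constructed here), a small set of roles allowed to send PHI, and regular-expression patterns for structured identifiers. It blocks PHI bound for a vendor without a BAA or one that trains on customer data, enforces role-based access, strips identifiers the workflow does not need, and writes an audit record for every decision without logging the PHI itself.

```python
"""
Outbound guard for text an application is about to send to an AI vendor.
Added example, not code from Percepture, PYRA or any named vendor.
Vendor names, roles, field names and the regexes are constructed.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Vendor inventory (constructed). Maintained from signed BAAs, not from
# a vendor's "HIPAA compliant" claim.
VENDORS = {
    "ehr-scribe":  {"baa": True,  "trains_on_customer_data": False,
                    "permitted_identifiers": {"mrn", "date"}},
    "public-chat": {"baa": False, "trains_on_customer_data": True,
                    "permitted_identifiers": set()},
}

# Roles that may send PHI to a BAA-covered vendor at all (constructed).
PHI_ALLOWED_ROLES = {"physician", "nurse", "billing"}

# Structured identifier patterns. Names and free-text diagnoses are also PHI
# and are not caught by regexes, so a clean scan means "no obvious
# identifiers", not "no PHI".
PHI_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.IGNORECASE),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "date":  re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# Constructed sample prompt containing fake identifiers.
SAMPLE_PROMPT = "Summarise visit for John Doe, MRN 4455667, DOB 03/14/1962, phone 813-555-0199."


@dataclass
class Decision:
    allowed: bool
    reason: str
    text: str                                   # text actually permitted to leave
    findings: dict = field(default_factory=dict)  # {pattern_name: count}


def scan_phi(text: str) -> dict:
    """Return {pattern_name: match_count} for each identifier pattern found."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items() if p.search(text)}


def redact(text: str, keep: set) -> str:
    """Replace every identifier not in `keep` with a typed placeholder (minimum necessary)."""
    for name, p in PHI_PATTERNS.items():
        if name not in keep:
            text = p.sub(f"[{name.upper()}]", text)
    return text


def guard_request(user: str, role: str, vendor: str, text: str, audit: list) -> Decision:
    """Decide whether `text` may be sent to `vendor` on behalf of `user` acting as `role`."""
    findings = scan_phi(text)
    v = VENDORS.get(vendor)
    if v is None:
        d = Decision(False, "unknown vendor: not in BAA inventory", "", findings)
    elif not findings:
        d = Decision(True, "no identifiers detected", text, findings)
    elif not v["baa"] or v["trains_on_customer_data"]:
        d = Decision(False, "vendor has no BAA or trains on customer data", "", findings)
    elif role not in PHI_ALLOWED_ROLES:
        d = Decision(False, f"role '{role}' may not send PHI", "", findings)
    else:
        d = Decision(True, "PHI permitted under BAA; unneeded identifiers redacted",
                     redact(text, v["permitted_identifiers"]), findings)
    # Audit record: who, which vendor, what kinds of identifiers, and the decision.
    # Counts and types only; the PHI itself never goes into the log.
    audit.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "vendor": vendor,
        "findings": findings, "allowed": d.allowed, "reason": d.reason,
    }))
    return d


if __name__ == "__main__":
    log: list = []
    for role, vendor in [("marketing", "public-chat"), ("physician", "ehr-scribe"),
                         ("marketing", "ehr-scribe")]:
        d = guard_request("u1", role, vendor, SAMPLE_PROMPT, log)
        print(f"{role}/{vendor}: allowed={d.allowed} ({d.reason}) -> {d.text!r}")
    print("\n".join(log))
```

The guard fails closed: an unknown vendor or a vendor without a BAA never receives text containing identifiers, and there is no "redact and send anyway" path to a non-BAA vendor, because pattern-based redaction does not de-identify free text. The redaction step applies only to the BAA-covered vendor, to honour the minimum-necessary rule for identifiers that the task does not need.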
How PYRA Approaches Governed Healthcare AI Agents

PYRA is the AI agent platform that powers Percepture’s healthcare AI workflows. PYRA is designed for regulated industries, including healthcare, life sciences, and pharma.
PYRA’s healthcare page lists:
- Healthcare workflows: policy, RCM, intake, docs
- Audit logs and approval gates
- Role-based access control
- Client-instanced architecture
- SOC 2 Type II
- HIPAA Compliant (as stated on PYRA’s healthcare page)
PYRA’s approach is: start with one workflow, prove control, then scale.
This means healthcare organizations can pilot AI in a narrow, low-risk workflow, validate safeguards, and expand only after controls are proven.
“In healthcare AI, the architecture matters as much as the answer. You need controlled context, access rules, approval gates, and audit logs before the workflow touches sensitive data.” — Alex Mannine, CTO, PYRA
AI and HIPAA Vendor Evaluation Checklist
Before adopting any AI tool that may touch PHI, healthcare leaders should ask:
| Question | Why It Matters |
|---|---|
| Does this tool touch PHI or ePHI? | Determines if HIPAA applies |
| Is the vendor a business associate? | Determines if a BAA is required |
| Will the vendor sign a BAA? | Required for PHI handling |
| Where is data stored? | Cloud, on-premise, or hybrid |
| Is data encrypted at rest and in transit? | Technical safeguard |
| Is data used for model training? | Risk of PHI exposure |
| Are audit logs available? | Required for compliance |
| Are access controls role-based? | Limits exposure |
| What is the data retention policy? | Determines how long PHI is stored |
| What happens in case of a breach? | Incident response process |
| Is there a human review process? | Oversight and accountability |
| What is the escalation path? | When AI cannot answer |
Use this checklist before signing any AI vendor contract.
AI Workflow Risk Matrix
| AI Use Case | HIPAA Risk | Safeguards Needed | Best First Step |
|---|---|---|---|
| Public blog/content drafting with no PHI | Low | No patient data, editorial review | Safe pilot |
| Marketing research with no patient data | Low | No PHI, source review, staff rules | Safe pilot |
| Internal admin summary | Medium | Access controls, no PHI unless approved | Test with synthetic data |
| AI scribe inside EHR | Medium to high | Consent, BAA, EHR safeguards, audit logs | Vendor review |
| AI voice agent intake | High | Scope limits, BAA, escalation, logs | Narrow workflow pilot |
| Diagnosis or clinical decision support | Highest | Physician oversight, validation, legal review | Do not deploy casually |
How AI and HIPAA Connect to SEO, GEO, and Trust
Healthcare organizations that explain AI and HIPAA clearly can build trust with patients, providers, and search engines.
Google’s guidance on helpful, reliable, people-first content emphasizes E-E-A-T: experience, expertise, authoritativeness, and trustworthiness. For healthcare topics, Google gives even more weight to content that aligns with strong E-E-A-T.
This article is designed to:
- Answer the questions healthcare leaders are asking
- Cite official HHS sources
- Include physician commentary from Dr. Burkholder
- Provide a practical vendor checklist
- Explain PYRA’s governed-agent approach
- Link to related healthcare AI resources
This is how Percepture helps healthcare brands build visibility in Google Search, AI Overviews, ChatGPT search, Perplexity, and other AI answer engines. Learn more about generative engine optimization services and healthcare SEO agency strategy.
Common Mistakes Healthcare Practices Make
- Using generic AI tools with PHI. Staff paste patient data into ChatGPT or other tools without realizing the risk.
- Assuming “HIPAA compliant” means safe. Vendors may claim compliance without a BAA or clear safeguards.
- Skipping vendor review. Practices adopt AI tools without asking where data goes or how it is protected.
- No staff training. Employees do not know what they can and cannot enter into AI.
- No consent process. AI scribes or voice agents are used without patient consent.
- No human oversight. AI acts autonomously without physician review.
- No audit logs. There is no record of what AI accessed or did.
- No incident response plan. If a breach occurs, there is no process to respond.
Avoid these mistakes by using the AI + HIPAA Safeguard Stack and vendor checklist above.
Frequently Asked Questions
What does AI and HIPAA mean?
AI and HIPAA refers to the legal and operational question of how healthcare organizations can use artificial intelligence while protecting protected health information under HIPAA’s Privacy Rule, Security Rule, business associate requirements, and breach notification obligations.
Can healthcare providers use AI under HIPAA?
Yes. Healthcare providers can use AI under HIPAA when the right safeguards are in place, including data scope limits, vendor agreements, technical controls, consent, and human oversight.
Can doctors use ChatGPT with patient information?
No. Generic AI tools like ChatGPT are not designed for PHI and do not have BAAs or HIPAA safeguards. Doctors should not paste patient information into these tools.
What counts as PHI when using AI?
PHI includes any health information that can identify a patient, such as name, address, Social Security number, medical record number, diagnoses, treatments, lab results, and insurance information.
Do AI vendors need a business associate agreement?
If an AI vendor creates, receives, maintains, or transmits PHI on behalf of a healthcare organization, that vendor may be a business associate and may need a BAA.
Are AI scribes HIPAA compliant?
Some AI scribes are designed for HIPAA compliance and operate inside EHR platforms with safeguards. Others are not. Healthcare leaders should evaluate vendor status, BAA availability, data handling, and audit logs before adoption.
Can an AI voice agent collect patient information?
AI voice agents can collect patient information, but only when the right safeguards are in place, including BAAs, scope limits, escalation paths, and audit logs.
What safeguards should healthcare AI tools have?
Healthcare AI tools should have access controls, encryption, audit logs, data retention limits, consent workflows, human review, and incident response processes.
What should healthcare leaders ask before adopting AI?
Healthcare leaders should ask: Does this tool touch PHI? Is the vendor a business associate? Will they sign a BAA? Where is data stored? Is data used for model training? Are audit logs available? Is there a human review process?
How does AI and HIPAA affect healthcare marketing?
Healthcare marketing teams can use AI safely when they know what not to enter, what must be reviewed, and when a vendor agreement is required. AI should not be used with PHI in marketing workflows unless safeguards are in place.
Talk to Percepture About Healthcare AI and HIPAA
Percepture helps healthcare organizations evaluate AI risk, build HIPAA-conscious workflows, and grow visibility in Google Search and AI answer engines.
Related Healthcare AI Resources
- AI Voice Agent in Healthcare
- AI Agents in Healthcare
- Automated Diagnostics in Healthcare
- Medical SEO Agency
- Healthcare SEO Agency
- Generative Engine Optimization Services
- Conversion Rate Optimization Services
- Digital PR Services
- SEO Reputation Management
- AI Search SEO Pricing
About the Author
Bob Generale is the President and Partner of Percepture, a search visibility agency that helps healthcare, life sciences, and enterprise brands grow in Google Search and AI answer engines. Bob is known to be the “navy seals of marketing” and has led SEO, GEO, and content strategy for Fortune 500 companies, healthcare systems, and high-growth startups. He works with physicians, compliance teams, and marketing leaders to build AI-ready content that ranks, converts, and earns trust.

Connect with Bob on LinkedIn | Best AI Search SEO Expert
