Build HIPAA-compliant AI without sacrificing what makes it useful.

HIPAA does not certify software, it regulates how covered entities and business associates handle Protected Health Information. An AI system is compliant when the entire pipeline (ingestion, storage, inference, logging, retention, and disposal) satisfies the Privacy Rule, the Security Rule, and the Breach Notification Rule. That means encryption in transit and at rest, least-privilege access, audit trails for every PHI touch, and a signed BAA with every vendor that sees the data. The AI model itself is just one component inside that boundary.

The safest default is to not put raw PHI in the prompt at all. We use a combination of de-identification at the edge, tokenization of identifiers before they reach the model, and tightly scoped context windows that only include the minimum necessary data for the task. When PHI must enter the prompt (for example, clinical summarization), we route it exclusively through LLM providers under a signed BAA, log every request and response, and keep the data inside the covered boundary. Prompt logs are treated as PHI themselves, with the same retention and access controls as any other clinical record.

Yes. If an AI vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity, they are a business associate under HIPAA and a BAA is required. That includes the LLM provider, any vector database holding embeddings derived from PHI, the hosting infrastructure, and any third-party observability or logging tools in the path. Several major LLM providers offer BAAs on specific SKUs (not their default consumer APIs), and the SKU matters. We verify the BAA scope up front so you are not discovering gaps during an OCR audit.

Yes, but the architecture decisions matter more than the training technique. Training on raw PHI requires the compute environment, the training artifacts, the model weights, and any intermediate checkpoints to all live inside the HIPAA boundary with full BAA coverage. For most use cases we recommend training on properly de-identified data under the HIPAA Safe Harbor or Expert Determination methods, which removes the PHI designation entirely and dramatically shrinks the compliance surface. Retrieval augmented generation against a PHI-aware vector store is often a better path than fine-tuning, because it keeps patient data out of the model weights entirely.

HIPAA recognizes two de-identification methods: Safe Harbor (removal of 18 specific identifiers) and Expert Determination (a qualified statistician certifies that re-identification risk is very small). Data that meets either standard is no longer PHI and can be used more freely for AI training. Anonymization is a broader, non-HIPAA term that implies irreversibility, and in practice modern re-identification attacks have shown that simple anonymization often is not enough. For AI training on clinical data, we default to Expert Determination with a documented risk assessment, because Safe Harbor alone can strip too much signal out of the data to be useful.

HIPAA predates modern AI, so HHS has been issuing guidance that clarifies how existing rules apply to AI workflows. The Office for Civil Rights has made clear that AI systems handling PHI must meet the full Security Rule, including risk analysis, access controls, audit controls, and transmission security. The HHS AI Strategic Plan and Section 1557 nondiscrimination guidance add requirements around bias testing, transparency, and human oversight for clinical decision support. We map these obligations to specific technical controls in your architecture so compliance is not a paperwork exercise bolted on at the end.

Two differences that matter. First, we ship working systems. MEDICODAX is our own HIPAA-aware medical coding AI, running in production, handling real clinical data under a Human-AI Symbiosis model where the AI suggests and clinicians confirm. We know where healthcare AI breaks because we have broken it ourselves and fixed it. Second, every engagement is led by senior engineers with direct HIPAA experience, not pyramid-staffed with junior consultants learning on your PHI. If you need a 200-page strategy deck, we are not your firm. If you need an AI system that passes a BAA review and actually helps clinicians, we are.