Artificial intelligence is showing up across the healthcare ecosystem at a remarkable pace. From clinical decision support to real-time documentation help, automated scheduling, revenue-cycle automation, and generative AI copilots, these tools are quickly becoming part of everyday workflows. Recent industry surveys indicate that a large share of healthcare organizations are either piloting or actively using AI tools today, including generative AI applications that didn’t exist in most environments just a year or two ago.
What hasn’t changed is the regulatory expectation: HIPAA still applies. And as the technology evolves, regulators and accreditors are sharpening their focus on how AI interacts with electronic protected health information (ePHI).
The proposed updates to the HIPAA Security Rule underscore a key message: healthcare organizations need a complete, accurate, and continuously updated understanding of the technology they use.
Two elements matter especially for AI:
The proposal calls for organizations to maintain a documented inventory of any technologies that create, receive, maintain, or transmit ePHI. That includes:
Organizations must understand the risks associated with each tool—especially when new technologies, like AI, are introduced into clinical or administrative workflows. A risk analysis should evaluate:
At the same time, new guidance from The Joint Commission and the Coalition for Health AI (CHAI) emphasizes governance, privacy, security, and monitoring as essential to safe and trustworthy AI adoption. The common message across these groups: AI use must be intentional, well-controlled, and transparently managed.
For many healthcare organizations—and the consultants, IT teams, and compliance partners who support them—the takeaway is clear:
AI can’t be treated as a separate experiment. It needs to be fully integrated into existing HIPAA compliance policies and procedures.
That begins with two foundational steps:
Every AI system that touches ePHI should be evaluated just like any other information system. This includes tools that:
If it handles ePHI in any way, it belongs in the risk analysis.
An accurate technology inventory is the backbone of a strong HIPAA program. As organizations adopt new AI features, sometimes bundled into existing platforms, it’s important to ensure those tools are added to the inventory and linked to the corresponding risk analysis and mitigation strategies.
As AI becomes more accessible, staff may try tools that weren’t vetted or approved, especially consumer-grade generative AI platforms. Organizations need clear, written policies defining:
For example, an organization may explicitly prohibit entering patient information into public generative AI tools, while approving use of a secure, HIPAA-aligned AI documentation assistant within the EHR.
These policies help protect patients, reduce risk, and prevent shadow IT.
Many AI tools rely on external vendors, cloud services, or model providers. When such a vendor creates, receives, maintains, or transmits PHI on the organization's behalf, even temporarily, it is a business associate under HIPAA. That means organizations must have:
Stronger vendor management not only reduces risk but also gives healthcare organizations confidence that their data is protected across the full AI ecosystem.
Healthcare organizations are eager to adopt AI because the benefits are real: reduced administrative burden, improved documentation, more efficient workflows, and the potential for better patient outcomes.
Integrating AI into the HIPAA program is not about adding friction. It’s about ensuring:
A strong, proactive compliance foundation makes AI adoption faster, because the guardrails are already in place.
Expectations around AI governance in healthcare will continue to rise. Regulators, accreditors, and patients want to know that organizations are using AI responsibly and safely.
By updating HIPAA policies now, especially around asset inventories, risk analysis, AI governance, and vendor management, healthcare organizations position themselves to innovate confidently rather than cautiously.
AI is here to stay. A thoughtful, well-documented compliance approach ensures it strengthens care instead of complicating it. Contact our team to simplify your compliance program today!