Progress 0 / 22 questions answered

HIPAA AI Compliance Checklist

Assess your AI system's HIPAA compliance. 22 questions, 5 categories.

PHI Data Protection & Encryption

Encryption, storage, and protection of Protected Health Information (PHI) in AI systems according to the HIPAA Security Rule.

Is PHI encrypted at rest within AI training datasets, model weights, and databases?

HIPAA Security Rule 164.312(a)(2)(iv): Encryption is an addressable implementation specification. AES-256 encryption is recommended for all stored PHI.

No, no encryption Only some datasets are encrypted All PHI is protected with AES-256 encryption I don't know

Is PHI encrypted in transit when the AI system communicates via APIs and networks (e.g., using TLS 1.2+ HTTPS)?

HIPAA Security Rule 164.312(e)(1): Transmission Security. TLS 1.2 or newer is mandatory for PHI transmission over open networks.

No TLS or HTTP only TLS 1.0/1.1 (deprecated, non-compliant) TLS 1.2+ for all PHI transmission I don't know

Does the AI system follow the "minimum necessary" standard, collecting and processing only the PHI that is essential for its purpose?

HIPAA Privacy Rule 164.502(b): Minimum Necessary. AI training should only use the PHI that is necessary to accomplish its intended purpose.

No, using full medical records Some data filtering, but many unnecessary fields Strict "minimum necessary" principle implemented I don't know

Do you have a documented PHI retention and disposal policy for the AI system (e.g., 6-year HIPAA retention + secure deletion)?

HIPAA 164.530(j): A 6-year retention period is required. PHI within AI models must also be securely deleted after this retention period (e.g., secure wipe/degaussing).

No retention policy Policy exists but is not documented or followed HIPAA-compliant 6-year retention + secure disposal I don't know

Do you have a disaster recovery and backup plan for the AI system's PHI data (e.g., automated backups, tested recovery, offsite storage)?

HIPAA Security Rule 164.308(a)(7): Contingency Plan. A data backup plan, disaster recovery plan, and emergency mode operation plan are mandatory.

No backup or recovery plan Backup exists but is not tested or offsite Full DR: automated backup + tested recovery + offsite I don't know

Access Control & Authentication

Role-based access control (RBAC), user authentication, and audit logging for PHI access in AI systems.

Does every user have a unique user ID for the AI system, and are shared accounts prohibited?

HIPAA Security Rule 164.312(a)(2)(i): Unique User Identification. All access to PHI must be traceable to a unique user.

Shared or generic accounts exist Mostly unique, some shared accounts exist All access is strictly with unique user IDs I don't know

Is there an automatic session timeout (automatic logoff) implemented in the AI system for periods of inactivity (e.g., max. 15-30 minutes)?

HIPAA Security Rule 164.312(a)(2)(iii): Automatic Logoff. This is an addressable specification; a timeout of 15-30 minutes is recommended for sessions accessing PHI.

No automatic timeout Yes, but >30 min (not recommended) Max. 15-30 min automatic logout I don't know

Is role-based access control (RBAC) implemented, ensuring that data scientists and ML engineers only see the PHI necessary for their job functions?

HIPAA Security Rule 164.308(a)(4): Access authorization. Role-based access is required for workforce members based on their specific job functions.

No RBAC, everyone sees everything RBAC exists but is not finely tuned Strict RBAC based on job function I don't know

Do you have an emergency access procedure ("break-the-glass") for critical situations, and is all such access strictly logged and audited?

HIPAA Security Rule 164.312(a)(2)(ii): Emergency Access Procedure. A mechanism for emergency access to PHI is mandatory for situations like life-threatening emergencies.

No emergency access process Exists but not logged/audited Documented break-the-glass + full audit trail I don't know

Does the AI system log all access and modifications to PHI (audit controls), capturing: who, when, and what PHI was viewed or modified?

HIPAA Security Rule 164.312(b): Audit Controls. All events involving access to or modification of PHI must be recorded (including user, timestamp, action, and data identifier).

No audit logging Partial logging (missing fields) Full audit trail: user, time, action, PHI I don't know

AI Model Privacy & De-identification

PHI de-identification using Safe Harbor or Expert Determination methods, and managing the risks of re-identification.

Is the AI training data de-identified using either the HIPAA Safe Harbor (removal of 18 identifiers) or the Expert Determination method?

HIPAA Privacy Rule 164.514(b): Safe Harbor involves removing 18 specific identifiers. Expert Determination involves a statistical expert certifying that the risk of re-identification is very low.

No, using identifiable PHI Partial de-ID (not full Safe Harbor compliant) Safe Harbor (18 identifiers removed) Expert Determination (statistical certification)

Have you conducted a re-identification risk assessment on the AI model's outputs (i.e., can the AI's responses potentially identify individuals)?

During AI inference, the model must not generate outputs that enable the re-identification of individuals. Periodic testing is required.

No, no re-ID risk assessment conducted One-time assessment at launch Periodic (at least annual) re-ID testing I don't know

If you use a Limited Data Set (which is not fully de-identified), do you have a Data Use Agreement (DUA) in place with all recipients?

HIPAA 164.514(e): A Limited Data Set can retain some identifiers (like dates/zips), but a DUA is mandatory for recipients using it for research, public health, or health care operations.

Using Limited Data Set without DUA (non-compliant) DUAs exist, but not with all recipients DUAs are in place with all Limited Data Set recipients We do not use a Limited Data Set

Have you tested the AI model for PHI "memorization" (i.e., its susceptibility to training data extraction attacks)?

Large Language Models (LLMs) can memorize and regurgitate PHI from their training data. Techniques like differential privacy or testing for membership inference attacks are recommended to mitigate this.

No, no memorization testing Basic prompt testing, but not systematic Advanced testing (e.g., Membership Inference, Differential Privacy) I don't know

Business Associate Agreements & Cloud AI

Business Associate Agreements (BAAs) with third-party AI vendors, cloud provider compliance, and subcontractor management.

Do you have a signed Business Associate Agreement (BAA) with all third-party AI providers (e.g., OpenAI, Google, AWS, Azure) that access PHI?

HIPAA 164.502(e): A BAA is mandatory with all Business Associates (including vendors and cloud providers) who create, receive, maintain, or transmit PHI on your behalf.

No BAAs in place (critical non-compliance!) Some vendors have a BAA, but not all All PHI-handling vendors have a signed BAA I don't know

Do your BAA agreements include all HIPAA-required clauses (e.g., implementing safeguards, breach notification within 60 days, subcontractor flow-down, audit rights)?

HIPAA 164.504(e)(2): A BAA must include specific clauses, such as requiring safeguards, reporting breaches, ensuring subcontractors comply (flow-down), and allowing for audits.

Generic vendor BAA (not HIPAA-specific) BAA exists but is missing required HIPAA clauses Full, HIPAA-compliant BAA with all vendors I don't know

Do you know and document the physical location(s) where your cloud AI providers store PHI (e.g., ensuring US datacenters for OCR jurisdiction)?

The location of PHI can be relevant for OCR (Office for Civil Rights) enforcement. While HIPAA applies to US-based entities globally, OCR oversight is clearer for data stored within the US.

We don't know where the PHI is located Known, but not formally documented Documented datacenter locations + compliance review I don't know

Do you regularly (at least annually) audit or review your Business Associates' HIPAA compliance and overall security posture?

HIPAA 164.308(b)(1): Monitoring Business Associates is mandatory. Due diligence should include reviewing compliance attestations, security questionnaires, or SOC 2 reports.

No vendor monitoring Occasional reviews, but not systematic Annual compliance audit + SOC 2 report review I don't know

Breach Notification & Compliance Audit

HIPAA breach notification process (including 60-day OCR reporting), incident response, risk assessment, and audit readiness.

Do you have a documented breach notification procedure for a PHI breach involving the AI system (including 60-day OCR notification and patient notification)?

HIPAA Breach Notification Rule (164.404-408): Requires 60-day reporting to OCR, notification to affected individuals, and media notification (if 500+ individuals are affected).

No breach notification procedure Incident plan exists, but it is not HIPAA-specific HIPAA-compliant breach procedure (incl. 60-day OCR deadline) I don't know

Have you conducted a HIPAA Security Risk Assessment (SRA) specifically for the AI system, as required by 45 CFR 164.308(a)(1)(ii)(A)?

HIPAA Security Rule 164.308(a)(1)(ii)(A): A Security Risk Assessment is mandatory. It must identify all threats and vulnerabilities to ePHI.

No, no Security Risk Assessment has been conducted SRA exists but is outdated (>1 year old) Current (annual) SRA that includes AI-specific threats I don't know

Do all workforce members involved with the AI system (e.g., data scientists, ML engineers) receive annual HIPAA privacy and security training?

HIPAA Security Rule 164.308(a)(5): A security awareness and training program is mandatory for all workforce members. Annual refresher training, including AI-specific scenarios, is recommended.

No HIPAA training Onboarding training only, no annual refresher Annual HIPAA training with AI-specific modules I don't know

Is all documentation demonstrating the AI system's compliance (e.g., policies, procedures, risk analyses, training records, BAAs) maintained and retained for the required 6 years?

HIPAA 164.316(b): Documentation must be retained for 6 years. You must be able to produce all relevant HIPAA policies, procedures, and records (like training logs) during an OCR audit.

No documentation Partial documentation (incomplete or outdated) Comprehensive documentation with 6-year retention I don't know

Your AI Security Assessment

/100

📧 Get your results via email

We will send you the complete report with all answers and recommendations

I accept the Terms of Use.

Want a deeper analysis?

Our experts can help with a detailed AI Red Team audit

Schedule Free Consultation →

Is your AI handling Protected Health Information (PHI) securely?

Take our 3-Minute HIPAA & AI Compliance Checklist! Using AI in healthcare is revolutionary but creates massive risks for Protected Health Information (PHI). This quick security audit helps you assess if your AI systems—from training data to diagnostic models—are compliant with strict HIPAA rules. We cover key areas like data de-identification, access controls, AI vendor (BAA) management, and model privacy. Complete it in just 3 minutes to get an instant, score-based evaluation of your compliance gaps. Avoid costly breaches!

We’ll email you the detailed report and recommendations.