HIPAA & LLM Usage

Navigate healthcare compliance when using AI and large language models

Healthcare Data Requires Special Protection

If you're in healthcare and want to use LLMs with patient data, Protected Health Information (PHI), or any data covered by HIPAA, you must understand the compliance requirements. Non-compliance can result in fines up to $1.5 million per violation category, per year.

What Is HIPAA?

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects sensitive patient health information from being disclosed without patient consent or knowledge.

Key Components:

Privacy Rule: Sets standards for protecting health information
Security Rule: Establishes safeguards for electronic PHI (ePHI)
Breach Notification Rule: Requires notification of data breaches

What Is Protected Health Information (PHI)?

PHI is any health information that can be linked to a specific individual. This includes obvious identifiers as well as seemingly innocuous data that becomes identifying when combined with other data.

18 HIPAA Identifiers (Examples):

• Names
• Dates (birth, admission, discharge, death)
• Phone/fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Account numbers
• IP addresses
• Geographic subdivisions smaller than state
• Biometric identifiers (fingerprints, voice)
• Photos of patients
• Any unique identifying number or code

Business Associate Agreements (BAA)

What Is a BAA and Why Do You Need One?

A Business Associate Agreement is a legally binding contract between a HIPAA-covered entity (or another business associate) and a vendor who will handle PHI on their behalf.

⚠️ CRITICAL REQUIREMENT

If you send PHI to an LLM provider without a signed BAA, you are in violation of HIPAA. This applies even if you're just testing or using it internally. The BAA must be in place BEFORE any PHI is transmitted.

A BAA Must Include:

  • How PHI can be used and disclosed
  • Safeguards to protect PHI
  • Breach notification requirements
  • Data return or destruction upon termination
  • Subcontractor requirements (if applicable)

Which LLM Vendors Offer BAAs?

Not all LLM providers are willing or able to sign BAAs. Here's the current landscape:

✓ Vendors That Offer BAAs:

Google Cloud (Vertex AI)

Offers BAA for Vertex AI services including PaLM 2, Gemini, and other models. Must be on a paid plan.

AWS (Amazon Bedrock)

Provides BAA for Bedrock services with models from Anthropic, Meta, Cohere, and others.

Microsoft Azure (Azure OpenAI Service)

Offers BAA for Azure OpenAI Service with GPT-4, GPT-3.5, and other OpenAI models hosted on Azure.

Anthropic (Claude for Enterprise)

Offers BAA for enterprise customers. Contact their sales team for details.

❌ Generally Do NOT Offer BAAs (or limited availability):

OpenAI API (Direct)

Standard ChatGPT and OpenAI API do not offer BAAs for most users. Enterprise customers should inquire directly. Use Azure OpenAI Service instead for HIPAA compliance.

Most Free/Consumer LLM Services

ChatGPT Free, Claude.ai, Gemini web interface, etc. are NOT HIPAA-compliant and do not offer BAAs.

Note: This information is accurate as of early 2025, but vendor offerings change. Always verify current BAA availability directly with the vendor before transmitting PHI.

Technical Safeguards for HIPAA Compliance

Encryption in Transit and at Rest

All PHI must be encrypted both when being transmitted and when stored.

Requirements:

In Transit: Use TLS 1.2 or higher for all API calls to LLM providers
At Rest: Ensure the vendor encrypts all data at rest (most major cloud providers do this by default)
Key Management: Understand who controls encryption keys and ensure they're properly managed

Access Controls and Audit Logs

You must be able to control who accesses PHI and maintain audit trails.

Implementation:

  • Implement role-based access control (RBAC) for who can send data to LLMs
  • Log all API calls that involve PHI (timestamp, user, data accessed)
  • Implement unique user identification and authentication
  • Automatic logoff after period of inactivity
  • Regular access reviews and revocation of unnecessary permissions
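As an added example, not code from this page or from any vendor's SDK: a minimal gateway that applies the safeguards above before a prompt carrying PHI leaves the organisation. It pins the HTTPS client context to TLS 1.2 or higher, lets only approved roles send PHI, and writes an audit entry (timestamp, user, patient record, outcome) for every attempt, denied ones included. The role table, the record identifier and the injected `transport` callable are assumptions; the real call to the BAA-covered endpoint belongs in `transport`.

```python
"""Constructed PHI-aware LLM gateway: TLS 1.2+ client context, role check, audit record.
Added example; not from the page or any vendor SDK."""
import hashlib
import ssl
from datetime import datetime, timezone

# Assumption: only these roles are approved to send PHI to the contracted LLM.
PHI_SEND_ROLES = {"clinician", "coder"}
AUDIT_LOG = []  # stand-in for an append-only, access-restricted audit store


def tls_context() -> ssl.SSLContext:
    """Client context for the LLM API call: certificate and hostname verification on,
    anything older than TLS 1.2 refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(user: str, role: str, record_id: str, allowed: bool, prompt: str) -> dict:
    """One audit entry: who, when, which patient record, and whether it was allowed.
    The prompt is stored as a hash so the log does not become a second PHI store."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "record_id": record_id,
        "allowed": allowed,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    }
    AUDIT_LOG.append(entry)
    return entry


def send_phi_prompt(user: str, role: str, record_id: str, prompt: str, transport):
    """Gate a PHI-bearing prompt. transport(prompt, ctx) performs the real HTTPS call
    to the BAA-covered endpoint; it is injected so the gateway can be tested offline."""
    allowed = role in PHI_SEND_ROLES
    audit(user, role, record_id, allowed, prompt)   # denied attempts are logged too
    if not allowed:
        raise PermissionError(f"role {role!r} is not approved to send PHI to the LLM")
    return transport(prompt, tls_context())


if __name__ == "__main__":
    fake = lambda prompt, ctx: f"{len(prompt)} chars sent with min {ctx.minimum_version.name}"
    print(send_phi_prompt("dr.smith", "clinician", "MRN-0048213", "Summarize ...", fake))  # constructed ids
    print(AUDIT_LOG[-1])
```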

Data Retention and Destruction

Understand how long the LLM vendor retains your data and ensure proper deletion.

Key Questions to Ask Vendors:

  • Is there a zero-retention option? (Data not stored after processing)
  • How long are API request/response logs retained?
  • Is my data used for model training? (It should NOT be if handling PHI)
  • What happens to data upon contract termination?
  • Can I request deletion of specific data?

De-identification as an Alternative

When De-identified Data Is NOT PHI

If you properly de-identify health information according to HIPAA standards, it's no longer considered PHI and doesn't require a BAA. However, de-identification must be done correctly.

Two Methods for De-identification:

1. Safe Harbor Method

Remove all 18 HIPAA identifiers and have no actual knowledge that remaining information could identify the individual.

2. Expert Determination

Have a qualified statistician or expert certify that the risk of re-identification is very small.

⚠️ Warning About Partial De-identification

Simply removing names or obvious identifiers is NOT sufficient. Data that seems anonymous can often be re-identified through combination with other data. When in doubt, treat data as PHI and get a BAA.
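As an added example that is not part of the original page: a pattern-based scrubber for the regex-shaped identifiers from the list above (SSN, phone, email, IP address, medical record number, ZIP code, dates), run over a constructed clinical note. The patterns and placeholder labels are assumptions. It also shows the warning above in practice: the patient's name survives, because names and free-text identifiers are not regex-shaped, so a scrubber alone does not reach Safe Harbor.

```python
"""Constructed Safe Harbor scrubber for the regex-shaped identifiers only.
Added example; not code from the page."""
import re

# Patterns for a subset of the 18 identifiers. Names, locations written as
# free text and "any unique identifying code" are not regex-shaped and are
# NOT caught here; that gap is why a scrubber alone is not Safe Harbor.
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN",   re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE)),
    # Full ZIP masked; keeping the first 3 digits is only allowed where that
    # area holds more than 20,000 people, which needs a population lookup.
    ("ZIP",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]
# Safe Harbor lets the year stand, so dates become "[DATE <year>]".
DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")


def scrub(text: str):
    """Return (scrubbed_text, counts_by_identifier_type)."""
    counts = {}
    text, n = DATE.subn(r"[DATE \1]", text)
    if n:
        counts["DATE"] = n
    for label, pattern in PATTERNS:      # order matters: MRN/SSN/PHONE before ZIP
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample note (no real patient data).
NOTE = ("Pt Jane Roe, MRN 0048213, DOB 03/14/1958, ZIP 02139, phone (555) 010-2233, "
        "email j.roe@example.org, SSN 123-45-6789, portal login from 203.0.113.7.")

if __name__ == "__main__":
    cleaned, found = scrub(NOTE)
    print(cleaned)   # "Jane Roe" is still there: the regexes cannot reach it
    print(found)
```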

HIPAA Compliance Best Practices

DO: Get BAA BEFORE Testing

Even pilot projects with real PHI require a signed BAA. No exceptions.

DO: Use Enterprise/Cloud Provider Services

Google Cloud, AWS, and Azure all offer HIPAA-compliant LLM services with BAAs.

DO: Document Everything

Maintain records of BAAs, security assessments, and compliance procedures.

DO: Train Your Staff

Ensure everyone who works with PHI understands HIPAA requirements and the approved tools.

DO: Conduct Risk Assessments

Regularly assess the risks of using LLMs with PHI and implement appropriate safeguards.

DO: Enable Zero-Retention Options

When available, configure services not to retain data after processing.

DON'T: Use ChatGPT or Consumer LLMs

Free ChatGPT, Claude.ai, and similar consumer services are NOT HIPAA-compliant.

DON'T: Assume "Anonymous" Is Enough

Informal de-identification rarely meets HIPAA standards. Get expert guidance.

DON'T: Allow Training on Your Data

Ensure vendor agreements explicitly prohibit using your PHI for model training.

DON'T: Skip Legal Review

Have your legal team review BAAs before signing. Templates vary by vendor.

HIPAA-Compliant LLM Use Cases

Clinical Documentation

Generate draft clinical notes, summaries, or documentation from physician dictation or EHR data.

Requires: BAA, access controls, audit logging

Medical Coding Assistance

Extract ICD-10 and CPT codes from clinical notes to assist billing departments.

Requires: BAA, verification process for code accuracy

Patient Communication

Draft personalized patient education materials or appointment reminders based on patient history.

Requires: BAA, review before sending to patients

Research & Analytics

Analyze de-identified patient data for population health insights or clinical research.

Requires: Proper de-identification OR BAA if using PHI

Build HIPAA-Compliant AI Solutions

We can help you navigate HIPAA requirements, select compliant vendors, and implement secure AI workflows for healthcare.