Are AI Tools HIPAA Compliant?

Short answer: some are, with the right enterprise tier and a signed BAA. Here is what you need to know before letting an AI tool near PHI.

What HIPAA-Compliant Actually Requires

HIPAA does not certify products. There is no "HIPAA seal." Vendors either offer a BAA and meet the safeguards or they do not.

AI Vendors Offering BAAs (Mid-2025)

What BAAs Typically Do Not Cover

Architecture for HIPAA-Safe AI in SaaS

  1. Use a cloud provider's AI (Azure OpenAI, Bedrock, Vertex) where you already have a BAA — fewer agreements to manage.
  2. De-identify data before it touches the model when possible. Less PHI in prompts means less risk surface.
  3. Disable logging at the model layer (most providers offer this for HIPAA tier).
  4. Audit-log every prompt on your side to comply with PHI access tracking.
  5. Set retention policies on prompt/response data to match your HIPAA retention rules.

Common Mistakes

What to Do Next

If you handle PHI: route AI through Azure OpenAI, AWS Bedrock, or Google Vertex with a signed BAA. Avoid consumer-tier AI products entirely. Document the data flow and the BAAs in your security review for every audit.