HIPAA
US federal law protecting patient health data · any AI vendor handling PHI must sign a BAA.
Basic
HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) in the US. Any vendor that processes PHI on behalf of a covered entity (hospital, clinic, insurer) must sign a Business Associate Agreement (BAA) and implement administrative, physical, and technical safeguards. For AI, HIPAA applies to any healthcare use case: clinical documentation, patient triage, medical imaging analysis, clinical decision support. Fines range from $100 to $50,000 per violation, with annual caps of $1.5M.
Deep
HIPAA has two main rules: the Privacy Rule (uses and disclosures of PHI) and the Security Rule (administrative, physical, and technical safeguards for electronic PHI). Violations are tiered by culpability, from "did not know" to "willful neglect." The HIPAA Omnibus Rule extended direct liability to business associates. AI providers serving healthcare must offer a BAA · OpenAI offers one for enterprise accounts, AWS for Bedrock healthcare customers, Google Cloud for the Healthcare API. Logging and model training on PHI are particularly risky; providers typically opt out of training on healthcare customer data. HIPAA does not preempt stricter state laws (e.g. California's CMIA).
Expert
HIPAA's implementing regulations (45 CFR Part 164) define required and addressable implementation specifications. The 2023 HHS proposed rule would update the Security Rule with modern cryptography and MFA requirements. Breach notification (Section 164.410) requires notifying HHS within 60 days for breaches of more than 500 records. De-identification under Safe Harbor (§164.514(b)(2)) or Expert Determination lets data leave the protected zone, since de-identified data is no longer PHI. Synthetic data, federated learning, and differential privacy are emerging approaches for HIPAA-compliant AI training. Notable enforcement: the 2023 OCR action against Solara Medical for $200K after a phishing breach exposed PHI.
Depending on why you're here
- HIPAA Privacy Rule + Security Rule
- BAA extends liability to business associates
- Violations tiered by culpability
- Sign a BAA before sending any PHI to an AI API
- Opt out of training · most providers allow this for healthcare customers
- Use Safe Harbor de-identification where possible
- Healthcare AI is the largest vertical with a compliance moat
- BAA-enabled providers capture enterprise healthcare contracts
- Enforcement actions are rising · 2023 had record HHS OCR fines
- US law protecting your medical records
- Why doctors have you sign privacy forms
- AI companies handling health data need special agreements
HIPAA is the single largest gate on AI revenue in healthcare. BAA-ready providers ship; the rest cannot touch the vertical.