Building AI for healthcare without HIPAA expertise is the fastest way to a six-figure fine. The rules are clear. The implementations are not.
Here's what HIPAA actually requires for AI products in 2026 - written by engineers who've shipped 12+ HIPAA-aligned AI features.
- BAA with every subprocessor: If your AI feature sends PHI to OpenAI, you need a BAA with OpenAI. Same for Pinecone, Anthropic, AWS, and any LLM proxy.
- PHI minimization in prompts: Don't send full medical records to the LLM. Send the minimum necessary. De-identify where possible.
- Audit log every PHI access by AI: If the AI reads a patient record, that read is auditable. Log it. Same as a human read.
- Patient consent for AI use: Patients must be informed AI is processing their data. Get consent. Document it.
- No training on PHI: Use enterprise endpoints (OpenAI Enterprise, Claude via AWS Bedrock) that contractually guarantee no training on your data.
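One way to reduce what reaches the LLM is keyed pseudonymization of direct identifiers, so records stay linkable internally without exposing names or SSNs. A minimal sketch, with illustrative field names; full de-identification must follow the Safe Harbor or Expert Determination standard, not this alone:

```python
import hashlib

def pseudonymize(record: dict, secret: str,
                 direct_identifiers=("name", "ssn", "mrn")) -> dict:
    """Replace direct identifiers with stable, keyed pseudonyms.

    The same (secret, value) pair always yields the same token, so
    pseudonymized records remain joinable without revealing PHI.
    Field names here are illustrative assumptions.
    """
    out = dict(record)
    for field in direct_identifiers:
        if field in out:
            digest = hashlib.sha256(
                (secret + str(out[field])).encode()).hexdigest()[:12]
            out[field] = f"{field}-{digest}"
    return out
```

Because the pseudonyms are deterministic under the key, you can still deduplicate and link records downstream while the raw identifiers never leave your data layer.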
Pre-launch HIPAA AI checklist
1. BAA signed with LLM provider (OpenAI Enterprise, AWS Bedrock, Azure OpenAI, etc.)
2. BAA signed with vector database vendor (or use the HIPAA-eligible Pinecone tier, or self-host pgvector)
3. Encryption at rest and in transit verified end-to-end
4. Per-user RBAC enforced before any LLM call
5. Audit log on every AI invocation that touches PHI
6. Patient consent flow updated to mention AI processing
7. PHI minimization in prompts (only send what's needed)
8. Output filter for PHI leakage in responses
9. Incident response plan updated for AI-specific risks
10. Pen test report covering the AI feature surface
How we architect HIPAA AI features
Step 1: PHI tagging in your data layer
Every column in your database that contains PHI gets a tag. Queries that touch PHI go through a wrapper that enforces consent + RBAC + audit log. The LLM call layer reads from this wrapper, never from raw tables.
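The wrapper described above can be sketched as follows. The consent and RBAC checks are passed in as callables, and the PHI tag registry is an illustrative assumption (in practice it would live in your schema metadata):

```python
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical PHI tag registry: which columns in which tables hold PHI.
PHI_COLUMNS = {"patients": {"name", "ssn", "diagnosis", "medications"}}

@dataclass
class PHIAccessWrapper:
    """Gate every PHI read behind consent, RBAC, and an audit log."""
    has_consent: Callable[[str], bool]          # patient_id -> bool
    is_authorized: Callable[[str, str], bool]   # (user_id, table) -> bool
    audit_log: list = field(default_factory=list)

    def read(self, user_id: str, patient_id: str, table: str,
             columns: set, fetch: Callable[[], dict]) -> dict:
        touches_phi = bool(columns & PHI_COLUMNS.get(table, set()))
        if touches_phi:
            if not self.has_consent(patient_id):
                raise PermissionError("no AI-processing consent on file")
            if not self.is_authorized(user_id, table):
                raise PermissionError("RBAC denied")
            self.audit_log.append({"user": user_id, "patient": patient_id,
                                   "table": table, "columns": sorted(columns)})
        return fetch()
```

The key design choice is that the LLM call layer only ever receives the `fetch` result through `read`, so there is no code path that reaches raw tables without the three checks firing.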
Step 2: Prompt construction with minimization
Build a function that takes a patient query and returns the minimum context the LLM needs. If the LLM only needs the diagnosis and current meds, don't send the full chart. Less data = less risk.
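A minimal sketch of that function, assuming a per-task allow-list of chart fields (the task names and field names are illustrative):

```python
# Each AI task declares the minimum fields it needs from the chart.
TASK_FIELDS = {
    "med_interaction_check": {"current_medications", "allergies"},
    "visit_summary": {"diagnosis", "current_medications"},
}

def minimal_context(chart: dict, task: str) -> dict:
    """Project the full chart down to the minimum-necessary fields.

    Unknown tasks fail closed rather than defaulting to the full chart.
    """
    needed = TASK_FIELDS.get(task)
    if needed is None:
        raise ValueError(f"unknown task: {task}")
    return {k: v for k, v in chart.items() if k in needed}
```

Failing closed on unknown tasks matters: the default path should never be "send everything."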
Step 3: Provider routing for compliance
All HIPAA-bound LLM calls go through Azure OpenAI, AWS Bedrock (Claude), or OpenAI Enterprise. Consumer endpoints (api.openai.com without Enterprise tier) are explicitly blocked at the gateway.
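The gateway check can be as simple as a host allow-list. The hostnames below are illustrative placeholders; confirm the exact endpoints and that a BAA is in place for each before allow-listing:

```python
from urllib.parse import urlparse

# Allow-list of HIPAA-eligible endpoints (illustrative hostnames).
ALLOWED_HOSTS = {
    "myorg.openai.azure.com",                    # Azure OpenAI
    "bedrock-runtime.us-east-1.amazonaws.com",   # AWS Bedrock
}

def route_llm_call(url: str, contains_phi: bool) -> str:
    """Refuse to send PHI anywhere outside the allow-list.

    Non-PHI traffic may still use other endpoints; PHI may not.
    """
    host = urlparse(url).hostname or ""
    if contains_phi and host not in ALLOWED_HOSTS:
        raise PermissionError(f"blocked non-HIPAA endpoint for PHI: {host}")
    return host
```

Because the check keys off the `contains_phi` flag from your data layer, a developer cannot accidentally point a PHI-bearing feature at a consumer endpoint without an explicit failure.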
Step 4: Response filtering
Output goes through a regex + LLM-based filter that catches accidental PHI leakage (e.g., model parroting an SSN it saw). Outputs that fail get redacted or escalated.
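The regex pass of that filter might look like this (the LLM-based second pass is elided; the patterns shown catch only SSN-shaped and MRN-shaped strings and are a starting point, not a complete PHI detector):

```python
import re

# First-pass patterns for obvious PHI shapes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE)

def redact_phi(text: str) -> tuple:
    """Redact obvious PHI patterns from model output.

    Returns (clean_text, leaked) so callers can escalate any leak
    for human review instead of silently passing it through.
    """
    leaked = bool(SSN_RE.search(text) or MRN_RE.search(text))
    clean = SSN_RE.sub("[REDACTED-SSN]", text)
    clean = MRN_RE.sub("[REDACTED-MRN]", clean)
    return clean, leaked
```

Returning the `leaked` flag separately from the redacted text is deliberate: redaction fixes the response, but the leak itself is an incident signal that should feed your escalation path.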
Step 5: Audit log everything
Every LLM call logs: who, what query, what context was sent, what response came back, timestamp, IP. Immutable storage. 6-year retention.
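One record per LLM call, with a content hash so tampering is detectable. Immutability itself comes from the storage layer (e.g. WORM storage such as S3 Object Lock, an assumption here, not shown):

```python
import hashlib
import json
import time

def audit_record(user_id: str, query: str, context: str,
                 response: str, ip: str) -> dict:
    """Build one audit entry for an LLM call that touched PHI.

    The sha256 over the canonical JSON makes each entry tamper-evident;
    write entries to append-only storage with a 6-year retention policy.
    """
    entry = {
        "user": user_id,
        "query": query,
        "context_sent": context,
        "response": response,
        "ip": ip,
        "ts": time.time(),
    }
    entry["sha256"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry
```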
Common pitfalls
- Free OpenAI tier: No BAA. Period. Don't even use it for testing with real-looking PHI.
- Pinecone Standard tier: Not HIPAA-eligible by default. You need Enterprise tier or self-host pgvector.
- LangChain default loggers: Some default callbacks send prompt/response data to LangSmith without your knowledge. Disable them or use HIPAA-safe alternatives.
- ChatGPT for internal demos: Even internal demos with real PHI in the prompt are a HIPAA breach. Use synthetic data or de-identified samples.
"HIPAA isn't a milestone. It's the architecture."
HIPAA-eligible vs not (popular AI tools)
| Tool | HIPAA-eligible tier | Notes |
|---|---|---|
| OpenAI (consumer api.openai.com) | No | Don't use for any PHI, even testing. |
| OpenAI Enterprise | Yes | BAA available. Use for HIPAA workloads. |
| AWS Bedrock (Claude, Llama) | Yes | Default HIPAA-eligible. Sign the BAA at AWS account level. |
| Anthropic API direct | Yes (Enterprise) | BAA on Enterprise plan only. |
| Azure OpenAI | Yes | Microsoft signs BAAs. HIPAA-ready out of the box. |
| Pinecone Standard | No | Standard tier is not HIPAA-eligible. Use Enterprise or self-host pgvector. |
| Pinecone Enterprise | Yes | BAA available. |
| Langfuse self-hosted | Yes | Self-hosted on your own HIPAA-compliant infrastructure; compliance responsibility is yours. |
| LangSmith managed | Conditional | BAA required - request from LangChain. |
6 architectural patterns for HIPAA AI
PHI-tagged data layer
Every column with PHI is tagged. Queries go through a wrapper that enforces consent + RBAC + audit log.
Prompt minimization
Send only what the LLM needs. If it needs diagnosis + meds, don't send the full chart.
Provider routing for compliance
All HIPAA-bound calls route through Bedrock / Azure / OpenAI Enterprise. Block consumer endpoints at the gateway.
Output filtering
Regex + LLM filter on outputs catches accidental PHI leakage. Failures get redacted or escalated.
Immutable audit log
Every PHI access logged: who, what query, what context, what response, timestamp, IP. 6-year retention.
Patient consent flow
Consent records explicitly mention AI processing. Without consent, AI calls don't run.
We ship HIPAA-aligned AI products end to end.
12+ healthcare AI products live. First-pass HIPAA audits. BAA + architecture + audit log all wired by week 2.
If you remember 5 things
- Sign a BAA with every subprocessor. No exceptions, including for testing.
- Minimize PHI in prompts - send only what the model needs.
- Route all HIPAA-bound calls through enterprise endpoints (Bedrock, Azure, OpenAI Enterprise).
- Audit every AI access on PHI as if it were a human read.
- Patient consent must mention AI processing. Document it.
HIPAA AI is achievable, not optional
Healthcare clients aren't buying AI features that aren't HIPAA-ready. The compliance work isn't optional - it's the entry ticket.
The good news: with the right architecture, HIPAA AI is no harder than HIPAA web apps. The patterns are well-understood. We've shipped them dozens of times. Just don't try to bolt them on at the end.
About IRPR
The IRPR engineering team ships production software for 50+ countries. Idea → Roadmap → Product → Release. 200+ products live.