HIPAA Technical Requirements for AI Systems
Duration: 55 min · Level: Advanced · Module: 6. HIPAA-Compliant AI Agent Deployment · Focus: HIPAA, security, BAA, audit-trail, compliance
By the end of this lesson you will be able to explain and apply:
- BAA chain
- PHI minimization in AI
- Audit trail requirements
- Encryption at rest and in transit
- Agent identity management
Overview
HIPAA's Security Rule was written in 2003 — before large language models, cloud computing, and AI agents existed. Applying its principles to modern AI agent architectures requires careful interpretation. The core requirement is unchanged: protect ePHI with administrative, physical, and technical safeguards appropriate to the risk.
Key concepts
- BAA chain: every vendor in the data flow that receives PHI must sign a BAA; this includes: cloud infrastructure (AWS BAA, Azure BAA, Google Cloud BAA), LLM provider (Anthropic Claude Enterprise BAA), database vendor, clearinghouse, and any subcontractors
- PHI minimization in AI: the less PHI in AI model inputs, the lower the risk; design agents to use patient IDs and retrieve PHI only when the specific task requires it; do not batch-send full patient records to an LLM for general processing
- Audit trail requirements: all PHI access, creation, modification, and disclosure must be logged with user ID (or agent ID), timestamp, action, and the specific PHI involved; logs must be retained per retention policy and protected from modification
- Encryption at rest and in transit: all ePHI must be encrypted at rest (AES-256) and in transit (TLS 1.3); LLM API calls containing PHI must be over TLS; log files containing PHI must be encrypted
- Agent identity management: each agent must have a distinct identity (service account) and must not use human credentials; least-privilege access (agent can only access the APIs it needs for its role); credentials rotated regularly
- Risk analysis for AI: HIPAA requires documented risk analysis; for AI systems, this includes: risk of LLM hallucination leading to PHI disclosure, risk of prompt injection attacks, risk of training data memorization, risk of model API breach
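
The audit-trail bullet above, as an added example that is not part of the original lesson: each entry records agent ID, timestamp, action and the PHI fields touched, and an HMAC chain makes later modification detectable. The class name, agent names, patient ID and field names are hypothetical, and the HMAC chain is one possible design, not something HIPAA prescribes.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-MAC value used for the first entry

class AuditTrail:
    """Append-only log; each entry's MAC also covers the previous entry's MAC."""
    def __init__(self, key: bytes):
        self._key = key      # assumption: kept in a KMS/HSM, never stored beside the log
        self.entries = []

    def _mac(self, body: dict, prev: str) -> str:
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, agent_id, action, patient_id, fields, ts=None):
        body = {
            "agent_id": agent_id,       # service-account identity, not a human login
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "action": action,           # read / create / modify / disclose
            "patient_id": patient_id,
            "fields": sorted(fields),   # names of the PHI fields touched, never values
        }
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {**body, "prev": prev, "mac": self._mac(body, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return the index of the first altered or missing entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("prev", "mac")}
            ok = e["prev"] == prev and hmac.compare_digest(e["mac"], self._mac(body, prev))
            if not ok:
                return i
            prev = e["mac"]
        return -1

def demo():
    # Constructed sample events; agent names and patient ID are made up.
    trail = AuditTrail(key=b"constructed-demo-key")
    trail.record("svc-eligibility-agent", "read", "PT-0001", ["insurance_id"])
    trail.record("svc-coding-agent", "modify", "PT-0001", ["diagnosis_codes"])
    trail.record("svc-claims-agent", "disclose", "PT-0001", ["dob", "insurance_id"])
    before = trail.verify()
    trail.entries[1]["agent_id"] = "svc-eligibility-agent"  # simulated log tampering
    return before, trail.verify()
```

The chain detects edited entries and entries deleted from the middle of the log; removal of the most recent entries is only detectable if the latest MAC is also anchored outside the log store.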
Check your understanding
Try to recall each answer before expanding it.
Q1. What do you know about BAA chain?
every vendor in the data flow that receives PHI must sign a BAA; this includes: cloud infrastructure (AWS BAA, Azure BAA, Google Cloud BAA), LLM provider (Anthropic Claude Enterprise BAA), database vendor, clearinghouse, and any subcontractors
Q2. What do you know about PHI minimization in AI?
the less PHI in AI model inputs, the lower the risk; design agents to use patient IDs and retrieve PHI only when the specific task requires it; do not batch-send full patient records to an LLM for general processing
Q3. What do you know about Audit trail requirements?
all PHI access, creation, modification, and disclosure must be logged with user ID (or agent ID), timestamp, action, and the specific PHI involved; logs must be retained per retention policy and protected from modification
Q4. What do you know about Encryption at rest and in transit?
all ePHI must be encrypted at rest (AES-256) and in transit (TLS 1.3); LLM API calls containing PHI must be over TLS; log files containing PHI must be encrypted
Q5. What do you know about Agent identity management?
each agent must have a distinct identity (service account) and must not use human credentials; least-privilege access (agent can only access the APIs it needs for its role); credentials rotated regularly