HIPAA Blog

[ Tuesday, July 07, 2026 ]

 

AI Usage Generally Requires a BAA: If you are a covered entity and you use any AI product, keep one thing in mind: if that AI product touches any patient information, you better have a BAA in place with the AI vendor.

A business associate relationship exist whenever the BA provides a service to or for a covered entity and PHI is involved (used, disclosed, exchanged, etc.).  Many healthcare AI programs involve a covered entity entering PHI into the system and receiving some output (clinical recommendations, encounter notes, medical record entries, etc.).  In most commercial AI products (and any free ones, such as ChatGPT), the AI provider takes the "ingested" information and uses it for the AI system to further learn and refine its product.  That taking and using potentially exposes the ingested information to further uses or disclosures by the AI provider.

If you are using an AI product, you need to keep in mind two things: does the data include PHI, and is the AI system "learning" from your data.  If the answer to the first question is yes, then you need a BAA.

The second question adds some nuance: if the system is learning, then the data could potentially be used or exposed elsewhere.  It is hard to understand how that type of "disclosure" would be permitted under HJIPAA at all.  Disclosing to a business associate so it can help the covered entity with its business operations is OK; disclosing to the business associate so the business associate can improve its business is a little trickier. 

Something to keep in mind.


Jeff [9:50 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template