Healthcare organizations are adopting AI faster than any previous technology shift in the industry. From diagnostic support tools and clinical documentation assistants to revenue cycle automation, AI is already embedded throughout healthcare operations.
As AI becomes more deeply integrated into the healthcare ecosystem, many organizations continue to treat HIPAA compliance and AI governance as separate concerns. In practice, that distinction is impossible to maintain. The moment an AI system accesses, processes, stores, or transmits Protected Health Information (PHI), it falls within the organization’s HIPAA responsibilities.
This is not a hypothetical concern. It is already occurring within organizations that believe their compliance posture is secure. The only question is whether these gaps are identified and addressed proactively or exposed through an investigation, breach, or enforcement action.
For organizations that act early, the benefits extend far beyond risk reduction. Proactive validation creates objective evidence that governance controls are keeping pace with the technologies handling patient data.
The result is tangible business value. Organizations can strengthen RFP responses, support vendor and BAA due diligence requirements, build customer trust, and provide defensible evidence during OCR reviews or investigations.
The challenge is that many organizations are operating on assumptions about how AI interacts with patient data, vendor relationships, and existing compliance controls. Those assumptions can create gaps that remain invisible until they are tested. By the time most organizations start looking, the exposure is already there.
AI Enters Through the Workflow, Not the Approval Process
This matters because AI adoption often occurs outside formal governance processes. Shadow AI emerges through existing workflows, existing vendors, and everyday efforts to solve business problems, not through a procurement decision that triggers review.
A physician wants to spend less time documenting. A coding team wants to process charts faster. A revenue cycle department wants to accelerate appeals. A vendor introduces a new AI capability into a platform that has already been approved.
The workflow changes without ever entering the organization’s governance review process.
That dynamic makes AI different from many other technology investments. Organizations do not always adopt it through a major purchasing decision.
Samsung encountered this challenge in 2023 when employees uploaded sensitive internal information into ChatGPT while attempting to improve productivity. The incident highlighted how quickly unmanaged adoption can outpace governance controls.
Healthcare organizations face the same challenge, but with significantly higher stakes. By the time privacy, security, legal, or compliance teams become involved, an AI tool may already be generating clinical documentation, supporting coding decisions, assisting patient communication, or processing operational data. The HIPAA-required risk analysis may never have been performed. The tool may not appear in the organization’s asset inventory.
And even when organizations do discover an AI tool handling PHI, the next blind spot often emerges. Many assume that a signed Business Associate Agreement is sufficient evidence that the associated privacy, security, and compliance risks have been addressed.
Signing the BAA Is Not the End of Due Diligence
A BAA establishes how a vendor may use PHI, the safeguards it must maintain, and its obligations for reporting security incidents. However, it does not provide visibility into how data moves through the product, how AI features process information, or where information may be stored, shared, or retained throughout the workflow.
Those details often become central during HIPAA reviews and investigations. A vendor's mistake can still create liability for the covered entity when patient information enters a system that has not been adequately evaluated. OCR routinely examines whether organizations mapped their data flows, assessed the risks those flows created, and implemented reasonable safeguards to manage them.
HIPAA does not shift a covered entity’s Security Rule responsibilities to a vendor simply because a BAA is in place. Covered entities remain responsible for conducting risk analyses on systems that handle ePHI, verifying that appropriate technical safeguards exist, and documenting how patient information is collected, processed, stored, and transmitted. Organizations that rely solely on a signed BAA may still face scrutiny if they cannot demonstrate that these activities were performed.
That evaluation should not stop with the vendor agreement. It must also address the nature of the information entering the system, including whether data described as de-identified actually meets HIPAA’s requirements once it is used, combined, or analyzed in an AI-enabled environment.
De-Identification Is a Legal Standard, Not a Label
Once organizations believe patient information has been de-identified, they often assume the compliance risk has been resolved.
That assumption can create exposure for organizations relying on AI platforms.
The HIPAA Privacy Rule treats de-identification as a legal standard with specific requirements (45 CFR 164.514(b)). HHS recognizes two compliant pathways: Expert Determination and Safe Harbor.
Expert Determination requires a person with appropriate knowledge of generally accepted statistical and scientific methods to conclude and document that the risk of identifying an individual is very small, including when the information is combined with other reasonably available data.
Safe Harbor requires the removal of 18 specified identifiers of the individual and of the individual's relatives, employers, and household members, together with the absence of actual knowledge that the remaining information could identify an individual.
This becomes more complex in an AI-enabled environment because AI systems are designed to find patterns across large volumes of information. These systems often connect information from multiple sources, identify relationships, and generate insights that would otherwise be difficult to detect.
HIPAA’s de-identification standard requires organizations to consider whether remaining information could be used alone or in combination with other information to identify an individual. That makes post-de-identification use, access, combination, and analysis part of the compliance analysis.
In AI systems, training data is often paired with prompts, usage logs, metadata, operational data, system logs, and information from other systems. As AI systems gain access to more context, organizations need to evaluate identification risk across the broader data environment instead of focusing only on a single dataset.
A de-identification review should address more than the removal of names or direct identifiers. It should evaluate whether the remaining information, when used in context, could reintroduce identification risk.
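An added example, not part of the original article: the Safe Harbor transformations applied to constructed sample records, followed by a linkage check against a constructed auxiliary dataset of the kind the paragraphs above describe (a usage log or roster that an AI platform sits beside). The field names, the sample records and the RESTRICTED_ZIP3 placeholder set are assumptions made for this illustration. It shows that a record which passes every Safe Harbor rule can still map to exactly one person once a second dataset shares its quasi-identifiers, which is the combination analysis the review has to include.

```python
"""Safe Harbor scrub plus a linkage check. Added illustration; all records
are constructed, not real patients, and RESTRICTED_ZIP3 is a placeholder."""

# Safe Harbor direct identifiers, named as dict keys assumed for this example.
# These are removed outright; ZIP, dates and age are transformed instead.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo", "other_unique_id",
}

# Safe Harbor: a 3-digit ZIP prefix covering 20,000 or fewer people becomes
# "000". The real list comes from census data; this set is a placeholder.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Fields an adversary can match against an outside dataset after the scrub.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")


def safe_harbor(record: dict) -> dict:
    """Return a new dict with the Safe Harbor transformations applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # drop entirely
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key.endswith("_date"):                    # keep the year only
            out[key[:-5] + "_year"] = str(value)[:4]
        elif key == "age":
            out["age"] = "90+" if int(value) >= 90 else str(value)
        else:
            out[key] = value
    # Ages over 89 are aggregated, and any year that would reveal such an
    # age must go too, so the birth year is removed for that bucket.
    if out.get("age") == "90+":
        out.pop("birth_year", None)
    return out


def linkage_matches(deidentified: list, auxiliary: list) -> dict:
    """Map each de-identified row index to the auxiliary identities that
    share its quasi-identifier tuple. Exactly one name is a re-identification."""
    def key(row):
        return tuple(row.get(q) for q in QUASI_IDENTIFIERS)
    index = {}
    for aux in auxiliary:
        index.setdefault(key(aux), set()).add(aux["name"])
    return {i: index.get(key(row), set()) for i, row in enumerate(deidentified)}


def reidentified(deidentified: list, auxiliary: list) -> list:
    """Indices of de-identified rows that link to exactly one outside identity."""
    return [i for i, names in linkage_matches(deidentified, auxiliary).items()
            if len(names) == 1]


# Constructed sample input: three PHI records as they might leave an EHR.
SAMPLE_PATIENTS = [
    {"name": "Alice Smith", "mrn": "MRN-0001", "zip": "02139", "sex": "F",
     "birth_date": "1957-03-14", "age": 68, "diagnosis": "E11.9"},
    {"name": "Bob Jones", "mrn": "MRN-0002", "zip": "02139", "sex": "M",
     "birth_date": "1957-11-02", "age": 68, "diagnosis": "I10"},
    {"name": "Carol Diaz", "mrn": "MRN-0003", "zip": "03601", "sex": "F",
     "birth_date": "1933-06-30", "age": 92, "diagnosis": "J44.9"},
]

# Constructed auxiliary data: the kind of usage log or public roster that an
# AI platform may sit beside. It carries names plus the same quasi-identifiers.
SAMPLE_AUXILIARY = [
    {"name": "A. Smith", "zip3": "021", "birth_year": "1957", "sex": "F"},
    {"name": "B. Jones", "zip3": "021", "birth_year": "1957", "sex": "M"},
    {"name": "E. Park",  "zip3": "021", "birth_year": "1957", "sex": "M"},
]


def demo() -> list:
    """Scrub the sample records and report which ones still link uniquely."""
    rows = [safe_harbor(r) for r in SAMPLE_PATIENTS]
    return reidentified(rows, SAMPLE_AUXILIARY)


if __name__ == "__main__":
    scrubbed = [safe_harbor(r) for r in SAMPLE_PATIENTS]
    for i, row in enumerate(scrubbed):
        print(i, row, "->", linkage_matches(scrubbed, SAMPLE_AUXILIARY)[i])
    print("uniquely re-identified rows:", demo())
```

Run stand-alone, the first record scrubs cleanly under Safe Harbor (name and MRN gone, ZIP truncated, year only) and still links to exactly one person in the auxiliary set because she is the only female born in 1957 in that ZIP prefix; the second record is shielded only because two candidates share its tuple, and the third is protected by the 90+ aggregation and the restricted-ZIP rule. The scrub step is what Safe Harbor's identifier list performs; the linkage step is the "alone or in combination" question that the list by itself never answers, and the one that has to be asked against the prompts, logs and metadata an AI platform accumulates.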
What Organizations Need to Have in Place
The mismatch between an existing HIPAA program and an AI-enabled environment is not a judgment on the quality of the program. It is a scoping problem. The program was built before AI was in the environment. Closing the gap means extending that program to cover what AI tools are doing with PHI.
Four areas require immediate attention.
- First, an AI tool inventory with PHI exposure mapped. Every AI system in use, sanctioned and unsanctioned, needs to be identified alongside a documented answer to whether it accesses, processes, stores, or transmits PHI.
- Second, BAAs reviewed for AI-specific provisions. Standard BAA language predates widespread AI adoption. Existing agreements should be evaluated for coverage across training data use, model updates, geographic data residency, and deletion obligations. A BAA that does not address those terms does not cover them.
- Third, a risk analysis updated to include AI systems. OCR’s current enforcement standard treats the risk analysis as a living document, not a one-time exercise. AI tools that were not in the environment when the last analysis was conducted are not covered by it. An updated analysis that documents AI-specific risks and the remediation steps taken against them is what OCR is looking for.
- Fourth, a formal pre-deployment approval process. Clinical teams and operational departments need a compliance checkpoint before any AI tool that touches PHI goes live. The process does not need to be slow. It needs to exist before deployment, not after.
The Gap Is Closeable. Drummond Helps Prove It.
Most healthcare organizations already have a HIPAA program. Whether that program still reflects how PHI is being collected, processed, stored, and shared in an AI-enabled environment remains uncertain. For many, the gap is not a failure of intent. It is a visibility problem created by technology moving faster than existing governance processes were designed to track.
Drummond helps organizations close that gap through independent assessments that evaluate whether existing HIPAA controls align with how PHI is actually handled across AI-enabled workflows, vendors, and systems. By identifying gaps, validating controls, and documenting risk, Drummond gives organizations objective evidence that AI governance and HIPAA compliance are operating together.
That evidence helps organizations move from confidence to proof. It supports customer trust, strengthens vendor and BAA due diligence, improves readiness for OCR scrutiny, and shows that innovation is not coming at the expense of patient privacy.