Clinical teams are already using AI. So are coders, prior auth coordinators, documentation specialists, and care managers. The tools are fast, the efficiency case is obvious, and the pressure to adopt is real. The HIPAA question most organizations are asking is: did we get a BAA signed?
A Business Associate Agreement is required before any AI vendor may touch protected health information. Signing one establishes a contractual relationship. It does not run a compliance program. How PHI moves inside that relationship, what the vendor does with it, and whether those activities meet HIPAA’s technical and operational requirements all fall on the covered entity to verify. The BAA does not verify itself.
On December 27, 2024, the HHS Office for Civil Rights issued a Notice of Proposed Rulemaking to update the HIPAA Security Rule for the first time in 20 years; it was published in the Federal Register on January 6, 2025. As of publication, the final rule has not been issued. OCR has kept finalization on its regulatory agenda for May 2026, but OCR Director Paula Stannard acknowledged at the March 2026 HIMSS conference that the Trump administration may revise certain requirements before a final rule issues. The proposed changes sharpen existing requirements, specifically where cloud AI creates the most exposure. The core obligations around risk analysis, BAA management, and minimum necessary apply under current law regardless of whether, or in what form, the proposed rule is finalized.
A physician uses a cloud AI tool to draft a discharge summary. The prompt includes the patient’s diagnosis, medication history, and care team notes. That information transits to an external inference endpoint and is processed by a model your organization does not control. Your BAA makes that disclosure permissible. It does not answer what the vendor’s model or logs retain, which subprocessors touched the data, or whether the access controls on that infrastructure meet the technical safeguards the Security Rule requires. Those questions belong to you.
What HIPAA actually requires when AI touches PHI
The HIPAA Privacy Rule governs how covered entities use and disclose protected health information. It applies to AI systems without modification. Introducing an algorithm into a clinical or administrative workflow does not change the rules on permissible use, the minimum necessary standard, or what constitutes an unauthorized disclosure. HIPAA governs the workflow.
The minimum necessary standard under 45 CFR §164.502(b) requires covered entities to limit uses, disclosures, and requests of PHI to the minimum reasonably necessary for the intended purpose. Applied to AI, this means a tool processing a prior authorization request should receive only the clinical data relevant to that authorization, not the full patient history. Cloud AI tools produce better output with more context; the minimum necessary standard demands less. The covered entity, not the vendor, resolves that conflict by deciding what reaches the prompt, and that decision has to be made and documented before the request leaves the network.
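One way to make that decision enforceable in code rather than only in a policy document is to scope the chart to a per-purpose field allowlist before the prompt is assembled. The Python below is an added example, not code from the original article or from any vendor; the purpose names, field names, allowlists and the sample chart excerpt are constructed for illustration. Note that the fields that survive scoping are still PHI, so the endpoint that receives them still needs a BAA: this narrows the disclosure, it does not remove it.

```python
"""Enforcing minimum necessary at the prompt boundary.

Added example, not code from the original article. The purposes, field
names, allowlists and the sample record are constructed for illustration;
a real deployment derives them from its own minimum necessary policy
(45 CFR 164.502(b)) and its own data dictionary.
"""
from __future__ import annotations

from typing import Any

# Purpose -> fields reasonably necessary for that purpose (constructed policy).
# Anything not listed never reaches the prompt, however helpful the extra
# context would be to the model.
MINIMUM_NECESSARY: dict[str, frozenset[str]] = {
    "prior_auth": frozenset(
        {"requested_service", "diagnosis_codes", "supporting_notes", "payer_id"}
    ),
    "discharge_summary": frozenset(
        {"diagnosis_codes", "medications", "care_team_notes", "admit_date", "discharge_date"}
    ),
}

# Direct identifiers that no purpose above needs inside the prompt. The
# request is tied back to the patient by an internal reference instead.
DIRECT_IDENTIFIERS: frozenset[str] = frozenset(
    {"name", "mrn", "ssn", "dob", "address", "phone", "email"}
)


class MinimumNecessaryError(ValueError):
    """Raised when a request cannot be scoped to a documented purpose."""


def scope_record(record: dict[str, Any], purpose: str) -> tuple[dict[str, Any], list[str]]:
    """Return (fields permitted for `purpose`, fields withheld).

    The withheld list is what the audit log should record: it shows an
    examiner that the disclosure was limited, not merely that a BAA exists.
    """
    allowed = MINIMUM_NECESSARY.get(purpose)
    if allowed is None:
        raise MinimumNecessaryError(f"no minimum necessary policy for purpose {purpose!r}")
    # Fail closed on a misconfigured policy rather than ship identifiers.
    overlap = allowed & DIRECT_IDENTIFIERS
    if overlap:
        raise MinimumNecessaryError(
            f"policy for {purpose!r} allows direct identifiers: {sorted(overlap)}"
        )
    scoped = {field: value for field, value in record.items() if field in allowed}
    withheld = sorted(field for field in record if field not in allowed)
    return scoped, withheld


def build_prompt(record: dict[str, Any], purpose: str, request_ref: str) -> str:
    """Build the text sent to the inference endpoint from the scoped fields only.

    `request_ref` is an internal, per-request token the covered entity can map
    back to the chart; the patient's identifiers stay inside the network. The
    scoped fields are still PHI, so the endpoint still needs a BAA.
    """
    scoped, _withheld = scope_record(record, purpose)
    lines = [f"Purpose: {purpose}", f"Request: {request_ref}"]
    for field in sorted(scoped):
        value = scoped[field]
        if isinstance(value, list):
            value = "; ".join(str(v) for v in value)
        lines.append(f"{field}: {value}")
    return "\n".join(lines)


# Constructed sample chart excerpt, not real patient data.
SAMPLE_RECORD: dict[str, Any] = {
    "mrn": "00012345",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "diagnosis_codes": ["M54.5", "E11.9"],
    "medications": ["metformin 500 mg BID", "naproxen 500 mg PRN"],
    "care_team_notes": "Ambulating independently; pain controlled.",
    "requested_service": "MRI lumbar spine without contrast",
    "supporting_notes": "Six weeks of conservative therapy without improvement.",
    "payer_id": "PAYER-42",
    "admit_date": "2025-03-01",
    "discharge_date": "2025-03-04",
    "full_history": "twenty years of encounter notes",
}

if __name__ == "__main__":
    scoped, withheld = scope_record(SAMPLE_RECORD, "prior_auth")
    print(build_prompt(SAMPLE_RECORD, "prior_auth", "req-7f3a"))
    print("withheld:", withheld)
```

The withheld list is the thing to write to the audit log: it records that the disclosure for this request was limited to the documented purpose. The request reference replaces the MRN in the prompt, and the mapping from reference back to chart never leaves the covered entity's systems.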
The Security Rule requires a documented risk analysis (45 CFR §164.308(a)(1)(ii)(A)) covering all systems that create, receive, maintain, or transmit ePHI. A cloud AI tool that processes clinical documentation falls within that scope. The risk analysis must identify threats to the confidentiality, integrity, and availability of ePHI in that system, assess their likelihood and impact, and document the controls in place to address them. If your organization has deployed a cloud AI tool without extending the risk analysis to cover it, that gap is a Security Rule violation regardless of BAA status.
The Office for Civil Rights collected more than $9.9 million in HIPAA settlements across 22 enforcement actions in 2024. Business Associate Agreement deficiencies contributed to multiple cases. The enforcement pattern reflects an OCR that treats BAA failures as evidence of systemic compliance failure, not administrative oversight.
What changed in December 2024
The proposed Security Rule update does not add entirely new obligations. It removes the flexibility that allowed organizations to treat many requirements as optional. Under the current rule, implementation specifications are classified as either required or addressable, with addressable specifications subject to a reasonableness analysis that some organizations have used to defer implementation indefinitely. The proposed rule eliminates that distinction. Every implementation specification becomes required, with only the specific, limited exceptions the rule itself enumerates.
For organizations using cloud AI, three specific proposals carry the most immediate weight.
Annual BAA verification. The proposed rule requires business associates to verify to the covered entity, at least once every 12 months, that they have deployed the technical safeguards the Security Rule mandates: a written analysis of the business associate’s relevant systems by a subject matter expert, and a written certification that the analysis was performed and is accurate. A BAA signed at contract execution does not satisfy it. The covered entity has to obtain and retain that recurring written confirmation for every vendor that handles ePHI, cloud AI vendors included.
Mandatory encryption. The proposed rule requires encryption of ePHI at rest and in transit, with only limited exceptions. Under the current rule, encryption is addressable, meaning organizations can implement an equivalent alternative or document why encryption is not reasonable. The proposed rule closes that option. Any cloud AI system that receives or stores ePHI must encrypt it at both stages, and that covers the vendor’s internal paths to its model servers and subprocessors, not only the TLS connection from your network. If a vendor cannot confirm encryption at both stages, it cannot receive PHI under a compliant program.
Network mapping. The proposed rule requires a technology asset inventory and a network map that documents how ePHI moves through an organization’s electronic systems, updated at least annually and in response to any operational change that affects PHI. A cloud AI deployment creates a new data flow by definition. That flow must appear on the map. If it does not, the gap is evidence of an incomplete risk analysis, which is itself a Security Rule violation.
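Whether the map is complete can be tested against what the network actually did. The Python below is an added example, not code from the original article or from any vendor. It parses a constructed proxy log export (made-up hostnames on the .invalid domain and RFC 5737 test addresses), treats flows to address space the covered entity controls as inside the network, and checks every external destination against a constructed data-flow inventory that records the evidence the proposed rule asks for: BAA on file, encryption verified, model training prohibited, and the date of the last written safeguard verification. The log format and inventory fields are assumptions; a real check reads your own proxy or firewall export and your own technology asset inventory.

```python
"""Checking observed AI egress against the ePHI data-flow inventory.

Added example, not code from the original article or any vendor. The log
format, hostnames, addresses and inventory entries are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class InventoryEntry:
    """One external destination permitted to receive ePHI, with its evidence."""

    vendor: str
    baa_signed: bool
    encryption_verified: bool  # at rest and in transit, confirmed in writing
    training_prohibited: bool  # BAA clause barring use of PHI to train models
    last_verification: date    # most recent written safeguard verification


# Constructed inventory keyed by destination hostname.
INVENTORY: dict[str, InventoryEntry] = {
    "api.example-scribe.invalid": InventoryEntry("ExampleScribe", True, True, True, date(2025, 9, 15)),
    "inference.example-auth.invalid": InventoryEntry("ExampleAuth", True, True, False, date(2024, 6, 1)),
}

# Address space the covered entity controls. Inference that lands here keeps
# PHI inside the network, so no business associate relationship is created.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed proxy log lines (RFC 5737 test addresses, .invalid hostnames):
# "<timestamp> <src_ip> <dst_host> <dst_ip> <method> <path> <bytes_out>"
SAMPLE_LOG = """\
2026-03-02T14:02:11Z 10.20.4.17 llm.internal.hospital.invalid 10.50.1.8 POST /v1/chat/completions 8132
2026-03-02T14:03:40Z 10.20.4.17 api.example-scribe.invalid 203.0.113.10 POST /v1/summarize 21044
2026-03-02T14:05:02Z 10.20.7.3 inference.example-auth.invalid 198.51.100.22 POST /v1/prior-auth 6410
2026-03-02T14:06:55Z 10.20.9.40 api.unlisted-llm.invalid 203.0.113.77 POST /v1/completions 15220
"""


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src_ip: str
    dst_host: str
    dst_ip: str
    bytes_out: int


def parse_log(text: str) -> list[Flow]:
    """Parse the constructed seven-field format; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, host, dst, _method, _path, nbytes = parts
        flows.append(Flow(ts, src, host, dst, int(nbytes)))
    return flows


def classify(flow: Flow, inventory: dict[str, InventoryEntry], as_of: date,
             max_age: timedelta = timedelta(days=365)) -> tuple[str, str]:
    """Return (category, reason) for one flow.

    internal          inference on infrastructure the covered entity controls
    mapped            on the inventory with current evidence
    mapped-deficient  on the inventory, but the evidence is missing or stale
    unmapped          external destination that is not on the inventory at all
    """
    dst = ipaddress.ip_address(flow.dst_ip)
    if any(dst in net for net in INTERNAL_NETWORKS):
        return "internal", "inference inside the covered entity's network"
    entry = inventory.get(flow.dst_host)
    if entry is None:
        return "unmapped", "external destination absent from the data-flow inventory"
    problems = []
    if not entry.baa_signed:
        problems.append("no BAA on file")
    if not entry.encryption_verified:
        problems.append("encryption at rest/in transit not verified")
    if not entry.training_prohibited:
        problems.append("BAA does not prohibit model training on PHI")
    if as_of - entry.last_verification > max_age:
        problems.append("safeguard verification older than 12 months")
    if problems:
        return "mapped-deficient", "; ".join(problems)
    return "mapped", f"on inventory ({entry.vendor}), verification current"


def review(text: str, inventory: dict[str, InventoryEntry], as_of: date) -> list[tuple[str, str, str]]:
    """Classify every flow in a log export as (dst_host, category, reason)."""
    return [(f.dst_host, *classify(f, inventory, as_of)) for f in parse_log(text)]


if __name__ == "__main__":
    for host, category, reason in review(SAMPLE_LOG, INVENTORY, date(2026, 3, 2)):
        print(f"{category:17} {host:34} {reason}")
```

An unmapped destination is the gap the paragraph describes: a flow carrying ePHI that the inventory does not know about. A mapped-deficient destination is on the map but could not pass the annual verification the proposed rule would require, which is the same finding an examiner would reach from the paperwork alone.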
“The proposal to modify the Security Rule helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage.”
Paula M. Stannard, OCR Director, HIMSS 2026
The model training problem most BAAs leave unaddressed
Cloud AI vendors improve their models on data. That is how the products get better. The question for covered entities is whether your PHI contributes to that process, and whether your BAA explicitly prohibits it.
Foley & Lardner’s May 2025 analysis of AI in digital health notes that BAAs should explicitly prohibit vendors from using PHI to train, improve, or refine AI models unless the covered entity has provided explicit authorization. That clause is absent from many standard enterprise agreements. A BAA that addresses permissible use and security obligations but says nothing about model training leaves a meaningful gap, one that the minimum necessary standard and the Privacy Rule’s purpose limitation provisions directly implicate. The clause should also reach the vendor’s subprocessors and any retained prompts, outputs, or logs, since those are where training data would be drawn from.
A generative AI model does not produce a record of how it processed a given input. When a privacy officer has to answer an OCR examiner’s question about how PHI was accessed and processed within a vendor’s system, the model itself provides no answer; only the vendor’s access and audit logs can, and the BAA has to require that those logs are kept and can be produced. HIPAA requires organizations to demonstrate compliance. A system that cannot be audited makes that demonstration difficult to construct.
Where the analysis ends
Every obligation described above traces back to the same event: PHI left the covered entity’s network. Once that happens, HIPAA requires ongoing management of everything that follows. Which vendor received it. What that vendor does with it. Whether the vendor’s controls remain adequate. Whether subprocessors are properly covered. Whether model training is prohibited. Whether encryption is verified. Whether the annual certification has been obtained.
Managing it requires legal and technical resources, and it recurs annually rather than running once at contract execution.
The organizations that eliminate most of this workload share one characteristic: their AI runs inside their network. When inference happens on infrastructure the covered entity controls, and the model or platform vendor has no access to that deployment (no remote support access, no telemetry or outbound calls that carry PHI), PHI does not leave. There is no Business Associate relationship to verify, no third-party encryption to confirm, no model training clause to negotiate, and no external data flow to map. The Privacy and Security Rules still apply. The compliance perimeter stays where the covered entity already governs it.
For every AI tool your clinical and administrative teams use, one question determines how much HIPAA compliance work it generates: does inference happen inside your network or outside it? If outside, every obligation described in this article applies. If inside, the vendor-facing obligations do not arise; the risk analysis, access controls, and audit controls still do, but they run on systems the covered entity already governs. Where inference runs determines the scope of everything else in an AI compliance program.