HIPAA-Compliant AI: Separating Myth from Reality
Jan 29, 2026

Written by Eric Richers

The Fear

Every week, I hear some version of this: "I want to use AI, but I can't because of HIPAA." HIPAA does not prohibit AI. HIPAA establishes standards for protecting health information. AI tools can absolutely comply with those standards — when architected correctly.

What HIPAA Actually Requires

  • Business Associate Agreement (BAA): Any AI vendor that processes PHI must sign a BAA.
  • Data Minimization: Only send the minimum necessary information to AI systems.
  • Access Controls: Role-based permissions, audit logs, encryption.
  • No Consumer AI for PHI: Using Azure OpenAI with a BAA? Compliant. Sending notes to the consumer ChatGPT product? Violation.

The Three Zones

🟢 Green Zone — No PHI

Marketing, social media, blogs, SEO. Use AI freely.

🟡 Yellow Zone — De-Identified Data

Practice analytics, outcome trends. Use with de-identification protocols.

🔴 Red Zone — Direct PHI

BAA-covered enterprise AI platforms only.
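The requirements list above (BAA, data minimization, access controls with audit logs, no consumer AI for PHI) and the three zones together describe a routing policy that can be enforced in code rather than left to individual judgement. The following is an added example written for this article, not CUTI Consulting's tooling or any vendor's API. The `Zone` enum, the `ENDPOINTS` registry, the `PHI_ROLES` set and the `route_request` gate are hypothetical constructs; the endpoint names and sample requests are constructed data. It also adds a coarse residual-identifier scan as a backstop behind the caller's de-identification attestation, and writes audit records that carry a hash of the payload rather than the payload itself, so PHI never lands in the log.

```python
import hashlib
import json
import logging
import re
from dataclasses import dataclass
from enum import Enum

log = logging.getLogger("ai_gate")
logging.basicConfig(level=logging.INFO, format="%(message)s")


class Zone(Enum):
    GREEN = "green"    # no PHI: marketing, blog posts, SEO
    YELLOW = "yellow"  # de-identified data: practice analytics, outcome trends
    RED = "red"        # direct PHI: clinical notes, patient records


@dataclass(frozen=True)
class AIEndpoint:
    name: str
    baa_signed: bool      # vendor has executed a Business Associate Agreement
    consumer_grade: bool  # consumer product with no enterprise contract


@dataclass(frozen=True)
class AIRequest:
    zone: Zone
    role: str             # caller's role, for role-based permission checks
    deidentified: bool    # caller attests a de-identification protocol was applied
    payload: str


# Hypothetical endpoint registry (constructed sample data, not real vendors).
ENDPOINTS = {
    "consumer-chat": AIEndpoint("consumer-chat", baa_signed=False, consumer_grade=True),
    "enterprise-llm": AIEndpoint("enterprise-llm", baa_signed=True, consumer_grade=False),
}

# Roles permitted to submit Red Zone requests (constructed sample policy).
PHI_ROLES = {"clinician", "billing"}

# Coarse residual-identifier scan used as a backstop behind the caller's
# de-identification attestation. A heuristic only, not a HIPAA Safe Harbor
# implementation; a real pipeline applies a full de-identification protocol first.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # SSN-shaped
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),   # US phone-shaped
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),            # e-mail address
]


def looks_identified(text: str) -> bool:
    """True if the text still contains an obvious direct identifier."""
    return any(p.search(text) for p in IDENTIFIER_PATTERNS)


def route_request(req: AIRequest, endpoint_name: str) -> tuple[bool, str]:
    """Apply the three-zone policy; return (allowed, reason) and audit the decision."""
    ep = ENDPOINTS.get(endpoint_name)
    if ep is None:
        decision = (False, "unknown endpoint")
    elif req.zone is Zone.GREEN:
        decision = (True, "no PHI: any endpoint permitted")
    elif req.zone is Zone.YELLOW:
        if not req.deidentified:
            decision = (False, "yellow zone data must be de-identified first")
        elif looks_identified(req.payload):
            decision = (False, "residual identifier found in 'de-identified' payload")
        else:
            decision = (True, "de-identified data permitted")
    else:  # Zone.RED
        if ep.consumer_grade or not ep.baa_signed:
            decision = (False, "PHI may only go to BAA-covered enterprise endpoints")
        elif req.role not in PHI_ROLES:
            decision = (False, f"role '{req.role}' is not permitted to submit PHI")
        else:
            decision = (True, "BAA-covered endpoint and authorised role")
    _audit(req, endpoint_name, decision)
    return decision


def _audit(req: AIRequest, endpoint_name: str, decision: tuple[bool, str]) -> None:
    """Audit record without payload content: only a hash and size, so PHI stays out of logs."""
    log.info(json.dumps({
        "zone": req.zone.value,
        "role": req.role,
        "endpoint": endpoint_name,
        "allowed": decision[0],
        "reason": decision[1],
        "payload_sha256": hashlib.sha256(req.payload.encode()).hexdigest(),
        "payload_bytes": len(req.payload.encode()),
    }))


if __name__ == "__main__":
    # Constructed sample requests exercising each zone.
    print(route_request(AIRequest(Zone.GREEN, "marketing", False, "Draft a blog intro about flu season."), "consumer-chat"))
    print(route_request(AIRequest(Zone.RED, "clinician", False, "Pt reports chest pain..."), "consumer-chat"))
    print(route_request(AIRequest(Zone.RED, "clinician", False, "Pt reports chest pain..."), "enterprise-llm"))
    print(route_request(AIRequest(Zone.YELLOW, "analyst", True, "Cohort A: 42% readmit; contact 555-123-4567"), "enterprise-llm"))
```

The design point is that the gate decides on classification and endpoint metadata, never on payload content alone: a Red Zone request is refused at a consumer endpoint regardless of what it contains, and a Yellow Zone request is refused when the attestation is contradicted by what the scan finds. The audit record satisfies the "audit logs" requirement without itself becoming a second copy of PHI.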

My Approach

At CUTI Consulting, 90% of what I build operates in the Green Zone. Let's audit your AI readiness.