Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the 1996 US federal law that sets privacy and security standards for protected health information (PHI). Two rules under it carry the practical weight: the Privacy Rule, which limits how PHI can be used and disclosed, and the Security Rule, which mandates administrative, physical, and technical safeguards for electronic PHI (ePHI). The law defines covered entities (providers, health plans, clearinghouses) and business associates, meaning anyone handling PHI on their behalf. AI vendors sit squarely in the business-associate bucket.
Reviewed by 7wData

Why it matters

Any model trained on or producing PHI is in HIPAA scope, and the covered-entity versus business-associate distinction determines who signs the Business Associate Agreement (BAA). Most healthcare AI deals stall on BAA negotiation because vendors underestimate what the technical safeguards mean for cloud deployments: encryption at rest and in transit, audit logging, access controls, breach notification timelines. ePHI under HIPAA also intersects with the EU AI Act’s high-risk classification, so one deployment can sit in both regimes at once.

Where you’ll encounter it

Three concrete contexts. A healthcare customer’s procurement team requires a signed BAA before any data flows. A security audit checks that the AI inference endpoint logs are PHI-scrubbed, not just the customer-facing output. An incident-response review traces a breach back to a model that memorised training PHI. The pitfall I keep seeing: teams treat “we don’t store data” as a HIPAA defense, but training memorisation and retrieval logs are themselves storage events.
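As an added illustration of the log-scrubbing check above (example code written for this entry, not 7wData's own tooling): a Python filter that tokenises known PHI fields and redacts identifier patterns inside free-text prompt and completion fields before an inference log record is written, so a retained log is no longer a PHI storage event. The field names, regexes and the sample record are assumptions constructed for the example, not a HIPAA-defined identifier list.

```python
import hashlib
import re

# Field names that carry PHI in a (constructed) inference request log.
# These names are assumptions for this example, not a HIPAA-defined list.
DIRECT_IDENTIFIER_FIELDS = {"patient_name", "mrn", "dob", "ssn", "email"}

# Patterns for identifiers that leak inside free-text prompts and completions.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

def _token(value: str, salt: bytes) -> str:
    """Keyed one-way token: lets incident response correlate records without storing the PHI."""
    return "<" + hashlib.blake2b(value.encode(), key=salt, digest_size=6).hexdigest() + ">"

def scrub_text(text: str, salt: bytes) -> str:
    """Replace every identifier pattern in free text with a labelled token."""
    for label, pat in PATTERNS.items():
        text = pat.sub(lambda m, label=label: f"[{label}:{_token(m.group(0), salt)}]", text)
    return text

def scrub_record(record: dict, salt: bytes) -> dict:
    """Return a copy of a log record with PHI fields tokenised and free text redacted."""
    out = {}
    for key, val in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            out[key] = _token(str(val), salt)
        elif isinstance(val, str):
            out[key] = scrub_text(val, salt)
        elif isinstance(val, dict):
            out[key] = scrub_record(val, salt)
        else:
            out[key] = val
    return out

# Constructed sample inference log line (not real data).
SAMPLE = {
    "ts": "2024-05-01T12:00:00Z",
    "patient_name": "Jane Example",
    "mrn": "00123456",
    "prompt": "Summarise visit for MRN 00123456, DOB 03/14/1980, contact jane@example.org",
    "completion": "Patient 123-45-6789 presents with ...",
    "latency_ms": 412,
}

if __name__ == "__main__":
    print(scrub_record(SAMPLE, b"rotate-this-key"))
```

The salt should be a secret rotated like any other key; the same value tokenises the same identifier to the same string, which is what lets a breach review trace records without the log itself holding PHI.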


Part of the 7wData AI Glossary. Tracking how concepts like this move in the expert conversation: daily signals at ins7ghts.com.