AI Security for Healthcare: HIPAA, AI Governance, and Patient Data in LLM Systems

HIPAA's Privacy and Security Rules were not written with LLMs in mind, but their requirements apply with full force to any system that creates, receives, maintains, or transmits protected health information. An AI system that ingests clinical notes, retrieves patient records, generates discharge summaries, or processes prior authorization documents is a HIPAA-covered system. The covered entity or business associate operating that system carries the same obligations for it as for any other PHI-processing application.

The Business Associate Agreement requirement is the most immediate compliance consideration for healthcare organizations deploying third-party AI. If you are using an LLM API provider, a cloud AI platform, or an AI-enabled SaaS product to process PHI, that vendor is a business associate. A BAA must be in place before any PHI flows to that system. This requirement is frequently bypassed in rapid AI deployment scenarios — a developer integrates an API to build a prototype, PHI enters the system for testing, and the BAA is never executed. OCR has taken enforcement action for exactly this pattern, and the absence of a BAA eliminates your ability to shift liability to the vendor in the event of a breach.

The Security Rule's technical safeguard requirements apply directly to AI system architecture. Access controls must ensure that only authorized users and systems can access PHI processed by the AI. Audit controls must capture activity in the AI system sufficient to reconstruct who accessed what PHI and when. Transmission security must protect PHI in transit between the user, the AI application, the model inference endpoint, and any connected data sources. For RAG-based systems that retrieve from clinical data repositories, the retrieval layer must enforce patient-level authorization — the same user who can access a patient's record through the EHR should be the only user whose AI queries can retrieve that patient's documents. Systems that retrieve based on semantic similarity without authorization enforcement are non-compliant with the Security Rule's access control requirements by design.

Security failures in most industries produce financial loss, reputational damage, or regulatory penalties. Security failures in healthcare AI can produce patient harm. An AI system that generates incorrect clinical information — whether through hallucination, prompt injection that introduces false content into a clinical summary, or retrieval of a wrong patient's records — does not just create a compliance problem. It creates a patient safety event with potential liability consequences that dwarf the compliance exposure.

This risk is not theoretical. Clinical documentation AI that hallucinates medication dosages, prior authorization AI that incorrectly summarizes clinical criteria, diagnostic support tools that are manipulated through adversarially crafted input data — each of these failure modes has a plausible path to patient harm. The security controls that matter most in healthcare AI are therefore not just the ones that prevent data exfiltration. They are the ones that ensure the AI system produces reliable, accurate outputs and that clinicians have sufficient context to identify when the system is wrong.

Human oversight requirements in healthcare AI follow from patient safety obligations, not just compliance preferences. Any AI system whose outputs influence clinical decisions — even indirectly, through documentation that clinicians rely on — requires defined human review checkpoints, clear labeling of AI-generated content, and escalation paths when the system's confidence is low or its outputs are inconsistent with other clinical data. These requirements exist independently of whether a regulator has formally mandated them. They follow from the duty of care that healthcare organizations owe their patients.

The FDA regulates AI software that meets the definition of a Software as a Medical Device — software intended to be used for a medical purpose. The regulatory boundary is function, not technology: an AI that assists with diagnosis, treatment planning, or clinical decision support is a SaMD candidate regardless of whether it is implemented as a rules engine or an LLM. The FDA's AI/ML-based SaMD action plan and its predetermined change control plan framework establish expectations for how AI medical devices should be developed, validated, monitored, and updated.

Digital health companies deploying AI for clinical use should conduct a formal FDA regulatory assessment early in product development, not after deployment. The consequences of discovering that a deployed product requires FDA clearance or approval — after it is in clinical use — include mandatory product recall, significant remediation cost, and potential enforcement action. The assessment should address whether the software meets the definition of a device, whether any exemption applies, and whether the intended use and algorithm performance meet FDA's expectations for the relevant device classification.

Even for AI deployments that fall outside FDA jurisdiction — administrative AI, revenue cycle tools, non-clinical decision support — the FDA's validation and monitoring framework provides a useful governance model. The requirement to define algorithm performance standards before deployment, monitor performance against those standards in production, and implement change controls that trigger revalidation when the algorithm is updated applies sound engineering and risk management principles that healthcare organizations should adopt regardless of whether they are legally required to do so.

Minimum necessary access is a foundational HIPAA principle that must be implemented technically in AI systems, not just stated in policy. An AI clinical documentation assistant should retrieve only the records relevant to the encounter being documented — not the patient's complete history, not records from other providers in the network, not administrative data unrelated to the clinical task. Implementing minimum necessary access in a RAG system requires query-time filtering that combines the semantic relevance of retrieved documents with the user's authorized scope and the clinical context of the current task. This is architecturally more complex than unrestricted retrieval, and it must be designed into the system from the beginning.

De-identification and tokenization strategies can reduce the PHI exposure of AI systems that do not require access to identified data. An AI used for population health analysis, quality measure reporting, or research does not require access to identified patient records. Deploying that AI against de-identified or tokenized data eliminates the HIPAA compliance surface for that system entirely and reduces the consequences of a security compromise. Healthcare organizations should evaluate whether each AI use case actually requires identified PHI or whether a de-identified dataset would serve the same purpose.

Incident response procedures for healthcare AI must address both the security dimension and the clinical dimension. A standard security incident response playbook covers containment, eradication, recovery, and notification. For healthcare AI incidents, the playbook must also address clinical impact assessment — were any care decisions influenced by AI outputs during the incident window, and if so, does that create a patient safety review obligation — and breach notification analysis under HIPAA's 60-day notification requirement. The intersection of these two response tracks requires coordination between the security team, the compliance team, and clinical leadership that most organizations have not pre-planned.

Compliant healthcare AI deployment is not a checklist — it is an architecture. The components are: a formal inventory of AI systems with PHI access and their associated risk classifications; executed BAAs with all third-party AI providers that process PHI; technical access controls that enforce minimum necessary access at the retrieval and inference layers; audit logging that captures AI interactions involving PHI with sufficient detail for breach investigation and regulatory review; human oversight mechanisms calibrated to the clinical risk of the AI's outputs; validation records that document performance standards and testing methodology; and incident response procedures that integrate security and clinical response tracks.

Healthcare organizations that are early in their AI governance journey should prioritize BAA execution and PHI flow mapping before anything else. You need to know exactly where PHI flows in relation to your AI systems — which providers it reaches, which storage systems it passes through, and which logs capture it — before you can assess whether your current controls are adequate. The mapping exercise frequently surfaces unauthorized PHI flows that were created without security review and that require immediate remediation regardless of any broader AI governance program.

The healthcare organizations that will deploy AI most successfully over the next several years are not the ones that deploy fastest. They are the ones that build the compliance and security infrastructure to deploy sustainably — without the operational disruption of an OCR investigation, a breach notification event, or a patient safety review triggered by an AI failure that could have been anticipated and prevented.