Healthcare is one of the highest-potential and highest-risk domains for AI adoption. Clinical decision support, medical coding, patient communication — the use cases are compelling. But HIPAA’s requirements for Protected Health Information (PHI) create serious compliance challenges.
The HIPAA Problem with AI APIs
HIPAA’s Privacy Rule restricts how covered entities can use and disclose PHI. When you send data to an AI API:
Is the AI Provider a Business Associate?
Probably not — unless you have a signed Business Associate Agreement (BAA). OpenAI, Anthropic, and most AI providers do not sign BAAs for their standard API services. This means:
- You cannot send PHI to these APIs without violating HIPAA
- The provider has no contractual obligation to protect PHI
- A breach at the provider would be your liability
De-Identification: The Safe Harbor
HIPAA provides a “safe harbor” for de-identified data. If PHI is properly de-identified according to HIPAA’s standards, it is no longer subject to the Privacy Rule.
The HIPAA de-identification standard requires removal of 18 specific identifiers, including:
- Names
- Geographic subdivisions smaller than state
- Dates (except year) directly related to individual
- Phone numbers, fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers
- Full-face photos
- Any other unique identifying number, characteristic, or code
Technical Implementation
Approach: Mask Before Sending
The safest approach is to de-identify PHI before any data reaches the AI API:
- Receive clinical text containing PHI
- Detect and replace all 18 HIPAA identifiers
- Send de-identified text to the AI API
- Re-identify the AI response (if needed for clinical use)
Using AI Privacy Gateway for PHI Masking
docker run -d -p 8080:8080 ghcr.io/gunxueqiu6/ai-privacy-gateway:latest
Configure the gateway with healthcare-specific detection patterns:
- Patient names and initials
- MRN (Medical Record Numbers)
- Dates of service
- Phone numbers and emails
- SSN and insurance IDs
All detected PHI is replaced with typed placeholders before the data reaches the AI provider. The gateway runs on-premise or in your HIPAA-compliant environment.
HIPAA Compliance Checklist for AI Usage
- Conduct a risk assessment for AI API usage
- Implement PHI de-identification before transmission
- Document de-identification methodology
- Train staff on PHI and AI policies
- Log all AI API calls for audit purposes
- Establish incident response procedures for PHI exposure
- Review AI provider data handling policies
- Obtain BAA where applicable
- Implement access controls for AI API usage
- Regular compliance reviews
The Bottom Line
HIPAA doesn’t mean you can’t use AI. It means you must de-identify PHI before any data leaves your controlled environment. A privacy proxy with healthcare-specific masking rules provides that protection automatically.