Healthcare AI Primer

Healthcare · Module 3

What HIPAA and BAA mean for AI evaluation

This is for executives translating privacy obligations into vendor-evaluation questions.

HIPAA and business associate agreement (BAA) questions are part of the AI evaluation surface, not paperwork that happens after the product team has already chosen a tool. They determine what data can be shared, what safeguards are required, and what accountability exists when a vendor handles protected health information (PHI).

The practical starting point is classification. Is the hospital a covered entity for the workflow? Is the vendor acting as a business associate because it creates, receives, maintains, or transmits protected health information on behalf of the hospital? Does the vendor rely on subcontractors that touch the same information? These are operational questions, not abstractions.

A BAA does not make a weak system acceptable. It clarifies permitted uses and disclosures, required safeguards, reporting obligations, and subcontractor expectations. The hospital still has to evaluate whether the technical and operational controls match the proposed workflow.

The HIPAA Security Rule frame is useful because it separates safeguards into administrative, physical, and technical categories. For AI review, that translates into governance, facility and environment controls, access controls, audit controls, integrity protections, transmission protections, and incident response.

AI adds pressure because some AI products ingest broad context. Summaries, prompts, embeddings, model logs, fine-tuning datasets, evaluation traces, and support tickets can all become part of the data-handling conversation. The hospital should not accept a diagram that only shows the main application and omits the supporting systems that also touch the data.

Retention deserves explicit attention. A vendor may need short-term logs for reliability or troubleshooting, but the hospital should understand retention duration, deletion process, secondary use, de-identification claims, and whether any data is used to improve a shared model or service.

The evaluation should also ask what happens during an incident. Who detects it, who notifies whom, what evidence is available, which systems are in scope, and how quickly the hospital can determine whether protected health information was involved?

This primer is educational, not legal advice. The useful CIO posture is to bring privacy, security, legal, clinical operations, and procurement into the AI review early enough that the workflow can still be changed.

[Domain diagram: What HIPAA and BAA mean for AI evaluation]
Caption (draft for review): A primer on why healthcare AI review has to include contracting, data handling, and operational controls.


Scaffold source: docs/runbooks/phase-1-vertical-primers.md#e010