Healthcare practices adopting AI keep asking the same question: do the HIPAA rules even apply to this? The answer is yes — and one requirement in particular tends to get skipped. The HIPAA Security Rule requires a risk analysis, and adding AI tools that touch patient data does not change that obligation. It widens its scope.
This is not new regulation reacting to AI. It is existing regulation that AI now falls squarely inside.
What the Security Rule actually covers
The HIPAA Security Rule is codified at 45 CFR Part 164, Subpart C, titled "Security Standards for the Protection of Electronic Protected Health Information." The scope matters: the Security Rule applies to electronic protected health information (ePHI) specifically. Under 45 CFR §164.306(a), covered entities and business associates must "[e]nsure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits."
Read that list of verbs again — creates, receives, maintains, or transmits. An AI transcription tool that receives a clinical encounter, an LLM that a billing team transmits claims data to, a model that maintains a copy of what it was shown: each is a new place ePHI lives or moves. The Security Rule reaches all of it.
The requirement that gets skipped: risk analysis
Within the Security Rule's administrative safeguards, the risk analysis is a Required implementation specification, not an "addressable" one (and even addressable specifications are not optional under 45 CFR §164.306(d)(3): they must be implemented, or the reason they were not and any equivalent alternative measure must be documented). 45 CFR §164.308(a)(1)(ii)(A) states it directly:
"Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
Two words in that text carry weight when AI is involved: accurate and thorough. A risk analysis that does not account for the AI tools your staff are actually using is, by definition, neither. If a practice adopted an ambient documentation tool eighteen months ago and the last risk analysis predates it, the analysis no longer reflects where ePHI flows — and the requirement is not satisfied by a document that is merely on file.
The HHS Office for Civil Rights (OCR) enforces the Security Rule. In practice, an incomplete or stale risk analysis is one of the most common gaps — and it is the foundation everything else in the Security Rule builds on. You cannot implement reasonable and appropriate safeguards for risks you have not identified.
What an AI-aware risk analysis has to find
In our methodology, an AI-aware HIPAA risk analysis starts by answering a question most practices cannot answer cleanly: where, exactly, does AI touch ePHI? That means inventorying not just the AI tools you bought, but the AI features embedded in software you already use, and the unsanctioned tools staff reach for under time pressure. Until that map exists, the "accurate and thorough" standard is out of reach.
From there, the analysis examines the same dimensions the Security Rule has always cared about, now at the model layer: who can access the AI systems and how that access is controlled; what data is sent to them and whether it exceeds what the task requires; whether the vendor relationship is governed by an agreement that actually covers AI processing; and how an exposure would be detected and handled.
None of that is exotic. It is the existing risk-analysis obligation, applied honestly to a surface that has grown.
The practical takeaway
If your practice has adopted AI and your risk analysis has not been refreshed to reflect it, the gap is not theoretical. It is the exact requirement OCR looks for first, and the one a cyber-insurer or hospital-partner vendor review will ask you to evidence.
An independent assessment maps your AI surface, evaluates it against the HIPAA Security Rule and the NIST AI Risk Management Framework, and delivers a signed report you can put on file. If you want to know where you actually stand before someone else asks, book a scoping call — or start with our free AI readiness quiz.
This article is general information, not legal advice. Verify specific requirements against the current regulatory text and consult counsel for your situation.
