HIPAA is where a lot of clinical AI enthusiasm quietly dies — usually later than it should, in a security review three weeks before go-live, when someone finally asks where the patient data actually goes.
It doesn't have to be a blocker. But it does have to be a real conversation early, in plain operational language, not a checkbox at the end. Having built a HIPAA-compliant clinical AI product, I can tell you the compliance work isn't glamorous and it isn't optional — and the vendors worth buying from can discuss it without flinching.
Here's what "HIPAA-aware deployment" actually means, past the acronym.
A BAA is the floor, not the finish line
Any vendor touching PHI has to sign a Business Associate Agreement. But a signed BAA doesn't tell you how the data is handled — it tells you someone is contractually on the hook. Read what it actually covers, then ask the operational questions underneath it.
Know where the data lives and who can touch it
- Where is PHI stored and processed, and in whose cloud?
- Who — human and service account — can access it, and on what basis?
- Is access least-privilege, or does everyone with a login see everything?
- Is every access logged, and can you actually review those logs?
If a vendor can't answer these crisply, the risk isn't hypothetical. It's that they haven't thought about it.
Ask the question vendors don't volunteer: are you training on our data?
Many AI products improve by learning from usage. That's fine — unless "usage" means your patients' data and nobody told you. Ask directly whether your data trains their models, whether you can opt out, and what happens to your data if you leave.
Plan for when something goes wrong
Compliance isn't only prevention; it's response. Is there an incident-response plan you can read? Who gets notified, how fast, and what's the remediation path? A vendor with a real plan has thought about failure. A vendor surprised by the question hasn't.
Retention and exit
- How long is data kept, and can you delete on request?
- Can you export your data cleanly if you switch vendors?
- What's the off-ramp, and how much does it cost you in switching pain?
The point
None of this is about being a compliance pessimist. It's about treating HIPAA as a design constraint you handle up front — the way you'd handle any other requirement — instead of a surprise you discover at the security review. The teams who do this well aren't slower. They're just not rebuilding the plane after takeoff.
If your AI initiative can't answer these questions before you buy, you don't have a deployment plan yet. You have a demo and some optimism.
Prabhat Garg, M.D. is a practicing hospitalist and clinical AI strategy advisor. He helps health systems, health-tech companies, and investors decide what clinical AI to buy, build, avoid, and deploy.