A PHI risk checklist for healthcare teams evaluating AI tools, prompts, uploads, transcripts, model training, retention, and business associate terms.
This checklist is for general healthcare compliance research and is not legal advice. PHI analysis depends on facts, contracts, roles, and applicable law. Use qualified privacy and security review before deployment.
2026/06/06
Before putting AI into a healthcare workflow, identify whether the tool will receive PHI, de-identified data, operational data, or no patient data at all. The answer may differ from feature to feature: a vendor may support a public marketing workflow that is safe to use and a separate clinical workflow that requires stronger controls.
PHI can appear in prompts, uploaded files, screenshots, audio, transcripts, generated summaries, support tickets, logs, and analytics events. A procurement review should cover each of those data paths.
Ask whether the vendor offers a BAA for the exact product and feature set. Confirm subcontractors, data locations, retention, deletion, breach notification, audit logs, and whether customer data is used to train or improve models. If the answer depends on an enterprise configuration, document that configuration before a pilot.
For internal rollout, define who may use the tool, what data they may enter, where outputs may be copied, and how violations are monitored. A vendor with adequate controls can still be misused when the internal workflow is unclear.
Begin with a narrow workflow, limited users, documented allowed data types, and a review period. Monitor whether staff paste more information than expected, whether outputs include hidden PHI, and whether the tool stores content in places the organization did not intend.
Related glossary entries include PHI, HIPAA, BAA, and HIPAA-compliant AI. HHS publishes official material on the HIPAA Privacy Rule, business associates, and the Security Rule.