HIPAA Compliance

What Compliable checks for when validating AI-generated content against the Health Insurance Portability and Accountability Act (HIPAA).

Overview

HIPAA (Health Insurance Portability and Accountability Act) regulates how Protected Health Information (PHI) is handled in the United States. It applies to:

  • Covered entities — Healthcare providers, health plans, healthcare clearinghouses
  • Business associates — Third-party vendors that handle PHI on behalf of covered entities

If your AI generates content that includes PHI (patient records, discharge summaries, billing notices, etc.), you must ensure it complies with HIPAA's Privacy Rule and Security Rule.

Jurisdiction: Set jurisdiction: "US_HIPAA" to enable HIPAA checks.

Common Violations Compliable Detects

Unnecessary PHI Disclosure

CRITICAL

HIPAA Privacy Rule § 164.502(b) — Minimum Necessary Standard

The Issue: AI-generated content includes more PHI than necessary for the stated purpose.

❌ "Your appointment is confirmed for John Doe, DOB 05/12/1980, SSN 123-45-6789, diagnosed with diabetes."

Why It Fails: HIPAA's "minimum necessary" rule requires limiting PHI to what's needed. Appointment confirmations don't need SSN or diagnosis.

✓ "Your appointment is confirmed for Thursday, May 12 at 2:00 PM."

Missing Patient Rights Notice

HIGH

HIPAA Privacy Rule § 164.520 — Notice of Privacy Practices

The Issue: AI-generated privacy notices omit required patient rights (access, amendment, accounting of disclosures).

❌ "We protect your health information and share it only as necessary."

Why It Fails: HIPAA requires a Notice of Privacy Practices that explicitly lists patient rights: right to access PHI, request amendments, receive accounting of disclosures, and request restrictions.

✓ "Your Rights: You have the right to access your health information, request amendments, receive an accounting of disclosures, and request restrictions on use."

No Safeguard Disclosure

MEDIUM

HIPAA Security Rule § 164.308(a)(1)(ii)(B) — Risk Management

The Issue: Privacy policies don't mention technical or administrative safeguards used to protect PHI.

❌ "We take reasonable steps to protect your data."

Why It Fails: HIPAA requires disclosure of specific safeguards (encryption, access controls, audit logs).

✓ "We protect PHI using encryption (AES-256), role-based access controls, and audit logging."

Missing Breach Notification Process

HIGH

HIPAA Breach Notification Rule § 164.404

The Issue: Privacy policies don't explain how patients will be notified in case of a PHI breach.

❌ "We will handle security incidents appropriately."

Why It Fails: HIPAA's Breach Notification Rule requires notification within 60 days of discovery. Policies must state this.

✓ "In the event of a breach affecting your PHI, we will notify you within 60 days via mail or email."

What is Protected Health Information (PHI)?

PHI includes any health information that can be used to identify an individual, such as:

  • Names, addresses, phone numbers, email addresses
  • Medical record numbers, health plan beneficiary numbers
  • Social Security numbers, driver's license numbers
  • Biometric identifiers (fingerprints, voiceprints)
  • Photos of patients
  • Dates (birth, admission, discharge, death)
  • Any health-related data (diagnoses, treatment plans, prescriptions, billing records)

Important: De-identified data (with all 18 HIPAA identifiers removed) is not considered PHI and can be used more freely.
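As an added example (not Compliable's own code), the following local pre-check applies the minimum-necessary standard to the identifier categories listed above: it flags pattern-matchable PHI that the stated content context does not justify, grades the finding, and redacts the text to its minimum-necessary form. The regexes, the context names and the per-context allow-lists are constructed assumptions, not Compliable's rule set.

```python
import re
from dataclasses import dataclass

# Added example, not Compliable's code; patterns and allow-lists are constructed.
# Pattern-matchable categories from the PHI list above (names/photos omitted).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?:SSN\s*:?\s*)?\d{3}-\d{2}-\d{4}\b", re.I),
    "dob": re.compile(r"\bDOB\s*:?\s*\d{2}/\d{2}/\d{4}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*:?\s*\d{6,}\b", re.I),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "diagnosis": re.compile(r"\bdiagnosed with\s+\w+", re.I),
}

# Assumed minimum-necessary policy: categories each content type may carry.
# An appointment confirmation needs only the appointment date and time.
MINIMUM_NECESSARY = {
    "appointment_confirmation": frozenset(),
    "billing_notice": frozenset({"mrn"}),
}
CRITICAL = frozenset({"ssn", "diagnosis"})  # most damaging if over-disclosed


@dataclass(frozen=True)
class Finding:
    category: str
    text: str
    severity: str


def check_minimum_necessary(content: str, context: str) -> list[Finding]:
    """Return one Finding per PHI element not permitted in this context."""
    allowed = MINIMUM_NECESSARY.get(context, frozenset())
    findings = []
    for category, pattern in PHI_PATTERNS.items():
        if category in allowed:
            continue
        for m in pattern.finditer(content):
            severity = "CRITICAL" if category in CRITICAL else "HIGH"
            findings.append(Finding(category, m.group(0), severity))
    return findings


def redact_to_minimum(content: str, context: str) -> str:
    """Replace every disallowed PHI element with a labelled placeholder."""
    allowed = MINIMUM_NECESSARY.get(context, frozenset())
    for category, pattern in PHI_PATTERNS.items():
        if category not in allowed:
            content = pattern.sub(f"[{category} REMOVED]", content)
    return content
```

Run against the failing appointment confirmation shown above, the check reports the DOB, SSN and diagnosis, and the redacted output keeps only the date and time the confirmation actually needs.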

Example Check

Request

curl -X POST https://api.compliable.dev/v1/check \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Your appointment is confirmed for John Doe, DOB 05/12/1980.",
    "context": "email",
    "jurisdiction": "US_HIPAA"
  }'

Further Reading