Are AI assistants business associates?

If hired by a covered entity and having access to protected health information (PHI), it may be considered a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). 

Understanding HIPAA basics

A covered entity is any organization or person that directly handles PHI in the course of providing healthcare services or processing healthcare transactions. On the other hand, a business associate is a person or organization (other than a healthcare provider’s workforce) that creates, receives, maintains, or transmits PHI on behalf of a covered entity or provides services that involve access to PHI.

AI systems don’t neatly fall into either category, but how they are used and deployed determines whether they qualify as business associates or not.

Where do AI assistants fit in healthcare?

According to Google Health (quoted in the study, Artificial intelligence in healthcare: transforming the practice of medicine), “AI is poised to transform medicine, delivering new, assistive technologies that will empower doctors to better serve their patients.”

Its applications in healthcare as identified in the study Revolutionizing healthcare: the role of artificial intelligence in clinical practice, include: 

• Disease diagnosis and detection
• Predictive analytics
• Clinical decision support and treatment personalization
• Laboratory and diagnostic workflow automation
• Public health and population health management
• Virtual and mental health support

Read also: The future of AI in healthcare: the HHS’ vision

When an AI assistant is a business associate

If an AI assistant processes PHI on behalf of a healthcare provider, health plan, or clearinghouse, then it falls under the definition of a business associate.

Examples:

• Clinical documentation AI: Tools that generate patient visit notes directly from physician dictation.
• Medical chatbots: AI that answers patient-specific questions about lab results or medication instructions.
• Virtual scheduling assistants: Tools that manage appointments and require access to patient names, contact information, and health records.

In these cases, the AI vendor must:

• Sign a business associate agreement (BAA) with the covered entity.
• Ensure compliance with HIPAA privacy and security requirements.
• Implement safeguards to protect PHI from unauthorized access, breaches, or misuse.

When an AI assistant is not a business associate

If the AI assistant does not access or handle PHI, then it is not considered a business associate.

Examples:

• General productivity AI: Tools that help draft non-clinical emails or manage internal schedules without referencing patient information.
• Educational assistants: AI that summarizes medical literature or provides drug reference information for clinicians.
• De-identified data analysis: AI systems that process datasets stripped of identifiers, making re-identification of patients impossible.

In these cases, no BAA is required because PHI is not being created, received, or transmitted.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

Is AI replacing healthcare professionals?

No. AI is designed to augment, not replace, clinicians. It reduces administrative burden, improves accuracy, and offers decision support, but human oversight and expertise remain essential.

What are the challenges of adopting AI in healthcare?

Key challenges include ensuring patient privacy, preventing algorithmic bias, integrating with existing systems, training healthcare staff, and complying with regulations like HIPAA or GDPR.