If you've searched "AI and HIPAA" recently, you've probably found law firm blog posts, vendor marketing pages, and compliance-tool sales copy. Regulations are changing, so it's worth knowing which sources are primary, which are trustworthy secondary interpreters, and which add little independent value beyond restating what others have already said.

 

Start with the primary source

The Section 1557 "Dear Colleague" letter. OCR issued formal guidance titled Ensuring Nondiscrimination Through the Use of Artificial Intelligence and Other Emerging Technologies, which applies the Affordable Care Act's nondiscrimination rule to AI-based "patient care decision support tools.” It isn't itself HIPAA, but it's the clearest statement of how the federal government wants AI governed in clinical settings, and it lays out expectations such as knowing what input variables your AI tools use, get information from vendors about training data, train staff to spot discriminatory outputs, and keep a human able to override the tool's decisions.

The proposed HIPAA Security Rule update. In January 2025, OCR published a Notice of Proposed Rulemaking that would be the first overhaul of the Security Rule in about two decades. Mandatory encryption, required multi-factor authentication, a 72-hour breach reporting window, and annual penetration testing, among other changes. For AI purposes, the proposal would bring ePHI used in AI training data, prediction models, and algorithms within HIPAA's scope, and would require organizations to inventory AI software touching ePHI as part of their security risk analysis. As of mid-2026, this remains a proposed rule, not final law. A coalition of over 100 hospital and provider groups has pushed HHS to withdraw it, citing the roughly $9 billion first-year cost HHS itself projected, and OCR has not published a final rule despite an earlier target of spring 2026. Anyone writing or reading about this topic should be careful to distinguish "OCR proposed" from "OCR finalized."

HHS's AI Strategic Plan. HHS has also published a broader strategic plan for using AI to protect the health and wellbeing of Americans, which frames how OCR's more specific guidance fits into agency priorities.

 

White House AI policy documents

Alongside HHS-specific guidance, the White House has released a series of AI policy documents that shape the broader environment healthcare organizations are operating in, even though most of them don't touch HIPAA directly.

America's AI Action Plan (July 2025). Titled Winning the Race: America's AI Action Plan, this is the administration's central AI policy document, issued under Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence. It is organized around three pillars, that include, accelerating AI innovation, building AI infrastructure, and leading in international AI diplomacy and security and it names healthcare specifically as a priority sector alongside energy and agriculture. For healthcare organizations, the relevant provisions include a directive for NIST to convene sector-specific efforts to develop AI standards for healthcare, calls for regulatory sandboxes and AI testbeds where healthcare AI tools could be piloted in real-world settings, and a plan for a DHS-led AI Information Sharing and Analysis Center (AI-ISAC) to share cyber threat intelligence across critical infrastructure sectors, healthcare included. The plan is deregulatory in orientation, prioritizing rapid deployment over new rulemaking, and several commentators have noted it says relatively little about patient privacy, data governance, or consent which is where HIPAA and the still-pending Security Rule update fill the gap.

The National AI Policy Framework executive order (December 2025). This order called for a unified national AI policy framework and directed a DOJ task force to identify state AI laws that conflict with federal policy, signaling a push toward federal preemption of the state-level AI laws mentioned above.

Promoting Advanced Artificial Intelligence Innovation and Security (June 2026). The most recent executive order in this sequence directs agencies including DHS and CISA to prioritize cyber defense of federal AI systems and sets tight deadlines for specific agency deliverables. Notably, unlike some earlier orders, it contains no mention of privacy, consumer protection, algorithmic fairness, or data governance,reinforcing that any federal AI privacy framework, if one emerges, is more likely to come from HHS/OCR rulemaking or standalone legislation (such as the SECURE Data Act, introduced in April 2026) than from executive action.

Read together, these documents are useful for understanding where federal AI policy is headed, but they are not a substitute for HIPAA-specific guidance. The Action Plan and its follow-on orders describe the administration's deregulatory posture and infrastructure priorities, they don't create or modify HIPAA obligations. Organizations should treat OCR guidance as the operative compliance standard and the White House documents as context for how aggressively (or not) that standard is likely to be enforced or expanded going forward.

 

The regulatory stack is bigger than HIPAA alone

One of the more useful things to understand is that HIPAA doesn't operate alone when AI is involved. Depending on what the AI tool does, you may also be dealing with:

  • FDA clinical decision support guidance, which determines whether an AI tool counts as a regulated medical device
  • State AI laws - In 2025, 47 states introduced more than 250 health-AI bills, and 33 became law across 21 states, that pace has continued into 2026. A few examples show this:
    • Texas - the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), effective January 2026, requires providers to give patients written disclosure whenever AI is used in diagnosis or treatment.
    • California - building on SB 1120 and AB 3030 (effective 2025), newer laws AB 489 and SB 243 (effective January 2026) bar AI systems from implying they hold a healthcare license and impose safety protocols on companion chatbots, including crisis-detection requirements.
    • Illinois - HB 1806 requires patient notification (and in some cases consent) when AI is used in care, while a separate law bars AI from making independent therapeutic decisions in behavioral health settings.
  • The FTC, which has enforcement authority over deceptive claims about AI and data practices, even outside HIPAA's reach.

 

Reliable secondary sources

  • Health law firms with a regulatory practice - Firms that regularly file comments on HHS rulemaking (rather than just blogging about it) tend to produce the most accurate, citation-heavy analysis.
  • Industry associations filing formal comments - Organizations like the American Hospital Association periodically submit formal responses to HHS requests for information on AI in health care. These documents are worth reading directly because they reflect what the regulated industry is actually telling the government it needs.
  • NIST's AI Risk Management Framework - While not a HIPAA requirement, NIST's AI RMF is a widely referenced voluntary framework for evaluating AI risk (validity, reliability, safety, explainability, fairness) that many health organizations use alongside HIPAA to build a defensible AI governance program.

 

What to be skeptical of

Be cautious of any source that:

  • States the 2025 proposed Security Rule update is already in effect (it is not, as of mid-2026)
  • Implies HIPAA doesn't apply to AI vendors, business associate obligations generally still apply
  • Treats a single state's AI law as a national standard
  • Doesn't distinguish between OCR guidance (non-binding but informative) and OCR rules (binding once finalized)

 

FAQs

Does HIPAA apply if a doctor uses a public tool like ChatGPT to draft notes?

Yes, pasting PHI into a public AI tool without a signed business associate agreement is generally a HIPAA violation regardless of intent.

 

Is de-identified data used to train an AI model still covered by HIPAA?

No, but only if it meets HIPAA's Safe Harbor or Expert Determination de-identification standard.

 

Do AI vendors need to sign a business associate agreement (BAA)?

Yes, if the vendor creates, receives, maintains, or transmits PHI on a covered entity's behalf, it is a business associate under HIPAA regardless of whether its product is described as "AI."

 

Does a state AI law override HIPAA?

No. HIPAA generally preempts contrary state law, but states can and do impose additional AI-specific disclosure or consent requirements on top of HIPAA's existing laws.

 

Does the FDA regulate AI diagnostic tools separately from HIPAA?

Yes. HIPAA governs the privacy and security of the data an AI tool touches, while the FDA separately determines whether the AI tool itself qualifies as a regulated medical device.