HIPAA AI Tool Vetting Checklist

A structured checklist for evaluating AI tools before allowing staff to use them in patient care or administrative contexts involving PHI. Covers BAA availability, data residency, training data policy, security certifications, subprocessor disclosure, data retention and deletion terms, and incident notification procedures. Includes scoring rubric and minimum requirements for HIPAA-eligible use.

Short answer

A structured checklist for evaluating AI tools before PHI is shared: BAA availability, data residency, training data policy, security certifications, subprocessor disclosure, retention and deletion terms, and incident notification — with a scoring rubric and minimum HIPAA-eligible use threshold.

What is inside

BAA availability section: does the vendor offer a BAA, on which pricing tier, what does the BAA cover, and what does it exclude — critical because many AI vendors offer BAAs only at enterprise pricing tiers
Training data policy evaluation: the single most important question for AI tools — whether the vendor uses customer inputs to train or improve their models, because if they do, no PHI may ever be entered
Data residency and foreign data storage: confirmation that data is stored and processed on U.S. servers, relevant for covered entities operating under U.S. law and for any state law requirements
Security certification check: SOC 2 Type II, ISO 27001, HITRUST CSF — what certifications the vendor holds and whether the certificate covers the specific product being used
Scoring rubric with a defined minimum threshold: specific criteria that must be met before any PHI may be shared with the tool, regardless of how useful the tool is in practice

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 28, 2026

Best next step: Open the matching product path

Sources

Download the PDF

Evaluate any AI tool for HIPAA compliance before your staff uses it

Enter your email and we will send the PDF.

Questions

A staff member is already using an AI tool without clearance. What should we do?

Stop further PHI input immediately and assess whether PHI has already been entered. If PHI was entered into an unapproved tool, that is a potential breach under 45 CFR § 164.402 and requires a risk assessment using the four-factor test. Complete the vetting checklist for the tool. If the tool cannot meet minimum HIPAA requirements, it must be prohibited. Document the incident and any corrective action in your incident log regardless of whether a reportable breach occurred.

A free AI tool says it does not offer a BAA. Can we use it for non-PHI tasks?

Potentially yes, if you can guarantee that no PHI is ever entered. The practical challenge is that staff in a clinical environment often share PHI inadvertently — a patient name in a scheduling question, a diagnosis in a documentation request. If there is no BAA and no organizational guardrail that reliably prevents PHI entry, the tool should not be used on clinic devices or by clinic staff during clinical operations.

The vendor says they are HIPAA compliant. Is that enough?

No. 'HIPAA compliant' is not a certification — there is no federal certification program for HIPAA compliance. Any vendor can claim HIPAA compliance. What matters is whether the vendor will sign a BAA, what the BAA covers, whether their security program is verified by an independent auditor (SOC 2 Type II is the standard), and whether their data handling terms are compatible with your obligations as a covered entity. This checklist evaluates all of those dimensions.

Is this free?

Yes. Enter your email and we will send the full resource to your inbox.

Why do you need my email?

We send the resource directly to your inbox. We will not add you to a marketing list without your consent.