Your Hospital Follows HIPAA. The AI Processing Your Data Might Not.
Most patients assume that anything happening inside a hospital or clinic is covered by federal privacy law. That assumption is reasonable. It’s also not always true.
HIPAA, the Health Insurance Portability and Accountability Act, protects your medical information from being used or shared without your knowledge. But HIPAA has boundaries. And right now, AI technology is slipping through the gaps in ways most patients never see coming.
How HIPAA Is Supposed to Work
HIPAA applies to what it calls “covered entities” like hospitals, clinics, doctor’s offices, health insurance companies, and similar organizations. These entities are required to protect your protected health information, or PHI. That includes your name, your diagnosis, your test results, your treatment history, and anything else that could identify you in connection with your health care.
Covered entities are also responsible for the outside companies they work with. Under HIPAA, vendors and contractors who handle your data on behalf of a hospital are called “business associates.” Think billing companies, transcription services, software providers. These business associates are required to sign a Business Associate Agreement, or BAA, which is a legal contract that spells out exactly how your data can be used, stored, and protected.
When a BAA is in place and everyone follows the rules, the system works. Your data is protected at the hospital and by anyone the hospital shares it with.
The problem is what happens when that contract doesn’t exist, or when the technology moves faster than the paperwork.
Where AI Creates a Gap
Healthcare AI tools are showing up everywhere right now: ambient documentation glasses, AI scribes that transcribe appointments, scheduling chatbots, clinical note generators. Many of these tools are provided by outside technology companies that the hospital has hired to make workflows faster or easier.
Here is where it gets complicated for patients.
If the AI vendor handling your data hasn’t signed a Business Associate Agreement with the hospital, that vendor may fall entirely outside HIPAA’s reach. Your data could be processed, stored, or even used to train AI models, with none of the legal protections HIPAA is supposed to guarantee.
In plain language: the hospital is following the law. The company receiving your data may not be required to.
This isn’t a hypothetical edge case. A 2025 legal analysis from MDRx Law found that many Business Associate Agreements still in use were written years before AI existed as a clinical tool — meaning they were never designed to address how AI systems collect, retain, and learn from patient data. An outdated BAA can be nearly as problematic as no BAA at all.
The AI Training Problem
One of the least understood risks involves how AI systems are built and improved over time.
Most AI tools get better by learning from data. In a healthcare setting, that data is often patient information. Some vendors include language in their terms of service that allows them to use patient data to train or improve their AI models, unless a contract specifically prohibits it.
According to healthcare privacy experts, a strong Business Associate Agreement should explicitly ban the use of your PHI for AI training purposes without your separate written authorization. Many agreements don’t include that language. Patients are almost never told either way.
This means your appointment, including what you said, what your provider said, what was documented, could potentially become part of a dataset used to build or refine a commercial AI product. Without your knowledge. Without your consent.
What “De-Identified” Data Actually Means
Hospitals and vendors sometimes point out that data can be “de-identified,” meaning stripped of obvious personal details like your name and birthdate, before being shared with outside parties. Under HIPAA, de-identified data is no longer considered protected health information and can be used more freely.
The catch: de-identification is not as clean a process as it sounds.
AI systems are exceptionally good at cross-referencing datasets. A combination of your age, your zip code, your diagnosis, and your appointment date can be enough to re-identify you, even without your name attached. Research has shown that a patient’s birth date, sex, and zip code alone can uniquely identify more than half of the U.S. population.
De-identification reduces risk. It does not eliminate it.
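To make the re-identification point above concrete, here is an added example (written for this page, not taken from the article, any hospital, or any vendor). It runs a k-anonymity check over a small, constructed “de-identified” export: the name column has been dropped, but birth date, sex, ZIP code and diagnosis remain. All records, field names and the generalization rule are hypothetical. It also goes one step beyond the article by checking l-diversity, which asks whether a group of look-alike records still leaks the diagnosis even when no single record is unique.

```python
"""
Added example: measure re-identification risk of a "de-identified" dataset.

k-anonymity: for each record, count how many records share the same
quasi-identifier values (birth date, sex, ZIP). A class of size 1 means the
record is unique and could be singled out by linking those same fields to
any other dataset that carries them.

l-diversity: even when every class has k >= 2, a class whose members all
share one diagnosis still reveals that diagnosis for anyone known to be in
the class. l is the number of distinct sensitive values per class.
"""
from collections import Counter, defaultdict

# Constructed, hypothetical "de-identified" export. Names were removed, but
# the remaining columns are exactly the kind of quasi-identifiers the
# article warns about.
RECORDS = [
    {"birth_date": "1984-03-12", "sex": "F", "zip": "02139", "diagnosis": "asthma"},
    {"birth_date": "1984-11-02", "sex": "F", "zip": "02139", "diagnosis": "asthma"},
    {"birth_date": "1984-07-30", "sex": "F", "zip": "02138", "diagnosis": "asthma"},
    {"birth_date": "1971-01-19", "sex": "M", "zip": "02139", "diagnosis": "hypertension"},
    {"birth_date": "1971-09-05", "sex": "M", "zip": "02139", "diagnosis": "hypertension"},
    {"birth_date": "1971-05-23", "sex": "M", "zip": "02140", "diagnosis": "diabetes"},
]

QUASI_IDS = ("birth_date", "sex", "zip")  # assumed quasi-identifier columns


def _key(record, quasi_ids):
    """The tuple of quasi-identifier values that defines a record's class."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_ids) for r in records)


def min_k(records, quasi_ids):
    """The k in k-anonymity: size of the smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi_ids):
    """Indices of records that are alone in their class (k = 1), i.e. re-identifiable."""
    classes = equivalence_classes(records, quasi_ids)
    return [i for i, r in enumerate(records) if classes[_key(r, quasi_ids)] == 1]


def min_l(records, quasi_ids, sensitive):
    """The l in l-diversity: fewest distinct sensitive values found in any class."""
    values = defaultdict(set)
    for r in records:
        values[_key(r, quasi_ids)].add(r[sensitive])
    return min(len(v) for v in values.values()) if values else 0


def generalize(record):
    """Coarsen quasi-identifiers: keep only the birth year and a 3-digit ZIP prefix.

    This is one hypothetical generalization rule, not a HIPAA-prescribed one."""
    g = dict(record)
    g["birth_date"] = record["birth_date"][:4]
    g["zip"] = record["zip"][:3]
    return g


def risk_report(records, quasi_ids, sensitive="diagnosis"):
    """Summarize how exposed a dataset is before releasing it."""
    return {
        "records": len(records),
        "k": min_k(records, quasi_ids),
        "unique": len(unique_records(records, quasi_ids)),
        "l": min_l(records, quasi_ids, sensitive),
    }


if __name__ == "__main__":
    generalized = [generalize(r) for r in RECORDS]
    print("raw export  ", risk_report(RECORDS, QUASI_IDS))
    print("generalized ", risk_report(generalized, QUASI_IDS))
```

On the raw export every record is unique (k = 1) because exact birth dates differ, so dropping the name protected nobody. After generalizing to birth year and 3-digit ZIP, k rises to 3 and no record is unique, but the first class is all “asthma” (l = 1), so the diagnosis is still disclosed for anyone known to be a woman born in 1984 in that ZIP prefix. That is the sense in which de-identification reduces risk without eliminating it.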
Questions You Have the Right to Ask
You won’t find this information in the paperwork handed to you at check-in. You have to ask for it directly. These are reasonable questions every patient can raise:
- Does this facility use any third-party AI tools that access my health information?
- Has every AI vendor with access to my data signed a Business Associate Agreement with this facility?
- Do any of those agreements allow my data to be used to train AI models?
- What happens to my data if the facility stops using a particular AI vendor?
- Can I opt out of having my information processed by AI tools?
- Where can I read the facility’s Notice of Privacy Practices in full?
Ask these questions at the front desk, or request to speak with the facility’s HIPAA Privacy Officer. Every covered entity is required to have one, and that officer is required to respond to patient concerns about data privacy.
Under HIPAA, you also have the right to request an accounting of disclosures, which is a record of who your health information has been shared with and why. You can submit that request in writing at any time.
What to Do If the Answers Aren’t Good Enough
If a facility can’t tell you whether its AI vendors have signed Business Associate Agreements, or refuses to engage with your questions, you have options:
- Request everything in writing. Ask for a copy of the facility’s Notice of Privacy Practices and their written policy on AI tool use. A facility that won’t provide these in writing is itself a red flag.
- File a complaint with HHS. The Office for Civil Rights enforces HIPAA and investigates patient complaints. You can file online, by phone, or by mail. The OCR collected over $9.9 million in HIPAA settlements in 2024 alone, with business associate agreement failures cited as a contributing factor in multiple cases.
- Contact your state attorney general. Some states have privacy laws that go further than federal HIPAA. If your state is one of them, the attorney general’s office may be an additional avenue for a complaint.
- Consult a patient rights attorney. If you believe your data was shared or used in ways that violated your rights, many attorneys who specialize in health privacy offer free initial consultations.
The Bigger Picture
HIPAA was written in 1996. The AI tools now processing patient data in real time weren’t imaginable then. The law has been updated over the years, and the Department of Health and Human Services proposed new Security Rule amendments in early 2025 that specifically address AI as a risk, but proposed rules take time to become enforceable requirements.
In the meantime, the gap between what patients assume HIPAA covers and what it actually covers is real. The hospital following the law and the AI vendor operating outside it can exist inside the same exam room at the same time.
Knowing that is the first step. Asking about it is the second.
Your health information belongs to you. So does the right to know what happens to it. Browse the RYOC library for more on understanding and protecting your rights as a patient.
