RuleSync
Enterprise

AI Rules for HIPAA Compliance

HIPAA compliance requires specific technical safeguards for Protected Health Information. AI rules must encode the Security Rule's administrative, physical, and technical safeguards into code generation patterns.

7 min read·July 5, 2025

HIPAA's Security Rule has 5 technical safeguards. AI rules must implement all 5 in every feature that touches PHI.

Access control, audit controls, integrity, authentication, transmission security, and the encryption safe harbor

The HIPAA Security Rule: Technical Safeguards

The HIPAA Security Rule (45 CFR Part 164) defines three categories of safeguards: administrative (policies and procedures), physical (facility and workstation security), and technical (technology controls). AI-generated code primarily implements technical safeguards, though it must also support administrative safeguards through audit and reporting features. The technical safeguards are: access control (164.312(a)), audit controls (164.312(b)), integrity (164.312(c)), person or entity authentication (164.312(d)), and transmission security (164.312(e)).

Required vs addressable: HIPAA technical safeguards are either Required (must be implemented) or Addressable (must be implemented if reasonable and appropriate; if not, document why an alternative is used). AI rule: 'Implement all Required safeguards without exception. For Addressable safeguards: implement them unless the project has a documented reason not to. The AI should default to implementing all safeguards — it is easier to implement than to document why you did not.'

The compliance approach: rather than retrofitting HIPAA compliance, the AI should generate HIPAA-compliant code from the start. Every feature that touches PHI (Protected Health Information) should include: access control, audit logging, encryption, and integrity checking as part of the initial implementation, not as a follow-up task.

Access Control and Audit Controls

164.312(a) Access Control — Required implementations: unique user identification (each user has a unique ID, no shared accounts), emergency access procedure (break-the-glass access for emergencies). Addressable: automatic logoff (session timeout), encryption and decryption of PHI at rest. AI rule: 'Every user in the system has a unique identifier. No shared accounts, no shared API keys for PHI access. Session timeout: configurable, default 15 minutes for PHI-accessing sessions. Emergency access: allowed but audited separately with reason codes.'

164.312(b) Audit Controls — Required: implement hardware, software, and procedural mechanisms that record and examine activity in systems that contain PHI. AI rule: 'Every PHI access event must be logged: who (user ID), what (record accessed, fields viewed), when (timestamp), where (IP address, application), and how (API call, UI view, export). Logs must be: immutable (append-only), retained for 6 years, and reviewable by compliance officers. Generate audit log entries for every database query that returns PHI.'

The practical implementation: use middleware or database hooks to automatically generate audit entries. The AI should not rely on developers manually adding audit.log() calls — it should generate architectural patterns that make audit logging automatic. Pattern: database query wrapper that logs the query context before executing, or an API middleware that logs the request/response metadata for PHI endpoints.

💡 Make Audit Logging Automatic, Not Manual

If audit logging depends on developers remembering to add audit.log() calls: it will be inconsistent. The AI should generate architectural patterns that make logging automatic: a database query wrapper that logs every PHI query, API middleware that captures request metadata, or database triggers that record every INSERT/UPDATE/DELETE on PHI tables. Automatic logging eliminates the human error factor from compliance.

Integrity Controls and Authentication

164.312(c) Integrity — Addressable: protect electronic PHI from improper alteration or destruction. Implementation: checksums or digital signatures on PHI records, database constraints that prevent invalid modifications, version history that preserves all changes (soft-delete, never hard-delete). AI rule: 'PHI records: maintain a version history (every change creates a new version, previous versions preserved). Critical fields (diagnosis, medication, lab results): include a checksum or hash for integrity verification. Deletion: soft-delete only (mark as inactive, retain for the required period).'

164.312(d) Person or Entity Authentication — Required: verify that a person or entity seeking access to PHI is who they claim to be. Implementation: strong authentication (password + MFA), certificate-based authentication for system-to-system communication, and token verification for API access. AI rule: 'PHI-accessing endpoints: require authentication that verifies identity. MFA: required for clinician and admin accounts. API access: OAuth 2.0 with short-lived access tokens. System-to-system: mutual TLS (mTLS) with verified certificates.'

164.312(e) Transmission Security — Required: guard against unauthorized access to PHI being transmitted over a network. Implementation: TLS 1.2+ for all PHI transmissions, encrypted email for PHI sharing (or use a secure messaging system instead), VPN or encrypted tunnels for inter-facility communication. AI rule: 'All PHI in transit: TLS 1.2 minimum, TLS 1.3 preferred. No PHI over unencrypted channels. Internal service communication: mTLS or encrypted service mesh. Email: never send PHI via standard email (use secure messaging portals).'

⚠️ No PHI via Standard Email — Ever

Standard email (SMTP) transmits data in plaintext between mail servers. Sending PHI via standard email violates HIPAA transmission security (164.312e). Even if the email client uses TLS to the mail server: the server-to-server transmission may not be encrypted. Use secure messaging portals (patient receives a link to view the message on a secure site) or encrypted email services specifically designed for HIPAA compliance.

Breach Notification and Incident Response

HIPAA Breach Notification Rule (164.400-414): if unsecured PHI is breached, notification is required. Notification to affected individuals within 60 days. Notification to HHS (Department of Health and Human Services). If the breach affects 500+ individuals: notification to media outlets. AI rule: 'Generate incident detection capabilities: monitor for unusual PHI access patterns, failed authentication attempts on PHI-accessing accounts, and data exfiltration indicators. Automated breach detection: faster detection = smaller breach scope = lower impact.'

Encryption as a breach safe harbor: PHI that is encrypted according to NIST standards is considered secure. If encrypted PHI is exposed (laptop stolen, database backup leaked): it is not a reportable breach because the data is unreadable. AI rule: 'Encrypt all PHI at rest using NIST-approved encryption (AES-256). This provides the breach notification safe harbor — encrypted PHI exposure is not a reportable breach. The encryption key must be stored separately from the encrypted data.'

Incident response documentation: every security incident involving PHI must be documented. AI rule: 'Generate incident tracking capabilities: incident creation (what happened, when, what PHI was involved), investigation workflow (root cause analysis, scope determination), remediation tracking (what was fixed, when), and outcome recording (breach determination, notifications sent). Retain incident records for 6 years.'

ℹ️ Encryption = Breach Notification Safe Harbor

If a laptop containing encrypted PHI (AES-256, key stored separately) is stolen: it is not a reportable breach under HIPAA. The PHI is 'secured' because it is unreadable without the key. If the same laptop had unencrypted PHI: reportable breach — notify all affected individuals within 60 days, notify HHS, and if 500+ affected, notify media. Encryption is the single most cost-effective HIPAA control. The AI should encrypt all PHI at rest by default.

HIPAA AI Rules Summary

Summary of AI rules mapped to HIPAA Security Rule technical safeguards.

  • Access control (164.312a): unique user IDs, no shared accounts, session timeout, emergency access with audit
  • Audit controls (164.312b): every PHI access logged (who/what/when/where). 6-year retention. Immutable logs
  • Integrity (164.312c): version history on PHI records, checksums on critical fields, soft-delete only
  • Authentication (164.312d): MFA for clinician/admin, OAuth 2.0 for APIs, mTLS for system-to-system
  • Transmission security (164.312e): TLS 1.2+ everywhere, mTLS internally, no PHI via standard email
  • Encryption safe harbor: AES-256 at rest = not a reportable breach if exposed. Always encrypt PHI
  • Breach notification: 60-day deadline. Detect fast, document everything, retain 6 years
  • Default to implementing all safeguards (required + addressable). Easier than documenting exceptions

Related articles

AI Governance for HealthcareAI Rules for SOC 2 ComplianceAI Rules for Audit LoggingAI Security Rules