HIPAA already answers most "can we use AI for this?" questions — if you read it as an architecture specification instead of a legal obstacle.


An eligibility agent is a business associate before it is an architecture

The fastest-growing category of healthcare AI is not clinical — it's administrative. More than 50% of health plans and 25% of provider organizations now use AI tools in administrative workflows [1], and the workflow drawing the most agent attention is the largest one in US healthcare: the 31.5 billion insurance eligibility verifications providers run every year [2]. We've covered what those agents can and cannot automate separately. This article covers the question that decides whether any of it is deployable at a clinic: what does HIPAA actually require of the architecture?

Start with vendor classification, because it happens automatically. The minimum data an eligibility check needs — patient name, date of birth, member ID — is protected health information, and under HIPAA, determining insurance eligibility and coverage is a payment activity. The moment that data flows to a vendor's system so the vendor can run checks or call payers on the clinic's behalf, that vendor is performing a payment function with PHI and becomes a business associate under 45 CFR 164.502(e) and 164.504(e). No contract negotiation creates this status and no marketing language avoids it; the function creates it, and the law then requires a signed business associate agreement before the first record moves [3].

The part teams miss is that BA status propagates down the stack. An eligibility agent is never one system. It is an orchestration layer plus an LLM API, often a speech-to-text service, a clearinghouse connection, and a hosting provider — and every subcontractor that touches PHI on the vendor's behalf needs its own downstream BAA or equivalent subcontractor agreement. This is not hypothetical: Infinitus, the a16z-backed category leader in payer-call automation, discloses that its extraction pipeline uses OpenAI and Google APIs [4]. Each of those is a link in the chain, and the chain is only as compliant as its weakest signed agreement.

If you want a measure of what concentrated business-associate risk looks like when it fails, the February 2024 Change Healthcare ransomware attack is the reference case: roughly 192.7 million individuals affected — the largest healthcare breach on record — and about $2.457 billion in costs per UnitedHealth Group's own earnings disclosures [5]. HHS published a dedicated FAQ just to walk covered entities through their notification duties when a business associate of that scale fails [6]. The architectural lesson for agent deployments is blunt: know every entity in your PHI chain, on paper, before the pilot starts.

Minimum necessary in the age of prompts

HIPAA's minimum necessary standard — 45 CFR 164.502(b) — requires covered entities and business associates to limit PHI uses and disclosures to the minimum needed to accomplish the purpose. It applies squarely to payment and operations activities, which is exactly what eligibility verification is. Read as an engineering requirement, it says something specific about LLM systems: the context window is a disclosure surface [3].

An eligibility check needs a handful of fields — identifiers, payer, plan, date of service, the benefit categories in question. It does not need the patient's problem list, medication history, or the free-text notes that ride along when an integration dumps a whole record object into a prompt for convenience. "Select * into the context window" is the pattern minimum necessary prohibits. The compliant shape is field-level scoping at the boundary: the agent's tools request named fields, a filter strips everything else before the model sees it, and PII detection runs on outputs as well as inputs, because a model can echo identifiers into places they don't belong.

The second half of the standard is contractual. Legal analyses of AI business associate agreements converge on the same clause: explicit language barring the use of PHI for model training, fine-tuning, or product improvement, absent separate written authorization or de-identification [7]. Without that language, "we may use customer data to improve our services" boilerplate quietly turns a payment disclosure into an unauthorized secondary use [8]. The same discipline applies to retention — stored prompts and completions containing PHI are PHI stores, subject to the same safeguards and the same retention policy as any other ePHI system.

Two prompt-layer controls fall out of this that are worth naming precisely, because they show up later in the control map:

  • Input scoping. The set of fields an agent may place in a prompt is an allowlist defined per task, not whatever the upstream API returned. Scope changes are policy changes and should be reviewed like them.
  • Output filtering. PII/DLP detection on model outputs, not just inputs — covering the agent's chat surface, its logs, and anything it writes back into downstream systems.

The audit trail is the product

I spend most of my working time on observability, and healthcare is the vertical where that discipline stops being an operational nicety and becomes a legal requirement. HIPAA's audit-control standard — 45 CFR 164.312(b) — requires mechanisms that record and examine activity in systems containing ePHI [9]. Translated for agent systems, the standard's practical expectation looks like this [10]:

  • Per-tool-call logging. Every action the agent takes against a PHI-bearing system is a logged event: which agent, which tool, which record, what was requested, what came back.
  • Propagated end-user identity. The human on whose behalf the agent acted — the front-desk coordinator, the billing specialist — flows from the point of invocation through every downstream tool call into the log. "The service account did it" is not an audit trail.
  • Artifact retention. For voice workflows, call recordings and transcripts; for data workflows, per-field provenance — which answer came from which source system at which time.
  • Retention horizon. Practical guidance aligns log retention with HIPAA's six-year documentation requirement [10].

The reason to treat this as product architecture rather than compliance overhead is that the audit trail is what makes an agent's work usable. An eligibility answer without provenance is a rumor; the same answer with a logged tool call, a source, and a timestamp is evidence a biller can act on and a compliance officer can defend. This is the healthcare-grade version of agent observability — the same traces and spans the reliability world uses, held to an evidentiary standard.

It also changes how you evaluate vendors and platforms. A system that cannot reconstruct, after the fact, exactly what its agent did and why, is not auditable — and in this domain, not auditable means not deployable. When we say human-in-the-loop is a design feature and not an apology, this is the section that proves it: the escalation queue, the review checkpoint, and the logged override are the mechanisms that make the audit trail mean something. A fully hands-off agent with no review path doesn't just carry more risk; it produces a log nobody ever checks, which is the failure mode 164.312(b) exists to prevent.

The 2025–2026 regulatory floor

Here is the current state of the rules, which most coverage gets subtly wrong in both directions.

First, what does not exist: as of mid-2026, OCR has issued no HIPAA guidance specifically addressing AI use of PHI [3]. Teams waiting for an "AI rule" before deploying are waiting for a document that isn't coming on any announced schedule; teams claiming AI is unregulated are misreading the same fact. Compliance runs on the general rules — which is precisely why the architecture patterns in this article matter more than any AI-specific checklist.

Second, the floor is rising anyway. OCR's proposed Security Rule update — announced December 27, 2024, the first major overhaul since 2003 — would make technical safeguards mandatory rather than "addressable," requiring multi-factor authentication, encryption at rest and in transit, formal asset inventories, and stricter risk analysis [11]. It is a proposal, not a final rule, but procurement floors move ahead of final rules: a clinic buying agent infrastructure in 2026 should assume the NPRM's requirements as the baseline, because retrofitting encryption and MFA across an agent stack after a final rule lands is far more expensive than specifying them now.

Third, AI-specific duties do exist — they just live outside HIPAA. Under ACA Section 1557's 2024 final rule, enforcement of nondiscrimination requirements for patient care decision support tools began July 5, 2024, and by May 1, 2025 covered entities must make reasonable efforts to identify and mitigate discrimination risk from AI tools they use. OCR's implementation guidance prescribes vendor due diligence, written policies, staff training, real-scenario audits, and human-in-the-loop override [12]. An eligibility agent is administrative rather than clinical decision support, so 1557's core duty may not reach it directly — but the prescribed governance pattern is the template regulators reached for first, and note what sits at its center: a mandated human override path. The regulator and the architect agree on this one. The broader compliance program these duties slot into is the subject of our AI governance pillar.

Certifications buyers will ask for — and what each one proves

The first thing to know about HIPAA certification is that it does not exist. HHS certifies no one; "HIPAA certified" on a vendor website is a marketing phrase describing a self-assessment or a third-party gap review [9]. What exists instead is a small set of attestations and certifications that serve as evidence of a control environment — each proving something narrower than the logo suggests.

CredentialWhat it actually provesWhat it does not prove
"HIPAA compliant" (self-claim)The vendor asserts its controls map to HIPAA; at best, a third party reviewed the mappingNothing independently — there is no official HIPAA certification
SOC 2 Type IINamed controls operated effectively over an audit window, per an independent auditorHIPAA compliance per se; scope varies — read which systems and criteria were covered
SOC 2 Type II with AI-specific evidenceThe 2026 procurement norm: model versioning and lineage, training-data provenance, inference logging with PHI redaction policy, drift thresholds, prompt/completion retention controls, and BAA coverage of every upstream model provider [13]Model accuracy or fitness for your workflow
HITRUST AI Security AssessmentThe first AI-specific security certification (GA December 2024): up to 44 harmonized controls mapped to NIST, ISO, and OWASP LLM guidance, standalone or bundled with e1/i1/r2 assessments [14]Bias, clinical safety, or the vendor's contractual terms

Two buying rules follow. Ask for the SOC 2 report itself, not the badge — the scope section tells you whether the agent pipeline and its model subprocessors were actually audited, and auditors now expect AI-specific evidence in that scope [13]. And treat certifications as necessary-not-sufficient: they attest to the control environment, while the BAA chain and the training-use bar from the previous sections live in contracts that no certification substitutes for. We maintain a separate procurement-focused checklist for regulated industries in our guide to AI platforms for healthcare, finance, and government; this article stays on the architecture the checklist should verify.

A control map for clinic agent deployments

Everything above compresses into a map from regulatory requirement to platform primitive. This is the artifact worth putting in front of a compliance officer, because it converts "is AI allowed?" into a column of checkboxes with named owners.

RequirementWhat it demands of an eligibility agentPlatform primitive
BA chain — 164.502(e), 164.504(e)Signed BAA with the agent vendor; downstream agreements for every LLM, speech, and hosting subprocessorContract inventory; documented subprocessor list
Minimum necessary — 164.502(b)Field-level scoping of what enters prompts; no PHI in training or fine-tuning absent authorizationPII detection and DLP on inputs and outputs; per-task field allowlists
Access control — Security Rule (164.312)Staff act through named identities; the agent's reach varies by roleRBAC tied to the clinic's identity provider via SSO/SAML/OAuth
Audit controls — 164.312(b)Per-tool-call logs with propagated end-user identity; ~6-year retentionCentralized audit log spanning chat, agents, and tool calls
Least privilege for toolsThe agent can invoke only allowlisted tools with scoped credentialsGateway-enforced tool policy; per-tool credential scoping
Security floor (NPRM trajectory)MFA, encryption at rest and in transit, asset inventory; data stays inside a contractual boundaryPrivate VPC deployment; encrypted transport and storage

As a worked example of what these primitives look like packaged in one platform, consider Jarvis AI — with the disclosure stated plainly: Jarvis is built by ASCENDING, which publishes this site, and this page carries the standard banner. The relevant design choice is that its Governed AI Layer treats PII detection and DLP, role-based access control, SSO/SAML/OAuth, and audit logs as platform primitives rather than add-ons, with the same governance applied to chat, agents, and MCP tool calls — one policy surface and one log rather than per-integration bolt-ons, which is precisely the shape the audit-controls and minimum-necessary rows require. For the deployment row, ASCENDING offers private VPC deployment for regulated workloads and describes it as the path for healthcare and any account where data leaving your boundary is a contracting blocker; our private-AI data sovereignty case study shows that pattern in practice.

And the honesty boundary, because it is the point of this section: ASCENDING does not claim that Jarvis holds HIPAA, SOC 2, or FedRAMP certification. A clinic evaluating it must verify attestations, BAA terms, and subprocessor coverage itself — exactly as this article prescribes for every other vendor. A control map that exempts the author's own product is not a control map; the same rows, the same evidence requests, the same contracts.

Note what the map does not contain: a row that eliminates human review. Escalation checkpoints — which answers auto-complete, which queue for a human, who can override — are controls in their own right, and they belong in the deployment design from day one, not as a temporary concession to model quality. For how this control map extends into an organization-wide program — policies, review boards, and rollout sequencing — see our guide to enterprise AI governance.

Shadow AI: the risk you already have

The last piece of the architecture argument is the counterfactual, and it is the strongest card a compliance-minded champion holds. The realistic alternative to a governed eligibility agent is not "no AI at a clinic." It is a front-desk coordinator pasting a patient's name, date of birth, and member ID into a free consumer chatbot to draft an appeal letter or decode a benefits summary — because the tool is one browser tab away and the eligibility backlog is not getting shorter.

That act, multiplied across a staff, is shadow AI, and in HIPAA terms it is close to a worst case: a disclosure of PHI to a vendor with no BAA, no minimum-necessary filter, no enterprise controls, terms that may permit training on the input, and no audit trail that the disclosure ever happened. Every section of this article fails at once — the chain, the scoping, the log. A breach you cannot see is still a breach; it is just one you discover late.

This reframes the governance conversation. The controls in this article are not the price of adopting AI; they are the mechanism that makes the AI use already happening in your building visible, scoped, and defensible. A governed deployment with PII filtering, role-based access, and a per-call audit trail is the risk-reducing move relative to the status quo — which is why the honest architecture, human checkpoints and all, tends to win the compliance meeting that a "fully autonomous" pitch loses.

FAQ

Do AI vendors need a BAA to run eligibility checks?

Yes, without exception. Eligibility verification is a payment activity under HIPAA, so a vendor that receives patient name, date of birth, or member ID to run checks or call payers is performing a payment function with PHI and becomes a business associate automatically — the function creates the status, not the contract. HIPAA then requires a signed BAA before PHI flows, and every subcontractor in the vendor's pipeline that touches PHI (LLM APIs, speech-to-text services, hosting) needs downstream agreements of its own. Ask vendors for their subprocessor list in writing; a vendor that cannot produce one does not know its own chain.

Can PHI be used to train AI models?

Not without explicit permission that almost no clinic has granted. The minimum necessary standard limits PHI use to the purpose of the disclosure — running the eligibility check — and legal analyses of AI BAAs converge on requiring explicit language that bars the use of PHI for model training, fine-tuning, or product improvement absent separate written authorization or proper de-identification. If a vendor's terms say customer data "may be used to improve services" and the BAA does not override it, that is a gap to close before signing, not after.

Is there AI-specific HIPAA guidance from OCR?

No. As of mid-2026, OCR has issued no HIPAA guidance specifically addressing AI use of PHI — compliance runs on the general Privacy and Security Rules applied to AI systems. The floor is rising through general mechanisms instead: the proposed Security Rule update announced in December 2024 would make safeguards like MFA and encryption mandatory rather than "addressable," and ACA Section 1557 already imposes duties to identify and mitigate discrimination risk from AI tools, with human-in-the-loop override among the prescribed controls. Architect to that trajectory, not to the current minimum.

What audit logs does HIPAA require for AI agents?

The audit-control standard, 45 CFR 164.312(b), requires mechanisms to record and examine activity in systems containing ePHI. For agent systems, the practical translation is per-tool-call logging — which agent, acting for which authenticated human, touched which record through which tool, and what came back — plus retained artifacts like call recordings, transcripts, and per-field data provenance, with retention aligned to HIPAA's six-year documentation horizon. The design test is reconstruction: if you cannot rebuild exactly what the agent did from the log alone, the log does not meet the standard's intent.

References

  1. CAQH — 2025 CAQH Index findings: $258B avoided in admin costs; >50% of health plans and 25% of provider organizations using AI in administrative workflows (summary via DataSpring, 2026): https://www.dataspring.com/blog/2025-caqh-index-shows-u.s.-healthcare-avoided-258-billion-and-accelerated-automation-interoperability-and-ai-adoption
  2. CAQH — 2024 CAQH Index Report: 31.5 billion annual medical eligibility verifications; transaction volumes and costs (2025): https://www.caqh.org/hubfs/Index/2024%20Index%20Report/CAQH_IndexReport_2024_FINAL.pdf
  3. Foley & Lardner — HIPAA Compliance and AI: What Privacy Officers Need to Know — business associate status, minimum necessary applied to AI, absence of AI-specific OCR guidance (2025): https://www.foley.com/insights/publications/2025/05/hipaa-compliance-ai-digital-health-privacy-officers-need-know/
  4. Infinitus — AI Review in Action — engineering account of the seven-layer review pipeline, disclosing OpenAI and Google APIs as pipeline components with human escalation (2024): https://www.infinitus.ai/blog/guardians-of-healthcare-calls-ai-review-in-action/
  5. The HIPAA Guide — Change Healthcare data breach: ~192.7M individuals affected, ~$2.457B in costs per UHG earnings (2025): https://www.hipaaguide.net/change-healthcare-data-breach/
  6. HHS — Change Healthcare Cybersecurity Incident: FAQ for HIPAA-covered entities and business associates (2024): https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
  7. MDRX Law — Business Associate Agreements in 2025: Are Patient Data Protections Keeping Up? — BAA language barring PHI use in training and fine-tuning (2025): https://www.mdrxlaw.com/news-and-alerts/business-associate-agreements-in-2025-are-patient-data-protections-keeping/
  8. Promise Legal — HIPAA, AI/ML Training Data, and BAAs: PHI compliance analysis (2025): https://blog.promise.legal/hipaa-ai-ml-training-baa-phi-compliance/
  9. Kiteworks — AI Compliance in Healthcare: HIPAA requirements for AI systems, including audit controls under 45 CFR 164.312(b) (2025): https://www.kiteworks.com/hipaa-compliance/ai-compliance-healthcare-requirements/
  10. Agentic Control Plane — SOC 2 + HIPAA Compliance Playbook for AI Agents — per-tool-call audit trails, propagated end-user identity, ~6-year retention (2026): https://agenticcontrolplane.com/blog/soc2-hipaa-ai-agent-compliance-playbook
  11. HHS Office for Civil Rights — proposed HIPAA Security Rule update: mandatory safeguards, MFA, encryption, asset inventories (December 27, 2024): https://www.hhs.gov/about/news/2024/12/27/hhs-office-civil-rights-proposes-measures-strengthen-cybersecurity-health-care-under-hipaa.html
  12. Reed Smith — HHS guidance on AI use in health care: ACA Section 1557 timelines and OCR's prescribed mitigation measures, including human-in-the-loop override (2025): https://www.reedsmith.com/our-insights/blogs/health-industry-washington-watch/102k29k/hhs-recent-guidance-on-ai-use-in-health-care/
  13. CallSphere — SOC 2 Type II for AI Vendors: the AI-specific evidence auditors expect in 2026 — model lineage, training-data provenance, inference logging, prompt retention, upstream BAA coverage (2026): https://callsphere.ai/blog/vw5f-soc-2-type-ii-ai-vendors-evidence-2026
  14. HITRUST — AI Security Assessment with Certification launch: up to 44 harmonized controls mapped to NIST, ISO, and OWASP LLM guidance (2024): https://hitrustalliance.net/press-releases/hitrust_launches_ai_security_assessment_and_certification