- Regulator: U.S. Dept. of Health and Human Services (HHS), Office for Civil Rights
- Applies to: Covered entities and their business associates
- Security Rule: Administrative, physical, and technical safeguards for electronic PHI
- Privacy Rule: Governs the use and disclosure of protected health information (PHI)
- Breach Notification: Notification required after a breach of unsecured PHI
- AI dimension: AI tools that handle PHI inherit HIPAA obligations
01 What it is
HIPAA — the Health Insurance Portability and Accountability Act — sets the U.S. baseline for protecting health information. Its Privacy Rule governs how protected health information may be used and disclosed; its Security Rule requires administrative, physical, and technical safeguards for electronic PHI; and its Breach Notification Rule requires notifying affected individuals and regulators after a breach of unsecured PHI.
02 Who must comply
HIPAA applies to covered entities — health plans, healthcare clearinghouses, and most providers — and, critically, to their business associates: the vendors and partners that handle PHI on their behalf. If your platform processes PHI for a healthcare client, you are very likely a business associate with direct obligations and a Business Associate Agreement to honor.
03 Where AI fits in
AI used for clinical decision support, intake, coding, scheduling, or note-taking frequently touches PHI — which places those systems, and the vendors behind them, squarely within HIPAA’s safeguards. Regulators continue to sharpen expectations around the Security Rule, and AI features raise fresh questions about minimum-necessary use, logging, and third-party model providers.
04 How it connects
For firms that also carry SOC 2 or operate under NYDFS, HIPAA’s safeguards overlap heavily with those control sets — and can be run from a shared evidence base rather than as a separate, parallel program.
05 What RedOps delivers
RedOps builds a HIPAA security program that holds up to scrutiny, with AI systems that handle PHI accounted for explicitly.
- A HIPAA Security Rule risk analysis
- Safeguard gap remediation across administrative, physical, and technical controls
- Policies and procedures aligned to the Privacy and Security Rules
- Business-associate and vendor management — including AI vendors handling PHI
- Workforce training on PHI handling
- Breach-response readiness and notification planning