
HIPAA in AI Governance

HIPAA’s Privacy and Security Rules apply to AI systems when those systems process, store, or transmit Protected Health Information (PHI) on behalf of Covered Entities. As AI is increasingly used in clinical decision support, patient communication, and care coordination, ensuring AI governance programmes satisfy HIPAA requirements is essential.

A Business Associate Agreement (BAA) is required before using VeriProof in any production environment where PHI may be present in AI session inputs or outputs. See HIPAA Compliance for BAA details.


How HIPAA Intersects with AI Governance

HIPAA’s Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). When an AI system processes PHI:

  • The AI system’s inputs and outputs are themselves ePHI when they contain individually identifiable health information. Text that still carries any of the 18 identifiers enumerated in the Safe Harbor de-identification standard (§ 164.514(b)(2): names, dates other than year, geographic subdivisions smaller than a state, and so on) has not been de-identified under Safe Harbor and must be treated as PHI
  • The audit control requirement (§ 164.312(b)) mandates “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information”
  • The integrity requirement (§ 164.312(c)) calls for a mechanism to authenticate ePHI, that is, to corroborate that it “has not been altered or destroyed in an unauthorized manner” (an addressable implementation specification, § 164.312(c)(2))

VeriProof directly addresses the audit control and integrity requirements. The identifier question is addressed by PHI minimisation, covered later on this page.


Audit Controls (§ 164.312(b))

Every AI session captured through VeriProof creates an immutable, timestamped record of what inputs were submitted to the AI system and what outputs it produced. This provides the recording mechanism the audit control calls for: activity in a system that uses ePHI is captured in a form that can later be examined. The control also requires you to examine those records, so pair the trail with a documented review procedure; the periodic integrity sample check in the Compliance section is one such review.

VeriProof’s audit trail goes beyond typical logging:

  • Blockchain anchoring: The session record is cryptographically committed to the Solana blockchain within 30 seconds of ingest. Any alteration of the stored record after anchoring is detectable; the anchor cannot vouch for changes made before the record reached VeriProof, so capture sessions as close to the AI call as possible
  • Retention configurability: Configure session retention for at least 6 years, the documentation retention period in § 164.316(b)(2)(i); state medical-records law or your own records policy may require longer

Integrity Controls (§ 164.312(c))

HIPAA’s integrity controls require that ePHI is not altered or destroyed without authorisation. VeriProof’s Merkle proof model supplies the corroboration mechanism: every session record is committed to a Solana Merkle tree, and the resulting proof makes any alteration after ingest cryptographically detectable. Detection is not prevention, so access controls on the session store remain part of the integrity safeguard.

To verify a session’s integrity, open the session detail view in the Customer Portal and click Verify Blockchain Proof. The portal fetches the Merkle proof from Solana and displays whether the record matches what was originally anchored.

For periodic HIPAA audit sampling, use the Compliance section in the Customer Portal: set a date range and select Run Integrity Sample Check. VeriProof randomly selects up to 100 sessions from the period, verifies each proof against the Solana ledger, and produces a signed summary report you can attach to your HIPAA audit workpapers.
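The integrity check above rests on a Merkle inclusion proof. The following is an added, illustrative example and not VeriProof’s implementation (this page does not describe its tree layout, hash function or Solana anchoring format, which are assumed to differ): it builds a tree over constructed session records, produces the inclusion proof for one record, verifies it against the root that would be anchored on-chain, and shows that a record edited after ingest fails verification.

```python
# Added, illustrative example: a Merkle inclusion proof over AI session records.
# This is NOT VeriProof's implementation; its tree layout, hash and Solana
# anchoring format are not described on this page and are assumed to differ.
import hashlib
import json
from typing import List, Tuple

# Domain separation: leaves and internal nodes hash differently, so an internal
# node cannot be presented as a leaf (the second-preimage trick against naive trees).
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"

# Constructed sample sessions (no real patient data). Five records, so the
# odd-length levels exercise the padding rule below.
SESSIONS = [
    {"session_id": "s-0001", "ts": "2026-01-05T10:02:00Z",
     "input": "Summarise the discharge note for PT-3F2A9C01",
     "output": "Patient stable; follow-up in two weeks."},
    {"session_id": "s-0002", "ts": "2026-01-05T10:07:13Z",
     "input": "Draft a reminder for the 2026 flu clinic",
     "output": "Reminder drafted."},
    {"session_id": "s-0003", "ts": "2026-01-05T10:11:40Z",
     "input": "List open referrals for PT-9B10D4E7",
     "output": "Two referrals open: cardiology, physiotherapy."},
    {"session_id": "s-0004", "ts": "2026-01-05T10:15:02Z",
     "input": "Translate aftercare instructions to Spanish",
     "output": "Instrucciones traducidas."},
    {"session_id": "s-0005", "ts": "2026-01-05T10:20:55Z",
     "input": "Which medications interact with warfarin?",
     "output": "Common interactions: aspirin, amiodarone, ..."},
]


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the same record must always hash the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(record: dict) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + canonical(record)).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _padded(level: List[bytes]) -> List[bytes]:
    """Duplicate the last node on odd-length levels so every node has a sibling."""
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(records: List[dict]) -> List[List[bytes]]:
    """All levels, leaves first and root last."""
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        level = _padded(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(records: List[dict]) -> bytes:
    """The single value that would be anchored on-chain for this batch."""
    return build_tree(records)[-1][0]


def inclusion_proof(records: List[dict], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the flag says whether the sibling sits on the left."""
    proof = []
    for level in build_tree(records)[:-1]:
        level = _padded(level)
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(record: dict, proof: List[Tuple[bytes, bool]], anchored_root: bytes) -> bool:
    """Recompute the root from the record and its proof; compare with the anchored root."""
    h = leaf_hash(record)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == anchored_root


def demo() -> Tuple[bool, bool]:
    """Returns (genuine record verifies, tampered record verifies)."""
    root = merkle_root(SESSIONS)
    proof = inclusion_proof(SESSIONS, 2)
    genuine = verify_inclusion(SESSIONS[2], proof, root)
    tampered = dict(SESSIONS[2], output="No referrals open.")   # a post-ingest edit
    return genuine, verify_inclusion(tampered, proof, root)


if __name__ == "__main__":
    print("anchored root:", merkle_root(SESSIONS).hex())
    print("genuine verifies, tampered verifies:", demo())
```

Only the root needs to be anchored; a record’s proof is a handful of sibling hashes, which is why a per-session check is cheap. The example prefixes leaf and internal hashes differently and pads odd levels by duplicating the last node; without the prefixes an attacker could present an internal node as a forged leaf.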


PHI Minimisation in AI Governance Programmes

The most effective HIPAA control for AI systems is minimising the PHI that reaches the AI model in the first place. A robust AI governance programme includes:

  1. Input sanitisation: Strip or replace HIPAA identifiers before submitting to the AI model and before capturing to VeriProof
  2. Output review: Flag AI outputs that may have reconstructed PHI from non-PHI inputs (a governance scoring dimension)
  3. Data subject registration: Link sessions to de-identified internal patient identifiers so that erasure (if required) can be executed without affecting clinical records
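The three controls above can be prototyped together. The following is an added example and not VeriProof code: it scrubs structured Safe Harbor identifiers from constructed AI input, replaces medical record numbers with keyed pseudonyms (a stand-in for the de-identified internal identifier in item 3), and re-runs the same detector over a constructed AI output to flag reconstructed PHI (item 2). The MRN format, the pseudonym key, the sample text and the restricted-ZIP list as reproduced here are assumptions to check against your own environment and current HHS guidance.

```python
# Added example, not VeriProof code: scrub structured Safe Harbor identifiers
# from AI input, pseudonymise patient identifiers consistently, and re-run the
# same detector over AI output to flag reconstructed PHI.
import hashlib
import hmac
import re
from typing import List, Tuple

# Key for the pseudonym map. Constructed demo value; in practice it lives in a
# KMS/HSM outside the AI pipeline so tokens cannot be reversed from the session store.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Three-digit ZIP prefixes that Safe Harbor requires to be reported as 000
# (areas of 20,000 or fewer people in the HHS guidance's Census-based list;
# confirm the current list before relying on it).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Structured identifiers only. Names, street addresses and narrative clues need
# a de-identification NER model; regexes will miss them. Order matters: SSN runs
# before PHONE so the looser phone pattern never consumes part of an SSN.
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("MRN",   re.compile(r"\bMRN[- ]?(\d{6,8})\b")),                  # assumed local MRN format
    ("DATE",  re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")),            # ISO date: keep the year only
    ("DATE",  re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")),        # US date: keep the year only
    ("ZIP",   re.compile(r"\b([A-Z]{2}) (\d{3})(\d{2})(?:-\d{4})?\b")),  # "NY 10027": keep 3 digits
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("AGE",   re.compile(r"\b(?:aged?|age of) (\d{2,3})\b")),         # ages over 89 become 90+
    ("AGE",   re.compile(r"\b(\d{2,3})[- ]years?[- ]old\b")),
]


def pseudonym(identifier: str) -> str:
    """Keyed, consistent surrogate: same patient -> same token, not reversible without the key."""
    tag = hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:8].upper()
    return f"PT-{tag}"


def _replacement(category: str, m: re.Match) -> str:
    if category == "MRN":
        return pseudonym(m.group(1))
    if category == "DATE":
        year = m.group(1) if len(m.group(1)) == 4 else m.group(3)
        return f"[DATE:{year}]"
    if category == "ZIP":
        zip3 = "000" if m.group(2) in RESTRICTED_ZIP3 else m.group(2)
        return f"{m.group(1)} {zip3}XX"
    if category == "AGE":
        return m.group(0).replace(m.group(1), "90+", 1)
    return f"[{category}]"


def scrub(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (scrubbed text, list of (category, original span)) for what was removed."""
    findings: List[Tuple[str, str]] = []
    for category, pattern in PATTERNS:
        def sub(m: re.Match, category: str = category) -> str:
            if category == "AGE" and int(m.group(1)) <= 89:
                return m.group(0)               # ages 89 and under are not an identifier
            findings.append((category, m.group(0)))
            return _replacement(category, m)
        text = pattern.sub(sub, text)
    return text, findings


def review_output(text: str) -> List[str]:
    """Categories of identifiers an AI output still contains; non-empty means flag for review."""
    return sorted({category for category, _ in scrub(text)[1]})


# Constructed sample text (no real patient data).
SAMPLE_INPUT = (
    "Summarise the visit for John Doe, MRN 00482913, DOB 03/14/1951, aged 93, "
    "SSN 123-45-6789, phone (212) 555-0142, email jdoe@example.com, NY 10027. "
    "Admitted 2026-01-05 with chest pain."
)
# A constructed AI output that leaks a date of birth and a phone number.
SAMPLE_OUTPUT = "Patient (DOB 03/14/1951) should call 212-555-0142 to book the follow-up."

if __name__ == "__main__":
    scrubbed, findings = scrub(SAMPLE_INPUT)
    print(scrubbed)
    print("removed:", findings)
    print("output flags:", review_output(SAMPLE_OUTPUT))
```

Note what the example does not catch: the patient’s name passes through untouched, because names, addresses and narrative clues need a de-identification model rather than regexes. Treat pattern scrubbing as a floor, keep the pseudonym key out of the AI pipeline and the session store, and use a non-empty result from review_output as a governance-scoring signal rather than as proof that an output is clean.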

HIPAA + GDPR Alignment

Many healthcare organisations serve both US and EU patients. HIPAA’s 6-year documentation retention requirement and GDPR’s right to erasure create a potential conflict: you are required to retain records for 6 years but may be asked to erase them under GDPR.

VeriProof’s legal hold mechanism resolves this: when a GDPR erasure request arrives for a subject whose records are within the HIPAA retention window, place a legal hold that expires at the end of the retention period. Erasure is blocked until the hold expires, at which point it proceeds automatically.

To place a legal hold, navigate to Data Subjects in the Customer Portal, open the subject record, and select Place Legal Hold. Set the expiry to the end of the applicable HIPAA retention window (at minimum 6 years from the date the records were created) and enter the reason. The hold takes effect immediately and prevents erasure until it expires or is explicitly lifted by an administrator.


Generating HIPAA Audit Evidence

When responding to a HIPAA audit, use the Evidence Export feature in the Customer Portal:

  1. Navigate to Compliance → Evidence Export
  2. Choose Custom framework and label the package (e.g. “HIPAA Security Rule Audit 2026”)
  3. Set the date range covering the audit period
  4. Enable Include blockchain proofs
  5. Under custom sections, select Audit Controls (§ 164.312(b)), Integrity Controls (§ 164.312(c)), and Access Log (§ 164.312(d))
  6. Click Generate Package — preparation typically takes 2–5 minutes for a full year’s data
  7. Download the signed ZIP archive and retain it with your audit workpapers

The exported package includes session counts, governance score distributions, a random integrity sample report, and the TEE attestation document confirming the evidence was generated in a trusted execution environment.

