US healthcare privacy law

Healthcare AI is powerful.
Make it HIPAA-compliant.

HIPAA + AI Compliance Kit — £999 one-time + £199/mo monitoring (optional)

Generative AI in healthcare must protect PHI, sign BAAs, enforce minimum necessary, and maintain audit trails. We provide the templates, workflows, and attestation to keep your AI legal.

HIPAA risks in healthcare AI

Most clinical AI is high-risk under EU AI Act and regulated under HIPAA.
PHI in prompts or outputs requires a BAA with the model provider.
Minimum necessary applies to every AI interaction.
Breach penalties reach $1.5M per category per year.

Book free readiness check Compare ISO 42001 See all protocols

Choose your tier

HIPAA Quick Scope

£9one-time

PHI flow checklist and 15-question HIPAA + AI scope test.

Get £9 Quick Scope

HIPAA + AI Kit

£999one-time

BAA templates, de-identification workflow, access controls, audit log spec, and one signed attestation.

Buy — £999

Audit-Prep Bundle

£4,950one-time

Kit + 2-day engagement + mock OCR review + 90-day support.

Buy Audit-Prep — £4,950

Enterprise

£1,499/month

Continuous PHI monitoring, quarterly BAA refresh, incident response retainers, and unlimited attestations.

Talk sales — £1,499/mo

What's covered

Business Associate Agreement (BAA) kit

BAA templates and checklists for OpenAI, Anthropic, Google Cloud, AWS Bedrock, Azure OpenAI, and specialty healthcare AI vendors.

PHI minimisation & de-identification

Safe Harbour and Expert Determination workflows, prompt sanitisation, and PHI detection guardrails before any model call.

Access controls & audit logs

Role-based access aligned to workforce clearance, immutable audit logs for every AI interaction, and automatic access reviews.

Breach notification & risk assessment

Breach risk assessment worksheet, 60-day notification timeline tracker, and OCR-style incident documentation templates.

Why this matters now

Healthcare AI is high-risk under both HIPAA and the EU AI Act (most clinical applications are high-risk). Dual compliance is essential.

Sending PHI to a generative AI model without a BAA is a HIPAA violation. The kit documents BAAs and subprocessor governance before go-live.

Prompts and outputs can contain PHI. PHI minimisation and de-identification are required safeguards, not optional best practices.

Breach penalties reach $1.5M per violation category per year. Documented compliance is the cheapest insurance.

Frequently asked questions

Can I use ChatGPT with PHI?

Only if you have a signed Business Associate Agreement (BAA) with the vendor and appropriate safeguards in place. The consumer version of ChatGPT does not offer a BAA and should not be used with PHI. Enterprise/healthcare tiers from some providers do offer BAAs.

What is the minimum necessary standard?

HIPAA requires covered entities and business associates to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose. For AI, this means de-identification, prompt sanitisation, and limiting context windows.

Does HIPAA apply to AI-generated summaries of medical records?

Yes. If the input or output contains PHI, the entire workflow is subject to HIPAA. This includes summarisation, coding, prior-authorisation drafting, and clinical decision support.

What is a Business Associate Agreement?

A BAA is a contract between a covered entity and a business associate that establishes how PHI will be protected. AI vendors that process PHI on your behalf typically must sign a BAA.

How does the kit help with a breach?

The kit includes a breach risk assessment worksheet, a 60-day notification timeline, and templates for notifying affected individuals, HHS/OCR, and media where required.

Also need EU AI Act compliance for clinical AI?

See EU AI Act for healthcare →

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677

CSOAI

Initializing...

Healthcare AI is powerful.
Make it HIPAA-compliant.

HIPAA + AI Compliance Kit — £999 one-time + £199/mo monitoring (optional)

Generative AI in healthcare must protect PHI, sign BAAs, enforce minimum necessary, and maintain audit trails. We provide the templates, workflows, and attestation to keep your AI legal.

HIPAA risks in healthcare AI

Most clinical AI is high-risk under EU AI Act and regulated under HIPAA.
PHI in prompts or outputs requires a BAA with the model provider.
Minimum necessary applies to every AI interaction.
Breach penalties reach $1.5M per category per year.

Choose your tier

HIPAA Quick Scope

£9one-time

PHI flow checklist and 15-question HIPAA + AI scope test.

Get £9 Quick Scope

HIPAA + AI Kit

£999one-time

BAA templates, de-identification workflow, access controls, audit log spec, and one signed attestation.

Buy — £999

Audit-Prep Bundle

£4,950one-time

Kit + 2-day engagement + mock OCR review + 90-day support.

Buy Audit-Prep — £4,950

Enterprise

£1,499/month

Continuous PHI monitoring, quarterly BAA refresh, incident response retainers, and unlimited attestations.

Talk sales — £1,499/mo

What's covered

Business Associate Agreement (BAA) kit

BAA templates and checklists for OpenAI, Anthropic, Google Cloud, AWS Bedrock, Azure OpenAI, and specialty healthcare AI vendors.

PHI minimisation & de-identification

Safe Harbour and Expert Determination workflows, prompt sanitisation, and PHI detection guardrails before any model call.

Access controls & audit logs

Role-based access aligned to workforce clearance, immutable audit logs for every AI interaction, and automatic access reviews.

Breach notification & risk assessment

Breach risk assessment worksheet, 60-day notification timeline tracker, and OCR-style incident documentation templates.

Why this matters now

Healthcare AI is high-risk under both HIPAA and the EU AI Act (most clinical applications are high-risk). Dual compliance is essential.

Sending PHI to a generative AI model without a BAA is a HIPAA violation. The kit documents BAAs and subprocessor governance before go-live.

Prompts and outputs can contain PHI. PHI minimisation and de-identification are required safeguards, not optional best practices.

Breach penalties reach $1.5M per violation category per year. Documented compliance is the cheapest insurance.

Frequently asked questions

Can I use ChatGPT with PHI?

What is the minimum necessary standard?

Does HIPAA apply to AI-generated summaries of medical records?

Yes. If the input or output contains PHI, the entire workflow is subject to HIPAA. This includes summarisation, coding, prior-authorisation drafting, and clinical decision support.

What is a Business Associate Agreement?

A BAA is a contract between a covered entity and a business associate that establishes how PHI will be protected. AI vendors that process PHI on your behalf typically must sign a BAA.

How does the kit help with a breach?

The kit includes a breach risk assessment worksheet, a 60-day notification timeline, and templates for notifying affected individuals, HHS/OCR, and media where required.

MEOK AI Labs · CSOAI LTD · UK Companies House 16939677

Healthcare AI is powerful.Make it HIPAA-compliant.

Choose your tier

What's covered

Why this matters now

Frequently asked questions

Healthcare AI is powerful.Make it HIPAA-compliant.

Choose your tier

What's covered

Why this matters now

Frequently asked questions

Healthcare AI is powerful.
Make it HIPAA-compliant.

Healthcare AI is powerful.
Make it HIPAA-compliant.