The Data You Think Is Protected Isn't

This incident captures why AI is genuinely different from previous healthcare technology. It's not just a faster fax machine or a better database. AI tools can act autonomously, join meetings without invitation, record without visible indication, and transmit data to external servers in ways that bypass every traditional safeguard. The regulatory framework—HIPAA, designed in 1996 for paper charts and fax machines—wasn't built for software that learns from every input and can take actions on its own.

This module will help you understand where the real risks are. We'll cover the basics of HIPAA and PHI, but the goal isn't comprehensive compliance training—it's developing intuition for the edge cases that matter when AI enters clinical workflows. You'll learn to recognize three categories of PHI exposure that escalate in subtlety: direct PHI (the obvious identifiers), indirect PHI (data that becomes identifying when combined), and shadow AI (the untracked tools that create compliance blind spots—like that Otter bot).

What Makes AI Different

Traditional healthcare IT systems—EHRs, billing systems, scheduling software—are essentially sophisticated databases. They store what you put in, retrieve what you ask for, and follow deterministic rules. If patient data leaks, it's usually because of a configuration error, a hack, or human mistake. The system itself doesn't learn, doesn't act autonomously, and doesn't transmit data unless explicitly programmed to.

AI systems are fundamentally different in several ways that matter for privacy:

The Velocity Problem

New AI tools appear weekly. Employees adopt them because they genuinely help—who wouldn't want to cut documentation time in half? But each tool potentially creates a new data flow, a new vendor relationship, and a new compliance gap. Traditional IT governance, with its months-long procurement cycles, can't keep pace. By the time a tool is formally evaluated, half the staff may already be using it.

HIPAA Fundamentals for AI

Who HIPAA Actually Covers (and Who It Doesn't)

HIPAA is an entity-based framework, not a data-based one. This distinction is critical. The law doesn't protect "health data"—it protects health data held by specific types of organizations.

The gap this creates: When a patient enters symptoms into a consumer health app, or a clinician pastes notes into ChatGPT without a BAA, that data isn't protected by HIPAA. The FTC has stepped into some of this gap with the Health Breach Notification Rule, but enforcement is inconsistent and the protections are narrower.

The Three HIPAA Rules That Matter for AI

Privacy Rule: Governs how PHI can be used and disclosed. PHI can generally only be used for treatment, payment, and healthcare operations without explicit patient authorization. Using PHI to train commercial AI models typically requires either authorization or de-identification.

Security Rule: Requires administrative, physical, and technical safeguards for electronic PHI. In January 2025, HHS proposed the first major update in 20 years, mandating encryption, multi-factor authentication, and 72-hour disaster recovery. AI systems processing ePHI will face these enhanced standards.

Breach Notification Rule: Requires notification within 60 days of discovering a breach of unsecured PHI. From 2018-2023, large breaches increased 102% and affected individuals increased 1,002%. An AI system that inadvertently exposes PHI triggers these requirements.

Direct PHI in AI Systems

Direct PHI includes the 18 categories of identifiers that HIPAA's Safe Harbor de-identification method requires you to remove. These are the obvious markers that link data to individuals.

The 18 Safe Harbor Identifiers

Where Direct PHI Enters AI Systems

Training Data: When AI models are trained on clinical data, PHI may be embedded in the model weights themselves. This creates a form of data persistence that's difficult to audit and impossible to fully "delete." Model inversion attacks have demonstrated the ability to extract training data from some models.

Inference-Time Inputs: When clinicians paste patient notes into AI tools, that data is transmitted to external servers. Even if the vendor promises not to use it for training, it may be logged, cached, or retained for abuse monitoring. Most consumer AI tools retain data for 30+ days.

Generated Outputs: AI-generated clinical notes, summaries, and recommendations become PHI themselves. If an ambient scribe generates a SOAP note, that output requires the same protections as a manually-written note.

The BAA Requirement

Before using any AI tool with PHI, a Business Associate Agreement must be in place. The BAA establishes the vendor as a business associate, binding them to HIPAA requirements including safeguards, use restrictions, and breach notification.

Current BAA Availability by Platform

• OpenAI API: BAA available for zero-retention endpoints (contact baa@openai.com)
• ChatGPT (consumer): No BAA available. Cannot be used with PHI.
• ChatGPT Enterprise/Edu: BAA available through sales-managed accounts
• Anthropic API: BAA available only for HIPAA-eligible services with zero data retention; does not cover Claude.ai, Workbench, or beta features
• Claude (consumer/Pro/Team): No BAA available. Cannot be used with PHI.
• Azure OpenAI: BAA included in Microsoft Product Terms by default
• Google Vertex AI: BAA available for healthcare customers
• Google Workspace (Gemini): BAA available via Admin console; requires configuration. Note: NotebookLM is NOT covered.
• AWS Bedrock: HIPAA-eligible service; BAA available through AWS Business Associate Addendum
• AWS HealthScribe: HIPAA-eligible service with BAA coverage
• OpenEvidence: HIPAA compliant; free BAA available for covered entities
• Glass Health: HIPAA-compliant enterprise offering; contact for BAA
• Purpose-built scribes (Freed, Suki, Abridge, etc.): Generally offer BAAs; verify before deployment

Indirect PHI and Re-identification Risk

This is where the regulatory framework shows its age. HIPAA's Safe Harbor method was designed before modern machine learning, before data brokers, before the explosion of auxiliary datasets that make re-identification increasingly feasible.

The Mosaic Effect

The mosaic effect describes how individually benign data points become identifying when combined. In 1997, researcher Latanya Sweeney demonstrated that 87% of Americans could be uniquely identified using just three data points: ZIP code, birth date, and gender. She famously re-identified Massachusetts Governor William Weld's medical records from "anonymized" hospital data by linking it to publicly available voter rolls.

For AI systems, this creates a fundamental tension. Machine learning thrives on rich, detailed data. De-identification that's sufficient to prevent re-identification often strips the clinical utility that makes the data valuable for training or analysis.

How Many Data Points Does It Take?

The research on re-identification is sobering. Multiple studies have consistently shown that 3-5 indirect identifiers are typically sufficient to re-identify individuals from medical records, especially when combined with publicly available datasets.

Quasi-Identifiers in Healthcare Data

Even after removing the 18 Safe Harbor identifiers, healthcare data contains numerous quasi-identifiers that can enable re-identification when combined with external data sources:

• Rare diagnoses: A unique combination of conditions may identify a patient within a population
• Treatment patterns: Specific medication sequences or surgical combinations
• Temporal patterns: Visit frequency, hospitalization duration, time between events
• Provider relationships: Combination of specialists seen
• Demographic combinations: Age range + gender + ethnicity + approximate location
• Free-text narratives: Clinical notes often contain identifying details even after NER-based scrubbing

AI-Specific Re-identification Risks

Image Reconstruction: CT and MRI scans contain sufficient geometric information to reconstruct facial features. A "de-identified" head CT can potentially be matched to a photograph using 3D reconstruction techniques. AI dramatically improves the feasibility of such attacks.

Voice Prints: Voice recordings—including those captured by ambient scribes—are explicitly listed as biometric identifiers under HIPAA. Speaker identification models can match voices across recordings, potentially linking "anonymized" research data to identified individuals.

Training Data Extraction: Model inversion and membership inference attacks can potentially extract or verify the presence of specific records in training data. This transforms the model itself into a form of data storage that may be subject to HIPAA requirements.

The Safe Harbor List Is Outdated

The 18 Safe Harbor identifiers were defined in 1996 and haven't been updated since. They don't account for:

• Social media: Platforms that didn't exist and now contain vast amounts of personally identifying information
• Commercial data brokers: Companies that aggregate consumer data from thousands of sources
• Genetic data: DNA sequences that are uniquely identifying and increasingly available through consumer testing
• Location history: Smartphone data that can uniquely identify individuals through movement patterns
• Wearable data: Health metrics from fitness trackers that create unique biometric signatures
• AI capabilities: Machine learning tools that can find patterns across datasets at scale impossible in 1996

Shadow AI and Stealth PHI Exposure

Shadow AI is the healthcare equivalent of shadow IT: employees using AI tools without organizational approval, oversight, or integration into compliance frameworks. It's the fastest-growing and least-controlled category of PHI exposure.

The Scale of the Problem

Research indicates that nearly 95% of healthcare organizations believe their staff are already using generative AI in email or content workflows. 62% of leaders have directly observed employees using unsanctioned tools. Yet a quarter of organizations have not formally approved any AI use—meaning staff are acting without oversight, outside compliance frameworks, and without BAAs in place.

Shadow AI incidents account for 20% of AI-related security breaches—7 percentage points higher than incidents involving sanctioned AI.

Anatomy of the Ontario Hospital Breach

Let's return to the Otter.ai incident, because it illustrates almost every shadow AI failure mode:

Common Shadow AI Scenarios

Clinical Documentation: A physician pastes patient notes into ChatGPT to generate a summary or draft a letter. They've just transmitted PHI to a platform without a BAA, potentially violating HIPAA.

Administrative Tasks: A clinic manager uploads patient scheduling data to an AI tool for analysis. A billing specialist uses AI to help with denial appeals. Each creates an untracked data flow to unvetted platforms.

The Productivity Trap: A physician discovers ChatGPT can generate patient summaries in seconds. They start with de-identified summaries, then gradually include more context, then patient names "just this once" when running late. By the time anyone notices, months of PHI has been transmitted.

Why Shadow AI Happens

1. Productivity pressure: Clinicians are drowning in documentation. AI tools offer genuine time savings.
2. Approval friction: Sanctioned AI tools require lengthy procurement. Free tools are available immediately.
3. Awareness gaps: Many users don't understand that pasting text into an AI tool constitutes data transmission to an external server.
4. Tool limitations: Approved tools may not meet user needs, pushing staff to seek alternatives.
5. Embedded AI: AI features are increasingly embedded in approved tools (CRM systems, email clients) without separate vetting.

Governance Approaches

Industry experts advise against blanket bans—they don't work and push usage further underground. Instead:

1. Provide alternatives: Deploy enterprise AI tools with BAAs, security controls, and logging. Make the approved path as convenient as the shadow path.
2. Create fast-track approval: Establish a streamlined process for evaluating new AI tools. Reduce the friction that drives shadow usage.
3. Educate continuously: Help staff understand why the restrictions exist and what's at stake. Focus on the "why" rather than just the "don't."
4. Monitor adaptively: Use tools that can detect AI usage. Treat detections as opportunities for guidance, not punishment.
5. Listen to shadow users: Shadow AI reveals unmet needs. Use it as free market research—what are people trying to accomplish?

What You Should Actually Do

Before Deploying Any AI System

1. Map the data flows: Where does PHI enter the system? Where is it stored? Where does it go? Who has access?
2. Verify BAA status: Is a Business Associate Agreement in place? What does it actually cover? Does it address AI-specific risks?
3. Assess minimum necessary: Does the AI need all the data being provided? Can inputs be limited to what's actually required?
4. Evaluate de-identification: If using de-identified data, which method was used? Has re-identification risk been assessed in light of AI capabilities?
5. Review data retention: How long does the vendor retain inputs? Are they used for model training? What happens to audit logs?
6. Plan for breach: If PHI is exposed through this system, what's the notification plan? Who's responsible for detection?
7. Document everything: Risk assessments, vendor evaluations, configuration decisions, training records. The documentation is your defense.

Vendor Evaluation Questions

When evaluating AI vendors for healthcare use, ask:

• Will you sign our BAA (or provide your standard BAA for review)?
• Where is data processed and stored? Which jurisdictions?
• Is any data used to train or improve your models? How can we opt out?
• What encryption is used in transit and at rest?
• How long is data retained? Can we specify retention limits?
• What audit logging is available? Who can access logs?
• What's your incident response process? What's the notification timeline?
• Have you completed SOC 2 Type II? Can we review the report?

Readings