Covered entities + business associates · OCR enforcement · Safe Harbor identifiers

Veladon for HIPAA + AI: Preventing PHI Exfiltration to Public LLMs

HIPAA's Privacy Rule and Security Rule govern Protected Health Information (PHI). When a clinical, administrative, or revenue-cycle employee pastes a patient note into ChatGPT or Claude, that is a HIPAA event — likely an unauthorized disclosure unless the LLM provider has signed a Business Associate Agreement (BAA), which OpenAI, Anthropic, and Google do not sign for consumer or most standard business tiers. OCR has signaled increasing focus on AI-related breaches for 2026 enforcement.

Full name
HIPAA Privacy and Security Rules as applied to employee AI use
Effective
HIPAA Privacy Rule (2003); Security Rule (2005); HITECH (2009); OCR guidance on AI ongoing
Jurisdiction
United States (covered entities + business associates)
Primary regulator
HHS Office for Civil Rights (OCR)
Get the HIPAA + AI evidence mapHow Veladon works

Executive summary · for CISOs + Compliance Officers

Why this matters for 500–2,500 employee mid-market.

HIPAA's Privacy Rule and Security Rule govern Protected Health Information (PHI). When a clinical, administrative, or revenue-cycle employee pastes a patient note into ChatGPT or Claude, that is almost always a HIPAA event — an unauthorized disclosure unless the LLM provider has signed a Business Associate Agreement (BAA), which OpenAI, Anthropic, and Google do not sign for consumer or most standard business tiers. The OCR has signaled increasing focus on AI-related breaches for 2026 enforcement, with Corrective Action Plans and Civil Monetary Penalties available for willful neglect (Tier 4, up to $1.9M per violation category per year).

Veladon redacts all 18 HIPAA Safe Harbor identifiers from outbound prompts and logs every event under 164.312(b) audit controls. The detection is AI-narrative-aware — it catches PHI embedded in unstructured clinical prose, not just pattern-matched SSN and MRN. For a 500–2,500 employee healthtech or hospital system, the tool closes the primary AI-related HIPAA failure mode (PHI exfiltration via prompt narrative) while producing the audit artifacts the HIPAA Security Officer owes regardless of LLM-provider BAA status.

Which HIPAA + AI controls matter for employees using public LLMs?

These are the specific articles, controls, or sections that govern the moment an employee pastes data into ChatGPT, Claude, or Gemini. A general-DLP retrofit rarely maps to these by default — Veladon's evidence pack carries the references inline on every log line.

  • 164.308(a)(1)(ii)(A) — risk analysis extended to AI-related PHI handling
  • 164.308(a)(1)(ii)(B) — risk management applied to AI use cases
  • 164.308(a)(3) — workforce training on PHI handling in AI interactions
  • 164.308(a)(5) — audit controls extended to AI activity logging
  • 164.312(b) — audit controls technical safeguard for AI systems
  • 164.502(a) — minimum necessary standard applied to AI prompts
  • Safe Harbor identifiers (164.514(b)(2)) — 18 identifier categories Veladon redacts

Control-by-control mapping · 8 controls

What Veladon evidences for each HIPAA + AI control.

The concrete control-ID to evidence mapping auditors request during fieldwork. Every HIPAA + AI control below is indexed inline on every log line Veladon generates — so the quarterly evidence pack ships pre-sampled for each control.

Control IDRequirementVeladon evidence
HIPAA 164.308(a)(1)(ii)(A)Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.AI-system inventory with PHI-exposure classification per system — ChatGPT (no BAA at consumer/Plus/Team tiers), Claude (BAA available at Enterprise only), Gemini (no BAA at Workspace Business, available at select Enterprise tiers). Feeds the risk analysis directly.
HIPAA 164.308(a)(1)(ii)(B)Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.Redaction evidence — all 18 HIPAA Safe Harbor identifiers redacted from outbound prompts; security measure application log per prompt.
HIPAA 164.308(a)(5)Implement a security awareness and training program for all members of the workforce.Workforce training notice log — per-employee first-use notice delivery with acknowledgment timestamp; policy-refresh notice delivery on dictionary updates.
HIPAA 164.312(b)Audit controls — implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.Prompt-level audit log — employee, timestamp, AI system, redaction categories, policy version. Hash-based event replay. 12+ month retention.
HIPAA 164.502(a)Minimum necessary standard — a covered entity must make reasonable efforts to limit protected health information to the minimum necessary.Minimum-necessary evidence per prompt — raw-vs-redacted delta showing only necessary content crossed the browser boundary, context tag for use-case justification.
HIPAA 164.514(b)(2)Safe Harbor de-identification — 18 identifier categories must be removed for information to be de-identified.Per-prompt redaction evidence across all 18 Safe Harbor categories: names, geographic subdivisions smaller than state, dates, telephone, fax, email, SSN, MRN, health plan account, account numbers, certificate/license, VIN/license plate, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, any other unique ID.
HITECH Breach Notification RuleNotify individuals and HHS in the event of a breach of unsecured PHI.Incident-record template pre-populated with event metadata, unsecured-PHI assessment, notification-clock evidence for 60-day individual notification and 60-day HHS notification (for breaches affecting 500+ individuals) or annual batch (under 500).
HIPAA 164.308(a)(7)Contingency plan — establish policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI.Incident-response playbook for AI-related PHI events with tabletop exercise evidence; partial evidence — covers the AI-specific surface, broader contingency planning is customer-authored.

What lands in your quarterly evidence pack for HIPAA + AI.

Veladon's quarterly evidence pack is structured around the exact artifacts a Big 4 auditor or regulator asks for. The list below is what lands in your /quarterly-exports/ folder 30 days after deployment.

  1. 01Safe Harbor identifier redaction — all 18 HIPAA Safe Harbor identifiers redacted from outbound prompts (names, dates, addresses, phone, fax, email, SSN, MRN, account, license, vehicle, device, URL, IP, biometric, photo, geo-ZIP-3, any other unique ID)
  2. 02Per-prompt audit log under 164.312(b) — employee, timestamp, AI system, redaction categories, policy version
  3. 03Workforce training evidence under 164.308(a)(5) — policy notices displayed to employee on first detection of a new PHI category, with acknowledgment logging
  4. 04Risk analysis artifact under 164.308(a)(1)(ii)(A) — AI system inventory with PHI-exposure classification per system
  5. 05Incident response evidence — if PHI reached an LLM before redaction (e.g., employee paste occurred before extension was updated for a novel format), the event is logged with remediation steps
  6. 06Quarterly HIPAA-aligned evidence pack — supplements the EU AI Act / ISO 42001 pack with HIPAA-specific cross-reference

Implementation playbook · 5 phases · 500 employees in 5–10 business days

How to deploy Veladon for HIPAA + AI in a compressed timeline.

  1. Phase 01

    Risk analysis update

    Month 1 · Weeks 1–2

    Activities

    • Update 164.308(a)(1)(ii)(A) risk analysis to include AI use cases
    • Add AI systems to risk analysis inventory with PHI-exposure classification
    • Deploy Veladon to pilot clinical cohort for discovery
    • Draft AI-specific sections of HIPAA risk analysis

    Artifacts produced

    • Updated risk analysis with AI-specific sections
    • AI-system inventory with PHI-exposure tags
    • Pilot deployment evidence

  2. Phase 02

    Policy + workforce training

    Month 1 · Weeks 3–4

    Activities

    • Author AI Acceptable Use Policy with HIPAA-specific provisions
    • Update workforce training curriculum to cover AI use
    • Configure Veladon for all 18 Safe Harbor identifiers
    • Enable workforce-training-notice delivery under 164.308(a)(5)

    Artifacts produced

    • AI Acceptable Use Policy (HIPAA variant)
    • Updated training curriculum
    • Veladon Safe Harbor policy configuration

  3. Phase 03

    Production rollout

    Month 2

    Activities

    • Full MDM rollout across clinical, administrative, revenue-cycle staff
    • Activate 164.312(b) audit logging
    • Workforce training completion verification
    • Transparency notice to workforce under 164.308(a)(5)

    Artifacts produced

    • 100% deployment evidence
    • Training completion log
    • Notice acknowledgment log

  4. Phase 04

    Operational evidence

    Months 3–5

    Activities

    • Continuous 164.312(b) audit log capture
    • Monthly PHI-handling incident review
    • Quarterly HIPAA-aligned evidence pack generation
    • Tabletop exercise for AI-related breach scenario

    Artifacts produced

    • 3 months operational evidence
    • Monthly incident review log
    • First quarterly pack
    • Tabletop exercise documentation

  5. Phase 05

    OCR-readiness baseline

    Month 6

    Activities

    • Full evidence review against OCR audit-protocol checklist
    • Policy refresh based on operational learning
    • Annual risk-analysis update
    • Executive review of HIPAA + AI governance maturity

    Artifacts produced

    • OCR audit-readiness memo
    • Refreshed policy set
    • Executive governance deck

Concrete use cases · how HIPAA + AI obligations show up in practice

The specific scenarios Veladon covers for HIPAA + AI.

Clinical narrative paste into consumer ChatGPT

A nurse pastes a 200-word discharge summary into consumer ChatGPT to get a plain-language patient-handoff draft. The narrative includes the patient's full name, admission date, MRN, and diagnosis description. Without intervention, this is an unauthorized disclosure to OpenAI (no BAA at consumer tier). Veladon's narrative-aware detector identifies the PHI patterns (name as a pronoun-referent, date within a structured phrase, MRN by regex, diagnosis by clinical-term dictionary) and redacts them before the prompt leaves the browser. The 164.312(b) audit log captures the event; the 164.502(a) minimum-necessary evidence shows the redaction.

Revenue-cycle employee + payer denial review

A revenue-cycle specialist pastes a payer denial letter into Claude Pro (no BAA at Pro tier) to draft an appeal. The letter contains patient name, MRN, payer account number, DOB. Veladon redacts all four fields (names, MRN, account, DOB — 4 of 18 Safe Harbor categories), logs the redaction with hash-based replay capability, and the specialist gets a usable appeal draft from the redacted version. The 164.308(a)(1)(ii)(A) risk analysis artifact shows Claude Pro as a non-BAA tier with PHI-exposure categorized; the 164.312(b) log shows the event.

BAA-covered ChatGPT Enterprise still requires minimum-necessary

A covered entity enrolls in ChatGPT Enterprise with BAA coverage. An employee assumes the BAA eliminates all HIPAA concerns and pastes a full 50-page patient record to get a 1-paragraph summary. The BAA protects OpenAI's handling of PHI but does not relieve the minimum-necessary obligation (164.502(a)). Veladon's minimum-necessary evidence shows what the employee sent vs what was actually needed for the task; the 164.312(b) audit log captures the disproportion. The HIPAA Security Officer can refresh workforce training on the specific incident without naming the employee.

Incident response — PHI reached LLM before redaction

An employee uses a novel PHI format (handwritten note photographed, OCRed, pasted as text) that Veladon's detection did not cover in the current dictionary version. PHI reaches the LLM before redaction. Veladon detects the miss post-hoc via OCR pattern recognition in the prompt buffer, opens an incident record with unsecured-PHI assessment, and starts the HITECH breach-notification clock. The GRC + Security + Privacy Officer team runs the breach-assessment workflow; if the incident is determined to be reportable, 60-day notification to affected individuals plus HHS notification proceeds with full evidence chain.

OCR compliance investigation

OCR opens a compliance investigation after a consumer complaint. OCR requests the risk analysis under 164.308(a)(1)(ii)(A), workforce training records under 164.308(a)(5), audit controls evidence under 164.312(b), and minimum-necessary evidence under 164.502(a). Veladon's evidence set covers all four — the updated risk analysis includes AI-specific sections, training records include AI-specific modules with acknowledgments, audit logs show 12+ months of prompt-level evidence, minimum-necessary delta is per-prompt. The investigation typically closes with procedural documentation updates rather than enforcement action.

Healthtech vendor BAA coverage for LLM integrations

A healthtech vendor integrates Claude into its product for clinician-facing summarization. Anthropic provides a BAA at the Enterprise tier. The vendor's own patient data flows through Claude under BAA; employee personal use of Claude Pro (non-BAA) is prohibited by policy. Veladon enforces the policy: employee prompts to non-BAA tiers are blocked (not just redacted); in-product API calls to Claude Enterprise route through the vendor's API gateway with BAA coverage. Evidence bifurcates cleanly between employee-use (Veladon-logged) and product-use (API-gateway-logged).

Deadline calendar

HIPAA + AI deadlines + audit milestones.

Framework deadline

Rolling (continuous OCR enforcement)

  1. Annual

    Annual risk analysis update

    Update 164.308(a)(1)(ii)(A) risk analysis. Include new AI use cases, new LLM providers, new PHI-exposure surfaces.

  2. Annual

    Annual workforce training

    Refresh workforce training under 164.308(a)(5). Include AI-specific modules with acknowledgment records.

  3. Rolling

    OCR compliance investigations

    Responding to OCR investigations — typical 30–60 day response window for evidence requests.

  4. 60 days from discovery

    HITECH breach notification clock

    Individual notification within 60 days; HHS notification within 60 days (for 500+ individual breaches) or annual batch (under 500).

Why a general DLP retrofit is insufficient for HIPAA + AI evidence.

General DLP tools detect PHI patterns (SSN, MRN) but often miss the AI-specific failure mode: an employee pasting narrative clinical text or a patient's description into a chat prompt — content that contains PHI semantically but not in a classic PII pattern. A classic DLP tuned to SOC 2 / GDPR does not redact 'patient John Doe from Springfield started complaining about chest pain after the Metformin dose' at the narrative level. Veladon's detection is AI-narrative-aware and recognizes the Safe Harbor identifiers embedded in unstructured clinical prose — which is the PHI failure mode in a public LLM prompt.

Questions CISOs ask about HIPAA + AI

Common questions about HIPAA + AI and employee AI use.

Does a clinician pasting a patient note into ChatGPT violate HIPAA?

Yes, almost always. A covered entity employee disclosing PHI to ChatGPT or Claude without a Business Associate Agreement (BAA) in place is an unauthorized disclosure under the Privacy Rule. OpenAI, Anthropic, and Google do not offer BAAs for their consumer or standard business tiers — only specific enterprise tiers with signed HIPAA-scope contracts. Most employees pasting patient notes are using tiers that do not include BAA coverage, making those disclosures HIPAA breaches. Veladon's role is to prevent the disclosure by redacting PHI before the prompt leaves the browser.

What are the 18 HIPAA Safe Harbor identifiers and does Veladon redact all of them?

The 18 Safe Harbor identifiers under 164.514(b)(2) are: names, geographic subdivisions smaller than state (including ZIP codes of 3 digits or fewer), dates more granular than year, telephone numbers, fax numbers, email addresses, SSNs, MRNs, health plan account numbers, account numbers, certificate/license numbers, vehicle identifiers including VIN and license plate, device identifiers and serial numbers, URLs, IP addresses, biometric identifiers, full-face photos and comparable images, and any other unique identifying number or code. Veladon redacts all 18 categories by default, configurable per policy for clinical contexts where narrow disclosure is authorized.

Does ChatGPT Enterprise or Claude Team with BAA make Veladon unnecessary for HIPAA?

No. A BAA from the LLM provider protects the provider's use of PHI — they agree to handle it under HIPAA obligations. It does not cover the employee's decision to disclose PHI beyond the minimum necessary (164.502(a)), nor does it create the audit controls technical safeguard (164.312(b)) within your environment. Veladon evidences the minimum necessary compliance (what the employee sent vs. what reached the LLM), workforce training (164.308(a)(5)), and audit controls — all of which your HIPAA Security Officer owes evidence for regardless of provider BAA status.

What is OCR's current enforcement posture on AI-related HIPAA breaches?

OCR issued guidance in 2024 indicating that PHI disclosures to AI systems without BAA coverage are enforcement targets. In 2025–2026 OCR prioritized risk-analysis findings for organizations that had not updated their HIPAA risk analyses to include AI-related use cases. Enforcement actions typically start with Corrective Action Plans; Civil Monetary Penalties apply for willful neglect (Tier 4, up to $1.9M per violation category per year). A 500–2,500 employee healthcare org with employees using public LLMs without risk-analysis coverage is an OCR-priority target.

How should a hospital or healthtech mid-market stage HIPAA + AI governance?

Pragmatic staging: (1) Risk analysis update — add AI use cases to existing 164.308(a)(1)(ii)(A) risk analysis in month 1; (2) Browser-extension deployment to redact Safe Harbor identifiers from outbound prompts in month 1–2; (3) Workforce training update with AI-specific modules in month 2; (4) Audit control artifacts (164.312(b)) automated via Veladon logs from month 2 onward; (5) Incident response playbook with AI-specific scenarios in month 3; (6) First quarterly HIPAA + AI evidence pack at month 4. This maps to the same 12-week rollout used for EU AI Act with HIPAA-specific overlays.

Tailored FAQ · HIPAA + AI-specific

Additional HIPAA + AI questions Veladon buyers ask.

Does a clinician pasting a patient note into consumer ChatGPT violate HIPAA?

Yes, almost always. A covered entity employee disclosing PHI to ChatGPT or Claude without a Business Associate Agreement (BAA) in place is an unauthorized disclosure under the Privacy Rule. OpenAI, Anthropic, and Google do not offer BAAs for their consumer or standard business tiers — only specific enterprise tiers with signed HIPAA-scope contracts. Most employees pasting patient notes are using tiers without BAA coverage, making those disclosures HIPAA breaches. Veladon prevents the disclosure by redacting PHI before the prompt leaves the browser.

Does ChatGPT Enterprise with BAA make Veladon unnecessary for HIPAA compliance?

No. A BAA from the LLM provider protects the provider's use of PHI — they agree to handle it under HIPAA obligations. It does not cover the employee's decision to disclose PHI beyond the minimum necessary (164.502(a)), nor does it create the audit controls technical safeguard (164.312(b)) within your environment. Veladon evidences minimum-necessary (what employee sent vs what reached the LLM), workforce training under 164.308(a)(5), and 164.312(b) audit controls regardless of provider BAA status.

Does Veladon redact all 18 HIPAA Safe Harbor identifiers?

Yes, by default. All 18 identifier categories under 164.514(b)(2): names, geographic subdivisions smaller than state (ZIP of 3 digits or fewer), dates more granular than year, telephone, fax, email, SSN, MRN, health plan account numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying number or code. Configurable per policy for clinical contexts where narrow disclosure is authorized with explicit patient consent.

What is OCR's current enforcement posture on AI-related HIPAA breaches?

OCR issued guidance in 2024 indicating that PHI disclosures to AI systems without BAA coverage are enforcement targets. In 2025–2026, OCR prioritized risk-analysis findings for organizations that had not updated their HIPAA risk analyses to include AI-related use cases. Enforcement actions typically start with Corrective Action Plans; Civil Monetary Penalties apply for willful neglect (Tier 4, up to $1.9M per violation category per year). A 500–2,500 employee healthcare organization with employees using public LLMs without risk-analysis coverage is an OCR-priority target.

How does Veladon handle AI-narrative PHI that general DLPs miss?

Classic DLPs tuned for SOC 2 and GDPR match PII patterns (SSN regex, MRN format, etc.) but miss the AI-specific failure mode: PHI embedded in unstructured clinical prose. 'Patient John Doe from Springfield started complaining about chest pain after the Metformin dose' contains name, geography, clinical narrative, drug mention — classic DLP does not redact the narrative. Veladon's detection combines pattern matching, named-entity recognition tuned for clinical text, and context-aware phrase detection to catch PHI in narrative form at the AI-surface level.

Can Veladon support a HIPAA-Security-Officer-led annual risk analysis cycle?

Yes. Veladon's AI-system inventory artifact feeds the risk analysis with PHI-exposure classification per system, tenant, and BAA status. The quarterly evidence pack summarizes redaction rates, incidents, workforce training acknowledgments, and audit-control evidence — directly usable as risk-analysis inputs. Most covered entities doing annual HIPAA risk analysis incorporate the Veladon pack as an appendix, substantially reducing the manual assembly work.

Pricing context · 500–2,500 employee deployments

What Veladon typically costs for HIPAA + AI coverage.

For HIPAA + AI coverage at 500–2,500 employees, Veladon lands at $22–32k ACV (mid-market tier) or $45–90k (enterprise tier) with HIPAA-aligned quarterly packs supplementing the core EU AI Act / ISO 42001 / NIST AI RMF pack. For healthcare organizations, the cost of a single OCR Corrective Action Plan (investigation response + remediation + external counsel) typically exceeds multiple years of Veladon at this tier. Civil Monetary Penalties for Tier 4 willful neglect (up to $1.9M per violation category per year) can exceed decades of Veladon cost. The ROI math is asymmetric: the tool pays for itself by preventing a single enforcement event.

Related on Veladon

Need HIPAA + AI evidence on a compressed timeline?

Veladon deploys via MDM in 30 minutes and generates the first evidence pack at day 30. Get the Veladon early-access brief — detailed architecture, detection taxonomy, and HIPAA + AI crosswalk.

Get the HIPAA + AI evidence map