
Tech Caveat: HIPAA-protected documents and AI servers

Updated: Jun 9

Updated 6/9/24 at 5:12 p.m.

Let's say you receive a large stack of medical records in a personal injury case. You're short on time, and you want a quick summary. AI may not be the answer, because it has HIPAA problems.

I tested OpenAI GPT-4o on May 14, 2024, and asked whether it complies with the Health Insurance Portability and Accountability Act for handling protected health information (PHI). The answer: "GPT-4o does not inherently encrypt or protect data specifically according to HIPAA standards during interactions." "Conversations with AI models like GPT-4o are not private or confidential in the way required for handling PHI." "There is no built-in mechanism to log access or control data handling in a manner compliant with HIPAA."

OpenAI does provide some tips to safeguard data when using PHI, including "de-identify data before processing it with AI models to reduce risk of exposure, and work with vendors and AI service providers who explicitly offer HIPAA-compliant solutions."
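To make the "de-identify first" tip concrete, here is an added Python example; it is not code from OpenAI, Anthropic, Google, Microsoft or this post's author. It redacts a handful of HIPAA Safe Harbor identifier classes from a record before any of it would be pasted into an AI service, and it reports what it found so the reviewer can see what was removed. The patterns, the function names, and the sample record are assumptions constructed for the illustration.

```python
import re
from typing import Dict, Iterable, Tuple

# Patterns for a subset of the HIPAA Safe Harbor identifier classes.
# Constructed for this example: Safe Harbor lists 18 classes, and free-text
# names, street addresses and provider details need more than regular
# expressions (typically a dedicated de-identification tool).
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\+1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:\d{4}|\d{2})\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.IGNORECASE),
    "ZIP": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def deidentify(text: str, known_names: Iterable[str] = ()) -> Tuple[str, Dict[str, int]]:
    """Replace identifiers with [TYPE] tokens and count how many of each were found.

    known_names: exact names already known from the case file (client, treating
    physician) that pattern matching alone would leave in place.
    """
    counts: Dict[str, int] = {}
    for name in known_names:
        text, n = re.subn(re.escape(name), "[NAME]", text)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    for label, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def ready_for_upload(text: str) -> bool:
    """True only when none of the patterns still matches the (redacted) text."""
    return not any(p.search(text) for p in PHI_PATTERNS.values())


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = (
    "Patient John Doe, DOB 03/14/1978, MRN 4481290, SSN 123-45-6789, "
    "phone (305) 555-0142, email jdoe@example.com, ZIP 33101. "
    "Seen 05/02/2024 for lumbar strain following motor vehicle collision."
)

if __name__ == "__main__":
    redacted, found = deidentify(SAMPLE_RECORD, known_names=["John Doe"])
    print(redacted)
    print(found, "ready for upload:", ready_for_upload(redacted))
```

Running it on the sample shows the limit of this approach as much as its use: structured identifiers (SSN, dates, MRN, phone, e-mail, ZIP) are caught by pattern, but the patient's name survives unless it is supplied explicitly, and a record full of narrative text will contain names and details no regular expression anticipates. That gap is the reason the second half of OpenAI's tip, using a vendor that offers a HIPAA-compliant service, matters more than redaction alone for a full set of records.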

Also tested was Claude 3 Opus, the high-end AI large language model from Anthropic. When asked, "Is Claude HIPPA compliant," the answer was: "No, I am not HIPAA compliant. As an AI language model, I do not have the necessary safeguards and certifications in place to handle protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA)." The service added, "I cannot directly access, store, or transmit medical records or any other sensitive patient data. My purpose is to provide general information and assistance, but for any tasks involving PHI, it is crucial to use HIPAA-compliant services and tools that are specifically designed to ensure the privacy and security of sensitive medical information. If you require assistance with medical records or health-related queries, I recommend consulting with a healthcare professional or using a platform that is certified as HIPAA compliant."

Moving on to the Gemini service (once known as "Bard"), the following responses were received:

"HIPAA compliant: Gemini for Google Workspace can be HIPAA compliant if your organization has a qualifying Google Workspace edition and signs a Business Associate Agreement (BAA) with Google. This BAA ensures Google meets HIPAA requirements for protecting covered health information.

Not HIPAA compliant: Accessing Gemini through or mobile apps is currently not HIPAA compliant. This is because these versions lack the necessary security and privacy protocols for handling protected health information."

Interestingly, the Microsoft Copilot program offered the following response:

"Please note that while Copilot itself meets HIPAA compliance standards, third-party tools may not. So, exercise caution when integrating external products with your workspace."

Bottom line for now: When using any AI service (and there are many available at the consumer and business levels), be very careful. You may inadvertently be exposing HIPAA-protected health information.

-Mitch Chester

