
Since HIPAA has existed, it has managed a well-defined structure for what is considered protected health information, or PHI, thanks to the 18 identifiers of PHI.
Does HIPAA Allow PHI in AI Tools?
This happens to be guidance from the government that (*GULP* ... The Terror! No way, really? Yes, way) is actually useful. That is, until, as only the government could do, you reach the bottom of your list of 18 identifiers of PHI and find a 19th identifier sandwiched in there.
The point ends up being a bit lost when the last of many bullet points in a long, legal list of requirements says...
"Yeah, yeah, I know. There's 18 really cleanly laid out explanations above me that many people worked hard on to structure in this efficient way, but I'm calling an audible! That's right, from here on out I'm the big kahuna around here because I take the wind out of each of your 18 identifier sails. I basically say - Drum Roll Please - 'That anything else not part of the 18 identifiers can still be reasonably used as, you guessed it, folks - An Identifier!!'"
Excuse me, I heard you but still must reply with at least a, "HUH?!" on that dumpster fire of bureaucracy. But I digress.

The 18 Identifiers of PHI Under HIPAA

The 18 identifiers of PHI, as defined under HIPAA, are:
- Names - Whether full name, or last name with initials.
- Geographic details - Any subdivision smaller than a state, including street addresses, cities, counties, and zip codes.
- Dates unique to the patient - All elements of dates (except year) directly related to the individual, such as birth dates, admission or discharge dates, and dates of death.
- Persons aged over 89 years - A limited enough segment of the population that they become their own identifier.
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometrics - Fingerprints, voiceprints, and similar data.
- Images - Full-face photos and comparable images.
These identifiers come directly from the HIPAA Privacy Rule at 45 CFR 164.514(b)(2). If any one of them appears alongside health information, it is PHI. Period.
And then there is the catch-all. Any other unique identifying number, characteristic, or code. That is identifier number 19 hiding at the bottom of the list. It means that even if you strip out all 18 identifiers above, the combination of remaining details can still qualify as PHI if it could reasonably identify a person.
This is the part that matters for AI. Staff think removing a name makes data safe. HIPAA de-identification does not work that way.
What This Looks Like in an AI Prompt

A made-up story to further the idea along in your mind's eye
You fell behind on sending in claims and plan to stay late to catch up. You know you shouldn't install software without Compliance Officer approval on your work computer, but if Claude can help with some of this work, everyone gets to go home and catch a warm dinner. So, you upload a few spreadsheets into Claude that contain PHI.
The next morning, as you sip your coffee on the way to your workstation, you notice a few police officers occupying your cubicle space. The window nearest your computer has been smashed and your work laptop was stolen before the perpetrator was apprehended.
"Did I ever fully turn my computer off last night when I left? I think I did, but I was so tired. Uh-oh," you think to yourself.
The officers inform you that, unfortunately, the computer did not ever fully power off. The light from the computer caught the burglar's attention. They swiped the laptop, and it now stands to reason that all that PHI in your Claude conversation is staring them in the face. It was the only application open besides the billing software. Oh no, that means this person just needs to scroll up in Claude to read your prompts and they will obtain all of these people's information.
See how this can go from moderately bad idea, to quite a bad idea, to possibly willful neglect that quickly?
This is exactly what a HIPAA risk assessment is supposed to catch before it happens. Devices that access PHI need disk-level encryption. Applications that touch PHI need a Business Associate Agreement. And staff need to know what counts as PHI in the first place.
What Your Staff Needs to Know
First, training is needed so the staff understands just what identifiers are. Most employees have never seen the list of 18. They assume PHI means a medical record or a lab result. It is much broader than that.
Second, it is vital to take extreme care when multi-tasking around PHI. This is how you hand someone the wrong medical record. Trust me, you don't need the headache.
Last, fess up to any mistakes that contributed to this incident immediately. This is one of those things where you're only in trouble when you don't tell us. A breach response plan only works when people report what happened.
AI Platform HIPAA Status in 2026
Not all AI platforms are equal from a HIPAA compliance perspective. Here is where the major platforms stand as of mid-2026:
| Platform | BAA Available? | HIPAA-Compliant Plan | Uses PHI for Training? | Notes |
|---|---|---|---|---|
| ChatGPT (Free/Plus/Team) | No | No | May be used | Do NOT use with PHI |
| ChatGPT Enterprise | Yes (limited) | With BAA in place | No | Verify scope of BAA before use |
| ChatGPT for Healthcare | Yes | Yes | No | Launched January 2026; built for healthcare |
| Microsoft Copilot (M365 E3/E5) | Yes (via Microsoft) | With existing M365 BAA | No | Covered under standard Microsoft BAA |
| Claude for Enterprise (Anthropic) | Yes | With BAA in place | No | Verify current BAA terms with Anthropic |
| Google Gemini for Workspace | Yes (via Google) | With existing Google HIPAA BAA | No | Must enable HIPAA-compliant workspace settings |
| Generic or free AI tools | No | No | Often yes | Never use with PHI |
This table reflects publicly available information as of mid-2026. AI platform HIPAA compliance status is changing rapidly. Verify current BAA availability and terms directly with each vendor before use.
A BAA is necessary but not sufficient. Even with a valid Business Associate Agreement, your organization must implement workforce training on which AI tools are approved for PHI use, policies specifying when AI may and may not be used with patient data, and audit logging requirements for AI-assisted workflows involving ePHI.
Can You Remove PHI and Use Public AI Tools?
One workaround healthcare organizations consider: strip the identifying information from data before using a public AI tool, thereby making it no longer PHI. This approach can work, but the bar is higher than most organizations realize.
HIPAA recognizes two methods for valid de-identification:
- Expert Determination - A qualified statistical expert determines that the risk of identifying an individual is very small, and documents the analysis.
- Safe Harbor - Remove all 18 identifiers listed above AND have no actual knowledge that the remaining information could identify an individual. This includes not just names and SSNs but also geographic data smaller than state level and any unique identifying codes.
Why manual de-identification is harder than it sounds:
Clinical text often contains identifiers that are easy to miss. A note that says "the 67-year-old male from rural Vermont presenting with..." may still be re-identifiable even after you remove the name and date of birth. The combination of age, gender, geography, and a rare diagnosis can narrow identification to a single person.
For simple, structured data where you can systematically verify identifier removal, de-identification before using public AI is a legitimate approach. For free-form clinical text, the risk of missed identifiers is high enough that HIPAA-compliant AI platforms with BAAs are the safer path.
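To make the "67-year-old male from rural Vermont" problem concrete, here is an added example (not code from the article or from One Guy Consulting) that measures how many records share the same combination of leftover attributes once the 18 identifiers are gone. The smallest group size is the dataset's k-anonymity; a record with k = 1 is unique and therefore re-identifiable. It then applies two Safe Harbor style generalizations from the list above (ages over 89 collapsed to one category, geography reduced to state level) plus decade age bands, and shows that a rare diagnosis can still leave a record unique. The records, counties and diagnoses are constructed for the example.

```python
"""
Quasi-identifier uniqueness (k-anonymity) check for "de-identified" records.

Added example, not from the original article. The dataset is constructed:
name, DOB and MRN have already been removed, but age, sex, county and
diagnosis remain. County is below state level, so this is not even Safe
Harbor compliant yet; the generalize() step fixes that and still leaves
one record unique because of its rare diagnosis.
"""
from collections import Counter

RECORDS = [
    {"age": 67, "sex": "M", "geo": "Orleans County, VT", "dx": "Creutzfeldt-Jakob disease"},
    {"age": 34, "sex": "F", "geo": "Chittenden County, VT", "dx": "Type 2 diabetes"},
    {"age": 36, "sex": "F", "geo": "Chittenden County, VT", "dx": "Type 2 diabetes"},
    {"age": 38, "sex": "F", "geo": "Chittenden County, VT", "dx": "Type 2 diabetes"},
    {"age": 52, "sex": "M", "geo": "Washington County, VT", "dx": "Hypertension"},
    {"age": 55, "sex": "M", "geo": "Rutland County, VT", "dx": "Hypertension"},
    {"age": 91, "sex": "F", "geo": "Addison County, VT", "dx": "Hypertension"},
    {"age": 94, "sex": "F", "geo": "Addison County, VT", "dx": "Hypertension"},
]

# The attributes that remain after identifier removal and can be combined
# to single someone out. Diagnosis is not one of the 18, but it still counts.
QUASI = ("age", "sex", "geo", "dx")


def k_anonymity(records, keys):
    """Return (k, counts): k is the smallest number of records sharing one
    quasi-identifier tuple; counts maps each tuple to its group size."""
    counts = Counter(tuple(r[key] for key in keys) for r in records)
    return min(counts.values()), counts


def unique_records(records, keys):
    """Records whose quasi-identifier combination appears exactly once (k == 1)."""
    _, counts = k_anonymity(records, keys)
    return [r for r in records if counts[tuple(r[key] for key in keys)] == 1]


def generalize(record):
    """Coarsen a record the way Safe Harbor requires, plus decade age bands:
    - ages over 89 collapse to a single '90+' category (the over-89 rule);
    - all other ages are bucketed to a decade ('60s');
    - geography is cut down to the state (no subdivision smaller than a state);
    - diagnosis is left untouched, which is exactly why it stays a problem."""
    age = record["age"]
    age_band = "90+" if age > 89 else f"{(age // 10) * 10}s"
    state = record["geo"].split(",")[-1].strip()  # 'Orleans County, VT' -> 'VT'
    return {"age": age_band, "sex": record["sex"], "geo": state, "dx": record["dx"]}


if __name__ == "__main__":
    k_raw, _ = k_anonymity(RECORDS, QUASI)
    print(f"raw records:  k = {k_raw}, unique rows = {len(unique_records(RECORDS, QUASI))}")
    generalized = [generalize(r) for r in RECORDS]
    k_gen, _ = k_anonymity(generalized, QUASI)
    print(f"generalized:  k = {k_gen}, unique rows = {len(unique_records(generalized, QUASI))}")
    for r in unique_records(generalized, QUASI):
        print("still unique after generalization:", r)
```

Every raw row is unique (k = 1) because exact ages differ. After generalization the diabetes and hypertension rows fold into groups of two or three, but the single Creutzfeldt-Jakob row stays a group of one, so the dataset as a whole is still k = 1. That is the gap between "I removed the 18 identifiers" and "no actual knowledge that the remaining information could identify an individual": the second half of Safe Harbor is a judgement about combinations, and an Expert Determination typically sets a minimum k and suppresses or further generalizes the rows that fall under it.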
Bottom Line
- AI is still lacking nuance with regard to privacy and shouldn't be handed PHI without exhaustive model training beforehand.
- Don't put PHI into an unapproved app on your work computer.
- It probably won't be long before AI is ingrained in the day-to-day of every healthcare worker's routine, but wait until your Compliance Officer tells you that day has come. Until then, try to only use such tools off-campus.
- If you are not sure whether something counts as PHI, assume it does. Do not paste it into any AI tool.

Does HIPAA ban the use of AI inside of systems which contain PHI?
Not explicitly. AI is a relatively new phenomenon, so it missed the year HIPAA was passed by a good three decades. However, part of the beauty of HIPAA being so confusing is thanks to its broad wording, it kind of functions like the elastic clause. Safeguards implemented will hopefully apply to new technologies emerging. When Anthropic finally builds the Terminator, though, all bets will be off.
We have a specialized AI for medical care that gets fed PHI. Our vendor says it's compliant and passed our vendor risk analysis. Is that good enough?
Here's how to ensure health data privacy stays private in a case like this. First, ensure you have executed a BAA with this third party. Then, send them a vendor risk questionnaire. This audit will tell you whether they have basic technical protections in place.
You also have to set up the computer this AI is used on properly. The device must be encrypted at the disk level. In Windows, use BitLocker. On a Mac, use FileVault. These handle what is called "data at rest" encryption. They do not encrypt what is called "data in transit." Be sure to confirm whose responsibility it is to encrypt data in transit and that it is enabled and working properly. For more detail, see our guide on HIPAA encryption requirements.
Long story short, implement what is mentioned above and always ensure that proverbial AI company can uphold what's in a BAA, not just sign one.
What do I do if I need to download software that was previously not approved for work in my organization?
Don't take it upon yourself to download anything before speaking with your Compliance Officer, but if they see no harm in acquiring this application, getting approval shouldn't set you back more than 10 minutes.
One Guy Consulting
One Guy Consulting helps organizations of all types interpret the HIPAA rules and apply them to their business model in a safe, modern, and efficient manner. Learn more about becoming HIPAA compliant by booking a demo with Chuck.
Thanks for stopping by and reading this article. Please let us know if we can assist you in HIPAA matters of any sort and it will be our pleasure to assist.
Related Reading
- HIPAA Privacy Rule Requirements - The foundation for understanding what PHI is and how disclosure rules work
- HIPAA De-Identification Requirements - What actually makes data de-identified under HIPAA and why removing a name is not enough
- ePHI Access Control Best Practices - How to control who can reach sensitive data across your systems
- HIPAA Encryption Requirements 2026 - What the current standard looks like for data at rest and in transit
- HIPAA Risk Assessment Guide - How to identify and document exposures like AI tool use in your risk program
- Business Associate Agreement Guide - Everything you need to know about BAAs with AI vendors and other third parties
- HIPAA Fines Increased for 2026
- The Risk of Compliance Badges
- HIPAA Compliance Checklists
Frequently Asked Questions
Can I use ChatGPT for HIPAA-covered work?
It depends on the version. Free, Plus, Team, and Business ChatGPT plans are not HIPAA compliant and must not be used with PHI. ChatGPT Enterprise offers a BAA with limited scope. ChatGPT for Healthcare, launched January 2026, is designed specifically for healthcare and includes a BAA with appropriate safeguards. Always verify current BAA terms directly with OpenAI before using any version with PHI.
What happens if an employee accidentally enters PHI into ChatGPT?
If an employee enters PHI into a non-compliant AI tool, it constitutes an impermissible disclosure of PHI. You must conduct a four-factor breach risk assessment under the Breach Notification Rule. Document the incident, retrain the employee, and review whether your AI usage policies and technical controls need strengthening. A single accidental disclosure with low breach probability may be manageable, but a pattern of the same incident suggests a systemic training or policy failure.
Is de-identification enough to use public AI tools with patient data?
It can be, but the standard is higher than most people assume. HIPAA Safe Harbor de-identification requires removing all 18 specific identifiers. For free-form clinical text, complete de-identification is difficult because combinations of age, geography, and rare diagnoses can still identify individuals. For structured data with systematic identifier removal, de-identification is viable. For clinical narrative text, HIPAA-compliant AI platforms with BAAs are lower risk.
What are examples of PHI in AI prompts?
Common examples include pasting clinical notes containing a patient name or date of birth, asking AI to draft a prior authorization letter with diagnosis codes and member IDs, forwarding a patient complaint email that includes the patient email address and health complaint, or asking AI to summarize chart notes with identifiers in the header. The test is whether the prompt contains any of the 18 HIPAA identifiers combined with health, healthcare, or payment information.
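The test in the answer above (one of the 18 identifiers plus health, healthcare or payment information) can be turned into a tripwire that runs before a prompt leaves the workstation. The following is an added example, not code from the article or from any AI vendor: it pattern-matches the identifiers that have a recognizable shape (SSN, phone or fax, email, dates, IP address, URL, and a hypothetical "MRN 1234567" chart-number format that is an assumption of this example) and blocks the prompt when any of them appears next to health or payment vocabulary. Names, biometrics, images and free-text quasi-identifiers have no regular shape and are not caught, so an "allow" verdict is not a de-identification determination. The sample prompts are constructed.

```python
"""
Pre-submit screen for pattern-shaped HIPAA identifiers in an AI prompt.

Added example, not from the original article. Heuristic only: it catches
identifiers with a fixed shape and flags them when health/payment context
is present. It cannot see names, photos, voiceprints or quasi-identifiers.
"""
import re

# Identifier patterns, deliberately broad. The MRN format is an assumption
# for this example; real chart-number formats vary by organization.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{5,}\b", re.IGNORECASE),
}

# A phone number in a lunch order is not PHI; the same number tied to a
# diagnosis, claim or chart is. These words supply the "health" half.
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|patient|discharg\w*|admit\w*|prescri\w*|lab result\w*|"
    r"claim\w*|prior auth\w*|ICD-?10|CPT|member id|chart|symptom\w*|treatment)\b",
    re.IGNORECASE,
)


def find_identifiers(text):
    """Return {identifier_type: [matched strings]} for every pattern that fires."""
    found = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def screen_prompt(text):
    """Classify a prompt and return (verdict, identifiers_found).

    block  : identifier(s) present together with health/payment context -> treat as PHI
    review : identifier(s) present but no health context detected -> a human decides
    allow  : no pattern-shaped identifier found (names etc. may still be present)
    """
    found = find_identifiers(text)
    if not found:
        return "allow", found
    if HEALTH_TERMS.search(text):
        return "block", found
    return "review", found


# Constructed sample prompts covering each verdict.
SAMPLES = [
    "Summarize this chart: MRN 4471920, DOB 03/14/1957, patient admitted with chest pain.",
    "Draft a prior auth letter for member ID 99812, ICD-10 E11.9, fax to 802-555-0142.",
    "Call me back at 802-555-0199 about lunch.",
    "Rewrite this paragraph about our clinic's holiday hours to sound friendlier.",
]

if __name__ == "__main__":
    for prompt in SAMPLES:
        verdict, found = screen_prompt(prompt)
        print(f"{verdict:6s} {sorted(found)}  <- {prompt[:60]}")
```

The first two prompts are blocked (chart number plus date with "patient" and "admitted"; fax number with "prior auth", "ICD-10" and "member ID"), the lunch callback is routed for review because a phone number with no health context is not PHI on its own, and the holiday-hours request passes. Run as a hook in whatever approved tool staff actually use, this turns the "assume it is PHI" rule from the Bottom Line into something that fires before the paste, rather than after the breach assessment.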