Five things your EHR’s AI assistant is quietly reading right now — and what HIPAA actually says about each.
Every AI vendor selling into healthcare says the same thing: HIPAA-ready. It’s on the homepage, the sales deck, the security questionnaire. And it’s usually true, in the narrow sense that the vendor has signed the right paperwork and encrypted the right database.
But “HIPAA-ready” describes the vendor. It says nothing about what happens once that tool is wired into your EHR, reading real patient data, in real time, across real workflows. That’s a separate question — and it’s the one most health systems haven’t answered yet.
Here are five places AI is already touching PHI inside a typical hospital, what’s actually permitted at each one, and where the gap between “compliant product” and “compliant deployment” tends to open up.
1. The Ambient Scribe Is Recording the Whole Room
Ambient AI scribes listen to the patient encounter and draft the note. That’s the value proposition — less typing, more eye contact. It also means the microphone is on for everything said in the room: the patient’s symptoms, but also the name of the family member who drove them in, the medication they admit to skipping, the offhand comment about a second opinion at another hospital.
HIPAA permits this as treatment documentation. What it doesn’t waive is consent and disclosure. In January 2026, a patient sued Sharp HealthCare alleging an ambient AI scribe recorded his visit without his knowledge. In April 2026, Sutter Health and MemorialCare were named in a similar class action — the complaint alleges the AI system auto-inserted consent language into the record claiming patients had agreed to recording when they hadn’t.
The technology wasn’t the problem. The workflow around it — who discloses what, when, and how that’s documented — was. A 2026 JAMA study found 79% of physicians offered ambient tools declined to use them, and many are quietly going back to dictating notes after the patient leaves the room.
What AI can touch: the clinical conversation, for the purpose of documentation.
What it can’t do on its own: establish consent. That’s a workflow and EHR-configuration problem, not a model problem.
2. The FHIR Agent Pulls More Than It Was Asked For
An AI agent built on FHIR can query a patient’s record the way a human user would — pull medications, problem list, recent labs, scheduling. That’s the whole point of FHIR: structured, queryable access across systems.
The catch is scope. A prior-authorization agent that needs to confirm a single diagnosis code for a single claim can technically query the entire longitudinal record — including unrelated conditions, behavioral health notes, or substance use history that carries extra protection under 42 CFR Part 2. HIPAA’s minimum necessary standard says the agent should only see what it needs for the task. Most FHIR scopes, as configured out of the box, don’t enforce that distinction.
What AI can touch: structured clinical data via standard FHIR resources, with proper authorization scopes.
What it can’t do by default: limit itself to “minimum necessary” unless someone designs the scope that way. That’s an integration decision, made once, that then governs every query after.
3. Scheduling Data Carries More PHI Than It Looks Like
A scheduling assistant seems low-risk — it’s just calendars. But a scheduling record often includes the reason for visit, the referring provider, an emergency contact, sometimes a note like “patient’s daughter will accompany — discuss prognosis privately first.” All of that is PHI, and it’s often the least access-controlled data in the EHR because nobody thinks of the scheduling module as a privacy surface.
An AI tool that automates appointment reminders, no-show prediction, or rebooking is processing this data continuously. If that tool sits outside the BAA covering the core EHR — a separate scheduling SaaS, a marketing automation platform — the PHI may be leaving the covered entity’s compliance boundary without anyone flagging it as a PHI export.
What AI can touch: scheduling and logistics data, for operational purposes.
What it can’t assume: that scheduling data is “low sensitivity” just because it lives outside the clinical chart.
4. Billing Codes — and Whatever Gets Typed Into the Free-Text Field Next to Them
Billing and coding AI is one of the most mature use cases: suggesting ICD-10 codes, flagging documentation gaps, predicting denials before submission. The structured fields — codes, modifiers, amounts — are exactly what these tools are built to read, and that’s well within HIPAA’s payment and operations carve-outs.
The risk sits in the free-text fields next to them. Billing staff routinely paste clinical notes, appeal letters, or claim correspondence into “comments” fields that were never designed to hold PHI — and those fields often aren’t excluded from what an AI coding assistant ingests. A Social Security number, a patient’s full name and diagnosis in a denial appeal, or a payer’s internal case notes can end up inside a model’s context window simply because nobody scoped the free-text fields out.
What AI can touch: structured billing and claims data for payment operations — squarely permitted.
What it can’t be assumed to handle correctly: unstructured free text adjacent to that data, unless someone has explicitly reviewed what’s actually in those fields.
5. The Prompt Itself — Where Does It Go?
This is the one most healthcare AI conversations skip entirely. Every time a clinician, biller, or AI agent sends a prompt that includes patient information, that prompt — and the model’s response — is PHI in transit and at rest, wherever it lands.
Two questions determine whether that’s a problem:
- Is the model vendor covered by a BAA? Without one, sending PHI to a third-party model is a HIPAA violation regardless of how secure the vendor’s infrastructure is.
- Is the prompt logged, and for how long? 45 CFR 164.312(b) requires an audit trail for PHI access — but “audit trail” and “indefinite retention of every prompt containing patient data” are not the same thing. The minimum necessary standard applies to logs too.
What AI can touch: PHI in a prompt, if the vendor relationship is structured correctly — BAA in place, logging scoped to what’s required, retention defined.
What it can’t do: make that structure exist by itself. That’s a contracting and architecture decision made before the first prompt is ever sent.
The Pattern Across All Five
None of these are stories about AI doing something HIPAA prohibits. In every case, the underlying access is permitted — treatment, payment, or healthcare operations cover most of it. What’s missing is the layer that decides how much, for how long, and with what disclosure — the layer that sits between “the model is allowed to see this” and “the model only sees what it needs, for as long as it needs it, and the patient knows.”
“HIPAA-ready” describes what a model is allowed to do. It says nothing about what it actually does inside your EHR.
That’s not a model problem. It’s an integration and governance problem, and it’s the same one we wrote about when Claude for Healthcare launched in January 2026.
Anthropic’s Claude for Healthcare shipped with HIPAA-ready infrastructure, FHIR agent skills, and direct connectors to the CMS Coverage Database, ICD-10 codes, and the National Provider Identifier registry — built for exactly the workflows above: prior auth, coding, claims, chart review. Elation Health’s early deployment cut chart review time by 61%.
That’s a real capability shift. It’s also, by design, a platform — not a configuration. The FHIR scopes still need to be defined. The free-text fields still need to be audited. The consent workflow for an ambient tool still needs to exist before the tool is switched on. “HIPAA-ready” describes what the model is allowed to do. What it actually does inside your EHR depends on the integration layer your team — or a technical partner — builds around it. That’s also the lens we used when we mapped what it takes to connect an AI agent to an EHR via FHIR.
That’s the layer Itirra builds: the part between a HIPAA-ready model and a compliant deployment.
FAQ
Is it a HIPAA violation for an AI tool to read patient data in the EHR?
Not by itself. Treatment, payment, and healthcare operations all permit AI access to PHI under HIPAA. The risk comes from how much data the tool can reach, how long it’s retained, and whether the patient was told — not from the access itself.
Do ambient AI scribes require patient consent?
HIPAA permits ambient documentation as part of treatment, but several 2026 lawsuits allege patients weren’t told they were being recorded. Consent and disclosure are a workflow decision, separate from whether the underlying tool is HIPAA-ready.
What is the “minimum necessary” standard for AI and FHIR access?
It’s the HIPAA requirement that any access to PHI — including by an AI agent — be limited to what’s needed for the task. Most FHIR API scopes don’t enforce this automatically; it has to be designed into the integration.
Does sending PHI to an AI model require a Business Associate Agreement (BAA)?
Yes. If a model vendor processes PHI — including PHI embedded in prompts — without a signed BAA, that's a HIPAA violation regardless of the vendor's security infrastructure.
Start the conversation
Know which of these five touchpoints exist in your environment — but not what’s actually governing them?
That’s the integration layer we build: FHIR scopes, consent workflows, audit trails, and the contracting that has to be in place before the first prompt is sent.
Sources
- Anthropic Launches Claude for Healthcare — Fierce Healthcare
- Claude connects to more healthcare data under security oversight — Help Net Security
- 18 HIPAA Identifiers for PHI De-Identification — Censinet
- De-identification of PHI: 2026 Update — HIPAA Journal
- Sutter Health, MemorialCare face class action over AI scribe use — TechTarget
- AI Scribes Recording Doctor Visits, Major Lawsuit — Medical Daily
- Patients Sue Two More Health Systems Over AI Scribe Use — Medscape