HIPAA AI Security
HIPAA AI security: a guide for healthcare developers
This guide is for engineering teams at healthcare companies who are building AI features that handle patient data. It covers the security layer that HIPAA compliance frameworks don't address: how to build an AI stack that's not just auditable but genuinely difficult to compromise, and how to govern AI usage across a team that's actively shipping with PHI.
HIPAA regulations tell you what the law requires. This guide covers what's necessary, which is a different question. The two overlap, but the overlap isn't complete in either direction.
Aptible builds and operates HIPAA-compliant infrastructure for digital health companies. The guidance here reflects what we've implemented in platform code, what we've seen break in production, and what HITRUST auditors actually check.
Chapters in this guide
| Chapter | What it covers |
|---|---|
| | The threat model for healthcare AI, the controls that matter most, and a tiered checklist of what to implement before PHI touches your stack |
| | Why a single shared API key per provider is a governance failure, and how to organize keys by scope, environment, and use case |
| | What HIPAA requires from LLM audit logs, what security operations requires beyond that, and how to know when your logging has silently stopped working |
| | De-identification as defense in depth beyond BAA coverage, including NLP-based approaches for unstructured clinical text and production token mapping |
| | Why developers use unsanctioned AI tools despite policies against it, what HIPAA exposure that creates, and how to make the compliant path frictionless |
| | How to assess your actual prompt injection exposure by use case and what mitigations are proportionate, including indirect injection in clinical document processing |
| | What changes when your LLM can take actions in clinical systems, and what HIPAA compliance requires from agent audit logging and permission architecture |
| | What HIPAA, GDPR, the Australian Privacy Act, and Canadian privacy law each actually require at the LLM infrastructure level |
Start here if you're new to HIPAA compliance for AI
This guide assumes familiarity with the HIPAA compliance baseline: BAA requirements, what PHI is and isn't, and the basic audit logging standard. If you're starting from scratch, begin with HIPAA-Compliant AI: What Developers Need to Know before this guide.
The full HIPAA guide covers encryption, access controls, breach notification, and the compliance requirements across the HIPAA Security and Privacy Rules, organized around what auditors check. The AI security guide covers what's needed beyond that baseline for teams building with LLMs.
Aptible AI Gateway implements several of the controls in this guide (scoped key management, model access controls, BAA coverage, and audit logging) at the infrastructure level rather than in application code. The guide covers the DIY implementation for each; the gateway is the managed path for teams that don't want to build and maintain the infrastructure themselves.
548 Market St #75826 San Francisco, CA 94104
© 2026. All rights reserved. Privacy Policy