Compliance · 8 min read

AI and HIPAA: What Medical Spas Need to Know

Using AI in your medical spa? Here's how to ensure your AI tools are HIPAA compliant and protect patient data.


Eva AI Team

January 1, 2026

AI is transforming medical spa operations, but with patient data involved, HIPAA compliance isn't optional. Here's what you need to know about using AI while staying compliant.

The good news: AI and HIPAA compliance aren't mutually exclusive. The key is choosing vendors who build compliance into their systems from the ground up.

HIPAA Basics for AI Systems

When AI handles patient communications, it processes Protected Health Information (PHI). Any individually identifiable information tied to care at your practice counts, including:

  • Patient names and contact information
  • Appointment dates and times
  • Services requested or received
  • Health-related questions and concerns
  • Payment information

Any AI system touching this data must meet HIPAA's Privacy, Security, and Breach Notification rules.

The Business Associate Agreement (BAA)

This is non-negotiable: any AI vendor handling PHI must sign a BAA with your practice.

A BAA legally obligates the vendor to:

  • Implement appropriate safeguards for PHI
  • Report any security incidents or breaches
  • Ensure their subcontractors also comply
  • Return or destroy PHI when the relationship ends

Red flag: If an AI vendor won't sign a BAA, they're not appropriate for healthcare use—period.

Security Requirements for AI

HIPAA-compliant AI systems must implement:

Technical Safeguards

  • Encryption: Data encrypted at rest and in transit. The Security Rule does not name an algorithm (encryption is an "addressable" specification), but AES-256 at rest and TLS 1.2+ in transit are the accepted baseline, and a vendor should be able to state exactly what they use
  • Access controls: Role-based permissions tied to unique user IDs (no shared logins), granting only the minimum access each role needs
  • Audit logs: Complete record of who accessed what and when, including denied attempts, retained long enough for review and investigation
  • Automatic logoff: Sessions time out after a defined period of inactivity
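The three safeguards above are easiest to understand together, so here is a small added illustration of how a unique user ID, a role table, an append-only audit trail and an idle timeout combine in a single access check. This is example code written for this page, not Eva AI's implementation; the role-to-permission table, the 15-minute timeout, and the user and resource identifiers are assumed values.

```python
"""Illustration of three HIPAA technical safeguards in one access check:
unique user IDs with role-based permissions, an audit trail that records every
attempt (including denials), and automatic logoff after inactivity.
Added example for this page; not Eva AI's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

# Hypothetical role -> permitted actions table.  Each user has a unique ID
# (no shared "frontdesk" login) so the audit trail names a person.
ROLE_PERMISSIONS = {
    "front_desk": {"appointment:read", "appointment:write"},
    "clinician": {"appointment:read", "chart:read", "chart:write"},
    "billing": {"appointment:read", "payment:read"},
}
IDLE_TIMEOUT = timedelta(minutes=15)   # assumed policy value


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user_id, action, resource, outcome, when):
        # Every attempt is logged, including denials and expired sessions,
        # so a reviewer can see who tried to reach what, when, and the result.
        self.entries.append({
            "ts": when.isoformat(),
            "user": user_id,
            "action": action,
            "resource": resource,
            "outcome": outcome,
        })

    def dump(self):
        # One JSON object per line, suitable for shipping to a log store.
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def access(session, action, resource, log, now):
    """Return True if the request is permitted; always writes an audit entry."""
    # Automatic logoff: an idle session is rejected before any permission check.
    if now - session.last_activity > IDLE_TIMEOUT:
        log.record(session.user_id, action, resource, "denied:session_expired", now)
        return False
    session.last_activity = now
    # Role-based access: the action must be in the role's permitted set.
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        log.record(session.user_id, action, resource, "denied:role", now)
        return False
    log.record(session.user_id, action, resource, "allowed", now)
    return True


def demo():
    """Walk one front-desk user through an allowed read, a role denial and an
    expired session.  Returns (list of results, list of audit outcomes)."""
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    log = AuditLog()
    s = Session(user_id="u-1042", role="front_desk", last_activity=t0)
    r1 = access(s, "appointment:read", "appt/8871", log, t0 + timedelta(minutes=1))
    r2 = access(s, "chart:read", "chart/8871", log, t0 + timedelta(minutes=2))
    r3 = access(s, "appointment:read", "appt/8871", log, t0 + timedelta(minutes=20))
    return [r1, r2, r3], [e["outcome"] for e in log.entries]


if __name__ == "__main__":
    results, outcomes = demo()
    print(results, outcomes)
```

The point to notice is that the audit log has three entries for three attempts, not one: a log that only records successful reads cannot show an auditor who tried to open a chart they were not entitled to, or that a session was reused after it should have expired.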

Administrative Safeguards

  • Risk assessments: Regular security evaluations
  • Employee training: Staff know how to handle PHI
  • Incident response: Documented breach procedures
  • Vendor management: Oversight of subcontractors

Physical Safeguards

  • Data center security: Facilities covered by a SOC 2 report. SOC 2 is an auditor's attestation report, not a certification; a Type II report covers controls operating over a period of months, so ask for the report itself, not just the logo
  • US-based servers: HIPAA itself sets no data-residency requirement, but US-only hosting is a common contractual preference because it keeps the data under one jurisdiction; if you want it, write it into the BAA
  • Workstation and device security: Protected access to the systems and devices that display or store PHI

AI-Specific HIPAA Concerns

Voice Recording and Transcription

If AI records or transcribes calls:

  • Recordings must be encrypted and access-controlled
  • Retention policies must be defined and enforced
  • Patients should be informed calls may be recorded

AI Training Data

How is the AI trained? Patient data should never be used to train AI models unless it has first been de-identified under HIPAA's Safe Harbor or Expert Determination standard (de-identified data is no longer PHI), or the patient has signed an authorization for that use. Ask the vendor which of these applies and how they verify it.
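To make the de-identification requirement concrete, here is an added example (written for this page, not Eva AI's code) of a Safe Harbor-style first pass over a constructed call transcript. It redacts the identifiers that a pattern can reliably catch: dates (keeping the year), ages over 89, phone numbers, emails, SSNs, IP addresses, record numbers and ZIP codes. The regexes, the `[TOKEN]` placeholders and the sample transcript are this example's own choices. Names, street addresses and free-text clues are deliberately left untouched to show why a regex pass alone does not meet Safe Harbor.

```python
"""Safe Harbor-style redaction of common direct identifiers before a call
transcript is used for anything other than treatment, such as model training.
Added example for this page; not Eva AI's code.  It covers only identifiers a
pattern can catch; names, addresses and free-text clues need NLP review or an
expert-determination process, so treat the output as a first pass."""
import re

# Patterns for identifiers that HIPAA's Safe Harbor method (45 CFR 164.514(b)(2))
# requires removing.  Placeholder tokens are this example's convention.
# Over-redaction (e.g. any 5-digit number as a ZIP) is the safer failure mode.
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ID",    re.compile(r"\b(?:MRN|Acct|Account)[ #:]*\d+\b", re.I)),
    ("ZIP",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]
DATE_US = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")     # 3/14/1985
DATE_ISO = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")         # 1985-03-14
AGE = re.compile(r"\b(\d{2,3})[ -](?:years?[ -]old|yo)\b", re.I)


def deidentify(text: str):
    """Return (redacted_text, counts) for the regex-catchable Safe Harbor subset.

    Dates keep only the year; ages over 89 collapse to "90+"; everything else
    becomes a [TOKEN].  counts records how many of each kind were changed."""
    counts = {}

    def tally(key, n=1):
        if n:
            counts[key] = counts.get(key, 0) + n

    def cap_age(m):
        if int(m.group(1)) > 89:
            tally("AGE")
            return "90+ years old"
        return m.group(0)

    # Dates and ages first so their digits are not swallowed by the broader
    # phone and ZIP patterns that run afterwards.
    text, n = DATE_US.subn(lambda m: f"[DATE {m.group(3)}]", text)
    tally("DATE", n)
    text, n = DATE_ISO.subn(lambda m: f"[DATE {m.group(1)}]", text)
    tally("DATE", n)
    text = AGE.sub(cap_age, text)
    for key, pattern in PATTERNS:
        text, n = pattern.subn(f"[{key}]", text)
        tally(key, n)
    return text, counts


# Constructed sample transcript; no real patient data.
SAMPLE = (
    "Caller: This is Jane Doe, DOB 3/14/1985, calling from (555) 867-5309. "
    "My email is jane.doe@example.com, MRN 4471092, ZIP 90210. "
    "My mother is 92 years old and wants the same Botox appointment."
)

if __name__ == "__main__":
    redacted, report = deidentify(SAMPLE)
    print(redacted)
    print(report)
```

Running it on the sample leaves "Jane Doe" in the output while everything else is tokenised; that residual name is exactly the gap a vendor's de-identification process has to close with a named-entity step or expert determination before a transcript is eligible for training.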

Third-Party APIs

Many AI systems use external services (speech recognition, language models). Every subprocessor that can see PHI must be under a BAA, either with you or as a subcontractor BAA with your vendor. A vendor that forwards calls or transcripts to a consumer-tier API has a gap in the chain, whatever its own contract says.

Data Retention

Know how long the AI stores recordings, transcripts and derived data, and ensure it aligns with your retention policies. Require the ability to delete data on request and ask how deletion is confirmed, including in backups.

Evaluating AI Vendors for Compliance

Ask these questions before signing:

  1. "Do you sign BAAs?" Must be yes, provided upfront.
  2. "Where is data stored?" Should match your residency requirements (typically US-based) and be backed by a current SOC 2 Type II report you can review.
  3. "Who are your subprocessors?" They should disclose all third parties.
  4. "What's your breach notification process?" Should be documented.
  5. "Can I get audit logs?" You need visibility into data access.
  6. "How do you handle data deletion?" Should comply with your policies.

Common Compliance Mistakes

  • Using consumer AI tools: The consumer versions of ChatGPT, Siri and Alexa come with no BAA and are not HIPAA compliant. An enterprise or API tier from the same vendor that does come with a BAA is a different product under a different contract; do not assume one covers the other
  • Assuming cloud = compliant: Not all cloud services meet HIPAA requirements, and even a "HIPAA-eligible" cloud only covers the services and configurations named in its BAA
  • Forgetting about SMS: Carrier SMS is not encrypted end to end, so keep PHI out of texts (a reminder with the date and time only, not the service), use a secure messaging channel for anything more, and document the patient's consent to be texted
  • No BAA on file: Using a vendor without a signed BAA is a violation in itself, before any breach occurs
  • Inadequate access controls: Everyone shouldn't see everything; scope access to what each role needs

How Eva AI Handles Compliance

Eva AI is built for healthcare from the ground up:

  • Signed BAA with every customer
  • SOC 2 Type II certified infrastructure
  • End-to-end encryption for all data
  • US-based data centers only
  • Complete audit logging
  • Regular third-party security assessments
  • HIPAA-compliant speech and language processing

The Bottom Line

AI can absolutely be HIPAA compliant—but not all AI is. Before implementing any AI system that touches patient data:

  1. Verify they sign BAAs
  2. Review their security documentation
  3. Understand their data practices
  4. Keep documentation for audits

The efficiency gains from AI are significant, but they're not worth risking HIPAA violations. Choose vendors who take compliance as seriously as you do.

Frequently Asked Questions

Can AI be HIPAA compliant?

AI can be HIPAA compliant if the vendor: 1) signs a Business Associate Agreement (BAA), 2) encrypts all patient data, 3) has proper access controls, 4) maintains audit logs, and 5) trains models only on de-identified data.

Does an AI receptionist need a BAA?

Yes, absolutely. Any vendor that handles Protected Health Information (PHI) must sign a BAA. This includes AI receptionists that take patient names, phone numbers, and appointment details.

Eva AI Team

Medical Spa AI Experts

The Eva AI team combines expertise in healthcare technology, AI, and medical spa operations to help practices thrive with intelligent automation.

