HIPAA Compliance for Healthcare AI — Audit Controls & Decision Logs
HIPAA 45 CFR 164.312(b) requires audit controls for every AI system touching electronic protected health information. Healthcare AI agents — clinical decision support, prior authorization automation, patient routing, and care documentation — must maintain complete decision records with 6-year minimum retention. Tenet captures decision records, satisfies Security Rule Technical Safeguards, and produces audit-ready logs for OCR investigation — without changing how your agent works. On-premise VPC deployment ensures ePHI never traverses external infrastructure.
HIPAA Technical Safeguard Requirements for AI
45 CFR 164.312(b) requires covered entities and business associates to implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing electronic protected health information. For AI systems, this translates to a specific obligation: every decision that accesses, processes, or generates ePHI must be logged with sufficient detail to reconstruct the activity post-hoc. Standard application logs — server access logs, API call logs, error logs — do not satisfy this requirement because they record infrastructure events, not clinical decisions. An OCR investigator asking whether a prior authorization AI accessed a specific patient's records for a specific authorization decision cannot get that answer from an infrastructure log. The 45 CFR 164.312(b) standard requires logs that capture the decision action: what ePHI was accessed, when, by which AI system, under which clinical criteria, and what the outcome was. Tenet captures all of this at the agent level via Ghost SDK instrumentation, creating the audit trail that satisfies the Security Rule Audit Controls standard.
HIPAA Business Associate Obligations for AI Vendors
If an AI vendor processes, transmits, or creates electronic protected health information on behalf of a covered entity — even transiently during inference, even without persistent storage — they are a Business Associate under HIPAA and require a Business Associate Agreement. This applies broadly to clinical AI: a prior authorization AI that receives a claims record containing diagnosis codes and processes it through an LLM, even temporarily, is processing ePHI and creating BA obligations. A clinical documentation AI that receives physician dictation containing patient information is processing ePHI. A patient routing AI that accesses scheduling records containing clinical information is processing ePHI. The HIPAA Omnibus Rule (2013) made Business Associates directly liable for Security Rule violations — BAs face the same penalty tiers as covered entities. The absence of a BAA where one is required is itself a HIPAA violation, independent of any security incident. AI vendors selling into healthcare must structure their products as HIPAA-compliant BAs with compliant infrastructure before deployment.
HIPAA Penalties for AI Audit Log Failures
HIPAA civil money penalties are structured across four tiers based on culpability. Tier 1 (no knowledge): $100 to $50,000 per violation, annual cap $25,000. Tier 2 (reasonable cause): $1,000 to $50,000 per violation, annual cap $100,000. Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation, annual cap $250,000. Tier 4 (willful neglect, not corrected): $50,000 per violation, annual cap $1.9 million. The per-violation structure is critical for AI systems: OCR may treat each decision record that should have been logged but was not as a separate violation. An AI system making 1,000 prior authorization decisions per day with no audit controls creates up to 1,000 violations per day. The absence of audit controls is systematically categorized as willful neglect by OCR — regulators consider the deliberate omission of required logging infrastructure as conscious disregard, placing all violations in Tiers 3 or 4.
HIPAA Retention and AI Decision Record Lifecycle
The HIPAA Security Rule requires a minimum 6-year retention period for all documentation required by the Security Rule, including audit logs. This 6-year minimum is calculated from the date of creation or last effective date, whichever is later. For AI decision records that remain actively relevant to ongoing patient care — a clinical recommendation that continues to influence treatment decisions — the effective date may extend the retention obligation beyond 6 years. State medical records laws frequently require longer retention periods: California requires 7 years for adult records, 3 years after a minor reaches majority; New York requires 6 years from date of service or 3 years after a minor reaches 18; Massachusetts requires 7 years. Where state law imposes stricter requirements, those apply. Litigation holds in pending or anticipated litigation can extend retention indefinitely for records that are or may be relevant. Tenet records are immutable and retention periods are configurable at deployment to satisfy the strictest applicable jurisdiction.
How Tenet AI Satisfies HIPAA §164.312(b)
Tenet instruments healthcare AI agents with a 2-line Ghost SDK integration that captures every decision, the ePHI data categories accessed, the clinical criteria applied, the reasoning chain, and the outcome. Records are stored in an append-only ledger with SHA-256 integrity verification — records cannot be altered after creation. On-premise VPC deployment means ePHI used in AI decision-making never traverses Tenet's infrastructure — the Reasoning Ledger is deployed inside the covered entity's or BA's network perimeter, satisfying both the Physical Safeguard and Technical Safeguard requirements for ePHI storage. Export functionality produces structured documentation for any investigation period, formatted for OCR examination response. BAA templates are available for covered entities deploying Tenet in HIPAA environments.
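As an added illustration (not Tenet's Ghost SDK or Reasoning Ledger code), a minimal hash-chained, append-only decision ledger in Python: each record carries the elements listed above (timestamp, agent, ePHI categories, criteria, reasoning, outcome) plus the SHA-256 of its predecessor, so verification pinpoints any altered or reordered record, and an export by time window serves an investigation request. All field names, the agent name and the sample values are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed hash-chained decision ledger; not Tenet's Ghost SDK or Reasoning Ledger.
# Field names are assumptions modelled on the 164.312(b) elements the text lists.
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()  # canonical JSON

class DecisionLedger:
    def __init__(self):
        self.records = []  # append-only; persist to write-once storage in practice

    def append(self, ts, agent, action, ephi_categories, criteria, reasoning, outcome):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "timestamp": ts.isoformat(), "agent": agent,
                "action": action, "ephi_categories": sorted(ephi_categories),
                "criteria": criteria, "reasoning": reasoning, "outcome": outcome,
                "prev_hash": prev}  # prev_hash chains this record to its predecessor
        self.records.append({**body, "hash": _digest(body)})
        return self.records[-1]["hash"]

    def verify(self):
        """Return the index of the first altered, reordered or re-chained record, else None."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != _digest(body):
                return i
            prev = rec["hash"]
        return None

    def export(self, start, end):
        """Records inside an investigation window, e.g. the period an OCR request names."""
        return [r for r in self.records if start <= datetime.fromisoformat(r["timestamp"]) <= end]

def demo():
    # Constructed prior-authorization trace: the ePHI access and the decision are logged as
    # separate steps; then one record is altered to show that verification pinpoints it.
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    led = DecisionLedger()
    led.append(t0, "pa-agent-v2", "ephi_access", ["diagnosis_codes", "claims_history"],
               "plan policy PA-17 (constructed)", "retrieved member history", "records_read")
    led.append(t0 + timedelta(minutes=1), "pa-agent-v2", "pa_decision", ["diagnosis_codes"],
               "plan policy PA-17 (constructed)", "criteria 1-3 met, 4 unmet", "pended_for_review")
    intact, in_window = led.verify(), len(led.export(t0, t0 + timedelta(hours=1)))
    led.records[1]["outcome"] = "approved"  # simulated after-the-fact alteration
    return {"intact": intact, "in_window": in_window, "tampered_at": led.verify()}
```

The in-memory list stands in for the write-once storage a deployment would use; the chain check is what lets an auditor trust that exported records match what was written at decision time.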
Clinical AI Use Cases Requiring HIPAA Audit Controls
HIPAA audit control obligations apply to any AI system touching ePHI in any role — not just primary decision-making AI. Clinical decision support systems that recommend diagnoses or treatments: the AI accesses patient records containing ePHI and produces recommendations affecting care — every recommendation is a logged event. Prior authorization automation that accesses patient history: PA decisions affect access to care and create adverse action obligations with separate state law requirements. AI clinical documentation assistants that process physician dictation: transcription and summarization of clinical notes containing ePHI creates BA obligations and requires audit logging of every document processed. Patient routing and triage agents that access scheduling or clinical records: routing decisions can constitute consequential decisions affecting patient access to care. Care gap identification tools that analyze claims or clinical records for intervention opportunities: population health AI accessing ePHI at scale requires particularly robust audit infrastructure. Each step where ePHI is accessed must be logged independently — it is not sufficient to log only the final patient-facing output.