Zaruda Technology Solutions
[INDUSTRY INSIGHTS]

HIPAA, AI, and the 3 Questions Every Healthcare CTO Should Be Asking Their Vendors

Zaruda Health Practice· 7 min read·December 2024

Most healthcare AI vendors aren't prepared to answer these questions — which is exactly why you need to ask them before signing any contract.

Healthcare AI adoption is accelerating faster than compliance frameworks are evolving. HIPAA was written before large language models existed. The result: a compliance landscape where most AI vendors are making it up as they go, and most healthcare CTOs don't know the right questions to ask.

After working with healthcare systems on AI deployments ranging from prior authorization automation to clinical documentation, we've identified three questions that reveal whether a vendor is genuinely HIPAA-ready or just HIPAA-adjacent.

Question 1: Where Does PHI Live During Inference?

The most important question is also the one most healthcare CTOs don't ask. When a large language model processes a clinical note, insurance claim, or patient communication, that data has to live somewhere during inference — in the model's context window, in temporary storage, in a processing queue.

Ask the vendor: 'Walk me through exactly where protected health information exists at each step of your inference pipeline.' A vendor who is genuinely HIPAA-ready can answer this specifically. Vague answers about 'enterprise security' and 'data encryption' are not answers.

The key thing to listen for: is PHI retained for model improvement? Many AI vendors — even enterprise ones — have terms buried in their agreements allowing them to use customer data to improve their models. For PHI, this is not acceptable without explicit patient authorization.

Question 2: What Is Your BAA Coverage, Specifically?

A Business Associate Agreement is required for any vendor who processes PHI on your behalf. Most large AI vendors will sign a BAA. But BAA coverage varies dramatically in what it actually covers.

Ask the vendor to specify exactly which services and data flows are covered under their BAA. 'The BAA covers our platform' is not a specific answer. You need to know: Does the BAA cover model training data? Inference logs? Support tickets that might contain PHI? Monitoring and observability data?

Question 3: What Is Your Breach Notification Timeline?

HIPAA requires notification of a breach within 60 days of discovery. Most enterprise AI vendors commit contractually to notify within 30-72 hours of their own internal discovery of a breach, and to follow a defined process for notifying the affected covered entities.

Ask the vendor: 'What is your breach notification process, and what is your contractual commitment on notification timeline to us?' Then read the actual contract language. 'We take security seriously' is not a contractual commitment.

These three questions won't catch every compliance risk in an AI deployment — healthcare AI compliance is genuinely complex, and you need legal counsel involved in any significant deployment. But they will quickly separate vendors who are HIPAA-ready from those who are hoping you won't ask.