HIPAA and GDPR AI compliance claims: what should buyers ask?
Last reviewed June 2, 2026
HIPAA-compliant and GDPR-safe AI claims compress privacy, security, vendor-role, and data-flow questions into single phrases. This guide turns HHS/OCR and EDPB source context into evidence needed and buyer questions for healthcare and EU-facing AI product copy.
Fastest path: copy one exact vendor sentence that matches this pattern, then open the checker. Add the public URL only if you want readable page context recorded alongside the wording. The result is an evidence-burden note you can reuse in vendor follow-up or internal review, not a verdict. Not sure what a result looks like? See a sample receipt.
What to verify before you rely on the claim
- The exact HIPAA-related claim text and the page where it appears.
- The vendor role: covered entity, business associate, subcontractor, or neither.
- A PHI or e-PHI data-flow description covering inputs, outputs, storage, model use, logs, and support access.
Sources behind HIPAA-compliant AI claims
- HHS/OCR misleading HIPAA marketing claims page HHS/OCR guidance· Content last reviewed July 26, 2013
Source for product-level HIPAA status, HHS/OCR endorsement, and required-material wording.
- HHS/OCR Guidance on Risk Analysis HHS/OCR guidance· Content last reviewed September 26, 2025
Source for e-PHI risk analysis, safeguards, and security-scope evidence.
- HHS/OCR complaint intake and review page HHS/OCR guidance· Content last reviewed November 20, 2023
Source for covered entity and business associate role boundaries.
- HHS/OCR Complete P.T. resolution page HHS/OCR enforcement· Content last reviewed February 12, 2016
Source for marketing and testimonial workflows that involve patient information.
- · Endorsed by EDPB on May 25, 2018
Source for GDPR Article 22 automated decision-making rights, required safeguards, and meaningful information obligations for AI systems.
- GDPR Articles 22 and 35 — EUR-Lex (Regulation 2016/679) EUR-Lex / EU standard· In force from May 25, 2018
Source for Article 22 right not to be subject to solely automated decisions, and Article 35 Data Protection Impact Assessment requirements.
Documented HIPAA-compliant AI claims examples
"HIPAA compliant"
Compliance / Safety- Source and date
- HHS/OCR misleading marketing claims page · Content last reviewed July 26, 2013
- Evidence signal
- Product-level HIPAA wording without role, data-flow, or safeguard scope.
- Evidence gap
- A buyer needs the vendor role, whether PHI or e-PHI is created, received, maintained, or transmitted, the BAA position, risk analysis, safeguards, and exclusions.
- Buyer question
- For the HIPAA compliant AI claim, what role does the vendor play and what PHI or e-PHI does the product handle?
"endorsed or required by HHS or OCR"
Compliance / Safety- Source and date
- HHS/OCR misleading marketing claims page · Content last reviewed July 26, 2013
- Evidence signal
- Government endorsement or requirement wording attached to private materials or systems.
- Evidence gap
- A buyer needs the exact official source, whether it applies to the product, and whether the wording only points to public OCR guidance.
- Buyer question
- For the HHS or OCR endorsement claim, what official source says this specific AI product or workflow is required?
"HIPAA-compliant authorizations"
Compliance / Safety- Source and date
- HHS/OCR Complete P.T. resolution page · Content last reviewed February 12, 2016
- Evidence signal
- Marketing or testimonial workflow tied to patient information and authorization scope.
- Evidence gap
- A buyer needs authorization workflow, PHI handling, website or social publishing controls, retention policy, and manual review boundary.
- Buyer question
- For a HIPAA-compliant authorization workflow, what patient information is used in marketing and who reviews the authorization before publication?
"GDPR-compliant AI / GDPR-safe AI processing"
Compliance / Safety- Source and date
- GDPR Articles 22 and 35 — EUR-Lex (Regulation 2016/679) · In force from May 25, 2018
- Evidence signal
- Blanket GDPR compliance claim without lawful basis, controller/processor role, or data-flow scope.
- Evidence gap
- A buyer needs the lawful basis for processing (Article 6 or Article 9 for special-category data), the controller or processor role, which personal data fields the AI processes, and whether a DPIA was required and completed.
- Buyer question
- For the GDPR-compliant AI claim, what is the lawful basis for processing personal data and which data fields does the AI handle?
"Article 22 compliant automated decisions"
Compliance / Safety- Source and date
- EDPB Guidelines on Automated Individual Decision-Making and Profiling (WP251rev.01) · Endorsed by EDPB on May 25, 2018
- Evidence signal
- Automated decision-making claim without disclosure of whether solely automated decisions apply, safeguards, or right to human review.
- Evidence gap
- A buyer needs confirmation of whether the AI makes solely automated decisions with legal or similarly significant effects, what safeguards are in place, whether meaningful information about the logic is provided, and how individuals can request human review.
- Buyer question
- For Article 22 compliance, does the AI make solely automated decisions that produce legal or similarly significant effects, and what right to human review is documented?
Evidence map for HIPAA-compliant AI claims
| Claim pattern | Evidence needed | Buyer question |
|---|---|---|
| HIPAA-compliant AI assistant or healthcare AI platform | Covered entity or business associate role, BAA position, PHI/e-PHI data flow, safeguards, and exclusions. | Does the product create, receive, maintain, or transmit PHI or e-PHI for our organization? |
| HHS, OCR, or HIPAA-required product wording | Official source URL, exact applicable language, product scope, and whether the source is guidance rather than product status. | What official source makes this product-level requirement, and does it name this product category? |
| Secure AI for patient data or clinical workflow | Risk analysis, administrative safeguards, technical safeguards, access controls, audit logs, and incident response limits. | What risk analysis covered this AI workflow and the e-PHI it processes? |
| AI testimonial, review, or marketing workflow using patient information | Authorization language, PHI review, publication controls, retention process, and removal path. | What prevents patient information from being reused in marketing without a valid authorization? |
| GDPR-compliant AI / GDPR-safe data processing | Lawful basis under Article 6 (or Article 9 for special-category data), controller or processor role, data-flow description, DPIA status for high-risk processing, and sub-processor list. | What is the lawful basis for processing personal data in this AI workflow, and has a DPIA been completed for high-risk processing activities? |
| Article 22 compliant or no solely automated decisions | Confirmation of whether the AI produces solely automated decisions with legal or similarly significant effects, available safeguards, meaningful information about the logic, and a documented right to request human review. | Does this AI make solely automated decisions that produce legal or similarly significant effects, and how can individuals request human review under Article 22? |
| BAA-backed, HIPAA-ready, or HIPAA-compliant AI chatbot claim | Business associate role, BAA scope, PHI/e-PHI data flow, prompt and output handling, support access, audit logs, safeguard documentation, and excluded configurations. | Does the BAA cover this AI chatbot workflow, including prompts, outputs, logs, support access, and model-provider paths? |
Evidence buyers need for HIPAA-compliant AI claims
- The exact HIPAA-related claim text and the page where it appears.
- The vendor role: covered entity, business associate, subcontractor, or neither.
- A PHI or e-PHI data-flow description covering inputs, outputs, storage, model use, logs, and support access.
- Risk analysis and safeguard documentation tied to the AI workflow, not only a general security page.
- A scope statement that says what the product does not determine, cover, or replace.
- For GDPR claims: lawful basis, controller/processor role, DPIA status, and Article 22 automated-decision scope.
- For GDPR Article 22 claims: whether solely automated decisions apply, safeguards, meaningful information about the logic, and human review path.
Buyer questions for HIPAA-compliant AI claims
- For this HIPAA-compliant AI claim, what PHI or e-PHI does the product create, receive, maintain, or transmit?
- Is the vendor acting as a business associate for this deployment, and what agreement or workflow evidence supports that role?
- Which safeguards apply to model prompts, outputs, logs, support access, and retained data?
- Does the claim point to an OCR source, a risk analysis, a customer-specific agreement, or only a general privacy statement?
- Which words should be narrowed if the evidence only supports one deployment, one workflow, or one customer configuration?
- For the GDPR-compliant AI claim, what is the lawful basis for processing personal data and which data fields does the AI handle?
- Has a Data Protection Impact Assessment been completed for this AI processing activity, and is the outcome available?
- Does the AI make solely automated decisions with legal or similarly significant effects on individuals, and what right to human review is available?
Safer wording for HIPAA-compliant AI claims
- Designed to support HIPAA-regulated workflows when deployed under a customer-specific agreement and documented safeguards.
- Processes specified e-PHI fields for defined tasks, with access controls, audit logs, and retention limits described separately.
- Supports authorization review for patient testimonials; publication remains subject to customer review and valid authorization.
- Uses OCR guidance as a reference point; it is not an HHS/OCR-endorsed product.
- Processes personal data under [specified lawful basis] for [defined purpose]; a DPIA was completed on [date] and is available on request.
- Supports human-reviewed decisions; AI outputs are inputs to a human decision-maker, not a solely automated determination under GDPR Article 22.
HIPAA-compliant AI claims questions
- What should a HIPAA-compliant AI chatbot claim disclose?
- Ask whether the vendor is a business associate, what PHI or e-PHI the chatbot creates, receives, maintains, or transmits, what the BAA covers, and how prompts, outputs, logs, support access, and model-provider paths are handled.
- Does a BAA make an AI product HIPAA compliant?
- No. A BAA can support one part of the evidence record, but buyers still need the AI workflow data flow, risk analysis, safeguards, audit logs, retention terms, support access, and excluded product configurations.
- What should GDPR AI processing claims show about automated decisions?
- Ask whether the AI makes solely automated decisions with legal or similarly significant effects, what Article 22 safeguards apply, how human review works, and whether a DPIA was completed for the processing activity.