HIPAA and GDPR AI compliance claims: what should buyers ask?
Last reviewed May 24, 2026
"HIPAA-compliant" and "GDPR-safe" AI claims compress privacy, security, vendor-role, and data-flow questions into a single phrase. This guide turns HHS/OCR and EDPB source material into the evidence buyers need and the questions to put to vendors of healthcare and EU-facing AI products.
Evidence buyers verify
- The exact HIPAA-related claim text and the page where it appears.
- The vendor role: covered entity, business associate, subcontractor, or neither.
- A PHI or e-PHI data-flow description covering inputs, outputs, storage, model use, logs, and support access.
Sources this guide draws from
- HHS/OCR misleading HIPAA marketing claims page (HHS/OCR guidance) · Content last reviewed July 26, 2013
Source for product-level HIPAA status, HHS/OCR endorsement, and required-material wording.
- HHS/OCR Guidance on Risk Analysis (HHS/OCR guidance) · Content last reviewed September 26, 2025
Source for e-PHI risk analysis, safeguards, and security-scope evidence.
- HHS/OCR complaint intake and review page (HHS/OCR guidance) · Content last reviewed November 20, 2023
Source for covered entity and business associate role boundaries.
- HHS/OCR Complete P.T. resolution page (HHS/OCR enforcement) · Content last reviewed February 12, 2016
Source for marketing and testimonial workflows that involve patient information.
- EDPB Guidelines on Automated Individual Decision-Making and Profiling (WP251rev.01) (EDPB guidance) · Endorsed by EDPB on May 25, 2018
Source for GDPR Article 22 automated decision-making rights, required safeguards, and meaningful-information obligations for AI systems.
- GDPR Articles 22 and 35, EUR-Lex (Regulation 2016/679) (EU regulation) · In force from May 25, 2018
Source for the Article 22 right not to be subject to solely automated decisions, and the Article 35 Data Protection Impact Assessment requirements.
Public claims with documented evidence gaps
"HIPAA compliant" (Compliance / Safety)
- Source and date: HHS/OCR misleading marketing claims page · Content last reviewed July 26, 2013
- Evidence signal: Product-level HIPAA wording without role, data-flow, or safeguard scope.
- Evidence gap: A buyer needs the vendor role, whether PHI or e-PHI is created, received, maintained, or transmitted, the BAA position, risk analysis, safeguards, and exclusions.
- Buyer question: For the HIPAA compliant AI claim, what role does the vendor play and what PHI or e-PHI does the product handle?
"endorsed or required by HHS or OCR" (Compliance / Safety)
- Source and date: HHS/OCR misleading marketing claims page · Content last reviewed July 26, 2013
- Evidence signal: Government endorsement or requirement wording attached to private materials or systems.
- Evidence gap: A buyer needs the exact official source, whether it applies to the product, and whether the wording only points to public OCR guidance.
- Buyer question: For the HHS or OCR endorsement claim, what official source says this specific AI product or workflow is required?
"HIPAA-compliant authorizations" (Compliance / Safety)
- Source and date: HHS/OCR Complete P.T. resolution page · Content last reviewed February 12, 2016
- Evidence signal: Marketing or testimonial workflow tied to patient information and authorization scope.
- Evidence gap: A buyer needs the authorization workflow, PHI handling, website or social publishing controls, retention policy, and manual review boundary.
- Buyer question: For a HIPAA-compliant authorization workflow, what patient information is used in marketing and who reviews the authorization before publication?
"GDPR-compliant AI / GDPR-safe AI processing" (Compliance / Safety)
- Source and date: GDPR Articles 22 and 35, EUR-Lex (Regulation 2016/679) · In force from May 25, 2018
- Evidence signal: Blanket GDPR compliance claim without lawful basis, controller/processor role, or data-flow scope.
- Evidence gap: A buyer needs the lawful basis for processing (Article 6, or Article 9 for special-category data), the controller or processor role, which personal data fields the AI processes, and whether a DPIA was required and completed.
- Buyer question: For the GDPR-compliant AI claim, what is the lawful basis for processing personal data and which data fields does the AI handle?
"Article 22 compliant automated decisions" (Compliance / Safety)
- Source and date: EDPB Guidelines on Automated Individual Decision-Making and Profiling (WP251rev.01) · Endorsed by EDPB on May 25, 2018
- Evidence signal: Automated decision-making claim without disclosure of whether solely automated decisions apply, what safeguards exist, or whether there is a right to human review.
- Evidence gap: A buyer needs confirmation of whether the AI makes solely automated decisions with legal or similarly significant effects, what safeguards are in place, whether meaningful information about the logic is provided, and how individuals can request human review.
- Buyer question: For Article 22 compliance, does the AI make solely automated decisions that produce legal or similarly significant effects, and what right to human review is documented?
Match each claim pattern to the evidence buyers need
| Claim pattern | Evidence needed | Buyer question |
|---|---|---|
| HIPAA-compliant AI assistant or healthcare AI platform | Covered entity or business associate role, BAA position, PHI/e-PHI data flow, safeguards, and exclusions. | Does the product create, receive, maintain, or transmit PHI or e-PHI for our organization? |
| HHS, OCR, or HIPAA-required product wording | Official source URL, exact applicable language, product scope, and whether the source is guidance rather than product status. | What official source makes this product-level requirement, and does it name this product category? |
| Secure AI for patient data or clinical workflow | Risk analysis, administrative safeguards, technical safeguards, access controls, audit logs, and incident response limits. | What risk analysis covered this AI workflow and the e-PHI it processes? |
| AI testimonial, review, or marketing workflow using patient information | Authorization language, PHI review, publication controls, retention process, and removal path. | What prevents patient information from being reused in marketing without a valid authorization? |
| GDPR-compliant AI / GDPR-safe data processing | Lawful basis under Article 6 (or Article 9 for special-category data), controller or processor role, data-flow description, DPIA status for high-risk processing, and sub-processor list. | What is the lawful basis for processing personal data in this AI workflow, and has a DPIA been completed for high-risk processing activities? |
| Article 22 compliant or no solely automated decisions | Confirmation of whether the AI produces solely automated decisions with legal or similarly significant effects, available safeguards, meaningful information about the logic, and a documented right to request human review. | Does this AI make solely automated decisions that produce legal or similarly significant effects, and how can individuals request human review under Article 22? |
Evidence to request
- The exact HIPAA-related claim text and the page where it appears.
- The vendor role: covered entity, business associate, subcontractor, or neither.
- A PHI or e-PHI data-flow description covering inputs, outputs, storage, model use, logs, and support access.
- Risk analysis and safeguard documentation tied to the AI workflow, not only a general security page.
- A scope statement that says what the product does not determine, cover, or replace.
- For GDPR claims: lawful basis, controller/processor role, DPIA status, and Article 22 automated-decision scope.
- For GDPR Article 22 claims: whether solely automated decisions apply, safeguards, meaningful information about the logic, and human review path.
Questions to put in front of the vendor
- For this HIPAA-compliant AI claim, what PHI or e-PHI does the product create, receive, maintain, or transmit?
- Is the vendor acting as a business associate for this deployment, and what agreement or workflow evidence supports that role?
- Which safeguards apply to model prompts, outputs, logs, support access, and retained data?
- Does the claim point to an OCR source, a risk analysis, a customer-specific agreement, or only a general privacy statement?
- Which words should be narrowed if the evidence only supports one deployment, one workflow, or one customer configuration?
- For the GDPR-compliant AI claim, what is the lawful basis for processing personal data and which data fields does the AI handle?
- Has a Data Protection Impact Assessment been completed for this AI processing activity, and is the outcome available?
- Does the AI make solely automated decisions with legal or similarly significant effects on individuals, and what right to human review is available?
Wording boundaries to compare against
- Designed to support HIPAA-regulated workflows when deployed under a customer-specific agreement and documented safeguards.
- Processes specified e-PHI fields for defined tasks, with access controls, audit logs, and retention limits described separately.
- Supports authorization review for patient testimonials; publication remains subject to customer review and valid authorization.
- Uses OCR guidance as a reference point; it is not an HHS/OCR-endorsed product.
- Processes personal data under [specified lawful basis] for [defined purpose]; a DPIA was completed on [date] and is available on request.
- Supports human-reviewed decisions; AI outputs are inputs to a human decision-maker, not a solely automated determination under GDPR Article 22.