HomeHIPAA Checklist

    Free Tool · Healthcare

    HIPAA AI Compliance Checklist

    Interactive checklist for HIPAA requirements in healthcare AI workflows, including technical safeguards and Georgia-specific guidance.

    HIPAA AI Compliance Checklist

    Ensure your AI implementation meets HIPAA requirements

    Includes Georgia-specific guidance
    Overall Progress0/25 items
    0/18 Critical0/4 Georgia-Specific

    Critical
    Critical
    Critical
    Critical

    Frequently asked questions

    What does the HIPAA AI compliance checklist cover?

    The checklist covers five categories: AI vendor selection (BAA, SOC 2 Type II certification, encryption standards, data residency, subprocessor disclosure), Georgia-specific requirements (breach notification, consumer protection, insurance, medical records retention), implementation and security controls (role-based access, audit logging, MFA, network segmentation, vulnerability management, incident response), policies and training (AI usage policy, staff training, risk assessment, data retention, sanctions), and prohibited uses (no PHI in public LLMs, only approved tools, no PHI used for model training, human oversight on clinical recommendations, no PHI export to unsecured locations).

    Is the HIPAA checklist specific to Georgia?

    Most of the checklist applies to any healthcare AI deployment. One category is Georgia-specific: breach notification duties under Georgia law (O.C.G.A. § 10-1-912), Georgia consumer protection statutes, state cyber insurance requirements, and Georgia medical records retention rules. Practices outside Georgia can still complete the BAA, security, policy, and prohibited-use sections without the Georgia items.

    Which checklist items are critical?

    Critical items are the ones most healthcare AI deployments cannot skip: a signed BAA, SOC 2 Type II certification, AES-256 encryption at rest with TLS 1.2+ in transit, subprocessor disclosure, role-based access controls, audit logging, MFA, vulnerability management, incident response, a written AI usage policy, staff training, an annual risk assessment, and every item under prohibited uses, including never entering PHI into public LLM interfaces. Non-critical items, like data residency or a formal sanctions policy, still affect risk but are not the deal-breakers.

    Is the HIPAA checklist free?

    Yes. It is a free interactive tool. You provide a work email to unlock your full results, including the critical items still open, your progress by category, and a downloadable checklist you can share with your team.

    What happens after I complete the HIPAA checklist?

    The checklist surfaces which vendors, controls, and policies still have gaps. From there, CloudNSite's HIPAA-Ready AI architecture covers BAA-covered infrastructure, audit logging, and approved cloud deployments for the gaps a generic AI tool cannot close, and custom AI agents cover workflows where template tools cannot hold the compliance line.