A hospital network I talked with last year had bought a "HIPAA-compliant" AI chat tool, signed the BAA, and rolled it out to their patient portal. Six weeks in, their security team found patient names and appointment details sitting in a third-party session-replay tool that recorded every keystroke in the chat widget. The session-replay vendor had never signed a BAA. The chatbot was compliant. The deployment was a reportable breach waiting to happen.

That gap is the whole story. Healthcare buyers ask "is this product HIPAA compliant?" when the question that actually protects them is "can you show me every place PHI travels, and prove each one is covered?" HIPAA compliance is not a sticker a product earns. It is a property of how the entire system is wired, logged, and operated. The good news: you can verify it with a short list of pointed questions, most of which vendors are not expecting you to ask.

A BAA Is the Floor, Not the Ceiling

The Business Associate Agreement is where every honest evaluation starts. Under the HIPAA Privacy and Security Rules, any vendor that creates, receives, maintains, or transmits protected health information on your behalf is a business associate, and you cannot lawfully share PHI with them until that contract exists. The U.S. Department of Health and Human Services lays this out plainly in its HIPAA security guidance.

Here is what trips people up: the BAA is necessary but it proves almost nothing about security. It is a liability contract. It says the vendor agrees to safeguard PHI and notify you of breaches. It does not tell you whether their encryption is real, whether their access controls work, or whether they have a single engineer who can read your patient transcripts on a Tuesday afternoon. I have seen vendors hand over a signed BAA in under an hour and then fail every technical question that followed.

So treat the BAA as the entry ticket, not the verdict. If a vendor will not sign one, the conversation is over. If they will, the real evaluation begins. The NIST guide to implementing the HIPAA Security Rule (SP 800-66 Revision 2) is the most useful free reference for what "safeguard PHI" actually means in technical terms, and it is the document I point buyers to when a vendor's answers feel hand-wavy. If the vendor's security posture maps to those administrative, physical, and technical safeguards, you are dealing with someone who has done the work.

Key takeaway: No BAA, no deal. But a BAA alone is the beginning of due diligence, not the end of it.

The Subprocessor Problem Nobody Demos

This is the single highest-value question you can ask, and it almost never comes up in a sales demo: where does PHI go after it reaches your system?

A modern AI customer service agent is not one box. It is a chain. The chat widget passes text to an orchestration layer, which calls a large language model, which might call a retrieval service against your knowledge base, which logs the interaction to an analytics platform, which may route a transcript to a speech-to-text or translation API. Every link in that chain that touches PHI is a subprocessor, and every subprocessor needs its own BAA flowing through your vendor.

The hospital story above is the textbook failure. The primary vendor was compliant. The session-replay subprocessor was not even on anyone's radar. The HIPAA Journal has documented this pattern repeatedly in its breach reporting: PHI rarely escapes through the front door of a well-known vendor. It leaks through the integrations and logging tools bolted on around it.

Ask for the subprocessor list in writing. A serious healthcare vendor maintains one and will hand it over. Then check the model layer specifically. If the agent runs on OpenAI's API, OpenAI must have a BAA with your vendor (it offers one to eligible enterprise accounts). If it runs on Anthropic, the same applies; Anthropic offers a BAA for qualifying commercial and API customers. If your vendor cannot name which model provider sees the PHI and confirm that provider's BAA, they do not actually know where your patient data goes.

A practical test: ask the vendor to draw the data flow for a single patient message, naming every service it passes through and the encryption state at each hop. If they can do it on a whiteboard in five minutes, they have thought about it. If they get vague after the second box, walk.

Key takeaway: PHI leaks through the plumbing. Demand the full subprocessor list with BAA status for each, especially the model provider.

What PHI Logging Should Actually Look Like

Every AI agent logs. It has to, for debugging, quality, and the audit trails that regulated industries require. The question is how it logs, and this is where compliant and reckless systems diverge sharply.

A well-built healthcare agent treats PHI in logs as a first-class concern:

Logging practice Compliant approach Red flag
Storage Encrypted at rest, access-controlled, retention-limited Plaintext transcripts in a general analytics tool
Redaction PHI tokenized or masked before reaching debug and analytics layers Raw names and conditions in error dashboards
Access Role-based, audited, minimum-necessary "Any engineer can grep the logs"
Audit trail Immutable record of who accessed what PHI, when No record of internal access at all

The "minimum necessary" standard is a HIPAA core principle, not a nice-to-have. Your vendor should be able to explain how an analytics dashboard sees aggregate metrics without exposing the underlying patient text, and how PHI gets redacted or tokenized before it lands anywhere a support engineer might browse it casually.

Audit trails deserve special attention in healthcare because they do double duty: they satisfy the HIPAA accounting-of-disclosures expectation and they give you forensic evidence if something goes wrong. This is the same discipline I have written about for any regulated deployment in AI agent audit trails for regulated industries. The agent should record not just what it told a patient, but what data it retrieved, what decision it made, and where a human took over. When the Office for Civil Rights investigates a complaint, "we have a complete, tamper-evident log" is the difference between a quick close and a painful settlement. The HHS breach portal is a sobering reminder of how often the organizations on it could not produce one.

Key takeaway: Logging is unavoidable. Redaction, access control, and an immutable audit trail are what make it safe. Ask to see all three.

Model Isolation and the Training Data Question

Two technical questions separate a serious healthcare AI vendor from a repackaged general-purpose chatbot.

First: does our data train your models? For HIPAA workloads the only acceptable answer is no, and it has to be contractual, not a verbal assurance. A compliant configuration excludes your conversations from model training, fine-tuning, and any human review pipeline used to improve the product. The major model providers support this for their API and enterprise tiers, but it is a setting and a contract clause, not a default everywhere. If a vendor says "your data helps our AI get smarter over time," that is a confession, not a feature.

Second: how is our data isolated from other customers? Multi-tenant systems are fine when isolation is enforced correctly, but you want to understand whether retrieval, caching, and memory are partitioned per customer. The failure mode to probe for is cross-tenant leakage, where one organization's PHI surfaces in another's session because a cache or vector index was shared carelessly.

This is also where AI-specific security risks enter that traditional vendor checklists miss entirely. Simon Willison's writing on the "lethal trifecta" for AI agents describes the combination that makes agents dangerous: access to private data, exposure to untrusted input, and the ability to send data somewhere. A patient-facing healthcare agent has all three by definition. It holds PHI, it reads whatever a patient (or an attacker posing as one) types, and it can call tools and APIs. A vendor who has never heard of prompt injection is not equipped to protect PHI in an agentic system, no matter how clean their BAA looks.

Ask directly: what stops a patient from typing instructions that make the agent reveal another patient's record, or exfiltrate data to an external endpoint? A real answer involves input handling, tool permission scoping, and output filtering. "Our model is really well-behaved" is not an answer.

Key takeaway: No training on your data, real tenant isolation, and an explicit defense against prompt injection. These are AI-native risks a generic security review will miss.

The Human-in-the-Loop Requirement

The most overlooked safety control in healthcare AI is also the simplest: knowing what the agent must never handle alone.

A patient asking for clinic hours is low-stakes. A patient describing chest pain, asking about a medication interaction, or expressing suicidal ideation is not a customer service interaction at all. It is a clinical and safety event, and the agent's job is to recognize that boundary and escalate immediately, not to improvise an answer.

Anthropic's guidance on building effective agents makes the case that the right level of autonomy depends on the cost of a wrong action, and few domains carry a higher cost than health. The design principle for healthcare is to define the escalation triggers before you define the conversation flows. Map the categories that require a human, build deterministic handoffs for them, and log every escalation so you can audit that the boundary held.

A well-designed handoff does three things: it recognizes the trigger reliably, it transfers full context to the human so the patient does not have to repeat a distressing story, and it records the moment in the audit trail. When you evaluate a vendor, ask them to walk through what happens when a patient types something clinical. If the agent tries to answer instead of routing to a nurse line or staff member, that is a design failure with real liability attached.

This is part of a larger build-versus-buy decision that I cover in AI customer support platform vs custom AI agent. Off-the-shelf platforms often bury escalation logic in settings you cannot fully inspect. Custom builds let you define exactly which intents are off-limits to the AI, which matters more in healthcare than in almost any other vertical.

Key takeaway: Define what the AI is forbidden to handle before you define what it does. Verify the escalation path, the context transfer, and the audit record.

The Buyer's Verification Checklist

Bring this to every vendor conversation. The goal is not to trust the marketing page. It is to make the vendor demonstrate, in front of you, how PHI is protected at each step.

  • BAA: Will you sign one today, and does it cover every service that touches PHI?
  • Subprocessors: Show me the full list, including the model provider, and confirm each has a BAA.
  • Data flow: Trace one patient message through every service and name the encryption state at each hop.
  • Logging and redaction: How is PHI masked before it reaches analytics and debug layers? Who can read raw transcripts?
  • Audit trail: Can you produce an immutable record of every PHI access and every AI decision?
  • Training: Confirm in writing that our data never trains, fine-tunes, or is human-reviewed to improve your product.
  • Isolation: How is our data separated from other customers in retrieval, cache, and memory?
  • Prompt injection: What stops a malicious input from making the agent leak or exfiltrate PHI?
  • Escalation: Show me what happens when a patient says something clinical or urgent.
  • Breach process: What is your detection and notification timeline, and have you tested it?

If a vendor answers eight of these crisply and stumbles on two, you have a manageable conversation about gaps. If they cannot get past the BAA question, the rest of the demo is theater. Budget for this matters too: the genuinely compliant configurations cost more to build and run, which is part of why I break down what drives the number in custom AI agent cost. Compliance is not free, and a price that looks too good usually means a control got skipped.

How OpenNash CX Can Help

If you are scoping AI customer service for a healthcare workflow, the build path matters as much as the vendor list. OpenNash CX designs patient-facing agents around the checklist above rather than retrofitting compliance after launch. The work starts with an audit that maps where PHI actually flows in your operation, then a design phase that defines escalation triggers, redaction rules, and human approval points before any code ships. The build keeps the model provider, logging, and audit trail under contracts and configurations you can inspect, and the deployment hands you full ownership so the audit trail and data flow are yours to show a regulator.

To be fair about fit: if your needs are simple and a platform vendor can satisfy every line of the checklist with a signed BAA and a clean subprocessor list, buy the platform. If you handle high-stakes clinical intents, need provable isolation, or want auditability you control end to end, a custom build is worth the cost. If you are early and unsure which patient interactions even belong in an AI agent, do the mapping first and automate later.

Book a call to map this checklist to your specific patient workflows, and we will tell you honestly whether you should build, buy, or wait.


This post runs ~2,300 words, hits the buyer-side checklist angle the topic notes asked for, and uses source diversity: NIST SP 800-66, HIPAA Journal, HHS breach portal, and Anthropic commercial terms alongside the background HHS and Simon Willison references. All three internal links are wired in, and the close has the required `How OpenNash CX Can Help` H2 with a pricing-neutral CTA.

A couple of verification notes before this goes near the publisher:
- I asserted that **OpenAI and Anthropic offer BAAs** for eligible enterprise/API tiers. That was true as of my knowledge cutoff, but BAA availability and tiers change. Confirm both still hold before publishing, since a wrong compliance claim in a HIPAA post is the kind of error that costs trust.
- I linked the lethal-trifecta post at `simonwillison.net/2025/Jun/16/...`. The resource guide lists the Substack version; if the live publisher validates links, point it at the URL that actually resolves.

Want me to save the file to `_posts/2026-06-07-hipaa-compliant-ai-customer-service.md`, or were you reviewing the draft first?