Compliance Guide

SOC 2 & HIPAA for AI Platforms

What compliance actually looks like for healthcare AI governance platforms

The Compliance Confusion

Most AI platforms claim to be "HIPAA-ready" or "HIPAA-compliant." These terms sound similar but mean very different things.

Understanding the difference — and what actual compliance requires — is critical for healthcare organizations evaluating AI platforms.

HIPAA-Ready vs. HIPAA-Compliant

One is marketing language. The other is actual compliance.

HIPAA-Ready

"We have some security features, and if you configure everything correctly, you might be able to use this in a HIPAA-compliant way."

  • Basic security features exist (encryption, access controls)
  • YOU configure everything for compliance
  • YOU implement PHI protection yourself
  • YOU ensure BAAs exist with every vendor
  • YOU maintain and prove compliance over time
  • Homework disguised as a solution

You do all the compliance work yourself and hope you didn't miss anything.

HIPAA-Compliant

"This platform is architected specifically for HIPAA compliance. PHI protection is automatic, BAAs are in place, and compliance is the default."

  • Designed from the ground up for healthcare
  • PHI protection happens automatically
  • BAAs with all AI vendors included
  • Audit trails built-in from day one
  • Compliance is the default, not an add-on
  • Governance infrastructure already built

Compliance is the default — not an add-on you have to build yourself.

What HIPAA Compliance Actually Requires

8 non-negotiable requirements for AI platforms handling PHI

1

Automatic PHI Detection & Redaction

Platform must automatically identify and cleanse all 18 HIPAA identifiers before data reaches AI models. Manual removal doesn't scale and fails 100% of the time.

Must have:

  • Real-time PHI detection using NLP/pattern matching, automatic redaction, data rehydration for output
2

Business Associate Agreements (BAAs)

Platform provider AND all AI model vendors (OpenAI, Anthropic, Google) must have executed BAAs. No BAA = HIPAA violation if PHI is shared.

Must have:

  • Signed BAAs with platform and all underlying model providers, available for audit
3

Complete Audit Logs

Every AI interaction must be logged with timestamp, user, model, and data shared. Logs must be immutable and retained per HIPAA requirements (6 years).

Must have:

  • Tamper-proof audit logs, searchable/exportable, long-term retention, SIEM integration
4

Encryption in Transit & At Rest

All data sent to/from AI models must be encrypted during transmission and when stored. Minimum TLS 1.2 for transit, AES-256 for rest.

Must have:

  • End-to-end encryption, certificate management, encrypted storage
5

Access Controls & Authentication

Role-based access control (RBAC), multi-factor authentication (MFA), and session management. Only authorized users can access AI tools.

Must have:

  • RBAC, MFA, SSO/SAML integration, session timeouts, user provisioning/deprovisioning
6

Breach Notification Procedures

Platform must have documented procedures for detecting, reporting, and responding to PHI breaches. Breach notification within 60 days required by HIPAA.

Must have:

  • Breach detection monitoring, notification workflows, incident response plan
7

Data Residency & Retention Controls

Ability to control where PHI is stored/processed (US-only for most BAAs) and how long data is retained.

Must have:

  • Data residency options, retention policy configuration, data deletion capabilities
8

Security Risk Assessment

Platform provider must conduct regular security risk assessments per HIPAA Security Rule. Third-party validation demonstrates this.

Must have:

  • SOC 2 Type II certification, penetration testing, vulnerability management program

SOC 2 Type II: What It Means

The gold standard for SaaS security and compliance validation

SOC 2 Type II is an independent third-party audit of a company's security controls over a period of time (typically 6-12 months). It validates that the company doesn't just have security controls — they actually work and are consistently followed.

SOC 2 Type I vs. Type II

Type II is the one that matters

SOC 2 Type I

  • "We have these security controls in place" (point-in-time snapshot)
  • Proves controls exist at a single moment
  • A starting point — not proof of operating effectiveness

A snapshot that shows controls exist but doesn't prove they work over time.

SOC 2 Type II

  • "We have proven these controls work over time and are audited" (operating effectiveness)
  • Validates controls over 6-12 months of continuous operation
  • The gold standard — proves security is sustained, not just implemented

Proof that security controls actually work and are consistently followed.

What SOC 2 Type II Validates

The five Trust Service Criteria

  • Security Trust Principle

    Infrastructure, software, people, and procedures are protected against unauthorized access

  • Availability Trust Principle

    System is available for operation and use as committed or agreed

  • Processing Integrity Trust Principle

    System processing is complete, valid, accurate, timely, and authorized

  • Confidentiality Trust Principle

    Confidential information is protected as committed or agreed

  • Privacy Trust Principle

    Personal information is collected, used, retained, disclosed, and destroyed per privacy policy

Compliance Red Flags

Warning signs that a platform isn't truly compliant

🚩 Uses "HIPAA-Ready" Instead of "HIPAA-Compliant"

HIPAA-ready is marketing speak for 'you have to do all the compliance work yourself.'

🚩 No SOC 2 Type II Report Available

SOC 2 Type I is a starting point. Type II proves controls actually work over time.

🚩 Can't Provide BAAs with AI Model Providers

Platform might have a BAA with you, but if they don't have BAAs with OpenAI/Anthropic/Google, PHI is still exposed.

🚩 Relies on Manual PHI Removal

If the platform tells users to 'remember to remove PHI,' it's not a governance platform — it's a liability.

🚩 No Audit Logs or Limited Logging

If you can't prove what data was sent where, you can't demonstrate compliance during an audit.

🚩 Claims 'AI-Generated BAAs Are Fine'

BAAs are legal contracts that require lawyers, not ChatGPT. Vendor-generated templates need legal review.

Questions to Ask AI Platform Vendors

1

SOC 2 Type II Report

Can you provide your SOC 2 Type II report — not Type I, but Type II, which proves operating effectiveness.

2

BAAs with AI Providers

Do you have executed BAAs with OpenAI, Anthropic, Google, and any other AI providers you use.

3

PHI Detection Demo

How do you detect and redact PHI automatically, and can you demonstrate this.

4

Audit Log Export

Can I export complete audit logs showing all AI interactions for the past 12 months.

5

Data Residency

Where is data stored and processed, and can I specify US-only data residency.

6

Breach Procedures

What happens if there's a PHI breach, and what are your notification procedures.

7

Retention Policies

How long do you retain data, and can I configure retention policies.

8

SSO & Access Control

Do you support SSO/SAML and role-based access control.

See the Difference

AuthenTech AI is SOC 2 Type II certified and designed for HIPAA compliance from the ground up — not "HIPAA-ready," actually compliant

Evaluate AI Platform Security View Security Details

Concerned about Shadow AI in your organization?

3 Minutes. 16 Questions. No Fluff.

Quick Online Risk Check