Using AI in your Healthcare Business – Responsible Vendor Management and HIPAA Compliance
Tuesday, July 14th, 2026
Using AI in your Healthcare Business – Responsible Vendor Management and HIPAA Compliance
By: Amanda Hobbs
For those of us who lived through the format wars, the browser wars, and who may still be stubbornly holding onto our standard USB chargers and accessories before fully committing to USB-C while other folks move fast and break things, the deluge of phone calls, emails, and ads from vendors promising the moon through AI may be met with some healthy skepticism, if not outright suspicion. However, as we have learned from these experiences, some version of the newest fad in technology often prevails and will inevitably become an almost mundane and unremarkable – but indispensable part of our day-to-day existence.
This leaves those in the healthcare space with the question: How do I tell the MS Word from the WordPerfect? The Google from the AskJeeves? How do I avoid ending up with the equivalent of a box full of Blu-rays – a technology that created more problems than it solved? The answer to that question is forward-thinking vendor management that prioritizes regulatory compliance and long-term interoperability.
The most stark differences between contracting with a company promising AI technology and any other typical healthcare vendor is 1) AI software-as-a-services (SAAS) companies often see your patient data as their asset that they acquire as part of the contract, not as your asset that requires protection; and 2) AI software-as-a-services (SAAS) companies are frequently unfamiliar with the regulatory landscape applicable to patient data – and have no qualms about leaving the healthcare entity holding the bag. This is usually evident from their proposed contracts, which often contain terms that give them expansive rights to use whatever data they come into contact with as they see fit, indemnification and risk allocation provisions that offer the health care entity little to no protection in the event of a breach, and empty promises of security measures that are not couched in HIPAA language and offer little to no visibility into how they intend to comply with the specific regulatory obligations applicable to healthcare entities. Frequently, these contract terms are not presented until well after the healthcare entity has already invested substantial time, effort, and energy in the potential relationship, and are not presented as negotiable.
While this may sound bleak, knowing that this is the lay of the land, the healthcare entity has the upper hand. Smaller companies interested in only one or two AI vendor relationships for discrete or limited tasks may simply ask for proposed contract terms up front, prior to engaging too heavily in sales pitches or demos. Provisions that should send up alarms can include provisions giving the SAAS company expansive access to data, ownership interests in data, expansive rights to use data for their own purposes, and contracts that only make reference to the security of Personally Identifiable Information (PII) but do not make special provision for Protected Health Information (PHI). Other red flags include indemnification or risk allocation provisions that place substantial limitations on the SAAS company’s responsibility or liability for security or privacy lapses, effectively shifting the burden to the healthcare entity for the SAAS company’s privacy and security failures. Finally, contracts that include no Business Associate Agreement at all, or include a Business Associate Agreement with nonstandard terms or terms that conflict with the underlying contract should cause immediate concern. In evaluating these potential relationships, the healthcare entity’s Privacy Officer and compliance stakeholders should be given a key role in reviewing any potential contract involving the use of AI, as well as a role in monitoring this relationship going forward. Additionally, legal assistance should be sought if there is any question as to whether use of a particular vendor could place the healthcare entity’s sensitive data in jeopardy.
For more complex healthcare entities and those who intend to invest heavily in multiple AI modalities, a more robust internal AI infrastructure is warranted. Setting up an AI Governance Committee and creating AI-specific policies may sound daunting. However, what this really means is identifying and communicating with existing stakeholders and compliance folks and putting together a framework for how to evaluate vendor relationships and handle implementation in a manner that complies with applicable regulations – all things a healthcare entity investing in AI technology is going to have to do anyway. The only difference is that, when policies are created, the thought process that goes into those choices is memorialized so it can be used again in the future.
Helpful policies for an AI Governance Committee include policies regarding evaluating contracts, AI implementation, data governance, ethical safeguards, vendor monitoring, AI use by employees, an AI Code of Conduct, and a policy for requesting/suggesting new vendors. While the majority of this organizational work can be accomplished internally, particularly in entities with a robust compliance department, obtaining legal assistance on the front-end can help to ensure that policies address state-law-specific concerns, appropriately entrench HIPAA obligations, and take into account unique industry or payor-specific regulations, setting you up for success in managing the increasingly complex relationship between healthcare and emerging technology.
For legal guidance rooted in exceptional quality, personalized service, and the strength of a national healthcare law firm, connect with Amanda F. Hobbs, JD. As a Shareholder with the Healthcare Group at Brown & Fortunato, Amanda represents hospitals, ASCs, physician groups, HME companies, and other healthcare organizations across the United States. Reach out at
(806) 345-6312 or ahobbs@bf-law.com to learn how she can support your organization with strategic, experienced legal counsel.
This article is for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. This article was prepared on a specific date, and the law may have changed since it was written. You should contact your attorney to obtain advice with respect to your specific legal issue and needs.