Which LLMs have HIPAA BAAs?

Azure OpenAI has a BAA. AWS Bedrock (which hosts Claude and other models) has a BAA. Anthropic has enterprise tiers with HIPAA-aware terms. OpenAI has enterprise with DPAs but getting a BAA requires enterprise negotiation. For most healthcare workloads, Azure OpenAI or AWS Bedrock are the default because the BAA is straightforward. Self-hosted open-source models on HIPAA-eligible AWS/GCP are an option for highest-sensitivity workloads.

What about audit logs?

Every AI interaction logs: user, patient ID (when applicable), prompt (with PHI flagged), output, model used, timestamp, and downstream action. Logs stored in HIPAA-compliant infrastructure with 6-year retention. Queryable for compliance review and breach investigation. This is baseline — not optional. AI that cannot be audited creates regulatory exposure.

Can we use AI for clinical documentation?

AI-assisted clinical documentation (ambient listening, SOAP note drafting) is a viable use case — Nuance DAX Copilot and Suki are the established vendors. I do not build ambient-listening clinical documentation — that requires specialist infrastructure and FDA considerations I do not run. What I can build: structured documentation drafts from existing clinical data (previous visits, medications, problem list) that the clinician edits and signs. Same principle — AI drafts, human finalises.

How do we keep AI out of clinical judgement?

Clear boundary: AI can extract, summarise, and draft. AI cannot diagnose, recommend treatment, or calculate risk scores for clinical decisions. Prompts explicitly scope outputs to admin and communication tasks. Outputs flagged if they drift toward clinical territory. Human review on every output. For staff using AI tools, training on the boundary matters — AI is a typing assistant, not a clinical advisor. Line is hard, not fuzzy.

What about patient consent for AI?

Patients do not need to consent to admin-side AI that processes their data for treatment, payment, or operations under HIPAA's TPO (Treatment, Payment, Operations) carve-outs. Patients should be informed in the privacy notice that AI tools support admin work. For AI tools that generate patient-facing content (reminders, education), patients consent as part of general treatment consent. Your compliance team owns the consent language; I build the technical implementation.

Healthcare AI automation

AI automation for healthcare admin that respects HIPAA boundaries

Intake summarisation, follow-ups, insurance letters, documentation drafts. Admin workflows only. HIPAA-aware architecture, $3,000/mo retainer.

Available for new projects

See AI Automation

Starting at $3,000/mo · monthly retainer

Who this is for

Clinic owner, healthcare-ops director, or healthtech product lead where admin tasks eat clinical time and staff bandwidth is thin.

The pain today

Admin is eating clinical time — intake forms, scheduling, follow-ups
Insurance letters take staff 15 to 30 minutes each to draft
Patient intake data arrives unstructured and has to be re-entered
Clinical documentation drafts are not AI-generated because of HIPAA fear
Staff cannot find time to do the patient work they actually want to do

The outcome you get

AI automations for healthcare admin on $3,000/mo retainer
HIPAA-aware architecture with BAAs in place
Intake summarisation and structured extraction for clinical handoff
Insurance letter and follow-up drafting with human review
Clear boundaries between AI-appropriate and clinician-only work

Where AI safely helps in healthcare

AI in healthcare helps with admin, not diagnosis. Three places deliver clear ROI without touching clinical judgement. Intake summarisation — LLM extracts structured data from patient intake forms or transcripts, flags for clinician review. Follow-ups — LLM drafts post-visit summaries, care-plan reminders, medication adherence nudges. Staff reviews before sending. Insurance letters — prior auth, appeals, medical necessity statements drafted from structured matter data. Billing specialist reviews. In each, AI removes typing time; humans keep clinical judgement. Done right, clinical staff recover 5 to 15 hours per week.

HIPAA-aware automation architecture

All PHI-touching AI runs on HIPAA-compliant infrastructure. LLM providers with signed BAAs (Azure OpenAI with HIPAA, Anthropic enterprise with HIPAA, AWS Bedrock). Prompts and outputs stored in HIPAA-compliant infrastructure. PHI minimisation — prompts only include what the task needs. Audit logging on every AI interaction. For extremely sensitive workflows, on-premise or self-hosted open-source models on HIPAA-eligible AWS. The architecture decisions are as important as the prompts. Without BAAs, you cannot run AI on PHI legally.

Typical tools and data boundaries

LLMs with BAAs: Azure OpenAI, AWS Bedrock (Claude on AWS signs BAA), some private-tier setups with Anthropic or OpenAI. Vector DBs for RAG: Pinecone enterprise, self-hosted Qdrant, Postgres pgvector on HIPAA-eligible infrastructure. Workflow engines: Temporal, Inngest, or simpler — same as general AI automation. Email and SMS with BAAs: Paubox, LuxSci for email; Twilio with BAA for SMS. Every tool in the stack has a signed BAA before it touches PHI. This is not negotiable.

Pricing and engagement model

$3,000/mo retainer. Covers AI integration work, HIPAA-aware architecture, prompt engineering, monitoring, iteration. 14-day money-back guarantee. Cancel anytime. 100 percent code ownership under Work Made for Hire. NDA and BAA standard. LLM and infrastructure costs pass through — typically higher than non-healthcare AI ($300 to $2,000/month) because HIPAA-compliant tiers cost more. You hold the BAAs and vendor accounts directly.

Case: Instill — structured-prompt library for complex, repeatable tasks

I built Instill as a self-initiated AI skills platform. Current state: 30+ active users, 1,000+ skills saved, 45+ projects powered. Stack: Next.js 16, React 19, TypeScript, PostgreSQL, Vercel, MCP Protocol. The structured-prompt pattern applies directly to healthcare admin — a library of prompts (intake summaries, follow-up templates, insurance letters, care plans) that clinical and admin staff iterate on without touching code. Each prompt has a clear output format and human-review step. Quality compounds over months as prompts improve from real usage.

When clinical-AI vendors are a better fit

For clinical decision support (diagnosis, treatment recommendation, risk scoring), use FDA-cleared vendors (Aidoc, Viz.ai, Tempus, Paige) or established platforms (Nuance DAX Copilot for documentation). My retainer is for admin AI — tasks where humans keep clinical judgement and AI removes typing. For clinical-AI needs, specialist vendors are safer and often faster to deploy. I help you decide which bracket your need falls into. Many healthcare clients use clinical AI for clinical needs plus my retainer for admin AI — they are complementary.

Recent proof

A comparable engagement, delivered and documented.

AI Product · Beta

A prompt library that works with every AI tool

A home for your best AI prompts. Save them once, then use them in Claude, Cursor, or any AI tool you work with. No more copy-paste.

AI Product30+ active usersCross-tool workflowsSelf-funded

Read the case study

Frequently asked questions

The questions prospects ask before they book.

Which LLMs have HIPAA BAAs?: Azure OpenAI has a BAA. AWS Bedrock (which hosts Claude and other models) has a BAA. Anthropic has enterprise tiers with HIPAA-aware terms. OpenAI has enterprise with DPAs but getting a BAA requires enterprise negotiation. For most healthcare workloads, Azure OpenAI or AWS Bedrock are the default because the BAA is straightforward. Self-hosted open-source models on HIPAA-eligible AWS/GCP are an option for highest-sensitivity workloads.
What about audit logs?: Every AI interaction logs: user, patient ID (when applicable), prompt (with PHI flagged), output, model used, timestamp, and downstream action. Logs stored in HIPAA-compliant infrastructure with 6-year retention. Queryable for compliance review and breach investigation. This is baseline — not optional. AI that cannot be audited creates regulatory exposure.
Can we use AI for clinical documentation?: AI-assisted clinical documentation (ambient listening, SOAP note drafting) is a viable use case — Nuance DAX Copilot and Suki are the established vendors. I do not build ambient-listening clinical documentation — that requires specialist infrastructure and FDA considerations I do not run. What I can build: structured documentation drafts from existing clinical data (previous visits, medications, problem list) that the clinician edits and signs. Same principle — AI drafts, human finalises.
How do we keep AI out of clinical judgement?: Clear boundary: AI can extract, summarise, and draft. AI cannot diagnose, recommend treatment, or calculate risk scores for clinical decisions. Prompts explicitly scope outputs to admin and communication tasks. Outputs flagged if they drift toward clinical territory. Human review on every output. For staff using AI tools, training on the boundary matters — AI is a typing assistant, not a clinical advisor. Line is hard, not fuzzy.
What about patient consent for AI?: Patients do not need to consent to admin-side AI that processes their data for treatment, payment, or operations under HIPAA's TPO (Treatment, Payment, Operations) carve-outs. Patients should be informed in the privacy notice that AI tools support admin work. For AI tools that generate patient-facing content (reminders, education), patients consent as part of general treatment consent. Your compliance team owns the consent language; I build the technical implementation.

Get started in 60 seconds

Ready to start?

Tell me what you need in 60 seconds. Tailored proposal in your inbox within 6 hours.

Available for new projects