# HIPAA Technical Safeguard Checklist for AI Deployments

A one-page printable checklist your compliance officer can sign. Verify each item before any AI tool touches PHI in your environment.

> Brought to you by ByteWorthy. byteworthy.io

---

## Vendor agreements

- [ ] Signed BAA with every AI vendor that will touch PHI
- [ ] Written data flow diagram from each vendor showing where PHI travels
- [ ] Written confirmation the vendor does not train on your PHI
- [ ] List of every subprocessor (vendor of the vendor) that handles your data
- [ ] Documented breach notification process meeting HIPAA timelines (60 days federal, may be stricter at state level)

## Access control

- [ ] Role-based access control with unique user IDs (no shared logins)
- [ ] Multi-factor authentication required for all users with PHI access
- [ ] Automatic logoff configured (15 minutes idle is a defensible baseline)
- [ ] Documented emergency access procedure for break-glass scenarios

## Audit controls

- [ ] Every PHI access event logged: who accessed it, what was accessed, when, and from where
- [ ] Logs are immutable (append-only; users cannot edit or delete entries)
- [ ] Log retention meets your state requirement (most states require 6 years)
- [ ] Logs are reviewed at least monthly for unusual patterns

## Integrity controls

- [ ] Data cannot be silently altered (change tracking on PHI fields)
- [ ] Backup integrity verified at least monthly (spot check restorability)
- [ ] Checksums or equivalent integrity verification on stored data

## Authentication

- [ ] System verifies user identity before any PHI access
- [ ] Password policy enforced (minimum length, complexity, expiration as required)
- [ ] Account lockout after failed authentication attempts

## Transmission security

- [ ] All PHI in transit encrypted with TLS 1.2 or higher
- [ ] Internal service-to-service traffic also encrypted
- [ ] No unencrypted endpoints in any data flow involving PHI

## Encryption at rest

- [ ] PHI encrypted at rest in every system: database, backups, logs, cache
- [ ] AES-256 at minimum
- [ ] Encryption keys held separately from the data they encrypt
- [ ] Key rotation policy documented and followed

## Operational hygiene

- [ ] All staff using the AI tool received HIPAA training in the last 12 months
- [ ] Tabletop incident response drill run in the last 12 months
- [ ] Annual review of every BAA and data flow diagram scheduled
- [ ] Monthly audit log review documented

---

## Sign-off

| Role | Name | Date |
|---|---|---|
| Compliance officer |  |  |
| Engineering lead |  |  |
| Privacy officer |  |  |

---

## When to re-run this checklist

- Annually as part of your standard HIPAA review
- Before any new AI vendor onboarding
- After any model version change that affects how data is processed
- After any incident or near-miss

This checklist is a starting point. A green result here does not replace a full HIPAA risk analysis. A red result tells you to stop and engage someone qualified before adding new AI vendors.

