Skip to content
Back to Resources
ClaudeHealthcareBeginnerCheat Sheet

HIPAA-Safe AI Workflow Checklist

Step-by-step checklist for using AI tools safely with clinical data. Covers de-identification, tool selection, review, and documentation.

Before You Start

Verify tool and data readiness before opening any AI application.

Tool Verification

  • Confirm the AI tool is on your organization's approved tools list
  • Verify a signed Business Associate Agreement (BAA) is in place if you will input any PHI
  • Confirm you are using the enterprise/professional tier, not a free or personal account
  • Check that the tool's data retention settings are configured per your organization's policy
  • Verify you are logged into the correct organizational account, not a personal account

Data Classification

  • Identify the type of data you will be working with (clinical notes, billing, research, administrative)
  • Determine whether the data contains any of the 18 HIPAA identifiers (see De-identification Checklist below)
  • If data contains PHI, confirm that de-identification is feasible for your use case
  • If de-identification is not feasible, confirm BAA coverage and document the business justification

De-identification Checklist

Remove or replace ALL of the following 18 HIPAA identifiers before inputting data into any AI tool without BAA coverage. This list comes from the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)).

Direct Identifiers — Remove Completely

  • Names — patient, family members, employers, providers associated with the patient
  • Geographic data — street address, city, county, zip code (first 3 digits may be retained if the geographic unit contains more than 20,000 people)
  • Dates — birth date, admission date, discharge date, date of death, and all ages over 89 (year is permitted; shift dates by a consistent offset if temporal relationships matter)
  • Phone numbers — all phone numbers associated with the patient
  • Fax numbers — all fax numbers associated with the patient
  • Email addresses — all email addresses associated with the patient
  • Social Security numbers
  • Medical record numbers (MRNs)
  • Health plan beneficiary numbers
  • Account numbers — billing and financial account numbers
  • Certificate/license numbers — any professional or government-issued numbers
  • Vehicle identifiers — license plate numbers, VINs
  • Device identifiers and serial numbers — including implanted device IDs
  • Web URLs — personal websites, patient portal links
  • IP addresses
  • Biometric identifiers — fingerprints, voiceprints, retinal scans
  • Full-face photographs — and any comparable images
  • Any other unique identifying number or code — not already listed above

Replacement Strategy

  • Replace patient names with consistent placeholders (e.g., "Patient A," "the patient")
  • Replace provider names with role descriptions (e.g., "the attending physician," "the referring specialist")
  • Replace specific dates with relative references (e.g., "Day 3 of admission," "two weeks prior")
  • Replace specific ages over 89 with "90+"
  • Replace facility names if they could identify the patient (small or specialty clinics)

During Use — What to Input and What to Avoid

Safe to Input (After De-identification)

  • De-identified clinical narratives for documentation assistance
  • De-identified lab values and vital signs for clinical decision support
  • General medical questions not tied to a specific patient
  • Drug interaction queries using generic medication lists
  • Procedure descriptions for coding assistance (without patient identifiers)
  • Template and workflow improvement requests using sample data

Never Input — Even with BAA Coverage, Exercise Caution

  • Psychotherapy notes (receive additional protections under HIPAA beyond standard PHI)
  • Substance abuse treatment records (42 CFR Part 2 applies additional restrictions)
  • HIV/AIDS status in jurisdictions with heightened protections
  • Genetic information (GINA may apply)
  • Information the patient has specifically restricted from disclosure

After Generation — Review Checklist

Before using any AI-generated output in clinical or administrative workflows:

  • Verify all clinical facts, drug names, dosages, and interactions against authoritative sources
  • Check that no patient identifiers were inadvertently generated or inferred by the AI
  • Confirm the output is clinically appropriate for the specific patient context
  • Review for hallucinated citations, guidelines, or diagnostic criteria
  • Ensure the tone and language are appropriate for the intended audience (patient, provider, insurer)
  • Have a licensed clinician approve any output that will be used in patient care
  • Edit the output to reflect your professional judgment — do not use AI output verbatim for clinical decisions

Documentation — What to Record

Maintain a record of AI use for compliance and audit purposes:

  • Tool used — name and version of the AI application
  • Date and time of use
  • Purpose — brief description of the task (e.g., "drafted progress note from de-identified clinical data")
  • Data type — what category of data was used (de-identified clinical notes, general medical query, etc.)
  • De-identification confirmed — note that identifiers were removed before input, or that BAA covers the use
  • Reviewer — name and credentials of the clinician who reviewed the output
  • Disposition — whether the output was used as-is, modified, or discarded
  • Any issues noted — inaccuracies, concerns, or incidents flagged during review

Quick Reference: Decision Tree

  1. Does the data contain any of the 18 HIPAA identifiers? If NO, proceed with any approved tool. If YES, go to step 2.
  2. Can you de-identify the data without losing the clinical value you need? If YES, de-identify and proceed. If NO, go to step 3.
  3. Does your AI tool have BAA coverage? If YES, proceed with documentation. If NO, do not use AI for this task.

Get weekly AI prompts for Healthcare professionals

Join professionals already saving hours every week. Free. No spam.