HIPAA for AI founders: what it is, who needs it, and what it does not cover

Joanna Larson
15 June 2026

If you are building an AI product and you want to sell it to healthcare organisations in the United States, there is one piece of law you cannot avoid. It is called HIPAA, and it governs how protected health information must be handled. For a founder who has never worked in healthcare, it can feel intimidating, but the core ideas are straightforward once they are explained plainly.

This article covers what HIPAA actually is, who needs to comply with it, how it works in practice, what it costs in time and effort, and the critical thing it does not do, which is tell you whether your AI product is genuinely secure.

What HIPAA actually is

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a United States law that sets strict rules for how organisations handle protected health information, which is essentially any data that can identify a person and relates to their health, treatment, or payment for care.

Unlike a certification such as SOC 2 or ISO 27001, HIPAA is not something you earn from a single audit and hang on the wall. It is a continuous legal obligation. If you handle protected health information, you are required by law to comply, and you remain responsible for that compliance for as long as you hold the data.

The law is built around a few core components. The Privacy Rule governs how health information may be used and shared. The Security Rule sets out the safeguards you must put in place to protect it. And if you process health data on behalf of another organisation, a Business Associate Agreement makes your legal responsibilities explicit in a contract.

Who needs it and when

HIPAA applies if your product touches protected health information belonging to individuals in the United States. The key trigger for most AI startups is not your size or your revenue; it is the moment you begin working with a healthcare organisation.

This is because a healthcare provider, insurer, or their partner cannot lawfully share patient data with you until you can demonstrate compliance and sign a Business Associate Agreement. In practice that means HIPAA becomes a hard requirement the moment a healthcare deal becomes real, and trying to address it after that point puts you behind on the timeline.

You need to take HIPAA seriously in the following situations.

  • You build or sell AI products that process United States patient or health data in any form.
  • You sell to healthcare providers, health insurers, or organisations that work on their behalf.
  • Your product stores, transmits, or analyses information that could identify a patient and relate to their health.

You can reasonably wait if you handle no United States health information and have no near-term plans to sell into healthcare. In that case, your effort is better spent on the frameworks your actual buyers ask for.

How it works in practice

Because there is no single HIPAA certificate and no official certification body, compliance is demonstrated through your controls, your documentation, and your contracts rather than a one-off pass-or-fail audit.

The Privacy Rule requires you to control how health data is used and shared, and to respect the rights patients have over their own information. The Security Rule requires you to implement three kinds of safeguard. Administrative safeguards cover your policies, training, and risk management. Physical safeguards cover the security of the devices and locations where data lives. Technical safeguards cover access controls, encryption, and audit logging.

On top of these, the Business Associate Agreement is the contract that binds you when you process health data for another organisation. It sets out exactly what you may do with the data and what happens if something goes wrong. No healthcare organisation will share protected health information with you without one in place.

What it costs in time and effort

Since there is no official certification fee, your investment goes into implementing the safeguards, documenting them properly, and often engaging an independent assessor to validate your posture. How prepared you already are matters far more than how many people you employ.

The three things to plan around are a thorough risk assessment of how health data flows through your product, the implementation and documentation of the required safeguards, and ongoing maintenance, because HIPAA compliance is never finished. It is a continuous obligation that you uphold for as long as you handle the data.

What HIPAA does not cover for AI products

This is the part that matters most for an AI founder, and it is the part most easily missed. HIPAA tells you to protect health data, but the law was written long before modern AI products existed. Meeting its requirements does not mean your AI system is actually secure.

A HIPAA-compliant posture says nothing about the AI-specific risks that an enterprise healthcare buyer, or a regulator, will increasingly care about.

  • Health data in model prompts. HIPAA does not address whether protected health information is being sent to a third-party model provider on every API call, or whether that transfer is lawful and properly covered by your agreements.
  • Prompt injection. It does not test whether your AI can be manipulated by crafted inputs into exposing patient data or behaving against its intended purpose.
  • Cross-tenant data leakage. It does not check whether one patient's or client's data can surface in another's results through weaknesses in your model or data layer.

In other words, you can be HIPAA-compliant on paper and still have an AI product that leaks sensitive health data in ways the law never anticipated. Closing that gap requires AI security expertise that sits alongside, not inside, your HIPAA work.

The honest takeaway

HIPAA is non-negotiable if you handle United States health data, and it is best addressed before a healthcare deal forces your hand rather than after. But treat it as the floor, not the ceiling. It proves you have the right policies and safeguards for health data in general. It does not prove your AI product is secure against the specific ways AI systems fail.

If you are building in healthcare, the strongest position is to meet HIPAA's requirements and to layer genuine AI security on top, so that when a healthcare buyer asks the harder questions, you have real answers rather than a certificate that quietly sidesteps them.
