Is Your AI Report Writing Software HIPAA-Compliant? A Practical Evaluation Guide
Psychological assessment reports contain some of the most sensitive protected health information (PHI) a practitioner handles — diagnoses, test scores, behavioral observations, family history, and detailed clinical impressions. When AI software helps you draft those reports, every piece of data you input passes through an external system. Before that happens, you need high confidence that the platform meets HIPAA requirements.
This guide focuses specifically on what to verify when evaluating AI-assisted psychological report writing tools — not HIPAA compliance in general, but the concrete checks that apply to this particular workflow. For a broader overview of HIPAA fundamentals, BAA requirements, and practice-wide compliance strategy, see our HIPAA Compliance Resource Guide.
Why Report Writing AI Carries Elevated Compliance Risk
Most AI report writing tools send your input to a large language model (LLM) hosted by a third party. The moment you paste a client's test scores, case history, or behavioral notes into a prompt, that data potentially travels to and is processed by external servers — servers that may log inputs, use them for model training, or share them with subprocessors.
This is different from, say, an encrypted file storage service. The data actively passes through inference infrastructure. Depending on the vendor's architecture, your PHI may be:
- Retained in prompt logs for debugging purposes
- Used to fine-tune or improve the underlying model
- Processed in data centers outside the United States
- Accessible to the model provider's staff under certain conditions
None of these outcomes is automatically disqualifying — but each must be evaluated against your obligations as a HIPAA-covered entity.
The Non-Negotiable: A Signed Business Associate Agreement
The single most important compliance checkpoint is whether the vendor will sign a Business Associate Agreement (BAA). A BAA is a legally binding contract that:
- Defines how the vendor may use and store the PHI you share with them
- Prohibits the vendor from using your data to train AI models without authorization
- Requires the vendor to notify you within a specified timeframe if a breach occurs
- Establishes the vendor's liability for compliance failures on their end
If an AI report writing platform will not provide a BAA, you cannot use it with real client data. Full stop. A privacy policy or "we take security seriously" statement in the terms of service is not a substitute. Always request the BAA before entering any PHI — including test data — into the system.
Technical Requirements to Verify
Beyond the BAA, verify these specific technical controls before adopting any AI report writing tool:
Data in transit and at rest
All data transmitted between your browser or application and the vendor's servers should be encrypted using TLS 1.2 or higher. Data stored on the vendor's infrastructure — including any cached inputs or generated outputs — should be encrypted at rest using AES-256 or equivalent. Ask the vendor to confirm these standards explicitly, and check whether independent audits (SOC 2 Type II, HITRUST) have verified them.
Prompt and output logging
Most LLM APIs log inputs and outputs by default for debugging and quality assurance. Ask specifically whether the AI report writing platform has negotiated with its model provider to disable logging for your requests, or whether it uses a private deployment of the underlying model. This matters because even if the report writing company itself is HIPAA-compliant, its model provider may not be — and if your data passes through the model provider's infrastructure, the model provider is a subprocessor that also needs appropriate protections.
Training data opt-out
Confirm whether client data you enter can be used to train or improve AI models, either by the report writing vendor or by the underlying model provider. HIPAA-compliant arrangements should explicitly prohibit this use of PHI, and the BAA should reflect this restriction.
Data residency
For practices with specific data residency requirements, confirm whether the vendor processes and stores data within the United States. Some model providers route traffic through international data centers, which may have implications depending on your state's regulations and your own practice policies.
Data deletion
You should be able to request complete deletion of your data from the vendor's systems, including any logs, cached outputs, or stored report drafts. Ask for the vendor's data deletion process and confirm it extends to their subprocessors.
Questions to Ask During Sales or Onboarding
When evaluating a specific platform, use these questions to assess HIPAA readiness:
- Will you sign a BAA, and can I review it before committing to a plan?
- What underlying LLM or AI model does the platform use, and do you have a BAA with that model provider?
- Are user inputs and AI outputs logged? If so, where, for how long, and who has access?
- Is client data used to train or fine-tune your AI model or the underlying model?
- Where is data processed and stored — specifically, in which countries and with which cloud providers?
- What encryption standards apply to data in transit and at rest?
- Do you have a SOC 2 Type II report or HITRUST certification I can review?
- How do I request complete deletion of my data if I cancel?
- What is your breach notification process, and what is your average time to notify covered entities?
A vendor that cannot answer these questions clearly and specifically is a vendor that hasn't done the compliance work.
Workflow Practices That Reduce Risk Even with Compliant Tools
Even when using a properly vetted, BAA-signed AI report writing platform, adopt these practices to minimize PHI exposure:
Use anonymized or de-identified inputs where possible. Many AI report writing workflows can operate with test scores and behavioral descriptors without requiring a client's name, date of birth, or other direct identifiers. The report writing template can be populated with identifying information afterward, keeping it out of the AI inference pipeline entirely.
Review all generated text before finalizing. AI-generated content should be treated as a draft. Verify factual accuracy against source data, ensure the clinical narrative accurately reflects your professional judgment, and remove any AI-introduced errors before the report enters the client's record.
Apply your organization's minimum-necessary standard. HIPAA's minimum-necessary principle requires that you only use or disclose the amount of PHI needed for the purpose at hand. When crafting prompts for AI report writing, include only the information the tool actually needs to generate the relevant section.
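The de-identification and minimum-necessary practices above can be enforced in code rather than left to habit. The following is an added example, not code from the article or from any report-writing vendor. It assumes a hypothetical structured case record held as a Python dict, a hypothetical per-section allowlist of fields (SECTION_FIELDS), a simulated vendor response in place of any real API call, and a placeholder-to-identifier map that stays on the practitioner's machine. The client record is constructed sample data.

```python
"""Added example (not from the article): strip direct identifiers from a
drafting prompt, send only the allowlisted fields, then re-populate the
returned draft locally. All names, fields and the vendor stub are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Minimum-necessary allowlist (hypothetical): the only record fields the
# drafting tool needs for each report section.
SECTION_FIELDS = {
    "cognitive": ("age_years", "wisc_fsiq", "wisc_vci", "behavior_notes"),
    "background": ("age_years", "referral_reason", "family_history"),
}

# Direct identifiers that must never leave the practice in a prompt.
DIRECT_IDENTIFIERS = ("client_name", "date_of_birth", "mrn", "phone")

# Constructed sample record; not real client data.
SAMPLE_RECORD = {
    "client_name": "Jordan Example",
    "date_of_birth": "2014-03-09",
    "mrn": "MRN-000123",
    "age_years": 11,
    "wisc_fsiq": 97,
    "wisc_vci": 104,
    "behavior_notes": "Jordan Example was cooperative but fatigued after 40 minutes.",
    "referral_reason": "Teacher concern about attention.",
}

PLACEHOLDER = re.compile(r"\[[A-Z_]+_\d+\]")


@dataclass
class Deidentifier:
    """Swaps identifier values for stable placeholder tokens and keeps the
    reverse map locally so the finished draft can be re-populated."""
    mapping: Dict[str, str] = field(default_factory=dict)   # token -> value
    _reverse: Dict[str, str] = field(default_factory=dict)  # value -> token

    def token_for(self, kind: str, value: str) -> str:
        if value not in self._reverse:
            token = f"[{kind.upper()}_{len(self.mapping) + 1}]"
            self.mapping[token] = value
            self._reverse[value] = token
        return self._reverse[value]

    def scrub_text(self, text: str, record: dict) -> str:
        """Catch identifier values that leaked into free-text fields
        (e.g. the client's name inside behavior notes). Exact-match only."""
        for kind in DIRECT_IDENTIFIERS:
            value = record.get(kind)
            if value and str(value) in text:
                text = text.replace(str(value), self.token_for(kind, str(value)))
        return text

    def reidentify(self, draft: str) -> str:
        """Restore real values in the returned draft, on the local side only."""
        for token, value in self.mapping.items():
            draft = draft.replace(token, value)
        return draft


def build_prompt(record: dict, section: str, deid: Deidentifier) -> str:
    """Build the prompt from the section allowlist only, scrubbing each field."""
    if section not in SECTION_FIELDS:
        raise ValueError(f"unknown section {section!r}")
    lines = []
    for key in SECTION_FIELDS[section]:
        if key in DIRECT_IDENTIFIERS:
            raise ValueError(f"allowlist for {section!r} includes identifier {key!r}")
        if key in record:
            lines.append(f"{key}: {deid.scrub_text(str(record[key]), record)}")
    return f"Draft the {section} section of a psychological report from:\n" + "\n".join(lines)


def assert_no_identifiers(prompt: str, record: dict) -> None:
    """Final gate before transmission: refuse to send if any identifier survives."""
    for kind in DIRECT_IDENTIFIERS:
        value = record.get(kind)
        if value and str(value) in prompt:
            raise RuntimeError(f"direct identifier {kind!r} present in outgoing prompt")


def simulated_vendor_draft(prompt: str) -> str:
    """Stand-in for the AI tool's response (constructed; no network call)."""
    fsiq = re.search(r"wisc_fsiq: (\d+)", prompt)
    token = PLACEHOLDER.search(prompt)
    who = token.group(0) if token else "The client"
    score = fsiq.group(1) if fsiq else "an unreported"
    return f"{who} obtained a Full Scale IQ of {score}, in the average range."


def run_example(section: str = "cognitive") -> Tuple[str, str]:
    """Returns (outgoing prompt, re-identified local draft)."""
    deid = Deidentifier()
    prompt = build_prompt(SAMPLE_RECORD, section, deid)
    assert_no_identifiers(prompt, SAMPLE_RECORD)
    return prompt, deid.reidentify(simulated_vendor_draft(prompt))


if __name__ == "__main__":
    outgoing, local_draft = run_example()
    print("--- sent to vendor ---\n" + outgoing)
    print("--- kept locally ---\n" + local_draft)
```

Two design points are worth noting. The allowlist is checked against the identifier list at build time, so a later edit that adds `client_name` to a section fails loudly instead of silently widening the prompt. The exact-match scrub is a floor, not full de-identification: a first name on its own, a sibling's name, or quasi-identifiers such as a rare diagnosis plus ZIP code would pass through, so clinicians still need to read the outgoing prompt with the minimum-necessary standard in mind.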
Keep records of your vendor assessments. Document which platforms you evaluated, what compliance evidence you reviewed, and why you selected the tool you chose. If your compliance practices are ever questioned, this documentation demonstrates a good-faith, systematic selection process.
Red Flags That Should End Evaluation Immediately
Stop evaluating a platform if you encounter any of the following:
- The vendor declines to sign a BAA or claims one is not required
- The vendor cannot identify which model provider processes your data
- The terms of service grant the vendor rights to use your data for product improvement without restriction
- The platform is a consumer AI tool without a healthcare-specific offering (free tiers of general-purpose AI chatbots virtually never qualify)
- Security certifications, encryption standards, or subprocessor lists are not available upon request
Building HIPAA Compliance Into Your AI Adoption Process
HIPAA compliance for AI report writing isn't a one-time checkbox — it's an ongoing practice. As vendors update their infrastructure, switch model providers, or revise their terms of service, the compliance picture can change. Review your BAA and vendor security documentation at least annually, and monitor vendor communications for changes that affect data handling.
Choosing the right AI report writing platform involves balancing capability, usability, and compliance. Compliance must come first: no efficiency gain is worth a HIPAA violation and its associated penalties, reputational harm, and erosion of client trust.
For an introduction to HIPAA fundamentals, breach notification requirements, and broader practice-wide compliance strategy, visit our HIPAA Compliance Resource Guide.
This article provides general information about HIPAA compliance considerations and does not constitute legal advice. Consult with a qualified healthcare attorney for guidance specific to your practice.