From the HASP team

The HASP Blog

Practical guides on HIPAA-ready AI, regulated workflows, and compliant tooling for healthcare, legal, and financial-services teams.

HIPAA + AI · 10 min read

HIPAA Security Rule and AI: What § 164.308 Requires of Vendors

When you put AI into a HIPAA workflow, the AI vendor becomes a business associate. Here is how to evaluate that vendor through the lens of § 164.308.

HIPAA + AI · 12 min read

Real HIPAA Violations From AI: What Regulators Have Penalized

OCR has not yet fined anyone for an AI tool by name. That is a lag, not an all-clear. Here is what regulators have penalized that maps directly onto how AI fails.

HIPAA + AI · 12 min read

How to Evaluate HIPAA AI Vendors: A 20-Point Checklist

A 20-point checklist for evaluating HIPAA AI vendors — BAA scope, the inference path, PHI handling, audit integrity, and the vendor's own posture.

HIPAA + AI · 10 min read

Is ChatGPT HIPAA-Compliant? An Honest Answer for 2026

It depends on which ChatGPT, and the default answer is no. Here's what OpenAI's BAA actually covers in 2026 — and what a regulated team still has to build around it.

HIPAA + AI · 9 min read

Is Claude HIPAA-Compliant? What Anthropic's BAA Actually Covers

Anthropic will sign a BAA for some Claude products and not others. Here's what that BAA covers, what it leaves to you, and how to tell the difference.

HIPAA + AI · 11 min read

PHI Scanning vs. Redaction: What Actually Protects Data

Scanning finds PHI in a prompt. Redaction removes it. They are not the same thing, and redaction is not the safe default most teams assume it is.

HIPAA + AI · 7 min read

Prior Authorization and AI: What Works, What Doesn't

AI can cut prior authorization work significantly - but only if the deployment handles PHI correctly and leaves the right decisions to humans. A practical breakdown.

Regulated AI · 10 min read

Built on every model. Never locked to one.

Single-provider AI deployments are a resilience problem, a pricing problem, and a model-quality problem. Multi-provider deployments are a compliance problem — unless someone else owns the BAA. Here's the case for model-agnostic regulated AI.

Regulated AI · 7 min read

What Makes an Audit Trail Hold Up in an Investigation

Application logs and compliance audit trails are different things. Here's what a real audit trail looks like for AI systems handling regulated data - and why the gap between the two matters.

HIPAA + AI · 8 min read

What a HIPAA BAA Actually Covers When You Use AI

Most AI vendors will sign a BAA. That doesn't mean the BAA covers what you think it does. Here's what to check before you call your AI deployment compliant.

Regulated AI · 8 min read

Why Regulated Teams Can't Just Use ChatGPT

ChatGPT is a useful tool. It is not a compliant one. Here's the specific gap between what general-purpose AI offers and what healthcare, legal, and financial services teams actually need.