HIPAA-AI Readiness Self-Audit
Score your healthcare AI deployment against the 5 HIPAA dimensions in 5 minutes. Get a per-dimension red/yellow/green status, your top 2 gaps per area, and a prioritized 90-day remediation plan — emailed as a PDF.
Built by the Taction Software® engineering team based on 785+ healthcare implementations and 30+ AI features in production.
Why a HIPAA-AI audit is different from a regular HIPAA audit
Standard HIPAA assessments cover PHI access controls, encryption, and BAAs. AI workloads add five new risk surfaces that most audits miss:
- BAAs with AI providers — your OpenAI/Anthropic/Bedrock contract probably isn’t signed correctly
- PHI flow auditing — every byte sent to an inference endpoint is a covered transmission
- Audit logging of AI outputs — model responses and clinician overrides are records
- Model governance — registry, versioning, drift, eval harness
- On-prem fallback — what happens when the cloud LLM is unavailable
Business Associate Agreements
If you're sending PHI to a public-tier API without a BAA in place, it doesn't matter how the data is encrypted — it's a HIPAA violation.
What’s in your audit report
- 5-dimension radar chart (visible immediately on results page)
- Per-dimension red/yellow/green scoring with the top 2 gaps in each area
- Overall readiness percentage with color-coded badge
- Detailed PDF report (emailed) with: prioritized 90-day remediation roadmap, sample BAA template for AI providers, sample audit-log schema, sample model registry checklist
Frequently asked questions
You score your deployment across five dimensions: BAAs with all PHI handlers including AI providers, PHI flow auditing on inference endpoints, audit logging of model outputs and clinician overrides, model governance (registry, versioning, drift), and on-prem fallback capability. Each dimension is scored 0–15; a deployment scoring 60+ overall (out of 75) is considered HIPAA-AI-ready. The audit above walks you through all 25 questions.
A Business Associate Agreement signed with any third party that touches PHI on your behalf — including LLM providers (OpenAI, Anthropic, AWS Bedrock, Google Vertex). Most healthcare orgs have BAAs with their cloud provider but not with the LLM API service itself. Without one, sending PHI to that endpoint is a HIPAA violation regardless of encryption.
About 5 minutes — 25 questions across 5 dimensions, each with Yes / Partially / No / Don’t know answers.
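The scoring rules stated above (25 questions, 5 per dimension, each dimension 0–15, 60 of 75 to be considered ready, top 2 gaps per area) are enough to implement the engine end to end. The following is an added example written for this page, not Taction Software's own scoring code. The point values per answer (Yes=3, Partially=1, No=0, Don't know=0), the red/yellow/green cut-offs, and the sample responses are assumptions, since the page does not publish them; "Don't know" is deliberately scored like "No" because a control nobody can vouch for is not an evidenced control.

```python
"""Added example: scoring engine for the 25-question, 5-dimension self-audit."""

DIMENSIONS = [
    "BAAs with AI providers",
    "PHI flow auditing",
    "Audit logging of AI outputs",
    "Model governance",
    "On-prem fallback",
]
QUESTIONS_PER_DIMENSION = 5   # page: 25 questions across 5 dimensions
MAX_PER_DIMENSION = 15        # page: each dimension is scored 0-15
MAX_OVERALL = 75              # page: 5 dimensions x 15
READY_THRESHOLD = 60          # page: 60+ out of 75 is HIPAA-AI-ready

# Assumption: 5 questions x 3 points = 15 per dimension. "Don't know" scores
# like "No": an unverified control earns no credit.
POINTS = {"yes": 3, "partially": 1, "no": 0, "don't know": 0}


def status(score: int) -> str:
    """Assumed red/yellow/green cut-offs; the page does not publish them."""
    if score >= 12:
        return "green"
    if score >= 7:
        return "yellow"
    return "red"


def score_audit(answers: dict) -> dict:
    """answers maps each dimension to five (question, answer) pairs.

    Returns per-dimension score, status and top-2 gaps (the lowest-scoring
    questions, ties kept in questionnaire order), plus the overall total,
    readiness percentage and ready flag."""
    if set(answers) != set(DIMENSIONS):
        raise ValueError("answers must cover exactly the five dimensions")
    report = {"dimensions": {}, "overall": 0}
    for dim in DIMENSIONS:
        items = answers[dim]
        if len(items) != QUESTIONS_PER_DIMENSION:
            raise ValueError(f"{dim}: expected {QUESTIONS_PER_DIMENSION} answers")
        scored = []
        for question, answer in items:
            # normalise the typographic apostrophe a web form may submit
            key = answer.replace("\u2019", "'").strip().lower()
            if key not in POINTS:
                raise ValueError(f"{dim}: unrecognised answer {answer!r}")
            scored.append((question, POINTS[key]))
        total = sum(points for _, points in scored)
        # sorted() is stable, so equal scores stay in questionnaire order
        gaps = [q for q, p in sorted(scored, key=lambda t: t[1]) if p < 3][:2]
        report["dimensions"][dim] = {"score": total, "status": status(total), "gaps": gaps}
        report["overall"] += total
    report["percent"] = round(100 * report["overall"] / MAX_OVERALL)
    report["ready"] = report["overall"] >= READY_THRESHOLD
    return report


def sample_answers() -> dict:
    """Constructed sample responses (not real audit data)."""
    responses = {
        "BAAs with AI providers":      ["Yes", "Yes", "No", "Partially", "Don\u2019t know"],
        "PHI flow auditing":           ["Yes"] * 5,
        "Audit logging of AI outputs": ["Yes", "Partially", "Partially", "Yes", "Yes"],
        "Model governance":            ["No", "No", "Partially", "No", "Don't know"],
        "On-prem fallback":            ["Yes", "Yes", "Yes", "Partially", "Yes"],
    }
    return {dim: [(f"{dim} Q{i}", a) for i, a in enumerate(vals, 1)]
            for dim, vals in responses.items()}


if __name__ == "__main__":
    r = score_audit(sample_answers())
    for dim, d in r["dimensions"].items():
        print(f"{d['status']:6} {d['score']:2}/15  {dim}  gaps={d['gaps']}")
    print(f"overall {r['overall']}/75 ({r['percent']}%) ready={r['ready']}")
```

With the constructed sample the deployment scores 47/75 (63%), so it falls short of the 60-point bar even though two dimensions are green; the per-dimension view is what tells you that model governance (1/15) is where the 90-day plan should start.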
A per-dimension breakdown, your top 2 gaps in each area, a prioritized 90-day remediation plan, a sample BAA template specifically for AI providers, and a sample audit-log schema for AI inference. Roughly 12 pages.
Your answers and email are stored against your account in our CRM so we can follow up with the relevant remediation. We never share your responses with third parties. The audit itself does not transmit any PHI; it only asks about your processes.
Your audit results page will show a low-score badge and offer our $25K HIPAA-AI Readiness Assessment service — a 3-week engagement where our team produces a written remediation roadmap with specific implementation steps for your environment.
Need help acting on the results?
Taction Software® has shipped 30+ AI features in production healthcare environments with zero HIPAA findings. Book a 30-min call and we’ll walk through your audit results together.
