# HIPAA

> Check AI content against HIPAA Privacy and Security Rules. Covers PHI handling, minimum necessary standard, BAA requirements, breach notification, and de-identification.

<Info>
  **Endpoint:** `POST /railscore/v1/compliance/check` | **Framework code:** `hipaa` | **Credits:** 5.0 per call
</Info>

The Health Insurance Portability and Accountability Act establishes standards for protecting sensitive patient health information. The compliance check evaluates whether AI-generated content properly handles PHI and meets HIPAA obligations.

## Supported checks

| Area                | Rule          | What's checked                                                               |
| ------------------- | ------------- | ---------------------------------------------------------------------------- |
| PHI handling        | Privacy Rule  | Whether Protected Health Information is properly safeguarded                 |
| Minimum necessary   | 164.502(b)    | Whether access/disclosure is limited to what's necessary                     |
| BAA requirements    | 164.502(e)    | Whether Business Associate Agreements are referenced for third-party sharing |
| Breach notification | 164.404-408   | Whether breach notification obligations are addressed                        |
| De-identification   | 164.514       | Whether data meets Safe Harbor or Expert Determination standards             |
| Patient rights      | 164.524-526   | Right of access to PHI, amendment requests                                   |
| Security safeguards | Security Rule | Administrative, physical, and technical safeguards                           |

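Because the de-identification check measures content against the Safe Harbor standard, it helps to pre-screen text locally for the identifier classes that can be matched mechanically before it is sent anywhere. The following is an added example in Python, not part of the API or of this documentation; the pattern list, the class labels and the sample note are constructed for illustration, and it covers only a subset of the eighteen Safe Harbor classes (names and street addresses are not matched). A clean pre-screen is not a pass: the Request example below contains no direct identifier and is still flagged under the minimum necessary standard.

```python
import re

# Patterns for Safe Harbor identifier classes (45 CFR 164.514(b)(2)) that can
# be matched mechanically. Class labels are constructed for this example, not
# API fields. Names, street addresses and other free-text identifiers are NOT
# covered, so a clean result is a pre-screen, not a de-identification.
# Order matters: earlier alternatives win, so the generic 5-digit ZIP is last.
_PATTERNS = [
    ("ssn",         r"\b\d{3}-\d{2}-\d{4}\b"),
    ("phone",       r"(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    ("email",       r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    ("mrn",         r"\bMRN[ #:]*\d{4,}\b"),
    ("date_iso",    r"\b\d{4}-\d{2}-\d{2}\b"),
    ("date_us",     r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    ("date_long",   r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}, \d{4}\b"),
    # Safe Harbor requires ages over 89 to be aggregated into "90 or older".
    ("age_over_89", r"\b(?:9\d|1\d\d)[ -]?(?:years?[ -]old|y/?o)\b"),
    ("zip",         r"\b\d{5}(?:-\d{4})?\b"),
]
_COMBINED = re.compile(
    "|".join(f"(?P<{name}>{rx})" for name, rx in _PATTERNS), re.IGNORECASE
)

# Constructed sample clinical note; every value is fictional.
SAMPLE_NOTE = (
    "Patient Jane Roe, MRN 4482913, DOB 03/14/1931, phone (415) 555-0134, "
    "email jane.roe@example.com, 93-year-old, lives in ZIP 94110, "
    "seen 2024-05-02 for Type 2 diabetes follow-up."
)


def find_identifiers(text):
    """Return (class, matched_text) pairs in order of appearance."""
    return [(m.lastgroup, m.group()) for m in _COMBINED.finditer(text)]


def scrub(text):
    """Replace every hit with a bracketed class tag such as [PHONE]."""
    return _COMBINED.sub(lambda m: f"[{m.lastgroup.upper()}]", text)


def safe_harbor_prescreen(text):
    """True only when no mechanically detectable identifier remains."""
    return not find_identifiers(text)


if __name__ == "__main__":
    for cls, hit in find_identifiers(SAMPLE_NOTE):
        print(f"{cls:12} {hit}")
    print(scrub(SAMPLE_NOTE))
    print("prescreen clean:", safe_harbor_prescreen(scrub(SAMPLE_NOTE)))
```

Run the scrubbed text through the compliance check rather than the raw note: the API then evaluates the residual clinical content (diagnosis, referral) under the minimum necessary standard, while direct identifiers never leave your environment.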
## Request

```bash
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/check \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -d '{
    "content": "The patient diagnosed with Type 2 diabetes was referred to an endocrinologist.",
    "frameworks": ["hipaa"],
    "context": "Healthcare chatbot assisting clinical staff"
  }'
```

## Response

```json
{
  "result": {
    "overall_compliant": false,
    "frameworks": {
      "hipaa": {
        "compliant": false,
        "issues": [
          {
            "clause": "164.502(b) — Minimum necessary standard",
            "description": "Response includes specific diagnosis information. Verify that the recipient requires this level of clinical detail.",
            "severity": "medium",
            "remediation": "Apply minimum necessary principle: only include PHI elements required for the specific use case. Consider de-identifying where possible."
          }
        ]
      }
    }
  },
  "credits_consumed": 5.0
}
```

## Combine with other frameworks

For healthcare AI operating in the EU, check HIPAA alongside GDPR:

```bash
curl -X POST https://api.responsibleailabs.ai/railscore/v1/compliance/check \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -d '{
    "content": "Patient records are stored in US-based cloud infrastructure.",
    "frameworks": ["hipaa", "gdpr"],
    "context": "Telemedicine platform serving US and EU patients"
  }'
```
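A small client that builds the request shown in the curl examples, sends it, and turns the response into a release decision across every requested framework (one framework as in the Response section, or several as in the combined call above). This is an added example in Python, not an official SDK: the severity ordering and the `send` injection point are assumptions (the page only shows a `medium` severity), and the embedded sample response is copied from the Response section so the code runs offline.

```python
import json
from urllib import request

API_URL = "https://api.responsibleailabs.ai/railscore/v1/compliance/check"

# Ordering is an assumption for this example; the documentation shows only
# "medium". Severities not in this table are treated as blocking (fail closed).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Copied from the Response section of the documentation so the example runs offline.
SAMPLE_RESPONSE = {
    "result": {
        "overall_compliant": False,
        "frameworks": {
            "hipaa": {
                "compliant": False,
                "issues": [
                    {
                        "clause": "164.502(b) — Minimum necessary standard",
                        "description": "Response includes specific diagnosis information. Verify that the recipient requires this level of clinical detail.",
                        "severity": "medium",
                        "remediation": "Apply minimum necessary principle: only include PHI elements required for the specific use case. Consider de-identifying where possible.",
                    }
                ],
            }
        },
    },
    "credits_consumed": 5.0,
}


def build_request(content, frameworks, context, api_key):
    """Build the POST request with the same body and headers as the curl examples."""
    body = json.dumps(
        {"content": content, "frameworks": list(frameworks), "context": context}
    ).encode("utf-8")
    return request.Request(
        API_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {api_key}"},
    )


def check_compliance(content, frameworks, context, api_key, send=None):
    """Run the check. `send` is an assumed injection point for tests: it takes a
    Request and returns the parsed JSON. By default the live HTTPS call is made."""
    req = build_request(content, frameworks, context, api_key)
    if send is None:
        def send(r):
            with request.urlopen(r, timeout=30) as resp:
                return json.load(resp)
    return send(req)


def flatten_issues(response):
    """One flat list of issues across every framework, each tagged with its framework code."""
    return [
        {"framework": fw, **issue}
        for fw, res in response["result"]["frameworks"].items()
        for issue in res.get("issues", [])
    ]


def release_decision(response, block_at="medium"):
    """Return ("release" | "block" | "review", issues).

    release: the API reports overall compliance.
    block:   at least one issue at or above `block_at`; those issues are returned
             so their remediation text can be surfaced to the caller.
    review:  non-compliant, but every issue is below the threshold; route to a human.
    """
    issues = flatten_issues(response)
    if response["result"]["overall_compliant"]:
        return "release", issues
    threshold = SEVERITY_RANK[block_at]
    blocking = [i for i in issues if SEVERITY_RANK.get(i["severity"], threshold) >= threshold]
    return ("block" if blocking else "review"), blocking


if __name__ == "__main__":
    # Offline run against the sample response; pass send=None to call the live API.
    resp = check_compliance(
        "The patient diagnosed with Type 2 diabetes was referred to an endocrinologist.",
        ["hipaa"],
        "Healthcare chatbot assisting clinical staff",
        "YOUR_RAIL_API_KEY",
        send=lambda r: SAMPLE_RESPONSE,
    )
    decision, issues = release_decision(resp)
    print(decision, "credits:", resp["credits_consumed"])
    for i in issues:
        print(f"[{i['framework']}] {i['clause']} ({i['severity']}): {i['remediation']}")
```

Keying the gate on `overall_compliant` plus a severity threshold means a combined `["hipaa", "gdpr"]` call is handled by the same code path: any framework's issues appear in the flattened list, and the remediation text for blocking issues is returned rather than only logged, so the caller can act on it.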

<Note>
  Dedicated HIPAA endpoints for PHI detection, de-identification verification, and BAA compliance tracking are under development.
</Note>
