
Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry

Key Takeaways from the 43rd National HIPAA Summit: What Healthcare Industry Stakeholders Should Know

From April 7–10, legal and industry professionals and government officials gathered for the 43rd National HIPAA Summit to present their valuable insights on developments and trends in healthcare privacy, cybersecurity, and enforcement.

Morgan Lewis attorneys Michael J. Madderra and Sydney Reed Swanson presented on the adoption and use of artificial intelligence (AI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). They discussed how, for regulated entities, evolving regulatory expectations and expanded AI use may result in more complex and interrelated obligations across organizational privacy and security frameworks, impacting data use, contracting, and more.

The keynote address was delivered by the director of the US Department of Health and Human Services, Office for Civil Rights (OCR), and reflected on the changing regulatory and enforcement environment under HIPAA and the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (Part 2).

At the same time, healthcare industry stakeholders are continuing to integrate AI tools into clinical and operational workflows, which may introduce new compliance, operational, and ethical considerations.

This Insight examines OCR enforcement signals, regulatory developments, and practical considerations for organizations deploying AI in HIPAA-regulated environments.

OCR Enforcement Signals and Regulatory Developments

OCR Director Paula M. Stannard’s keynote address focused on a variety of topics, including new enforcement priorities tied to Part 2 and HIPAA as well as forthcoming changes to the HIPAA Privacy Rule and the HIPAA Security Rule.

OCR indicated that it is receiving complaints and breach reports tied to the updated Part 2 regulatory requirements, effective February 16, 2026, and anticipates enforcement activity in the near term. Moreover, OCR’s ongoing enforcement initiative regarding failure to complete thorough HIPAA security risk analyses will be broadened to include enforcement action for failure to complete a detailed risk management plan. OCR also described how it will prioritize investigation of cases involving denials of individuals’ right of access, particularly those related to parental rights of access to minors’ records.

OCR also confirmed that proposed modifications to the HIPAA Privacy Rule, issued on January 21, 2021, remain under review for potential finalization. The purpose of the proposed rule is to strengthen individuals’ rights to access their own health information, improve care coordination, and reduce the compliance burden on regulated entities. OCR has indicated its renewed interest in finalizing the proposed rule under the second Trump administration. Director Stannard highlighted how OCR is evaluating adjustments to HIPAA’s minimum necessary standard, which could require updates to HIPAA covered entities’ notices of privacy practices.

OCR confirmed that it is in the process of reviewing comments related to proposed updates to the HIPAA Security Rule, issued on January 6, 2025. Director Stannard noted that OCR’s changes to the proposed HIPAA Security Rule and any public comments received will be evaluated by OCR in light of President Trump’s Cyber Strategy for America, issued in March 2026, and its call for “common sense regulation.” Director Stannard also emphasized OCR’s focus on addressable versus required implementation specifications and underscored risk analyses as a critical first step in identifying and managing broader security risks.

OCR further indicated that it anticipates publishing industry reports summarizing audit findings, similar to reports issued by the US Department of Health and Human Services, Office of Inspector General (OIG), although no publication date was announced.

AI Use Cases and Practical Challenges

AI panelists, including Morgan Lewis’s Mike Madderra and Sydney Swanson, discussed how healthcare organizations and vendors are exploring AI-driven tools to improve efficiency and reduce administrative burden. A prominent use case involves the transcription and summarization of patient-provider interactions during clinical visits.

These tools ingest conversations in real time, generating draft clinical notes for the provider to review. This may reduce time spent on documentation and allow providers to focus more directly on patient care.

These use cases undoubtedly raise legal and operational considerations. For instance, notices to patients are a central issue. Patients should understand whether AI systems are recording or processing their information, how the data is used, what systems are involved, and whether the data is stored temporarily or maintained over time.

Data integrity is another key consideration. Providers need to review and confirm that AI-generated summaries accurately reflect the interaction, as reliance on AI does not replace clinical judgment.

Data retention may also present risk. If underlying data is deleted, organizations could face questions regarding compliance and preservation obligations in litigation, particularly based on representations made to patients.

AI Governance and Security Expectations

During her address, Director Stannard emphasized that the HIPAA Security Rule should be applied to AI technologies in the same manner as any other technology. OCR identified data leakage, data poisoning, and the potential exposure of protected health information (PHI) where a business associate agreement (BAA) is not in place as key risks related to the use of AI. These considerations support integrating AI into existing compliance and security frameworks.

The AI panelists described how proposed updates to the HIPAA Security Rule could further shape how organizations approach AI deployment. Although final requirements remain uncertain, organizations may consider strengthening data governance practices, including maintaining inventories of AI tools, expanding risk assessments to include components tailored to the use of AI, and aligning internal governance with regulatory expectations.

Data Use, Contracting, and Cross-Border Considerations

The AI panelists pointed out that most AI systems rely on large volumes of data, raising questions about the use of PHI, limited data sets, and de-identified data. Each of those categories has distinct regulatory implications, and organizations should evaluate how best to apply the principle of using the minimum necessary data.

There may also be tension between the data demands of AI systems and regulatory constraints, particularly in the context of cross-border data transfers and national security considerations. Organizations should be mindful of where data is stored and processed and consider potential regulatory scrutiny in this area.

Contractual provisions, particularly in BAAs, are evolving to address AI-related risks. Organizations may consider including restrictions on the use of PHI to train or improve AI models without appropriate authorization, more detailed definitions of permitted data uses, and audit rights that allow covered entities to monitor vendor practices.

Ethical Considerations and Patient Expectations

Beyond regulatory compliance, organizations should consider broader ethical obligations when deploying AI tools that interact with patient data. Patients may have expectations regarding confidentiality that extend beyond minimum legal requirements.

Organizations may evaluate how a reasonable person would expect their data to be used, stored, and protected. This may include considering whether data is encrypted in transit and at rest, and whether disclosures provide sufficient transparency.

A focus on confidentiality, transparency, and responsible data use remains important as AI technologies continue to evolve.

Key Takeaways

This year’s conference reflected a change in OCR enforcement priorities and sustained interest in the adoption and use of AI. Regulated entities should consider the following key takeaways:

  • OCR is signaling increased enforcement activity, particularly with respect to right of access, risk analysis, and risk management, as well as compliance with 42 CFR Part 2 updates.
  • Ongoing rulemaking may introduce additional requirements affecting privacy, security, and data governance under HIPAA.
  • As AI adoption expands, organizations should consider conducting targeted risk analyses, strengthening contractual protections, and maintaining visibility into how data is used across systems and vendors in their approach to HIPAA compliance.
  • In a rapidly evolving environment, organizations that take a coordinated approach to compliance, governance, and AI deployment are positioned to better manage risk while continuing to realize potential operational benefits associated with AI.

How We Can Help

Our lawyers stand ready to assist healthcare industry stakeholders with HIPAA and Part 2 compliance and enforcement actions. Morgan Lewis also helps stakeholders tackle operational and ethical concerns related to the use of AI and develop AI governance programs. For more information, read our Health Law Scan blog.