Google Bard is not HIPAA compliant for HIPAA Covered Entities or Business Associates because it is not offered under a HIPAA Business Associate Agreement and it is not designed to create, receive, maintain, or transmit electronic protected health information in accordance with the HIPAA Privacy Rule and HIPAA Security Rule.
HIPAA compliance for third-party services that handle electronic protected health information requires a written HIPAA Business Associate Agreement when the vendor performs functions on behalf of a regulated healthcare organization. The agreement must restrict permitted uses and disclosures, require safeguards for electronic protected health information, require breach reporting under the HIPAA Breach Notification Rule, and apply equivalent restrictions to subcontractors. Without a HIPAA Business Associate Agreement that covers the service, a Covered Entity or Business Associate cannot place protected health information into the service.
Public-facing generative AI chat tools create additional exposure pathways because user prompts and outputs can be processed and retained as part of service operations, including safety monitoring and product improvement. A single prompt can contain direct identifiers, appointment details, clinical history, medications, diagnoses, test results, insurance information, or billing context. Even when direct identifiers are removed, the remaining combination of data points can still identify an individual in context. Chat histories, browser sessions, and administrative logs can also persist beyond the organization’s own access controls and retention schedule.
Operational safeguards under the HIPAA Security Rule require access controls, audit controls, integrity controls, transmission security, and workforce procedures that govern how electronic protected health information is used and disclosed. Consumer AI chat services do not give healthcare organizations administrator control over these safeguards at the level required for regulated data handling, and the organization cannot validate or enforce how submitted protected health information is handled downstream.
Healthcare organizations may use Google Bard only for use cases that exclude protected health information and avoid patient-specific context, such as drafting policy language templates that contain no identifiers or generating general education content that does not reference individuals. Patient-facing or staff-facing workflows that involve protected health information require a vendor that will execute a HIPAA Business Associate Agreement for the services in scope and provide documented controls for access management, logging, retention, and incident response aligned with HIPAA obligations.