Why SLPs Need to Know This

Every time you consider using an AI tool for clinical work, the first question is: does this involve PHI? If it does, the tool must be HIPAA-compliant and covered by a Business Associate Agreement. Pasting a child’s eval results, even with the name removed, into a consumer AI tool may still constitute a PHI violation if remaining details could identify the individual.

The 18 HIPAA Identifiers SLPs Should Know

• Names, dates (birth, admission, discharge, session dates), phone/fax numbers, email addresses
• Social Security numbers, medical record numbers, health plan numbers, account numbers
• Vehicle and device identifiers, URLs, IP addresses, biometric identifiers
• Full-face photographs, any other unique identifying number or code
• Geographic data smaller than a state (yes, including school district names)

Practical Guide for SLPs

1. When in doubt, de-identify. Remove all 18 identifiers before using any AI tool that lacks a BAA
2. Don’t just remove the name. A combination of age + diagnosis + school + session frequency can be identifying in small communities
3. Understand that “de-identified for brainstorming” and “clinical documentation” are different use cases. You can use a generic AI tool for de-identified brainstorming, but clinical documentation with PHI requires a HIPAA-compliant platform
4. Remember that what you type into an AI tool may be stored. Even temporarily, input data on non-compliant platforms may be logged, cached, or used for training

Related Terms

• BAA (Business Associate Agreement): the legal contract required before an AI vendor can handle your PHI
• Fine-Tuning: models fine-tuned on real clinical data raise questions about whether PHI was used in training
• Hallucination: a model that fabricates PHI-like details (inventing a patient name or score) creates its own compliance risks