Skip to main content
NC State Home

AI Use Guidance for HIPAA Covered Components

NC State encourages the responsible use of AI to improve efficiency, communication, research and operations. AI use must also comply with FERPA, HIPAA, university data governance requirements and applicable NC State policies.

See AI for Staff and Business Use for general guidance.

What Is Not Permitted

Do not enter the following into public or unapproved AI systems:

  • Protected Health Information (PHI)
  • Individually identifiable patient information

Note: There is no approved AI solution for PHI at this time. If one of the HIPAA Covered Components has a requirement to leverage AI, including AI functionality in existing tools, an IT Purchase Compliance submission is required that explicitly states PHI or non-student health information is involved.

Best Practices

  1. Protect PHI and Sensitive Data
  2. Use Approved Tools
    • Only use approved AI tools and be sure to log in with your university account.
    • Do not use personal AI accounts for university business involving university data.
  3. Verify Everything
    • Remember that AI can generate inaccurate, incomplete or fabricated information.
    • Review and verify all AI-generated content before use or distribution.
  4. Maintain Human Oversight
    • Keep a human in the loop for decisions, communications, clinical-adjacent activities and compliance-sensitive work.
    • Employees remain accountable for AI-assisted outputs.
  5. Be Transparent
    • When AI substantially contributes to a work product, follow applicable unit, research, publication or communication disclosure requirements.
    • Document AI use when required by sponsors, journals or business processes.

Resources