AI Use Guidance for HIPAA Covered Components
NC State encourages the responsible use of AI to improve efficiency, communication, research and operations. AI use must also comply with FERPA, HIPAA, university data governance requirements and applicable NC State policies.
See AI for Staff and Business Use for general guidance.
What Is Not Permitted
Do not enter the following into public or unapproved AI systems:
- Protected Health Information (PHI)
- Individually identifiable patient information
Note: There is no approved AI solution for PHI at this time. If one of the HIPAA Covered Components has a requirement to leverage AI, including AI functionality in existing tools, an IT Purchase Compliance submission is required that explicitly states PHI or non-student health information is involved.
Best Practices
- Protect PHI and Sensitive Data
- Never upload PHI into AI tools unless the tool has been specifically approved for that purpose and appropriate agreements are in place.
- Follow NC State’s Data Management Framework and HIPAA requirements.
- Abide by the Institutional Review Board’s standards and guidelines regarding the use of AI in research with human subjects.
- Use Approved Tools
- Only use approved AI tools and be sure to log in with your university account.
- Do not use personal AI accounts for university business involving university data.
- Verify Everything
- Remember that AI can generate inaccurate, incomplete or fabricated information.
- Review and verify all AI-generated content before use or distribution.
- Maintain Human Oversight
- Keep a human in the loop for decisions, communications, clinical-adjacent activities and compliance-sensitive work.
- Employees remain accountable for AI-assisted outputs.
- Be Transparent
- When AI substantially contributes to a work product, follow applicable unit, research, publication or communication disclosure requirements.
- Document AI use when required by sponsors, journals or business processes.