ISMS Copilot

HIPAA for the security leader who is not the privacy officer

Your job is the Security Rule and the risk analysis keystone. The Privacy Rule belongs to someone else — know exactly where the line is.

Read this first: ISMS Copilot does not sign a BAA — keep PHI out of chats

ISMS Copilot does not sign a Business Associate Agreement (BAA). Under 45 CFR §164.502(e) and §164.504(e), a covered entity or business associate may disclose PHI to a vendor only with the written assurances a BAA provides, so ISMS Copilot cannot lawfully receive or process Protected Health Information on your behalf. Do not paste actual PHI or ePHI into chats: names, dates, medical record numbers, diagnoses, provider-patient conversations, or any of the other identifiers listed in §164.514(b). ISMS Copilot is a compliance learning and policy-drafting tool, not a HIPAA Business Associate. Use it to draft Security Rule policies, build your risk analysis methodology, and prepare evidence, and keep ePHI in your dedicated HIPAA-compliant systems. If a workflow genuinely needs PHI inside an AI assistant, you need a vendor that signs a BAA; the practical alternative for this tool is to work with synthetic or properly de-identified data, which is not PHI once it meets the §164.514 de-identification standard.

HIPAA for the security leader who is not the privacy officer

If you own security but not privacy, draw the statutory line first. The Security Rule (45 CFR Part 164, Subpart C, §164.302–§164.318) governs administrative, physical, and technical safeguards for ePHI: that is your remit. The Privacy Rule (Subpart E, §164.500 onward) governs uses and disclosures of PHI in any form, on paper or spoken as well as electronic: Notices of Privacy Practices, minimum necessary, authorizations. That is the privacy officer's remit. Do not let the two blur in your control set. Within your half, the keystone is the risk analysis required by §164.308(a)(1)(ii)(A): an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI the organisation creates, receives, maintains, or transmits, not just the systems the security team happens to run. Almost every other Security Rule control traces its scoping back to it: risk management under §164.308(a)(1)(ii)(B) is defined as reducing the risks that analysis identified, and access management (§164.308(a)(4), §164.312(a)), audit controls (§164.312(b)), and contingency planning (§164.308(a)(7)) are all scoped by which systems hold ePHI and how much risk they carry. It is also typically the first artefact an OCR investigation requests, and §164.306(e) expects it to be reviewed and updated as the environment changes, so a point-in-time document will not hold up. Get the risk analysis methodology defensible and the rest of the Security Rule has a spine. ISMS Copilot drafts that methodology and the safeguard policies; it never holds the ePHI.

Frequently Asked Questions

Will ISMS Copilot sign a BAA so I can use PHI in it?

No. ISMS Copilot does not sign Business Associate Agreements, and without the assurances required by 45 CFR §164.502(e) and §164.504(e) it cannot receive or process PHI on your behalf. Do not paste PHI or ePHI into chats. Use it for documentation, methodology, and training only, with synthetic or de-identified data where you need worked material; keep ePHI in BAA-covered systems.

Where does the Security Rule end and the Privacy Rule begin?

The Security Rule (45 CFR §164.302–§164.318) covers administrative, physical, and technical safeguards for ePHI, and is the security leader's remit. The Privacy Rule (§164.500 onward) covers uses and disclosures of PHI in any form, including paper and verbal, and is the privacy officer's remit. Keep the two scopes distinct in your control set, and be explicit about the handful of places they meet, such as a breach of ePHI that triggers both security incident procedures and the Breach Notification Rule's notification duties.

Why is the §164.308(a)(1)(ii)(A) risk analysis the keystone?

It is the accurate and thorough assessment of risks to all ePHI the organisation creates, receives, maintains, or transmits, and it scopes nearly every other Security Rule control: risk management (§164.308(a)(1)(ii)(B)) is defined in terms of the risks it identifies, and access, audit, and contingency controls are sized by which systems it shows hold ePHI. It is typically the first thing an OCR investigation requests and must be kept current under §164.306(e). A weak, stale, or partial risk analysis undermines the entire Security Rule programme.
