AI Compliance: HIPAA, SOX, GDPR — What You Actually Need
A no-BS guide to keeping your AI systems legal without drowning in regulatory paranoia
CTO & Founder, The Fort AI Agency

Let's cut to it: you want to use AI in your business, but every time you mention it, someone in legal turns pale and starts mumbling about fines. Meanwhile, your competitors are shipping AI features and you're stuck in a compliance limbo.
I've spent 20 years in IT — running an MSP, cleaning up other people's messes, and now helping businesses at The Fort AI Agency implement AI without stepping on a regulatory landmine. So let me give you the straight version of AI compliance: what HIPAA, SOX, and GDPR actually require, and what's just noise.
Spoiler: most of the fear is misplaced. The real risks are boring, specific, and totally avoidable.
Is AI HIPAA Compliant?
AI is not automatically HIPAA compliant. HIPAA compliance depends on how you configure the AI system, whether you sign a Business Associate Agreement (BAA) with your vendor, and whether protected health information (PHI) is properly encrypted and access-controlled. The tool itself is neutral — your implementation is what makes it compliant or not.
Here's the thing people get wrong. They ask "Is ChatGPT HIPAA compliant?" as if the answer is a simple yes or no. It's neither. It's "depends on your contract and your setup."
What HIPAA Actually Requires for AI
If you're handling PHI — patient records, diagnoses, billing tied to health data — you need these boxes checked:
- A signed BAA with your AI vendor. OpenAI offers BAAs for its enterprise and API tiers. Consumer ChatGPT? No BAA, no PHI. Full stop.
- Encryption in transit and at rest. Non-negotiable.
- Access controls and audit logs. You need to know who touched what data and when.
- No training on your data. Make sure your vendor contractually agrees not to use your PHI to train their models.
- Data minimization. Don't feed the AI more PHI than the task requires.
The Common HIPAA Mistake I See Constantly
A clinic employee pastes patient notes into the free version of an AI tool to "summarize" them. Boom — you just sent PHI to a third party with no BAA, and that data may be used for training. That's a reportable breach.
The fix isn't banning AI. It's giving your team a compliant tool so they don't reach for the shadow-IT option. At The Fort AI Agency, this is the first thing we lock down for healthcare clients — a sanctioned, BAA-covered AI workflow that people actually want to use.
How Do I Make My AI Solution GDPR Compliant?
To make your AI solution GDPR compliant, you need a lawful basis for processing personal data, transparency about how the AI uses that data, mechanisms for data subject rights (access, deletion, correction), and safeguards for automated decision-making. GDPR applies to any business handling EU residents' data — regardless of where your company is located.
That last point trips up a lot of American businesses. You're in Fort Wayne, your customer is in Frankfurt — GDPR applies to you. Location of the business doesn't matter; location of the data subject does.
The GDPR Checklist for AI Systems
- Establish a lawful basis. Consent, contract, legitimate interest — pick one and document it. "We wanted to" is not a lawful basis.
- Be transparent. If AI is making or influencing decisions about people, tell them. Buried terms-of-service disclosures don't count.
- Honor data subject rights. People can request their data, ask you to delete it, or correct it. If your AI vendor can't help you comply, that's a problem.
- Handle automated decision-making carefully. Article 22 of GDPR gives people the right not to be subject to purely automated decisions with significant effects. Loan approvals, hiring, that kind of thing. You need human review in the loop.
- Data Protection Impact Assessment (DPIA). For high-risk AI processing, this is required. It's basically documenting the risks before you deploy.
The "Right to Explanation" Wrinkle
GDPR gives individuals a right to meaningful information about the logic of automated decisions. This is where black-box AI gets you in trouble. If a customer asks "why did your AI deny me?" and your answer is "the model said so," you've got a compliance gap.
This is why explainability isn't just a nice-to-have anymore. It's a legal requirement in certain contexts.
What Regulations Apply to AI in Business?
The regulations that apply to AI in business depend on your industry and the data you handle. The big four are HIPAA (healthcare data), GDPR (EU personal data), SOX (financial reporting for public companies), and the EU AI Act (risk-based AI regulation). Additional rules like CCPA/CPRA apply for California residents, and sector-specific regulations may apply to finance, legal, and government contractors.
Let me break down who cares about what.
SOX and AI: The Overlooked One
Sarbanes-Oxley (SOX) governs financial reporting for public companies. If you're using AI to generate, analyze, or influence financial statements, that AI is now part of your internal controls over financial reporting.
Translation: you need to be able to audit and validate what the AI produced. If AI drafts your quarterly numbers and nobody can explain how, your auditors will have a field day — and not the fun kind.
SOX requires:
- Auditability. Every AI-influenced financial output needs a traceable path.
- Access controls. Segregation of duties still applies. AI doesn't get to bypass that.
- Change management. Update your AI model? That's a change to your control environment. Document it.
The EU AI Act — The New Kid That Everyone's Ignoring
As of 2026, the EU AI Act is phasing in, and it's the first comprehensive AI-specific regulation with teeth. It classifies AI systems by risk:
- Unacceptable risk (social scoring, manipulative AI): banned.
- High risk (hiring, credit, medical devices): heavy compliance requirements.
- Limited risk (chatbots): transparency obligations.
- Minimal risk (spam filters, most business tools): basically free rein.
If you serve EU customers, this is now on your radar whether you like it or not. Andy Oberlin's take: most small and mid-sized businesses fall into the limited or minimal risk categories, so don't panic — but know where you land.
The Machine-Readable Web Angle
Here's a timely one. There's an active discussion on Hacker News right now asking whether the web for machines — things like the proposed /llm.txt standard — is the web we wish we'd built for humans. As AI agents increasingly crawl and act on your data, compliance is bleeding into how your content is structured and exposed.
If you're publishing an llm.txt or opening APIs to AI agents, you're making decisions about what machine consumers can access. That's a data governance question, and governance is where compliance lives. The standards are still forming, but the businesses thinking about this now will avoid retrofitting compliance later.
The Compliance Framework That Actually Works
After cleaning up dozens of "we deployed AI first and asked questions later" situations, here's the framework I give clients at The Fort AI Agency.
Step 1: Data Classification
Before any AI touches your data, know what you have. PHI? PII? Financial records? Public marketing copy? You can't protect data you haven't classified.
Step 2: Vendor Due Diligence
Read the actual terms. Ask these questions:
- Will you sign a BAA (if healthcare) or Data Processing Agreement (if GDPR)?
- Do you train on customer data? Can I opt out?
- Where is data stored and processed geographically?
- What are your security certifications (SOC 2, ISO 27001)?
If a vendor dodges these, that's your answer.
Step 3: Human-in-the-Loop for High-Stakes Decisions
Anything that affects a person's health, money, employment, or legal standing needs a human checkpoint. This isn't just good ethics — it's often legally required under GDPR Article 22 and the EU AI Act.
Step 4: Audit Trails Everywhere
Log inputs, outputs, and decisions. When a regulator or auditor comes knocking, "we don't have logs" is the worst possible answer. Boring infrastructure, huge payoff.
Step 5: Written Policy Your Team Will Actually Read
A 40-page compliance manual nobody reads is worthless. A one-page "here's what you can and can't put into AI tools" that your team actually follows is priceless.
Key Takeaways
- AI compliance is about implementation, not the tool. The same AI can be compliant or a breach waiting to happen depending on your setup.
- HIPAA requires a signed BAA before any PHI touches an AI system. No BAA, no PHI. Ever.
- GDPR applies based on where your customers are, not where your business is. EU residents' data means GDPR obligations.
- SOX makes AI part of your financial controls if it influences reporting — it must be auditable and traceable.
- The EU AI Act classifies AI by risk. Most SMBs are low-risk, but know your category.
- Human-in-the-loop is often legally required for decisions affecting health, money, employment, or legal standing.
- Shadow AI is your biggest risk. Give your team a compliant tool so they don't reach for the free, non-compliant one.
Frequently Asked Questions
Is ChatGPT HIPAA compliant?
ChatGPT is HIPAA compliant only if you use OpenAI's enterprise or API tier with a signed Business Associate Agreement (BAA) and configure it to prevent data retention and training. The free consumer version of ChatGPT is not HIPAA compliant and should never receive protected health information.
Does GDPR apply to my US-based business?
Yes, GDPR applies to any business that processes the personal data of EU residents, regardless of where the business is located. If you have EU customers, website visitors, or handle EU citizens' data through your AI systems, you must comply with GDPR.
What happens if my AI system violates compliance rules?
Penalties vary by regulation but can be severe. GDPR fines reach up to 4% of global annual revenue or 20 million euros, whichever is higher. HIPAA violations can cost up to 1.5 million dollars per violation category annually. SOX violations carry both financial penalties and potential criminal liability for executives.
Do I need a compliance officer to use AI in my business?
Not necessarily for most small and mid-sized businesses. What you need is a clear data governance policy, vendor agreements that cover your regulatory obligations, and someone accountable for AI decisions. For high-risk industries like healthcare or finance, dedicated compliance oversight is strongly recommended.
How do I know which AI regulations apply to my company?
Start with your data and your customers. If you handle health data, HIPAA applies. If you serve EU residents, GDPR applies. If you're a public company using AI in financial reporting, SOX applies. A quick assessment of your data types and customer geography usually maps your obligations clearly — and it's one of the first things we do in a Fort AI Agency consultation.
Stop Guessing About AI Compliance
Here's the truth: AI compliance isn't about becoming a lawyer or hiring an army of consultants. It's about knowing which rules apply to you and building sensible guardrails so you can move fast without getting burned.
At The Fort AI Agency, we help businesses implement AI ethically and legally — no fearmongering, no overengineering. Just practical compliance that lets you actually use the technology.
Schedule a free consultation at thefortaiagency.ai and let's map your AI compliance requirements in a single conversation. You'll walk away knowing exactly what you need — and what you can safely ignore.
Get Expert Support for Your AI Strategy
Get a confidential Shadow AI audit and discover how to transform your biggest risk into your competitive advantage.
Related AI Resources and Insights
How to Protect Your Business Data When Using AI
Learn how to protect your business data when using AI. Real security risks, practical safeguards, and the privacy framework Andy Oberlin uses with clients.
Anthropic Regulatory Trap for Startups
Anthropic and OpenAI invite government oversight -- a strategic choice locking in incumbents and raising the compliance bar for new entrants.
Pentagon vs Anthropic: AI Risks for SMBs
Pentagon's February 2026 designation of Anthropic as supply chain risk impacts businesses using Claude AI, while OpenAI secures classified contracts.