When a healthcare practice starts taking AI risk seriously, it usually runs into two reference points: HIPAA, which it must comply with, and the NIST AI Risk Management Framework, which it keeps hearing about. A common misreading is to treat them as competing checklists. They are not. One is a legal obligation; the other is a structure for meeting it well.
What the NIST AI RMF is — and is not
The NIST AI Risk Management Framework (AI RMF 1.0), formally NIST AI 100-1, was published in January 2023. It is voluntary — a framework, not a regulation. Nothing in it carries the force of law the way HIPAA does.
What it offers is a coherent way to organize AI risk work. Its core is built around four functions: GOVERN, MAP, MEASURE, and MANAGE. GOVERN is described as a cross-cutting function that runs throughout the others; MAP establishes context and identifies risks; MEASURE analyzes and tracks them; MANAGE acts on them and allocates resources to the risks that matter most.
For a healthcare organization, the value is that those four functions line up cleanly with what HIPAA already requires you to do — and give you a defensible way to show your work.
Mapping the four functions to HIPAA
HIPAA's Security Rule requires, as a Required implementation specification at 45 CFR §164.308(a)(1)(ii)(A), an "accurate and thorough" risk analysis of the risks to electronic protected health information (ePHI). The AI RMF's functions are a practical scaffold for producing one that holds up:
- MAP is where a HIPAA risk analysis actually begins for AI: identifying every place AI touches ePHI — sanctioned tools, embedded AI features, and shadow AI. You cannot be "accurate and thorough" about risks you have not mapped.
- MEASURE is the analysis itself: evaluating each AI touchpoint against the confidentiality, integrity, and availability standard the Security Rule sets, and against your vendor agreements and access controls.
- MANAGE is remediation and prioritization — turning findings into a roadmap, addressing the highest-exposure items first.
- GOVERN is the part most practices skip and the part OCR cares about: the policies, oversight, and accountability that make the work repeatable rather than a one-time document. It maps directly to the Security Rule's administrative safeguards, including workforce training.
This is the relationship in one sentence: HIPAA tells you what you must achieve; the AI RMF gives you a structured, recognized way to demonstrate that you did.
Why this matters for the people who ask
The audiences that scrutinize a healthcare practice's AI posture — cyber-insurers at renewal, hospital partners running vendor-security reviews, and OCR if it ever asks — are not satisfied by good intentions. They want to see that risk was identified, measured, and managed in a defensible way. A HIPAA risk analysis organized along the AI RMF's functions is far easier to evidence than an ad-hoc one, because it follows a framework those audiences already recognize.
The open standard we score against, AISS, maps to both the HIPAA Security Rule and the NIST AI RMF for exactly this reason — so a single assessment produces a result that speaks the language of the people who will ask. If you want to see where your practice stands, book a scoping call or read more about our methodology.
This article is general information, not legal advice. NIST AI RMF references describe a voluntary framework; verify specific HIPAA requirements against the current regulatory text and consult counsel for your situation.
