The AI Shortcut That Could Cost Your Clinic Everything

AI tools are quickly becoming part of daily life in medical, dental, chiropractic, and specialty care offices. They can help teams draft emails, summarize information, outline patient education materials, clean up internal documents, and move faster during busy days. Used carefully, AI can be a useful productivity tool.

But there is a serious risk many small practices are still underestimating: unapproved AI use, often called Shadow AI. Shadow AI happens when employees use public or unapproved AI tools without the practice owner, office manager, compliance officer, or IT provider knowing about it.

That shortcut can become a compliance problem fast. In healthcare, the issue is not simply whether an AI tool is convenient. The issue is whether protected health information, or PHI, is being entered into a system that is approved, secured, documented, and covered by the right agreements.

What Shadow AI Looks Like in a Clinic

Most Shadow AI situations do not begin with bad intent. Staff members are usually trying to save time, reduce administrative burden, or get help with a task that feels routine.

  • A medical assistant pastes patient notes into a chatbot to create a cleaner summary.
  • A billing team member asks an AI tool to help explain a claim denial.
  • An office manager uses AI to draft a letter that includes patient-specific details.
  • A provider uses a public tool to rewrite clinical instructions before sending them to a patient.
  • A team member uploads a spreadsheet, screenshot, referral document, insurance form, or EHR export to get help organizing the information.

Each example may feel harmless in the moment. But if the information identifies a patient or could reasonably be connected back to a patient, the practice may have exposed PHI outside approved systems.

Why Public AI Tools Can Create HIPAA Risk

The HIPAA Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, whether that information is electronic, paper, or oral. HHS explains that PHI includes information related to a person’s health condition, care, or payment for care when it identifies the individual or could reasonably be used to identify the individual. For more information, see the HHS summary of the HIPAA Privacy Rule at HHS.gov.

That matters because many public AI tools are not designed to be used with patient data. Some tools retain prompts and uploads, process them on infrastructure the practice does not control, allow human reviewers to read conversations for quality or abuse monitoring, or use submitted content to train future models. Even when a tool has strong security, that does not automatically mean it is appropriate for PHI.

The key question is whether the AI vendor is acting as a business associate and whether the vendor will sign a valid Business Associate Agreement, commonly called a BAA. HHS states that when a covered entity uses a contractor or other non-workforce member to perform services involving PHI, the covered entity must include specific protections for that information in a business associate agreement. HHS also notes that a covered entity may not authorize a business associate to use or disclose PHI in a way that would violate the Privacy Rule.

The BAA Test: A Simple Rule for Staff

A practical rule for clinics is simple:

If the tool is not approved by the practice and there is no BAA in place, do not enter patient information into it.

This rule should apply to obvious identifiers like names, birth dates, phone numbers, email addresses, addresses, account numbers, medical record numbers, appointment details, and insurance information, and to any screenshot, export, or attachment that contains them. It should also apply to less obvious details that could identify someone when combined with other information.

For example, “a 42-year-old patient from a small town who had a specific dental procedure on Tuesday” may not include a name, but it could still be identifiable in context. De-identification is not something staff should guess at during a busy workday.

Why Smaller Practices Are Especially Vulnerable

Large healthcare organizations often have formal approval processes, compliance teams, security reviews, vendor risk assessments, and written AI-use policies. Smaller practices may not have those layers of oversight. That makes them more flexible, but it also creates gaps.

A small clinic may rely on a few key people to handle IT, billing, scheduling, insurance, and patient communication. If one person starts using an AI tool to speed up their work, the behavior can spread quickly before leadership realizes what is happening. By the time the risk is discovered, patient information may have already been copied into systems the practice does not control.

What Your Practice Should Do Now

The answer is not to ban AI completely. AI can be helpful when it is governed properly. The better approach is to create a clear, practical policy that tells your team what is allowed, what is prohibited, and who to ask before using a new tool.

  1. Create an approved AI tools list. Make it clear which tools staff may use and for what purpose.
  2. Require approval before using new AI platforms. Staff should not test new tools with practice data without review.
  3. Ban PHI in public AI tools. Make this rule simple enough that every staff member can remember it.
  4. Verify BAAs before using AI with patient data. If a vendor will not sign a BAA, the tool should not be used with PHI. A BAA covers the account and product tier named in it; an employee's personal account with the same vendor is not covered, even if the vendor offers BAAs.
  5. Train staff on real examples. Show your team what PHI looks like in notes, emails, screenshots, spreadsheets, forms, and billing workflows.
  6. Review browser extensions and plug-ins. AI extensions can read whatever is open in the browser, which may include patient information inside email, EHR, billing, or portal systems. Inventory what is installed on each workstation and, where the browser is managed, allow only approved extensions.
  7. Document your decisions. Keep records of approved tools, vendor agreements, staff training, and policy updates.
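A practical way to carry out the extension review in step 6 is to read the manifest of every installed extension and flag the ones that can reach page content on every site, or specifically on the sites where patient data is on screen. The script below is an added example written for this article, not code from the article's author or from any vendor. It parses Chromium-style (Chrome, Edge, Brave) extension manifest.json files, both Manifest V2 and V3, and reports any extension whose host permissions or content scripts cover all sites or one of the hosts you name. The clinic host names and the three sample manifests are constructed for the demo; point `audit_profile` at a real profile's `Extensions` folder to audit a workstation.

```python
"""Inventory browser extensions that can read page content on the sites
staff use for patient data.

Added example for this article, not the author's code. Parses Chromium-style
extension manifest.json files (Manifest V2 and V3) found under
Extensions/<id>/<version>/manifest.json in a browser profile and flags
extensions that reach all sites or any of the clinic's own hosts.
"""
import json
from pathlib import Path

# Hosts where PHI is on screen. Constructed for the example; replace with
# your EHR, patient portal, webmail and billing hosts.
CLINIC_HOSTS = ("ehr.example.net", "portal.example.net", "mail.example.net")


def pattern_covers(pattern: str, hostname: str) -> bool:
    """Return True if a Chrome match pattern (scheme://host/path) reaches hostname.

    The host part may be "*" (any host) or "*.domain" (domain and subdomains).
    "<all_urls>" covers everything. Plain permission names such as "tabs" are
    not host patterns and never match.
    """
    if pattern == "<all_urls>":
        return True
    _scheme, _sep, rest = pattern.partition("://")
    if not rest:
        return False
    host = rest.split("/", 1)[0]
    if host == "*":
        return True
    if host.startswith("*."):
        base = host[2:]
        return hostname == base or hostname.endswith("." + base)
    return hostname == host


def is_broad(pattern: str) -> bool:
    """True for patterns that reach every site (<all_urls>, *://*/*, https://*/*)."""
    if pattern == "<all_urls>":
        return True
    _scheme, _sep, rest = pattern.partition("://")
    return bool(rest) and rest.split("/", 1)[0] == "*"


def host_patterns(manifest: dict) -> set:
    """Collect every URL pattern the extension declares, MV2 or MV3."""
    patterns = set(manifest.get("host_permissions", []))  # MV3 key
    # MV2 put host patterns in "permissions" alongside API permission names.
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def assess(manifest: dict, clinic_hosts=CLINIC_HOSTS) -> dict:
    """Classify one manifest: does it reach all sites, or any clinic host?"""
    patterns = host_patterns(manifest)
    reached = sorted(h for h in clinic_hosts if any(pattern_covers(p, h) for p in patterns))
    broad = any(is_broad(p) for p in patterns)
    perms = set(manifest.get("permissions", []))
    return {
        "name": manifest.get("name", "?"),  # may be a "__MSG_...__" locale key
        "all_sites": broad,
        "clinic_hosts_reached": reached,
        "can_read_clipboard": "clipboardRead" in perms,
        "can_inject_scripts": "scripting" in perms,  # MV3 runtime injection API
        "flag": broad or bool(reached),
    }


def audit_profile(extensions_dir: Path, clinic_hosts=CLINIC_HOSTS) -> list:
    """Walk Extensions/<id>/<version>/manifest.json under a browser profile."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        result = assess(manifest, clinic_hosts)
        result["id"] = manifest_path.parent.parent.name
        findings.append(result)
    return findings


# Constructed sample manifests for the demo; these are not real extensions.
SAMPLE_MANIFESTS = {
    "assistant": {  # an "AI writing helper" that reads every page and the clipboard
        "manifest_version": 3, "name": "Write Helper (sample)",
        "permissions": ["scripting", "storage", "clipboardRead"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
    },
    "portal_only": {  # narrow, but it still runs inside the patient portal
        "manifest_version": 3, "name": "Portal Tweaks (sample)",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://portal.example.net/*"], "js": ["a.js"]}],
    },
    "benign": {  # MV2 extension with no page access at all
        "manifest_version": 2, "name": "Tab Counter (sample)",
        "permissions": ["tabs", "storage"],
    },
}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            ext_dir = root / ext_id / "1.0.0"
            ext_dir.mkdir(parents=True)
            (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        for f in audit_profile(root):
            marker = "REVIEW" if f["flag"] else "ok    "
            print(f"{marker} {f['id']:<12} {f['name']:<24} all_sites={f['all_sites']} "
                  f"clinic={f['clinic_hosts_reached']} clipboard={f['can_read_clipboard']}")
```

On a workstation, the profile's extension folder is typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows or `~/Library/Application Support/Google/Chrome/Default/Extensions` on macOS (Edge uses the same layout under its own `Microsoft\Edge` path). The inventory tells you what to review; the control that prevents the next unapproved install is a browser policy such as Chrome's or Edge's ExtensionInstallAllowlist, which limits installs to the IDs you approve.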

Questions to Ask Before Approving an AI Tool

  • Will the tool receive, process, store, or analyze PHI?
  • Will the vendor sign a Business Associate Agreement?
  • Where is the data stored and who can access it?
  • Can prompts, uploads, or outputs be used for model training?
  • Does the tool support access controls, audit logs, and retention settings?
  • Does the tool integrate with existing systems in a secure way?
  • Who inside the practice is responsible for reviewing and approving its use?

A Better Way to Think About AI

AI should be treated like any other system that touches sensitive business or patient information. You would not let staff upload patient charts to an unknown billing platform, store EHR exports in a personal cloud account, or send insurance documents through an unapproved app. AI should be held to the same standard.

The goal is not fear. The goal is control. With the right policies, vendor review, security settings, and staff training, your practice can benefit from AI while protecting patient privacy and reducing compliance risk.

FAQ: AI, HIPAA, and Patient Data

Can our clinic use AI at all?

Yes. AI can be used responsibly, especially for tasks that do not involve PHI. For workflows involving patient information, the tool should be approved, secured, documented, and supported by the right vendor agreements.

Is it safe if we remove the patient’s name?

Not always. Patient information can still be identifiable even without a name, especially when details like dates, locations, procedures, provider names, or rare conditions are included.

What is the safest policy for staff?

The safest simple policy is: do not enter patient information into any AI tool unless the practice has approved that tool for the specific use case and has confirmed the appropriate privacy and security requirements.

Who should review AI tools before use?

At minimum, the practice owner, office manager, compliance lead, and IT provider should be involved. For tools that may handle PHI, legal or compliance counsel may also need to review the vendor agreement.

Need Help Reviewing AI Risk?

TaaSPak helps healthcare, dental, chiropractic, and service-based organizations think through technology risk, cybersecurity, vendor management, and practical IT policies. Learn more about our healthcare technology support in Georgia, cybersecurity services, and IT support for dental practices in Georgia. If your team is using AI or asking about it, now is the time to create clear rules before a shortcut turns into a compliance issue.

This article is for general education and is not legal advice. For legal interpretation of HIPAA obligations, consult qualified counsel or official HHS guidance.

— TJ Blackmon

