Your staff is already using AI for patient notes. The question is whether they're creating HIPAA violations every time they do. I help medical and dental practices choose AI tools that actually protect patient data.
AI is transforming healthcare operations — but most practices are using tools that create immediate HIPAA exposure.
"Did I just expose patient data to an AI company without a BAA?" — Entering any patient information into an AI tool without a signed Business Associate Agreement is an automatic HIPAA violation. Most free AI tools don't offer BAAs.
"My staff is using AI for notes — I have no idea what tools or how." — Shadow AI is rampant in healthcare. Staff using free ChatGPT to draft patient letters with real patient names is a violation waiting to be discovered.
"If the AI gives wrong clinical information and I don't catch it, what's my liability?" — AI-assisted clinical decisions create malpractice exposure. Without proper validation workflows, you're accepting unreviewed AI output as your own.
"We got audited once — another audit would bankrupt us." — The average HIPAA settlement is $1.2M. OCR has issued specific guidance on AI tools and cloud services — they know what to look for.
Any AI vendor that handles, processes, or stores PHI is a Business Associate under HIPAA. This is not optional.
BAAs are required before PHI can flow to any AI tool. Most consumer AI tools (ChatGPT free, Claude.ai free) do NOT offer BAAs — entering patient info into them is an instant HIPAA violation.
AI tools must meet encryption standards (AES-256 at rest, TLS 1.2+ in transit), provide access controls, maintain audit logs, and support breach notification procedures.
A formal risk analysis must be conducted when implementing any new AI technology. This isn't optional — it's a documented requirement that OCR specifically checks during audits.
Patient names, dates of birth, diagnoses, and treatment plans typed into prompts are PHI. Audio captured by ambient AI scribes is PHI. Even "de-identified" data can become PHI again if re-identification is possible.
Substance use disorder (SUD) records carry heightened protections: AI tools processing SUD treatment data face extra restrictions beyond standard HIPAA requirements.
California CMIA is stricter than HIPAA with $1,000 per violation statutory damages. Texas Health & Safety Code has stricter consent requirements. Many states have specific telehealth/AI rules.
Multiple dental practices fined $350,000–$1.5M for inadequate security and unauthorized disclosure of patient data.
OCR issued specific guidance on cloud services and AI tools — reaffirmed BAA requirements apply to all AI vendors handling PHI.
Telehealth platforms fined for disclosing PHI to Meta/Google via tracking pixels — the same principle applies to AI tools processing patient data.
I don't sell AI tools. I help you audit what you're using, identify HIPAA gaps, and switch to tools that actually have proper protections.
A complete inventory of every AI tool in use at your practice — ambient scribes, patient chatbots, admin AI, and the consumer tools your staff is using without your knowledge. Each evaluated for BAA status and PHI exposure.
I identify which tools have BAAs, which don't, and which need to be replaced. Then I help you execute BAAs with compliant vendors or migrate to alternatives.
Help you choose between HIPAA-compliant ambient scribes (Nuance DAX, Suki, Abridge), secure patient communication tools, and on-premise AI options for sensitive workloads.
Updated HIPAA risk analysis that specifically covers AI tools, plus practical staff training on which tools are approved, which are prohibited, and why it matters.
A 30-minute call: we'll review your current AI tools and identify compliance gaps specific to your practice.
Book a Strategy Call
Is your practice exposed? Rate your HIPAA AI compliance risk in under 5 minutes — before OCR does it for you.