
Can Medical Offices Use AI Without Risking HIPAA? A Practical Guide

Every medical office we work with is asking the same question right now: can we use AI without getting in trouble? The honest answer is yes, but only if you understand which AI tools touch patient data and which don’t, and what HIPAA actually requires from each.

The category that matters: PHI or not

HIPAA cares about Protected Health Information (PHI): names tied to medical details, diagnoses, treatment notes, billing records. If an AI tool will see, store, or process PHI, you need a Business Associate Agreement (BAA) with the vendor. Period. If the AI tool only handles things like marketing copy, scheduling availability, or general office workflows that never touch patient data, you don’t need a BAA, and the risk profile is dramatically lower.

That single distinction (does this AI see PHI or not?) determines almost everything else.

What you can do safely today

Plenty of AI uses don’t go anywhere near PHI. Drafting your monthly patient newsletter, generating ideas for a Google Ads campaign, writing your “About the Practice” page, creating social media posts about flu season tips, transcribing internal staff meetings, summarizing CME articles you’re reading. Tools like Claude, ChatGPT, and standard Canva AI features are fine for any of this, with one rule: never paste a real patient name, chart note, or identifiable detail into the prompt. If the use case requires PHI to be useful, it’s the wrong tool.

What requires a BAA

Any AI tool that processes patient communication, helps draft chart notes, summarizes visits, transcribes appointments, or operates inside your EHR needs a BAA with the vendor before you turn it on. The good news: most of the serious players now offer them. Microsoft (with Azure OpenAI), Google (with Vertex AI for healthcare), AWS Bedrock, and Nuance (Microsoft’s clinical AI division) all sign BAAs. Standalone consumer tools like the free ChatGPT, Claude.ai, or Google Gemini, even paid Pro versions, typically do not, which means they’re off-limits for anything involving real patient data.

The ambient scribe question

The biggest AI win in medical offices right now is ambient documentation: Abridge, DAX Copilot, Suki, and Heidi listen to the patient encounter and generate the chart note. Practices using these tools report 1 to 2 hours of charting time saved per provider per day. Every reputable ambient scribe vendor offers a BAA. The decision isn’t really “should we use AI?”; it’s “which vendor matches our EHR and budget?” If you’re a small or solo practice, look at the vendors that integrate directly with athenahealth, eClinicalWorks, or whatever EHR you already use.

Front-desk and scheduling AI

AI receptionists and scheduling assistants are becoming standard. They book appointments, answer hours questions, handle prescription refill requests, and triage which calls actually need a human. These do touch PHI (appointment data is technically PHI when tied to a patient name), so a BAA is required. Vendors like Hyro, Klara, and Notable Health are built for healthcare and handle the compliance side. Generic AI chatbots are not appropriate here.

The training problem nobody talks about

Even with the right tools and the right BAAs, the weakest link is usually staff training. A team member pasting a patient note into the wrong chatbox creates a breach regardless of which compliant tools your practice owns. Two rules solve most of this: AI tools used at the practice live on the practice’s accounts (not personal logins), and any new AI use case gets approved before it goes live. Boring, but effective.

What to do this month

Make a list of every AI tool currently in use at your office, including the ones staff installed informally. For each, ask: does this touch PHI? If yes, do we have a BAA with that vendor? If there is no BAA, pause that use immediately and find a compliant alternative. Then identify one or two high-value AI use cases you’d like to add (ambient scribe, AI receptionist, automated patient reminders), and look only at vendors who sign BAAs and have healthcare references.

The competitive reality

Practices that figure out HIPAA-compliant AI are pulling ahead: faster documentation, better patient communication, lower no-show rates, less staff burnout. Practices that either ignore AI or use it carelessly are creating a different kind of risk. Doing this right is the difference.

If your practice wants help building an AI strategy that respects HIPAA from the ground up, talk to us. We work with medical offices across South Florida, including managing IT for multiple pediatric locations, and we know what compliant looks like in the real world.
