HIPAA-Compliant AI for Medical and Dental Practices
Can your practice use AI without violating HIPAA? A clear guide to where PHI and AI tools intersect — business associate agreements, what you can and can't paste, and how to adopt AI safely.
AI can save a medical or dental practice real time — drafting notes, summarizing records, handling routine patient communication, streamlining admin. But there's a hard line running through all of it: the moment AI touches protected health information (PHI), you're in HIPAA territory, and getting it wrong is a compliance violation with real penalties. This guide is about where that line sits and how to use AI without crossing it.
The core problem: PHI and third-party AI tools
HIPAA governs how PHI is used and disclosed. A third-party AI tool is, in HIPAA terms, potentially a business associate — a vendor that handles PHI on your behalf. And here's the part practices miss: pasting a patient's information into a consumer AI tool can constitute a disclosure of PHI to that vendor. If the vendor hasn't signed a Business Associate Agreement (BAA) with you and doesn't handle PHI in a HIPAA-compliant way, that disclosure may be a violation — even if your intent was completely benign.
That's the whole crux. Not "is AI allowed" (it can be), but "is this specific tool, used this specific way, handling PHI under the right agreements and safeguards."
The Business Associate Agreement is the gate
If an AI tool will handle PHI, you need a BAA with that vendor. Full stop. The BAA is the contract that obligates the vendor to protect PHI to HIPAA's standards and defines what they can do with it. Many consumer AI tools will not sign one and are not built for PHI — which means they cannot be used with any patient-identifiable information, no matter how convenient they are. Some enterprise and healthcare-specific AI vendors will sign a BAA and are built for compliant PHI handling. The presence or absence of a signed BAA is the single clearest dividing line for whether a tool can touch patient data at all.
What you can do without a BAA
Plenty, as long as PHI never enters the tool. AI is genuinely useful for tasks that involve no patient-identifiable information:
- Drafting general patient-education material and practice communications
- Writing and editing marketing, policies, and internal documents
- Answering general clinical or administrative questions in the abstract
- Building templates that staff later fill with PHI inside a compliant system
The rule of thumb: de-identified or non-patient content is fair game; anything that identifies a patient is not unless the tool is covered by a BAA and appropriate safeguards.
A safe-adoption checklist for practices
- Classify the task. Does it involve PHI or not? This determines everything downstream.
- For any PHI task, require a signed BAA with the AI vendor before a single patient record touches it.
- For non-PHI tasks, confirm no identifiable information slips in — train staff that patient details never go into a general AI tool.
- Keep a human reviewer on anything clinical or patient-facing; AI output is a draft, not a decision.
- Document your policy. A written AI-use policy that staff are trained on is both a safeguard and evidence of good-faith compliance.
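The BAA gate and the checklist above can be enforced as a technical control rather than left to staff memory: a pre-flight check that scans a prompt for patient identifiers, refuses to send it to any vendor without a signed BAA, flags clinical or PHI-bearing work for human review, and records every decision as the documentation the last checklist item asks for. The following is an added example written for this guide, not code from any vendor or from the Strategic Series. The vendor registry, the `Vendor`/`Decision` types and the `route_prompt` function are hypothetical, and the regular expressions are a deliberately small, constructed subset of HIPAA Safe Harbor identifier categories (SSN, MRN, phone, email, date of birth); a production detector would need far more coverage.

```python
"""Pre-flight PHI gate for prompts headed to an AI tool (hypothetical example).

Classify the prompt (does it contain PHI?), gate on whether the vendor has a
signed BAA, flag clinical or PHI-bearing work for human review, and log the
decision. The patterns below are a constructed, partial subset of HIPAA Safe
Harbor identifier categories, not a complete detector.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vendor:
    """Hypothetical vendor registry entry; a signed BAA is the one attribute that gates PHI."""
    name: str
    baa_signed: bool


# Constructed detector patterns, keyed by the identifier category each one hints at.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


def find_phi(text: str) -> list[str]:
    """Return the identifier categories found in text; an empty list means nothing identifiable was spotted."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)]


@dataclass
class Decision:
    allowed: bool
    reason: str
    phi_found: list[str] = field(default_factory=list)
    needs_human_review: bool = False


# In-memory audit trail standing in for the written record a practice would keep.
AUDIT_LOG: list[dict] = []


def route_prompt(text: str, vendor: Vendor, clinical: bool = False) -> Decision:
    """Apply the checklist: classify, gate on BAA, require review, document."""
    phi = find_phi(text)
    review = clinical or bool(phi)  # human reviewer on anything clinical or patient-facing
    if phi and not vendor.baa_signed:
        decision = Decision(False, f"PHI detected but {vendor.name} has no signed BAA", phi, review)
    elif phi:
        decision = Decision(True, f"PHI permitted: BAA on file with {vendor.name}", phi, review)
    else:
        decision = Decision(True, "no PHI detected", [], review)
    AUDIT_LOG.append({
        "vendor": vendor.name,
        "allowed": decision.allowed,
        "phi": list(phi),
        "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    consumer_tool = Vendor("consumer-chat", baa_signed=False)   # constructed
    covered_tool = Vendor("healthcare-ai", baa_signed=True)     # constructed
    print(route_prompt("Summarize the chart for MRN: 1234567, DOB: 04/12/1975", consumer_tool))
    print(route_prompt("Summarize the chart for MRN: 1234567", covered_tool))
    print(route_prompt("Draft a flyer about flossing", consumer_tool))
```

The detector is intentionally conservative in one direction only: it cannot prove a prompt is de-identified, so a practice should treat a clean scan as a second line of defense behind staff training, not a replacement for it. The audit log is what turns the policy into evidence of good-faith compliance.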
Why the framework matters more than the tool
Healthcare AI vendors will come and go, and their capabilities will change. The HIPAA framework — PHI triggers business-associate obligations, BAAs gate PHI handling, de-identified content is the safe zone, humans review clinical output — is stable. A practice that understands the framework can evaluate any tool, including ones not yet on the market, and adopt AI confidently instead of either avoiding it out of fear or using it recklessly.
This is part of the Strategic Series — AI guides written one profession at a time, with each field's compliance framework built in. Strategic Series is part of the 2057 Holdings portfolio. For why compliance-first content wins, see jesse-myers.com. Related: AI Tools for CPAs: What's Allowed Under Professional Standards.
This guide is general information, not legal advice. Consult a qualified healthcare-compliance professional for your practice's specific situation.
Featured image: Photo by Harold Hisona on Unsplash.