Lesson 3 of 4 · AI for Doctors

Regulatory Compliance and Patient Safety

reading25 min

Story: The Prompt That Changed a Hospital's AI Policy

It was 11:47 PM on a Tuesday when Dr. Sarah Chen made the mistake that would reshape her entire hospital system's approach to artificial intelligence.

She was three hours into a challenging overnight shift at a mid-size academic medical center. The patient in Bed 4 -- a 67-year-old man with a complex presentation -- had been transferred from an outside facility with incomplete records. His constellation of symptoms didn't fit any clean diagnostic box: progressive dyspnea, bilateral lower extremity edema, elevated troponin, an unusual rash on his trunk, and lab values that told contradictory stories. The outside hospital's notes were sparse, handwritten, and partially illegible.

Dr. Chen had been using ChatGPT for about six months at that point, mostly for drafting patient education materials and looking up medication interactions. She found it useful -- a quick thinking partner when UpToDate searches weren't surfacing what she needed. That night, exhausted and under time pressure, she opened a new chat window and typed something she'd never typed before:

"67M John M., MRN 4471892, admitted to Memorial Regional 1/15/24 with progressive dyspnea x 2 weeks, bilateral LE edema, troponin 0.34, BNP 1,847, creatinine 2.1 up from baseline 1.0, AST/ALT 180/210, diffuse maculopapular rash on trunk, eosinophils 12%. Outside records mention possible exposure to contaminated well water in rural Vermont. PMH: HTN, DM2, prior MI 2019. Help me think through the differential."

Concept Card

She got a thoughtful, detailed response. The AI suggested considering eosinophilic granulomatosis with polyangiitis, acute eosinophilic myocarditis, a parasitic infection given the water exposure, and several other possibilities she hadn't fully considered. She refined her workup. The patient was eventually diagnosed with a parasitic infection causing secondary eosinophilic myocarditis -- a diagnosis that might have been delayed without that late-night brainstorming session.

But the diagnostic win masked a serious problem.

What Dr. Chen Had Done

Re-read that prompt. She had entered into a consumer AI tool:

  • The patient's name (John M.)
  • His medical record number (MRN 4471892)
  • The facility name (Memorial Regional)
  • A specific admission date (1/15/24)
  • His geographic location (rural Vermont)
  • A complete clinical picture that, combined with the above, was unmistakably identifiable

Every single one of those elements is Protected Health Information under HIPAA. And ChatGPT, in its standard consumer version, is not a HIPAA-compliant platform. There is no Business Associate Agreement (BAA) between OpenAI's consumer product and her hospital. The data she entered was used, at least potentially, as training data. It was stored on servers she had no control over. It was, from a regulatory standpoint, a breach.

The Investigation

Three weeks later, during a routine compliance audit of the hospital's IT systems, a sharp-eyed analyst in the Information Security office noticed something unusual. The hospital had recently deployed a network monitoring tool that flagged when clinical workstations accessed AI platforms. Dr. Chen's session was flagged -- not because of the content (the monitoring tool couldn't see the actual text entered into an HTTPS session), but because of the duration and timing. A 45-minute session on ChatGPT from a clinical workstation at midnight warranted a follow-up.

Concept Card

The analyst contacted Dr. Chen, who -- to her credit -- was immediately forthcoming. She explained exactly what she'd done, showed the conversation, and expressed genuine surprise that it was a problem. "I didn't send the chart," she said. "I just typed a summary to get help thinking through the case."

That distinction -- typing a summary versus sending a chart -- is one that many physicians intuitively draw but that HIPAA does not recognize. Under HIPAA, PHI is PHI regardless of the medium. Whether you photocopy a chart and hand it to a stranger, read it aloud on a bus, or type it into an AI chatbot, the regulatory framework treats it the same way. The information has left the protected environment without authorization.

The Remediation

The investigation that followed was thorough but not punitive -- a critical detail. Dr. Chen was not fired, not publicly shamed, and not reported to the medical board. Her hospital recognized that she had acted in good faith, with the intent of providing better patient care, and that the root cause was a system failure, not a character failure. The institution had provided no guidance whatsoever on AI use. There was no policy, no training, and no approved alternative.

Concept Card

The remediation included:

  1. Breach notification: The hospital's privacy officer determined that the incident met the threshold for a low-probability breach under the HIPAA Breach Notification Rule. The patient was notified. No complaint was filed.
  2. Individual remediation: Dr. Chen completed additional HIPAA training with a specific focus on emerging technologies.
  3. Institutional response: The hospital formed a task force -- which Dr. Chen was invited to join -- to develop a comprehensive AI usage policy.

The policy they developed became a model for other institutions. And the lesson Dr. Chen learned became the foundation for how she now teaches residents about AI: the tool can be extraordinary, but only if you use it within the guardrails that protect your patients and your career.

This Could Happen to You

Dr. Chen's story is a composite drawn from real incidents reported to the HHS Office for Civil Rights and published in compliance literature. The details are fictionalized, but the pattern is not. Between 2023 and 2025, multiple health systems reported PHI breaches involving consumer AI tools. In every case, the physician acted with good intentions. In every case, the breach was preventable.


Concept: HIPAA and AI -- The Complete Framework

Dr. Chen's story illustrates a gap that exists in most physicians' understanding: we are extensively trained on HIPAA as it applies to faxes, emails, conversations in elevators, and access to electronic health records. But most of us received zero training on HIPAA as it applies to artificial intelligence. This section closes that gap.

What Constitutes PHI in AI Interactions?

HIPAA defines 18 categories of identifiers that, when linked to health information, constitute Protected Health Information. In the context of AI interactions, physicians most commonly expose these:

Warning

Do not let Regulatory Compliance and Patient Safety become a hidden assumption. If teammates cannot see the rule, config, or verification path, Claude will behave inconsistently across sessions.

IdentifierHow It Typically Appears in AI Prompts
Patient name"My patient John Smith..."
Dates (birth, admission, discharge)"Admitted 3/15/24..."
Medical record number"MRN 4471892..."
Geographic data (smaller than state)"Lives in rural Bennington County, VT..."
Phone/fax numbersRarely, but sometimes in referral contexts
Email addressesOccasionally in care coordination queries
Social Security numberRare but has occurred
Device identifiers / serial numbersImplant-related queries
Age if over 89"My 94-year-old patient..."

But here is the critical nuance that many physicians miss: even without any of the 18 explicit identifiers, information can constitute PHI if it is specific enough to identify an individual. A prompt like "the patient with bilateral hand transplants at our hospital" contains zero HIPAA identifiers but could easily identify a specific person given how rare that procedure is.

The Rare Condition Trap

Rare diseases, unusual procedures, and unique clinical presentations can be identifying even without names or MRNs. A prompt about "a 14-year-old with progeria at a children's hospital in Montana" is effectively identified -- there may be only one such patient in the entire state. Always consider whether the clinical uniqueness of the case functions as an identifier.

BAA Requirements: Consumer Tools vs. Clinical Platforms

The Business Associate Agreement (BAA) is the legal instrument that allows a third party to handle PHI on behalf of a covered entity. Without a BAA, sharing PHI with that third party is a HIPAA violation. Period.

Consumer AI tools WITHOUT a BAA (as of early 2026):

  • ChatGPT Free and Plus (personal accounts)
  • Google Gemini (personal accounts)
  • Claude.ai (personal accounts)
  • Perplexity, Copilot (personal versions)
  • Any AI tool accessed through a personal account
Tip

If Regulatory Compliance and Patient Safety becomes part of a recurring workflow, document the exact trigger, boundary, and verification step now. Future speed comes from clarity, not from memory.

Enterprise/Clinical AI tools that CAN have a BAA:

  • OpenAI Enterprise and API (with signed BAA)
  • Microsoft Azure OpenAI Service (with signed BAA)
  • Google Cloud Vertex AI (with signed BAA)
  • Anthropic API (with signed BAA)
  • Purpose-built clinical AI platforms (Nuance DAX, Abridge, Nabla, Suki, etc.)
  • EHR-integrated AI features (Epic AI, Oracle Health AI)

The key distinction is not the AI model -- it's the contractual and technical wrapper around it. GPT-4 accessed through a personal ChatGPT account and GPT-4 accessed through your hospital's Azure OpenAI deployment with a signed BAA are the same underlying model, but they exist in completely different regulatory contexts.

Check Before You Type

Before using any AI tool with patient-related information, ask three questions: (1) Does my institution have a BAA with this vendor? (2) Am I accessing the tool through the institution's approved channel? (3) Is this specific use case covered by the BAA's scope? If the answer to any of these is "no" or "I don't know," do not include PHI.

De-identification: The Practical Skill Every Physician Needs

De-identification is the process of removing or transforming identifiers so that the information no longer constitutes PHI. When done properly, de-identified data can be used with any AI tool because it is no longer regulated by HIPAA.

HIPAA provides two methods for de-identification:

1. Expert Determination (§164.514(b)(1)): A qualified statistical expert determines that the risk of identification is very small. This is impractical for individual clinical queries.

2. Safe Harbor (§164.514(b)(2)): Remove all 18 identifier categories and confirm that the remaining information could not identify an individual. This is the method you will use in daily practice.

The Safe Harbor De-identification Protocol for AI Prompts:

Audit the Regulatory Compliance and Patient Safety Boundary

  1. List the commands, files, or actions this lesson says should be trusted.
  2. Compare that list against your current Claude permissions or team defaults.
  3. Tighten one rule today so the boundary is explicit instead of assumed.

Here is Dr. Chen's original prompt, transformed using Safe Harbor:

Before (HIPAA violation): "67M John M., MRN 4471892, admitted to Memorial Regional 1/15/24 with progressive dyspnea x 2 weeks, bilateral LE edema, troponin 0.34, BNP 1,847, creatinine 2.1 up from baseline 1.0, AST/ALT 180/210, diffuse maculopapular rash on trunk, eosinophils 12%. Outside records mention possible exposure to contaminated well water in rural Vermont. PMH: HTN, DM2, prior MI 2019."

After (de-identified, Safe Harbor compliant): "Middle-aged male presenting with progressive dyspnea x 2 weeks, bilateral LE edema, elevated troponin, markedly elevated BNP, acute kidney injury (creatinine doubled from baseline), transaminitis (AST/ALT ~4x ULN), diffuse maculopapular rash on trunk, peripheral eosinophilia (12%). History of possible environmental water contamination exposure. PMH: HTN, DM2, prior MI. Help me think through the differential."

Notice what changed:

  • Name removed entirely
  • MRN removed entirely
  • Facility name removed entirely
  • Specific date removed
  • Exact age converted to "middle-aged" (age group)
  • Geographic specificity ("rural Vermont") generalized to "environmental water contamination exposure"
  • Lab values kept -- they are clinical data, not identifiers
  • Clinical presentation kept -- it's the medically relevant information

The de-identified version gives the AI everything it needs to help with the differential. The diagnostic reasoning quality is identical. The regulatory risk drops to zero.

State-Level Regulations Beyond HIPAA

HIPAA is the federal floor, not the ceiling. Several states have enacted or are developing regulations that add requirements beyond HIPAA:

Pressure-Test a Safety Rule

  1. Choose one risky action mentioned in the lesson.
  2. Add or verify a rule that blocks it without breaking the safe workflow around it.
  3. Test the safe path and the blocked path so you know the guardrail is real.
  • California (CCPA/CPRA + AB 352): Additional consent requirements for AI use in healthcare decisions. Patients have the right to know if AI influenced their care.
  • Colorado (SB 24-205): Requires disclosure when AI is a substantial factor in consequential decisions, including healthcare.
  • New York: Proposed legislation (as of 2026) requiring AI transparency in clinical decision-making.
  • Washington State: AI governance requirements for health systems receiving state funding.
  • Illinois (BIPA): While focused on biometric data, has implications for AI systems that process patient images or voice data.
Know Your State

AI regulation in healthcare is evolving rapidly. Check your state medical board's website and your institution's compliance office for the most current requirements. What is permissible in one state may require additional disclosures or consent in another.

Malpractice Implications of AI Use

The intersection of AI and medical malpractice is an emerging area of law, but several principles are becoming clear:

1. AI Does Not Shift the Standard of Care

PHI in AI Prompts

Do

De-identify all 18 HIPAA identifiers before entering clinical scenarios into consumer AI tools -- lab values and clinical findings can stay

Don't

Enter patient names, MRNs, facility names, dates of service, or geographic details into any AI tool without a BAA

You are held to the standard of a reasonably competent physician in your specialty. If you use AI and it gives you incorrect information that you act on without verification, you are liable -- not the AI vendor. The AI is a tool, like a reference book. If you read the wrong dosage in a drug reference and administer it, the liability is yours. AI is no different.

2. Failure to Use AI May Eventually Become a Liability

Legal scholars are already debating whether, as AI diagnostic tools become standard, failure to use them could constitute a deviation from the standard of care. We are not there yet for general-purpose AI, but for FDA-cleared diagnostic AI (such as diabetic retinopathy screening or stroke detection), this argument is gaining traction.

Pressure-Test a Safety Rule

  1. Choose one risky action mentioned in the lesson.
  2. Add or verify a rule that blocks it without breaking the safe workflow around it.
  3. Test the safe path and the blocked path so you know the guardrail is real.

3. Over-reliance on AI Is a Documented Risk

"Automation bias" -- the tendency to accept AI output without sufficient critical evaluation -- has been documented in aviation, radiology, and now general medicine. If a physician can show that they independently verified AI suggestions, their liability position is stronger. If they simply copy-pasted an AI-generated plan, they are exposed.

4. Documentation Is Your Shield

Document your clinical reasoning, not the AI's reasoning. Your note should reflect that you considered the differential, you weighed the evidence, and you made the clinical decision. Whether AI helped you think through options is a process detail; the medical record should capture your independent judgment.

Informed Consent for AI Use

The question of whether patients must be told that AI was used in their care is evolving along three tiers:

Tier 1 -- Generally No Specific Consent Required:

  • AI-assisted documentation (ambient scribes, note generation)
  • AI-assisted literature search
  • AI-assisted scheduling or administrative tasks

Tier 2 -- Disclosure Recommended, Consent Evolving:

  • AI-assisted diagnostic image interpretation
  • AI-generated differential diagnoses that influence workup
  • AI-assisted treatment planning

Tier 3 -- Specific Consent Likely Required:

  • AI-driven autonomous clinical decisions
  • AI systems that directly interact with patients (chatbot triage)
  • Research involving AI-generated clinical predictions

Quick Check

What is the main benefit of using Regulatory Compliance and Patient Safety well in Claude Code?

The American Medical Association's 2024 guidance recommends transparency as a default: "Patients should be informed about the use of AI in their care when it materially influences clinical decisions." This is not yet a universal legal requirement, but it is increasingly considered best practice.

Documentation Requirements

When AI contributes to clinical decision-making, your documentation should:

  1. Reflect your independent clinical judgment. The note should read as your assessment, not an AI transcript.
  2. Not attribute decisions to AI. Avoid phrases like "per ChatGPT" or "AI recommended." These create liability exposure and erode patient trust.
  3. Capture your verification process. If AI suggested a diagnosis and you confirmed it through clinical reasoning and evidence review, document the reasoning and the evidence -- not the AI suggestion.
  4. Follow institutional policy. Some institutions require noting when AI tools were used in clinical workflows. Others explicitly prohibit it. Know your policy.
Never Write 'Per AI' in a Clinical Note

Writing "per ChatGPT" or "AI-recommended" in a medical record creates a documentation trail that (a) may imply you deferred clinical judgment to a non-credentialed source, (b) could be used against you in a malpractice claim, and (c) may alarm patients who read their notes via OpenNotes. Document your reasoning. The tools you used to arrive at that reasoning are part of your cognitive process, not the medical record.

Institutional AI Policies: What to Expect and What to Demand

As of 2026, most major health systems have or are developing AI usage policies. These policies typically address:

  • Approved tools: Which AI platforms are sanctioned for use with patient data
  • Prohibited uses: What you cannot do (e.g., entering PHI into consumer AI)
  • Training requirements: Mandatory education before using approved AI tools
  • Incident reporting: How to report accidental PHI exposure to AI tools
  • Oversight committee: A governance body (often called an "AI Governance Committee" or "Clinical AI Council") that reviews and approves new AI use cases

Quick Check

After reading this lesson, what should you validate when applying Regulatory Compliance and Patient Safety?

If your institution lacks a policy, advocate for one. The absence of a policy does not mean the absence of risk -- it means the risk is unmanaged. Contact your Chief Medical Information Officer (CMIO), compliance office, or medical staff leadership.

The Regulatory Landscape: Where Things Are Heading

The regulatory environment for AI in medicine is being shaped by several forces:

FDA: The FDA has cleared over 900 AI/ML-enabled medical devices as of 2026, with an accelerating pace. These clearances establish a regulatory framework for AI tools that make or support specific clinical decisions. General-purpose AI assistants (ChatGPT, Claude) are not FDA-regulated because they are not marketed as medical devices, but this could change if vendors begin marketing them for clinical use.

ONC (Office of the National Coordinator for Health IT): ONC is developing interoperability standards for AI-generated clinical content, including how AI-generated notes should be tagged in EHRs and how AI-derived recommendations should be transmitted between systems.

CMS: The Centers for Medicare & Medicaid Services is evaluating reimbursement pathways for AI-assisted care. Some AI diagnostic tools already have CPT codes. As reimbursement expands, so will the regulatory requirements attached to those codes.

International frameworks: The EU AI Act (effective 2025-2026) classifies medical AI as "high-risk" and imposes transparency, documentation, and human oversight requirements. If you practice in a system that treats international patients or collaborates with EU institutions, these requirements may apply.

Quick Check

After reading this lesson, what should you validate when applying Regulatory Compliance and Patient Safety?


Apply: Building Your Compliance Muscle

Understanding the rules is necessary but not sufficient. You need to practice applying them until de-identification and compliance checks become automatic -- as automatic as hand hygiene or sterile technique.

Exercise 1: De-identify This Clinical Scenario

Below is a prompt that a physician might type into a consumer AI tool. Your task is to rewrite it so that it is fully de-identified under HIPAA Safe Harbor.

Original prompt:

"Maria Gonzalez, DOB 5/12/1958, seen at Duke Cardiology Clinic on 2/20/24. She's a 65-year-old Hispanic woman with rheumatic heart disease s/p mitral valve replacement in 2015 at Duke. Now presenting with new-onset Afib, INR 4.8 on warfarin, and a small pericardial effusion on echo done today. Her daughter called concerned about her mom's confusion. Lives alone in Durham, NC. PMH also includes lupus, CKD stage 3b, and depression. Meds include warfarin, prednisone 10mg, lisinopril, sertraline. Help me think through management priorities."

Rewrite the prompt below. Remove all 18 HIPAA identifiers. Preserve all clinically relevant information. Then check your version against the key that follows.

De-identification key -- your version should have removed or generalized:

  • Patient name (Maria Gonzalez)
  • Date of birth (5/12/1958)
  • Specific dates (2/20/24, 2015)
  • Facility name (Duke Cardiology Clinic, Duke)
  • Age can stay as a range ('60s female' or 'postmenopausal female')
  • Geographic location (Durham, NC)
  • Ethnicity can stay if clinically relevant (e.g., lupus prevalence) but consider whether it narrows identification

Example de-identified version: "Postmenopausal female with history of rheumatic heart disease s/p mechanical mitral valve replacement (approximately 9 years ago). Presenting with new-onset atrial fibrillation, supratherapeutic INR (4.8) on warfarin, and a small pericardial effusion on transthoracic echo. Family reports new confusion. Lives alone. PMH: SLE, CKD stage 3b, depression. Meds: warfarin, prednisone 10mg daily, ACE inhibitor, SSRI. Help me think through management priorities."

Exercise 2: Is This Prompt Safe? (5 Scenarios)

For each scenario below, determine: (A) Is this prompt safe for a consumer AI tool? (B) If not, what specifically makes it unsafe? (C) How would you fix it?

Scenario 1: "What are the current AHA guidelines for managing new-onset Afib with RVR in a patient on anticoagulation?"

Scenario 2: "My patient in Room 312 at St. Mary's is having an allergic reaction to vancomycin. What's the recommended Red Man Syndrome protocol?"

Scenario 3: "58-year-old male, heavy smoker, presenting with hemoptysis and a 3cm spiculated mass in the right upper lobe on CT. Staging workup plan?"

Scenario 4: "Can you help me draft a letter for my patient James Wright, DOB 3/4/1960, requesting prior authorization for Keytruda from BlueCross?"

Scenario 5: "The only patient in our ICU with Fournier's gangrene is not responding to broad-spectrum antibiotics. What are the next steps?"

Answers:

  1. Safe. This is a general clinical question with no patient information.
  2. Unsafe. Room number + facility name = identifiable. Fix: Remove room number and hospital name. "Patient receiving vancomycin is developing Red Man Syndrome. What's the recommended protocol?"
  3. Likely safe but borderline. No identifiers present, and the presentation is common enough not to be individually identifying. Acceptable for consumer AI.
  4. Unsafe. Contains patient name, date of birth, insurer. Fix: Draft the letter template in AI without any patient details, then fill in identifiers manually in your EHR.
  5. Unsafe. "The only patient in our ICU with [rare condition]" is identifying by uniqueness. Fix: Remove the uniqueness qualifier. "Patient with Fournier's gangrene not responding to broad-spectrum antibiotics. What are the next steps?"

Exercise 3: Audit Your Own AI History

If you have used a consumer AI tool for clinical purposes in the past:

  1. Open your conversation history (ChatGPT, Claude, Gemini, or whichever tool you've used)
  2. Review your last 10 clinical-related prompts
  3. For each one, ask: "If my compliance officer read this, would there be a concern?"
  4. Count how many contain potential PHI
  5. Delete any conversations that contain PHI (most platforms allow conversation deletion)
  6. Going forward, pause before every clinical prompt and run through the Safe Harbor checklist

If you have never used AI for clinical purposes, use this exercise to prepare: write three hypothetical clinical prompts -- one that is safe, one that is unsafe, and one that is borderline -- and analyze each.

Voice Assistants and Ambient AI Are PHI Risks Too

De-identification is not limited to typed prompts. If you use a voice-based AI assistant (Siri, Alexa, or ambient clinical documentation tools like Nuance DAX), be aware that spoken PHI is captured and processed. Ambient documentation tools with a BAA are designed for this purpose. Consumer voice assistants are not. Never dictate patient information to a consumer voice assistant, even in a private office. These devices are always listening for their wake word, and snippets of audio are routinely reviewed by human contractors for quality assurance.

The SAFE Framework for Every Clinical AI Interaction

Use this framework as a mental checklist before, during, and after every interaction with an AI tool in a clinical context:

S -- Scrub: Before typing, remove all 18 HIPAA identifiers. Generalize age, location, dates, and facility names. Ask yourself: "If someone read only this prompt, could they identify the patient?" If yes, scrub further.

A -- Assess: After receiving the AI's response, evaluate it against your clinical knowledge and training. Does it align with current guidelines? Does it account for the specific clinical context that you, as the treating physician, understand but the AI does not? Are the cited references real and current?

F -- Flag: If the AI's output contains uncertain, contradictory, or surprising recommendations, flag it for further verification. Do not use uncertain AI output for clinical decisions. Consult a colleague, check primary literature, or use a trusted clinical decision support tool.

E -- Evidence-check: Verify any specific clinical claims against authoritative sources -- UpToDate, current society guidelines, primary literature, or institutional protocols. AI tools can hallucinate references, invent drug interactions, and state outdated guidelines with complete confidence.


How confident do you feel about applying Regulatory Compliance and Patient Safety in a real project?

Reflect: What This Means for Your Practice

The regulatory landscape for AI in medicine is complex, evolving, and -- for many physicians -- genuinely intimidating. But it does not need to be paralyzing. The physicians who get into trouble are not the ones who use AI. They are the ones who use AI without understanding the boundaries.

Dr. Chen's story ended well. She became one of her institution's leading voices on responsible AI adoption. The policy her task force developed didn't ban AI -- it channeled it. It identified approved tools, created training programs, established incident reporting pathways, and most importantly, it gave physicians clear, actionable guidance so they didn't have to guess.

That is the goal of this lesson: not to make you afraid of AI, but to make you confident in using it safely. The regulatory framework exists to protect patients. Your role is to work within that framework while harnessing AI's extraordinary potential to improve the care you deliver.

The physicians who will thrive in the AI era are not the ones who avoid these tools. They are the ones who master the discipline of using them responsibly -- who can extract maximum clinical value while maintaining zero PHI exposure, who document their reasoning independently, who verify before they trust, and who advocate for institutional policies that enable safe adoption.

That is what it means to be AI-ready as a physician.

Key Takeaways

  • PHI in AI prompts is a HIPAA violation unless you are using a platform covered by a Business Associate Agreement (BAA) between the vendor and your institution
  • De-identification using Safe Harbor removes all 18 HIPAA identifiers and ensures remaining information cannot identify an individual -- this is your primary tool for safe AI use
  • Consumer AI tools (personal ChatGPT, Claude, Gemini) do not have BAAs with your hospital -- never enter PHI into these platforms
  • Enterprise and clinical AI platforms can have BAAs -- use your institution's approved tools when working with patient data
  • Rare conditions and unique presentations can be identifying even without explicit identifiers -- consider clinical uniqueness as a quasi-identifier
  • Malpractice liability stays with you, not the AI -- always verify AI output against your clinical judgment and authoritative sources
  • Document your reasoning, not the AI's -- avoid phrases like "per ChatGPT" in clinical notes
  • State regulations may exceed HIPAA -- know your state's specific AI disclosure and consent requirements
  • The SAFE framework (Scrub, Assess, Flag, Evidence-check) is your pre-flight checklist for every clinical AI interaction
  • Advocate for institutional AI policies if your organization lacks them -- unmanaged risk is the greatest risk