AI in Healthcare: Innovation Is Here, But So Are New Risks

June 19, 2026 - 11:20

Artificial intelligence is showing up everywhere in healthcare right now. From tools that draft visit notes to systems that suggest diagnoses, automate patient messages, or flag billing issues, AI is quickly becoming part of day-to-day operations in medical and dental practices.

That’s not necessarily a bad thing. Many of these tools can reduce workload and help overstretched teams stay afloat. However, the problem most organizations are quietly running into is that AI is already being used inside their practices, whether leadership has approved it or not.

And in many cases, it’s happening through free tools, personal devices, and well-meaning staff who don’t realize the risk they’re creating.

Why AI Adoption Feels Out of Control

Most healthcare organizations didn’t roll out AI through a formal project plan. Instead, it’s creeping in organically.

  • A front desk employee finds a free tool online.
  • A provider tries an app a colleague mentioned.
  • Someone uses their phone to “quickly clean up” a note at the end of the day.

None of this goes through IT. None of it goes through compliance. And often, leadership doesn’t know it’s happening until something triggers an alert, or worse, a problem.

At the same time, locking everything down isn’t realistic. Providers depend on internet access for clinical references, payer portals, labs, and communication tools. Over-restricting access can interfere with patient care. So, organizations end up stuck in the middle:

  • Too much restriction slows care
  • Too little oversight increases risk

What’s Actually Happening Inside Practices

The biggest AI-related risk today isn’t a hacker. It’s everyday workflow decisions. Here are a few scenarios that reflect what’s really happening:

Scenario 1: “I Just Needed Help with the Message”

A front desk employee receives a frustrated email from a patient about a billing issue. Wanting to respond clearly and professionally, they paste the message into a free AI chatbot and ask it to draft a reply. The original message includes:

  • The patient’s full name
  • Appointment dates
  • Details about services and insurance

The response they get back is polished and helpful. They send it and move on. What they don’t realize is that they may have just shared protected health information (PHI) with a third-party platform the organization has never evaluated and may have no agreement with.

Scenario 2: “I’ll Fix My Notes Later”

A provider is running behind and uses a personal device at home to clean up documentation. They paste parts of their visit notes into an AI tool to summarize and generate instructions. It saves time. It feels efficient, but:

  • The tool wasn’t approved by the organization
  • No Business Associate Agreement (BAA) exists
  • The provider used their personal account

Now PHI may be stored, processed, or even retained by a vendor the practice has never vetted, and IT has no visibility into it.

Scenario 3: “It’s Just for Drafting”

A team member in billing or administration uses AI to help draft appeal letters or explain denials. To get accurate output, they include specific patient cases with diagnoses, dates of service, and payer details. They assume this is low risk because it’s “not clinical care,” but it’s still PHI. Again, it’s being entered into tools the organization hasn’t approved or configured for compliance.

Scenario 4: The Invisible Risk: Personal Devices

This is the one many practices underestimate. Even if you restrict tools on your network, staff can:

  • Use AI apps on their personal phones
  • Log into web-based tools from home
  • Copy information into personal accounts

From the organization’s perspective, this activity is completely invisible. From a compliance perspective, it’s still your responsibility.

The Core Issue: Visibility and Control

Most organizations aren’t struggling because they allow AI. They’re struggling because they don’t know where or how it’s being used.

A few patterns are showing up consistently:

  • Staff are using free, public AI tools without understanding data handling
  • AI use is happening outside approved systems
  • Personal devices are being used for work-related tasks
  • There are no clear guidelines, so people make their own decisions

And importantly, these actions are almost always well-intentioned. People are trying to:

  • Work faster
  • Communicate better
  • Keep up with workload

But without guardrails, those shortcuts can create real exposure.

HIPAA Still Applies – No Matter the Tool

Some organizations mistakenly believe that because AI technology is new, HIPAA regulations have not yet caught up. That assumption is incorrect.

HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule apply regardless of the technology being used. Healthcare organizations remain responsible for:

  • Protecting the confidentiality of PHI
  • Limiting disclosures of patient information
  • Implementing appropriate administrative, physical, and technical safeguards
  • Managing workforce access and training
  • Assessing risks associated with new technologies

If PHI is entered into an AI platform, the organization must evaluate whether the vendor is acting as a Business Associate and whether HIPAA requirements are being met. The introduction of AI does not eliminate compliance obligations.

It doesn’t matter if the tool is new, popular, or widely used. If PHI is involved, your obligations don’t change. That means:

  • You must know where PHI is going
  • You must ensure vendors meet HIPAA requirements
  • You must have appropriate agreements in place
  • You must train your workforce on what’s allowed and what isn’t

“Everyone is using it” is not a compliance strategy.

Cybersecurity Risks Associated with AI

AI introduces additional cybersecurity concerns that practices should understand.

  • Data Exposure: employees may unknowingly submit sensitive information into unsecured AI platforms.
  • Unauthorized Data Retention: some AI vendors may retain submitted information to improve their systems or train future models unless specific protections are in place.
  • Phishing and Social Engineering: cybercriminals are increasingly using AI to create convincing phishing emails, fraudulent messages, and impersonation attempts.
  • Shadow AI: “Shadow AI” refers to employees using AI tools without organizational approval or oversight. Just as shadow IT created security concerns in previous years, shadow AI is becoming a significant compliance challenge for healthcare organizations.
  • Inaccurate Information: AI-generated content can sometimes produce inaccurate or fabricated information. Healthcare staff should never rely solely on AI-generated clinical, compliance, legal, or operational guidance without appropriate review.

Risk Assessments Matter More than Ever

The HIPAA Security Rule has always required covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to electronic protected health information (ePHI). Historically, organizations have focused their Security Risk Analysis on:

  • Electronic health record systems
  • Practice management software
  • Email platforms
  • File sharing systems
  • Network infrastructure
  • Mobile devices

Today, AI tools deserve the same scrutiny.

Unfortunately, many organizations have not updated their risk assessment process to account for rapidly evolving AI technologies. As a result, AI may be operating within the organization without ever being evaluated from a privacy or security perspective, and that creates unnecessary risk.

The Proposed Security Rule Updates Raise the Bar

The Department of Health and Human Services has proposed significant updates to the HIPAA Security Rule that place greater emphasis on formalized risk analysis, technology inventories, vulnerability assessments, and ongoing reviews. Among the concepts emphasized within the proposed changes are:

  • Comprehensive technology asset inventories
  • Formal risk analyses of systems and technologies affecting ePHI
  • Regular reviews and updates to risk management activities
  • Enhanced documentation requirements
  • More structured cybersecurity oversight

While organizations should continue monitoring the final rulemaking process, the direction is clear: regulators expect healthcare organizations to maintain a current understanding of technologies that impact patient information and to evaluate associated risks on an ongoing basis. For many practices, AI represents a newly emerging technology that should be incorporated into those evaluations.

A More Practical Approach to AI Governance

Organizations do not need to prohibit AI entirely. In fact, many AI solutions can improve efficiency, patient experience, and operational effectiveness. Instead, they should create a framework that supports innovation while protecting patient information. Every practice should consider implementing a written AI Use Policy that addresses:

  • Approved AI tools
  • Prohibited uses
  • Requirements for handling PHI
  • Workforce responsibilities
  • Security expectations
  • Documentation requirements

1. Start with Clear, Simple Rules

Your staff doesn’t need a 20-page policy; they need clarity. At a minimum:

  • Do not enter PHI into unapproved AI tools
  • Use only approved platforms for AI-assisted work
  • Do not use personal accounts or devices for AI involving patient information

Make it easy to understand and easy to follow.

2. Assume AI Is Already in Use

Instead of asking if AI is being used, assume that it is. Then:

  • Ask departments what tools they’ve tried
  • Look for patterns in workflows where AI might be helpful
  • Identify where risk already exists

You’ll get much further acknowledging reality than trying to prevent it entirely.

3. Approve Safe Alternatives

If you tell staff, “Don’t use AI,” they’ll find workarounds.

If you give them approved, secure tools, they’re far more likely to stay within boundaries. Focus on:

  • Vendors willing to sign a BAA
  • Clear data handling practices
  • Administrative controls and audit visibility

4. Address Personal Device Use Directly

This is uncomfortable, but necessary. You don’t need to eliminate personal device use entirely, but you do need guardrails:

  • Define what work can and cannot be done on personal devices
  • Prohibit entering PHI into AI tools outside approved systems
  • Reinforce that “off network” doesn’t mean “off responsibility”

5. Train with Real Examples

Generic training doesn’t stick as well as real scenarios do. Use situations like:

  • “You’re answering a patient email…”
  • “You’re catching up on notes at home…”
  • “You’re drafting an appeal…”

Help staff recognize when they’re about to cross a line, not just what the rule is.

Final Thought: This Is a Workflow Problem, Not Just a Technology Problem

AI adoption in healthcare isn’t slowing down. If anything, it’s accelerating faster than policies can keep up. The organizations that will manage this well aren’t the ones that lock everything down; they’re the ones that:

  • Accept that AI is already in use
  • Create clear expectations early
  • Give staff safe ways to use it
  • Address personal-device risk head-on

Because at the end of the day, this isn’t just about technology. It’s about how work is getting done and making sure it’s done in a way that protects your patients, your staff, and your organization.

Key Takeaways

  • If AI is being used, it should be evaluated. AI tools should be assessed just like any other system that may impact electronic protected health information.
  • You cannot manage risks you have not identified. Developing an inventory of approved and unapproved AI tools is often the first critical step.
  • Risk assessments are becoming increasingly important. Proposed Security Rule updates reinforce the expectation that organizations maintain ongoing awareness of technologies affecting ePHI.
  • Annual reviews should become standard practice. AI technologies change rapidly, requiring regular reassessment of risks and safeguards.
  • Governance starts with documentation. A documented risk assessment demonstrates due diligence and provides the foundation for AI policies, training, and security controls.

AI Readiness Checklist for Healthcare Practices

Discovery and Inventory

  • Identify all AI tools currently being used
  • Document approved and unapproved applications
  • Create and maintain an AI technology inventory

Privacy Review

  • Determine whether PHI is entered into AI systems
  • Evaluate permitted uses and disclosures
  • Assess Business Associate Agreement requirements

Security Review

  • Review vendor security documentation
  • Verify encryption and access controls
  • Assess data retention practices
  • Evaluate cybersecurity risks

Workforce Review

  • Assess employee understanding of AI risks
  • Identify shadow AI usage

Governance

  • Written AI policy established
  • Leadership approval and oversight defined
  • Acceptable-use standards communicated

Compliance and Risk Assessment

  • AI included in Security Risk Analysis
  • HIPAA implications evaluated
  • Business Associate Agreements reviewed and executed when applicable
  • Approved AI tools inventoried
  • Data retention practices reviewed
  • Encryption and access controls verified
  • Incident response plan updated
  • Ongoing monitoring established

Workforce Training

  • Staff educated on AI risks
  • Employees trained not to enter PHI into unapproved systems
  • Reporting procedures communicated

Ongoing Review

  • Annual AI governance review scheduled
  • Emerging threats monitored
  • Policies updated as technology evolves

DoctorsManagement helps medical and dental practices evaluate emerging technologies like AI as part of a thorough Security Risk Analysis, develop a written AI use policy, and train their teams on safe, compliant workflows. If you would like help bringing AI into your practice in a way that protects patient information, contact us to learn more.


The post AI in Healthcare: Innovation Is Here, But So Are New Risks appeared first on DoctorsManagement.
