HIPAA COMPLIANCE · AI SECURITY · HEALTHCARE IT
Your Staff Is Already Using AI. Here’s the HIPAA Problem Nobody’s Catching.
Shadow AI — employees using unauthorized tools like ChatGPT with patient data — is now present in over 40% of healthcare organizations. Most practices have no idea it’s happening. And when it is, every paste of a patient name into an unvetted AI tool is a potential HIPAA violation.
Atlantic Computer Systems · June 2026 · 7 min read
Your staff is saving time with AI. They just don’t know they’re breaking the law while doing it.
It starts with good intentions. Your front office coordinator copies a patient’s intake notes into ChatGPT to draft a referral letter faster. Your billing manager pastes a patient account summary into an AI chatbot to help write an appeal. A provider drops a SOAP note into a free AI tool to get a quick coding suggestion between patients.
Nobody told them not to. Nobody even thought to ask whether it was okay. And now that same protected health information has been processed by a consumer AI tool that has no Business Associate Agreement with your practice — a direct HIPAA violation under the Privacy and Security Rules, regardless of intent.
This is Shadow AI: the use of AI tools outside of official approval and oversight. And according to industry surveys from early 2026, it’s happening in roughly 40% of healthcare organizations, with 57% of healthcare professionals reporting they’ve used or encountered unauthorized AI tools at work. Most practices don’t find out until a compliance audit, a breach investigation, or an OCR inquiry forces the question.
Why shadow AI spreads so fast inside medical practices
Blaming staff isn’t the answer. The tools are free, genuinely useful, and one browser tab away. Without a policy, there’s nothing stopping a well-meaning employee from using them with the best of intentions.
- AI tools are visibly faster: A tool that drafts a referral letter in 10 seconds instead of 10 minutes is going to get used, especially in understaffed practices where saving time is survival.
- The compliance risk is invisible: When a staff member enters PHI into a non-compliant AI platform, there’s no error message, no alert, and no log entry. The violation happens silently.
- Policies haven’t kept up: Most HIPAA security policies were written before generative AI existed. They address email, USB drives, and portable devices — not whether it’s okay to paste a patient chart into a web browser AI.
- The boundary is genuinely confusing: Staff who use AI tools at home don’t automatically understand that the same tool becomes a compliance risk the moment patient data enters the conversation.
- Leadership often doesn’t know it’s happening: Unlike a data breach, there’s no incident report. Shadow AI is invisible until someone asks the right questions.
What HIPAA actually says about using AI with patient data
The Business Associate Agreement (BAA) requirement
Any vendor or tool that creates, receives, maintains, or transmits PHI on behalf of a covered entity must sign a Business Associate Agreement with your practice. This is non-negotiable under 45 CFR §164.308(b). Consumer versions of AI tools — the free ChatGPT interface, standard Gemini, Microsoft Copilot outside of enterprise configurations — do not come with BAAs. OpenAI has explicitly stated it does not sign BAAs for consumer accounts. That means using any of these tools with PHI is a HIPAA violation: an unauthorized disclosure of protected health information to a third party with no safeguards agreement in place.
The training data risk
Consumer AI tools may use user inputs to improve their models. Even when a provider doesn’t retain inputs, the platform’s data processing activity itself creates exposure. Once PHI enters an external system without a BAA, the covered entity loses all control over how that data is handled — which is precisely what HIPAA’s Security Rule is designed to prevent.
The audit trail problem
HIPAA requires covered entities to maintain audit controls that record and examine activity in systems containing PHI (45 CFR §164.312(b)). When PHI flows through a consumer AI chatbot, there is no audit trail. You cannot tell a compliance auditor or OCR investigator what was disclosed, when, or to whom.
The minimum necessary standard
HIPAA’s minimum necessary rule requires that PHI disclosures be limited to the smallest amount of data needed for a given purpose. Staff pasting full patient charts into AI tools to answer a narrow question almost certainly violates this principle.
Six things your practice needs to do right now
1. Survey your staff anonymously: Which AI tools are you using? For what tasks? How often? Most practices that do this for the first time discover 5 to 10 tools in active use that compliance leadership didn’t know about.
2. If your current HIPAA policies don’t mention AI, chatbots, or language models, they need to be updated. Staff need a clear, written policy that specifies which AI tools are approved, which are prohibited, and what data may and may not be entered into any AI platform.
3. Use enterprise-grade tools that offer HIPAA-compliant configurations and will sign a BAA. Microsoft 365 Copilot (within a properly configured M365 Business Premium or E3/E5 environment), Google Workspace Gemini under a Healthcare data processing addendum, and purpose-built clinical AI tools are built for this. Consumer accounts are not.
4. Add a dedicated AI compliance module to your annual HIPAA training. Most compliance violations in this category happen because staff genuinely don’t understand the rule — not because they’re careless. Awareness is the cheapest control you have.
5. DNS-level web filtering can block access to non-approved AI tools from practice devices. Data loss prevention (DLP) rules in Microsoft 365 can flag or block PHI strings from being pasted into external web applications.
6. A risk assessment that ignores AI in 2026 is, by definition, incomplete. AI-related exposure — unauthorized tool use, absence of BAAs, lack of audit trails — must now be part of every annual security risk assessment.
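As an added illustration (not code from this article or from Atlantic Computer Systems), the Python sketch below shows the logic behind the two technical controls just described and the audit trail problem raised earlier: an allowlist of AI endpoints the practice has vetted and holds a BAA for, a DLP-style check for PHI identifiers in outbound text, and an audit record that stores a hash of the content rather than the PHI itself. The hostnames, the PHI patterns, and the sample requests are constructed placeholders; a real deployment would rely on the DLP platform's built-in sensitive-information types and the practice's own approved-tools list.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed placeholder hostnames. A practice would list the enterprise endpoints
# of the tools named in its approved-tools policy (ones covered by a signed BAA).
APPROVED_AI_HOSTS = {"copilot.approved.example", "gemini.workspace.example"}

# Constructed placeholders for consumer AI endpoints with no BAA; these are what
# DNS-level filtering would block outright on practice-managed devices.
CONSUMER_AI_HOSTS = {"chat.consumer-ai.example", "free-assistant.example"}

# Simple identifier patterns that suggest PHI in free text. Deliberately basic:
# production DLP rules use the platform's sensitive-information types instead.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def find_phi(text):
    """Return the names of the PHI patterns that matched, in a stable order."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)]


def decide(host, text):
    """Decide what to do with an outbound request to `host` carrying `text`.

    Returns (action, phi_types):
      - approved host: allow, but record which PHI types went out so the
        minimum-necessary standard can be reviewed later;
      - consumer AI host: block regardless of content (no BAA exists);
      - any other host: block only if PHI identifiers are present.
    """
    phi_types = find_phi(text)
    if host in APPROVED_AI_HOSTS:
        return "allow", phi_types
    if host in CONSUMER_AI_HOSTS:
        return "block", phi_types
    if phi_types:
        return "block", phi_types
    return "allow", phi_types


def audit_record(user, host, text, action, phi_types):
    """Build the audit entry a consumer chatbot never produces.

    The record stores a SHA-256 of the content, not the content itself, so the
    log can prove what was submitted without becoming a new store of PHI.
    """
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "host": host,
        "action": action,
        "phi_types": phi_types,
        "content_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "content_length": len(text),
    }


def process_request(user, host, text):
    """Apply the policy to one request and return its audit record."""
    action, phi_types = decide(host, text)
    return audit_record(user, host, text, action, phi_types)


if __name__ == "__main__":
    # Constructed sample requests mirroring the scenarios in the article.
    samples = [
        ("front-office", "chat.consumer-ai.example",
         "Draft a referral letter for patient, MRN 12345678, DOB: 04/12/1980."),
        ("billing", "unknown-tool.example",
         "Help me write an appeal; account holder SSN 123-45-6789."),
        ("provider", "copilot.approved.example",
         "Suggest a code for this SOAP note. MRN# 87654321."),
        ("staff", "internal-wiki.example", "How do I reset my badge?"),
    ]
    for user, host, text in samples:
        print(json.dumps(process_request(user, host, text)))
```

The design point is that the audit record and the block decision are produced by the practice's own control, on its own devices, which is exactly what the consumer chatbot route lacks. Approved-host traffic is still logged with the PHI categories seen, because a BAA makes the disclosure permissible but does not by itself satisfy the minimum necessary standard.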
How Atlantic Computer Systems helps practices get ahead of the shadow AI problem
Most small and mid-size medical practices don’t have a compliance officer who stays current on OCR guidance, AI vendor BAA policies, and DLP configuration simultaneously. ACS builds AI governance into the same managed service that handles your helpdesk, security monitoring, and EHR environment.
HIPAA Risk Assessments
We conduct thorough annual risk assessments that now explicitly cover AI tool exposure, unauthorized data flows, and missing BAAs — the documentation OCR looks for first.
Microsoft 365 Compliance Configuration
We configure your M365 environment with DLP policies, sensitivity labels, and Copilot governance so staff can use AI tools safely — within a framework that’s HIPAA-covered by Microsoft’s BAA.
Web Filtering & Endpoint Controls
DNS filtering and endpoint policy management that can restrict access to non-approved AI tools from practice-managed devices — reducing accidental PHI exposure at the technical layer.
AI-Specific HIPAA Training
Updated staff training modules that address AI tool use, the BAA requirement in plain English, and real-world examples of compliant vs. non-compliant AI use.
Policy Documentation
We draft and maintain the written HIPAA policies — including AI use policies — that auditors and cyber insurers expect. Current, signed, and stored in a format you can produce on demand.
EHR & Workflow Integration
We help practices identify HIPAA-compliant AI tools that integrate directly with your EHR — so staff have a safe, fast alternative to consumer AI tools for clinical documentation and coding support.
The practices that get ahead of this are the ones who ask the question first.
Shadow AI isn’t a future risk. It’s a present one, and it’s likely already active in your practice whether or not anyone is aware of it. The practices that avoid OCR penalties in 2026 won’t be the ones where staff never thought to use AI — they’ll be the ones where leadership asked the right questions before a breach forced the issue.
Our free 30-minute IT and HIPAA security assessment includes an AI exposure review: which tools are in use, where PHI might be flowing outside your control, and what a compliant AI policy looks like for a practice your size. No obligation. No sales script.
Is your practice exposed to shadow AI? Find out in 30 minutes.
Book a free IT & HIPAA security assessment with the ACS team. We’ll review your AI exposure, your current HIPAA posture, and give you a clear picture of what needs to change — in plain English, no jargon.
Book My Free Assessment · 30-minute call · No obligation · Remote-first, nationwide