Document AI Usage in Your HIPAA Policies

Using AI in your clinic? You need to document it.

HIPAA doesn’t prohibit AI—but it does require that you define how technology is used to access, store, or transmit PHI.

Here’s how to document AI use in your policies:

1️⃣ Name the Tools: List all AI tools used in your practice (e.g., OpenAI, Abridge, Notion).

2️⃣ Use Case Description: Explain what the tool is used for (e.g., summarizing de-identified notes).

3️⃣ PHI Access Status: State whether the tool ever accesses PHI, and whether it operates under a Business Associate Agreement (BAA).

4️⃣ Risk Controls: List safeguards like staff training, prompt templates, and restricted access.

5️⃣ Review Frequency: Note how often the AI tool and policy are reviewed for compliance.

💡 Bonus: Add a clause requiring staff to get approval before testing new AI tools.
