trust7 min read2026-06-18

"AI Is Illegal Under HIPAA" Is Not True

HIPAA doesn't ban AI in your practice. It bans careless use with patient data. Here's the decision framework that separates safe from risky.

MK

Mike Kohl

Founder, Health Biz Scale

I hear this one almost every week from a practice owner: "HIPAA makes all this AI stuff too risky. I can't put patient data into AI tools, so I can't use any of it." I get why you'd think that. I want to take it seriously before I push back on it.

The fear is not paranoid

If you paste a patient's name, diagnosis, and treatment notes into a free consumer chatbot, you have a real problem. Most consumer AI tools were not built to handle protected health information. They were not designed with a Business Associate Agreement in mind. A practice that does this casually, without thinking about it, could genuinely expose itself. I have built software for 20 years. I have seen how fast a shortcut becomes a liability when nobody maps out where the data actually goes.

So if your instinct is caution, that instinct is doing its job. The mistake is not the caution. The mistake is turning one legitimate risk into a blanket rule that shuts down everything with the word "AI" attached to it. That rule costs you the parts of AI that carry zero patient-data risk at all, and it does not actually fix the parts that do carry risk.

Two different categories, treated as one

Here is the distinction that collapses when people say "AI is illegal in healthcare." There are two completely different kinds of work happening in a practice, and they carry different levels of risk.

The first category is marketing and visibility work. Blog content, SEO structure, AI-search optimization, website copy, generic reactivation message templates you'll personalize later. None of this requires a single patient's name, diagnosis, or chart note to touch an AI tool. You are writing about functional medicine in general, not about Patient X's thyroid panel. This is the bulk of what most practices actually want AI help with, and it does not touch HIPAA at all when it's done right.

The second category is anything that touches protected health information directly: documentation, chart notes, intake forms, anything with a real patient's real details. This category does require care. But the answer is not "avoid AI here." The answer is "use a tool that will sign a Business Associate Agreement and is configured correctly for that use." Plenty of vendors serving healthcare offer this. The compliant path exists. It is not a fantasy. It is a specific, buildable thing, not a wall you run into and turn back from.

Treating these two categories as one thing is where the fear turns into a business cost. You end up banning safe work because it shares a word with risky work.

The PHI decision framework

Before you touch any AI tool for anything in your practice, run the task through this:

  1. Does this task require a specific patient's identifying or health information to complete it? If you're writing a blog post about seasonal allergies in general, no. If you're summarizing a patient's chart, yes.
  2. If the answer is no: you're in low-risk territory for this task. Standard care still applies, don't paste anything you wouldn't want public, but this is not a PHI event.
  3. If the answer is yes: stop and ask two follow-up questions before you proceed. Has this vendor signed a Business Associate Agreement with your practice? Is the tool actually configured the way that agreement requires, not just signed on paper and then used carelessly?
  4. If either answer is no: don't put the PHI into that tool. Find a workflow that either removes the identifying information first, or use a tool where both boxes are checked.
  5. If both answers are yes: you're on a defensible path, and you should still confirm the specific use case with your own compliance advisor before scaling it across the practice.

That's the whole test. Does this touch PHI. If yes, is there a signed BAA and correct configuration. Run every task, every tool, every new use case through those questions before you adopt it.

A compliance caution, stated plainly

I am not a lawyer and I am not your compliance officer. Nothing here is legal advice, and I am not citing specific regulation language because I don't want to hand you a false sense of precision on a topic where precision matters. HIPAA enforcement, vendor agreements, and what counts as adequate configuration are things your own qualified HIPAA advisor or compliance counsel needs to confirm for your specific practice, your specific vendors, and your specific state rules. Treat this essay as a framework for thinking clearly, not as a substitute for that conversation. Have it before you scale anything in the second category.

What to classify first

Don't try to audit every tool and every task in your practice today. Pick the AI use case you're most tempted by right now, the one you've been avoiding because of this exact fear, and run it through the five questions above. Most of the time you'll find it lands in category one: no patient data involved, no BAA question to even ask. That's usually where the biggest, easiest win is sitting, untouched, because "HIPAA" got treated as one word covering two very different risks.

The practices making real progress with AI right now are not the ones who ignored the risk. They're the ones who got specific about where the risk actually lives, so they could move freely everywhere else. That's the whole game with Time Leverage: stop treating every task as equally dangerous or equally safe, and start sorting them so you know exactly where to spend your caution. I wrote more on why AI alone doesn't fix a practice's real bottlenecks in AI Will Not Save Your Practice.

If you want a second set of eyes on where your specific tasks fall, work with me.

Get the next essay

AI leverage, business systems, and the doctrine, one essay at a time. No pitches. Unsubscribe anytime.

Want the systems built for you? Work with me →