The AI Mistake Your Staff Doesn’t Know They’re Making
A medical office manager gets a confusing EOB denial. She pastes the explanation — patient name, procedure code, insurance details — into ChatGPT and asks it to decode the denial in plain English.
She gets a clear answer in 10 seconds. She resolves the claim. Everybody wins.
Except now there’s protected health information sitting on OpenAI’s servers with no Business Associate Agreement, no audit trail, and no way to retrieve or delete it.
She doesn’t know she just created a HIPAA violation. And if you’re the practice owner, you don’t know either.
This Is Happening in Most Practices Right Now
A 2026 survey of 500+ healthcare professionals found that 40% have encountered unauthorized AI tools in their workplace, and nearly 1 in 5 admit to using them. 71% use personal AI accounts for work tasks. And 81% of data policy violations in healthcare involve protected health information.
Staff aren’t being careless. They’re doing what makes sense: using the best tool available to solve the problem in front of them. The issue is that nobody told them the best tool available is also a compliance landmine.
Why Policies Aren’t Reaching Staff
Here’s where it gets uncomfortable for practice leadership.
Many administrators believe their AI policies are “clearly communicated.” But only about a third of providers — the people actually using the tools — agree. Administrators are more likely to be involved in developing AI policies than the staff who need to follow them.
The people writing the rules aren’t the people doing the work. And the people doing the work aren’t being asked what they need.
Why the Stakes Just Got Higher
The May 2026 HIPAA Security Rule update eliminates the “addressable” safeguard category. Everything will be mandatory, regardless of practice size. New requirements include technology asset inventories that must include AI tools, 72-hour incident reporting, and network segmentation. Enforcement begins late 2026.
A practice that doesn’t know its staff is using ChatGPT can’t include it in an asset inventory. Can’t assess its risk. Can’t report a breach it doesn’t know happened. And can’t claim ignorance as a defense.
The average healthcare security breach costs nearly $10 million. Most practices won’t face that figure — but a single HIPAA fine can cost tens of thousands, and the majority of those fines hit small practices.
This Is Fixable
When healthcare organizations provide approved, compliant AI alternatives, unauthorized tool use drops significantly. In reported cases, clinicians also save meaningful time per day.
Staff aren’t trying to break rules. They’re trying to do their jobs without enough support. Give them a safe alternative and the shadow usage almost disappears.
What to Do This Week
You don’t need a six-month initiative. Start here:
- Ask your team: “What AI tools are you using that we didn’t set up?” No judgment. Just information.
- Identify your exposure: Which tasks involve PHI? Which tools lack BAAs?
- Provide alternatives: Compliant AI tools exist for clinical documentation, billing support, and patient communication.
- Document a one-page AI policy: What’s approved, what’s not, and where to go with questions.
The goal isn’t to eliminate AI. It’s to know what your practice is already using and make it safe.
Because right now, the biggest AI risk in your practice isn’t something you adopted. It’s something your staff adopted without telling you.
