Healthcare workers are among the most active users of unauthorized AI tools — and the industry carries some of the highest consequences when those tools expose protected health information. Here's what an AI acceptable use policy needs to cover for healthcare organizations, without requiring a legal department to implement.
In February 2026, Healthcare Brew published survey data showing that 57% of healthcare professionals reported encountering or using unauthorized AI tools at work. The same survey found that clinicians are using ChatGPT, Claude, Gemini, and similar tools to draft clinical notes, generate diagnostic hypotheses, and create patient education materials — often with PHI in the prompt.
This isn't a small-practice problem. It's happening at health systems, medical groups, specialty clinics, behavioral health practices, and healthcare administrative offices at every scale. And unlike most industries, healthcare has a specific regulatory framework — HIPAA — that makes the stakes materially higher when AI tool use isn't governed.
Three factors combine to make healthcare a high-risk environment for shadow AI:
High-value data by default. Healthcare workers handle protected health information as part of their normal daily work. Unlike a marketing employee who might occasionally paste customer data into an AI tool, a clinician or medical administrator is almost certain to work with PHI in any given session. The data risk is structural, not incidental.
Productivity pressure drives adoption. Clinical staff are under significant time pressure. AI tools that can draft a SOAP note in 30 seconds instead of 10 minutes are genuinely useful — and clinicians discover this quickly. When an approved alternative isn't available, the calculus of "use this free tool and get home on time" wins for many people.
HIPAA creates specific legal exposure. Entering PHI into a consumer AI tool that lacks a Business Associate Agreement (BAA) with your organization is a potential HIPAA violation — regardless of whether the information is actually misused or breached. The violation is the transmission of PHI to an entity that hasn't entered into the required contractual protections.
HIPAA's Privacy and Security Rules don't specifically address AI tools — they predate the current wave of AI adoption. But the existing framework applies clearly:
Any vendor or service provider that handles PHI on behalf of a covered entity must sign a Business Associate Agreement. A BAA is a contract that commits the vendor to specific data handling, security, and breach notification obligations under HIPAA. Without a BAA, sharing PHI with that vendor is a violation.
Free consumer tiers of AI tools — ChatGPT Free, standard Gemini, Claude.ai personal accounts — do not typically offer BAAs. Enterprise tiers of major AI tools often do. The practical implication for your AI policy is that the free/paid distinction isn't just a data training concern — it's potentially a compliance threshold.
Any AI tool used in a context where it could receive PHI needs either (a) a signed BAA with your organization, or (b) a clear written rule that PHI must never be entered into that tool. Both the approved-tool list and the data handling rules in your AI policy need to reflect this.
A general AI acceptable use policy covers most of the right territory. A healthcare-specific policy needs to go further in four areas:
The policy must clearly state that PHI — including patient names, dates of birth, diagnoses, treatment information, insurance information, and any combination of information that could identify a patient — may only be entered into AI tools that have a signed BAA with your organization. This isn't a general data handling principle. It needs to be a specific, named rule.
Clinical documentation is the highest-risk use case and also the most compelling one. AI-assisted note generation is genuinely useful and increasingly common. Rather than prohibiting it, a good policy identifies specific approved tools — those with BAAs, security assessments, and integration into your existing EHR workflow — so clinicians have an approved path that meets both the productivity need and the compliance requirement.
AI tools used to support diagnostic reasoning or treatment planning require explicit human oversight language. No AI output should substitute for clinical judgment, and any AI-generated clinical content — diagnostic summaries, treatment plan drafts, medication information — must be reviewed and verified by a licensed clinician before being used in patient care. This may seem obvious, but it needs to be explicit and documented.
HIPAA requires breach notification within specific timeframes. Your AI policy should specify that any suspected exposure of PHI through an AI tool — including accidental input of PHI into an unauthorized tool — must be reported to your Privacy Officer immediately. Do not let an unclear reporting process be the reason a HIPAA breach notification window is missed.
The most common failure in healthcare AI governance isn't technical — it's communication. Policies exist in the compliance manual. Staff have never been walked through what they mean for daily workflows. The clinical team doesn't know which AI tools are on the approved list. The front desk team doesn't know whether using ChatGPT to draft a patient communication letter is allowed.
Healthcare organizations that have reduced shadow AI usage most successfully share a common pattern: they announced an approved AI tool alongside the policy. When clinical staff were given access to an enterprise-tier AI documentation tool with a BAA already in place, unauthorized tool use dropped sharply — because the approved alternative was genuinely useful, not just technically compliant.
"One healthcare system that provided approved AI tools saw a 89% reduction in unauthorized use and 32 minutes of daily time savings per clinician." — Healthcare Brew / Second Talent Research, 2026
Administrative and non-clinical staff are often excluded from healthcare AI policy thinking — the focus goes to clinicians and PHI in clinical contexts. But administrative staff handle substantial amounts of PHI too: billing records, insurance verification, scheduling data, HR files on clinical employees, financial data tied to patient accounts.
A healthcare AI policy that covers clinical documentation but doesn't address administrative AI use has covered the most visible risk while leaving a large surface area unaddressed. Your tool tier list and data handling rules should explicitly include administrative functions, not just clinical ones.
Shadow AI Policy generates a tailored AI acceptable use policy, tool tier list, employee acknowledgment form, and manager FAQ — with healthcare-specific data handling rules and PHI guidance built in.
Generate my healthcare policy →