
AI Security in Healthcare | HIPAA Compliance | Managed IT Services for Medical Practices Salt Lake City
The clinical documentation looked perfect. Detailed, well-organized, exactly the kind of note that makes a chart review straightforward. Then the physician looked closer. The medication dosage cited in the AI-generated summary didn't match what was actually prescribed. The AI had filled in a detail — confidently, clearly, in a format that looked authoritative — that simply wasn't accurate. For Salt Lake City medical practices adopting AI tools faster than they're building guardrails around them, this isn't a hypothetical. It's a patient safety and HIPAA compliance risk happening right now.
The Intern Nobody Onboarded
Imagine bringing on a new clinical assistant and on day one handing them access to everything: patient charts, clinical notes, referral documents, billing records, protected health information across your entire practice. "Just figure it out. Let me know if you need anything." No orientation. No scope of practice conversation. No supervision.
That's how many medical practices are adopting AI right now. Not because they're reckless — in fact, it's the opposite. AI tools are genuinely useful and already built into the platforms clinical staff use every day. There's an AI button in your EHR, another in your documentation tool, another in your patient communication platform. It feels like productivity has arrived.
And in many ways, it has. AI is effective for clinical documentation, summarizing patient histories, drafting referral letters, and organizing prior authorizations. The issue isn't the tool — it's the absence of supervision. Not every Salt Lake City practice has stopped to think about what happens when a staff member clicks that button with a patient's PHI in the window.
What Your Unsupervised AI Is Actually Doing
When AI tools arrive in a medical practice without a policy, three things tend to happen — and all three carry HIPAA implications.
First, PHI gets shared with tools that haven't been vetted.
Staff paste patient notes into consumer AI platforms to generate a quick summary or draft a referral letter. They drop billing data into a chatbot to format an appeal. Research by CybSafe and the National Cybersecurity Alliance found that 38% of employees are sharing confidential data with AI platforms without approval. In healthcare, "confidential data" means protected health information — and sharing PHI with a non-HIPAA-compliant AI tool is a reportable breach, regardless of intent.
Second, unapproved tools start appearing across the practice.
A BlackFog survey found that 49% of workers are using AI tools their employer hasn't approved. In a medical practice, that means tools accessing or processing patient information with no Business Associate Agreement, no security review, and no visibility from your IT team. That's shadow IT — and it's a HIPAA liability.
Third, AI output gets trusted without clinical verification.
AI clinical tools sound confident. They don't flag when they're uncertain. They produce clean, professional output whether the underlying information is accurate or not. A medication error buried in an AI-generated summary looks exactly like a correct one. In a healthcare setting, the consequences of unreviewed AI output go beyond business risk — they touch patient safety.
How to Supervise Your AI in a Medical Practice
The answer isn't to ban AI tools — that puts your practice at a disadvantage and doesn't reflect how clinical work is actually evolving. The answer is to govern AI the same way you'd govern any new staff member: with clear scope, supervision, and boundaries.
Know which tools are HIPAA-compliant before they touch PHI.
Not all AI tools have signed Business Associate Agreements or undergone security review. Before any AI tool processes patient data, verify it's HIPAA-compliant, review the BAA, and add it to your approved vendor list. This isn't bureaucracy — it's required under the HIPAA Security Rule.
Establish a clinical review step before AI output goes anywhere.
AI drafts. Clinicians verify. Nothing generated by an AI tool should enter a patient chart, go to a referring provider, or be shared with a payer without a qualified staff member reviewing it first. This is especially critical for clinical documentation, medication information, and diagnostic summaries.
Define what patient information staff can and cannot put into AI tools.
PHI — including patient names, dates of service, diagnoses, medications, and insurance information — should not be entered into consumer AI platforms. If your staff don't have a clear policy, they'll cross the line without realizing it. Make the boundary explicit.
Is Your Salt Lake City Practice Using AI Safely?
Maybe your practice already has approved AI tools, a BAA on file for each one, and a clinical review process before anything AI-generated enters a chart. If so, you're ahead of where most practices are.
But if your clinical and administrative staff are using AI the way many are — enthusiastically, independently, and without a framework — it's worth a conversation about what's actually happening behind those helpful little buttons in your EHR.
Qualit helps Salt Lake City medical practices build HIPAA-compliant AI governance frameworks — so your team can use these tools effectively without creating new compliance exposure.
Schedule a discovery call to talk about how AI is currently being used in your practice and where the HIPAA risks may be.
And if you know a practice owner who's handed their AI assistant access to patient data without a policy in place, send this their way. The practices that struggle with AI won't be the ones who used it — they'll be the ones who never decided how it should be used.
Frequently Asked Questions
Is using consumer AI tools with patient data a HIPAA violation?
Yes, in most cases. If a consumer AI platform hasn't signed a Business Associate Agreement with your practice and doesn't meet HIPAA's security requirements, entering PHI into that tool constitutes an unauthorized disclosure. Even if no harm results, it may be a reportable breach. Only AI tools with a signed BAA and documented security controls should process patient information.
What HIPAA risks does AI create for medical practices in Salt Lake City?
The primary risks are unauthorized PHI disclosure through unapproved AI tools, inaccurate clinical documentation from unreviewed AI output, and shadow IT — staff using AI platforms that IT has no visibility into. Each of these can trigger HIPAA investigations, breach notifications, and patient safety concerns.
Can Qualit help our medical practice create an AI policy that's HIPAA-compliant?
Yes. We work with Salt Lake City medical practices to identify which AI tools are currently in use, assess their HIPAA compliance, and build governance policies that give your staff clear guidance on what they can and can't use with patient data. We'll also help ensure any approved tools have proper BAAs in place.