Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 613: You Discovered Non-Compliant AI Use in Your Practice. Now What?
Liath Dalton
Before we dive into this conversation, I want to just acknowledge that I know that this is an anxiety-inducing topic and circumstance to be navigating.
Evan Dumas
Mhm, yeah.
Liath Dalton
So before we get into everything, the first thing to do in terms of now what is take a breath,
Evan Dumas
Mhm, yeah.
Liath Dalton
Because it is going to be okay. It is manageable. And we’re going to talk through all of that.
Evan Dumas
Mhm, exactly.
Liath Dalton
So just for a little bit of context, we previously have talked about what non-vetted AI platform use with client info looks like, and what its risks are, and why it needs to be something that is both stopped and prevented from occurring in future.
Evan Dumas
Mhm.
Liath Dalton
And right now we’re going to talk about what to do if it has already happened, because the reality is that this is occurring in many practices, and we know this firsthand, right, Evan,
Evan Dumas
Mhm.
Liath Dalton
from the number of questions we’ve received from practice leaders who’ve discovered it and are grappling with exactly that, the now what.
Evan Dumas
Yeah.
Liath Dalton
Is it a breach? Is it reportable? Do we have to tell clients all those pieces of things? So just want to both normalize that this is happening, that if you are navigating this, you are not alone, and really emphasize that this is not a panic moment. This is a response moment.
Evan Dumas
Exactly.
Liath Dalton
Right. And honestly, despite, sort of, misconceptions to the contrary, that’s exactly what HIPAA, in practice, as a process, is about.
Evan Dumas
Mhm, yeah.
Liath Dalton
It’s about appropriate responses that center safeguarding client information.
Evan Dumas
Yeah.
Liath Dalton
So that’s what we’re going to do, that’s the purpose of this.
Evan Dumas
Mhm.
Liath Dalton
All right, so to set the scene, use of a personal AI platform where no Business Associate Agreement is in place, plus client info, is an impermissible disclosure, to use the HIPAA jargon.
Evan Dumas
Mhm.
Liath Dalton
And the key points here that a lot of misconceptions or this issue arising in the first place come from, are that, if names have not been used in what is input into personal AI, and it’s just some of the narrative related to the actual session that took place, that progress note is being generated or refined for, that it’s not PHI.
Evan Dumas
Yeah.
Liath Dalton
It absolutely is PHI.
Evan Dumas
Yeah, yeah.
Liath Dalton
So yesterday, in fact, we had a Group Practice Office Hour session that was our monthly session, co-facilitated by HIPAA attorney and clinician Eric Strom. And Eric had a great and very helpful response when we were discussing a scenario which was exactly this discovery of a clinician utilizing chatGPT to help with progress notes and not including names.
Evan Dumas
Yeah.
Liath Dalton
What did Eric say, Evan?
Evan Dumas
He said, forget anything you’ve heard about names being what makes something PHI, that’s a huge red herring. And there’s no possible way that information used to write a progress note is anything other than PHI. That is the very definition of PHI.
Liath Dalton
Right. So there is no possible way to say that this use, that data, isn’t PHI, which means it’s in HIPAA’s scope, right?
Evan Dumas
Yeah, definitely.
Liath Dalton
HIPAA applies if it’s PHI.
Evan Dumas
Yep.
Liath Dalton
Now the next question is, okay, is that a breach, then?
Evan Dumas
Uh huh.
Liath Dalton
So what’s the definition of a breach? The definition of a breach is an unauthorized or impermissible use or disclosure of Protected Health Information. So we’ve established that it is Protected Health Information.
Evan Dumas
Yep.
Liath Dalton
And then if that Protected Health Information is disclosed by being input into a third party system, chatGPT in this example, where there is no Business Associate Agreement.
Evan Dumas
Nope.
Liath Dalton
That means it is not a permissible disclosure.
Evan Dumas
Nope.
Liath Dalton
And it was not authorized. So that does indeed meet the very definition of a HIPAA breach.
Evan Dumas
Yep, cut and dry.
Liath Dalton
In fact, in Eric’s words, yes, it is 100% a breach. No question, right?
Evan Dumas
Yep.
Liath Dalton
But before that generates too much panic and distress, want to provide some reassurance as well.
Evan Dumas
Yeah.
Liath Dalton
Because having a breach and reporting a breach does not mean penalties or punitive consequences.
Evan Dumas
No, not at all.
Liath Dalton
Right, that is the whole reason that there is a breach notification and reporting standard, because HIPAA presumes that there will be unauthorized and impermissible uses and disclosures of PHI,
Evan Dumas
Yeah.
Evan Dumas
Mhm, totally.
Liath Dalton
And they say when that happens, here’s the standard for how to address that.
Liath Dalton
And now, something that has come up a lot as well is that, in this context of breach reporting, trying to evaluate whether or not it really is going to be consequential and cause harm to the clients whose information was disclosed impermissibly, right?
Liath Dalton
Mhm.
Liath Dalton
And the reality is that there is very likely to be a low practical risk.
Evan Dumas
Yes.
Liath Dalton
And we’re immensely grateful for that.
Evan Dumas
Oh, definitely.
Liath Dalton
But, it is still a reportable breach.
Evan Dumas
Oh, of course, yeah.
Liath Dalton
Right? So basically, low risk of causing harm in practice to clients doesn’t resolve this as a breach. Because breaches are reportable unless you can prove that there is a defensible reason to believe that there is a very low probability of compromise of that information.
Evan Dumas
Mhm.
Liath Dalton
And to demonstrate that, you have to show that there is not access, use, retention, or further possible disclosures that could arise, right?
Evan Dumas
Mhm.
Liath Dalton
That’s the bar, in terms of the burden of proof. The reality in the AI context, when we’re talking about personal AI platforms, is that you cannot verify any of those pieces. You can’t retrieve the information from their servers
Evan Dumas
No, no.
Liath Dalton
and confirm deletion or confirm that it hasn’t spread out elsewhere. So you aren’t able to get the information needed to meet that burden. You can delete the prompts that were entered from the team members, you know, personal account where they input that information, but that doesn’t remove it from the AI servers. It doesn’t meet that burden.
Evan Dumas
Nope.
Liath Dalton
We still need to do that, but it doesn’t take it out of the realm of being something that is a reportable breach.
Evan Dumas
Yeah, you’re just tidying up the best you can.
Liath Dalton
Right.
Liath Dalton
And this is where, in yesterday’s conversation, Eric made a statement that I think is really helpful and reassuring. Which is that, counterintuitively, making the breach report demonstrates your compliance.
Evan Dumas
Mhm, yeah, yeah.
Liath Dalton
Because a lot of the questions we’ve been getting around this have been: Okay, this has been happening. I’ve stopped it, and so it’s not going to continue happening. But does it really rise to the level of what is a breach report, or where a breach report is required, to the HIPAA regulators and notification to clients? The reality is that it does, but that is not anywhere near as scary or impactful as you might be fearing it to be, right?
Liath Dalton
So I want to back that statement up as well. Because there are hundreds of thousands of breaches that have been reported to the Office of Civil Rights, who are the HIPAA regulators. And only a tiny fraction result in any enforcement actions or penalties. So emphasizing that again: the vast majority of breach reports do not result in penalties. What the HIPAA regulators are looking for is whether you handle breaches appropriately or not. And what typically is going to get a HIPAA covered entity into trouble isn’t that a breach occurred, or isn’t alone that a breach occurred, it’s actually failing to respond appropriately once it’s identified, or there being a long-standing pattern of the same sorts of breaches occurring and no active compliance process to prevent that breach from occurring again in future. So no effective mitigation, right?
Liath Dalton
So this is exactly why making the breach report demonstrates your compliance. It’s showing that you are doing what the regulation actually requires.
Evan Dumas
Exactly. It’s like not learning your lessons is the bad one.
Liath Dalton
Right.
Liath Dalton
Okay, so let’s talk a little bit about reporting basics.
Evan Dumas
Mhm.
Liath Dalton
Because there are some important pieces around that, in terms of small breach versus large breach, and how those are defined, and then what the timeframes are.
Evan Dumas
Mhm.
Liath Dalton
So a large breach is 500 or more individuals are impacted. A small breach is fewer than 500 individuals impacted. So the reality is that for most practices, unsanctioned AI platform use with client info occurring is very likely to be a small breach.
Evan Dumas
Yeah.
Liath Dalton
Which is great, because that gives us a different timeframe for breach reporting to the HIPAA regulators. And it also emphasizes how you can envision in a group practice context, where, if you don’t get this under control sooner than later, it could balloon into something that becomes a large breach.
Evan Dumas
Yeah.
Liath Dalton
And we do not want that to happen.
Evan Dumas
No.
Liath Dalton
So when it comes to breach reporting to the Office of Civil Rights, the HIPAA Regulators, small breaches are reported annually within 60 days after the calendar year in which the breach was discovered ends. Which is very clunky to think about, right?
Evan Dumas
Yeah, yeah. It is a little weird.
Liath Dalton
So another way to put that is if you discover a breach, basically if you discover un-HIPAA-compliant AI use with client info, now in April of 2026, your breach reporting timeframe to the Office of Civil Rights would be by March 1, 2027.
Evan Dumas
Exactly.
Liath Dalton
Right. Okay. Now, if it’s a large breach, though, it is reportable within 60 days after discovery, or within 60 days of discovery.
Evan Dumas
Yeah, yeah.
Liath Dalton
Right? There is also another crucial distinction for client notification.
Evan Dumas
Yeah, that’s state based, yep.
Liath Dalton
Right. Well, there’s a state based layer on top of
Evan Dumas
Oh, definitely, yeah.
Liath Dalton
the HIPAA requirements. So for client notification, you must notify them without unreasonable delay, and no later than 60 days from discovery. And that’s whether or not it’s a small breach or a large breach. That 60 days, no more than 60 days from date of discovery to notify clients, is applicable for both large and small breaches.
Evan Dumas
Mhm.
Liath Dalton
So even though, if it’s a small breach, you have until the end of March, or beginning of March in 2027, to file your breach report with the HIPAA regulators, you got to notify clients sooner, right?
Evan Dumas
Yep.
Liath Dalton
And then the added layer of state law when it comes to breach reporting is that many states require a shorter timeline, and some have additional reporting required. For example, if you’re in Washington and have a large breach, so again, 500 or more individuals impacted, you have to do all the regular breach reporting stuff and notify the state attorney general, right?
Evan Dumas
Yeah.
Liath Dalton
So you need to know what your state law breach reporting timeframes are and any particular requirements. Like, is a verbal notification that’s then documented in the client record sufficient? Or does your state law require that it be in writing as well?
Evan Dumas
Mhm.
Liath Dalton
Something you want to check. Because you, under HIPAA, don’t have to be doing breach notification to impacted clients in writing. You can do it verbally, and that’s something we’re going to talk about in a minute.
Liath Dalton
So going back to the why, we want to ensure that if this is occurring, and again, just to reiterate something we’ve said in our prior episodes around this, if you haven’t explicitly addressed this, odds are it is occurring. We’re just seeing that across the board. And it’s occurring not with any malice or intent, and even in instances where practice leadership has said, don’t use Protected Health Info with AI.
Liath Dalton
If clinicians don’t have a fully fleshed out and accurate understanding and definition of what constitutes PHI, they can still be then putting PHI into AI platforms, thinking that’s all HIPAA copacetic, and that they’re not doing anything that violates what you’ve told them not to do, when in reality, they are, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
But part of why we want to keep it as a small breach rather than a large breach is not just to minimize the impact to your practice, but because it gives you a longer time frame for breach reporting to the HIPAA regulators. And that means that if you haven’t got a robust HIPAA compliance program operational within your practice, you have time to address the highest priority items within that process, right?
Evan Dumas
Mhm.
Liath Dalton
So if you haven’t conducted a formal risk analysis or have not done formal training with your team, you can do those things before you file the breach report. Because part of what the breach report asks is what HIPAA standards you’re in compliance with, what things you have done. Do you have a risk analysis? Do you have policies and procedures, that sort of thing? So the longer timeframe for breach reporting when it comes to a small breach gives more opportunity to get those HIPAA ducks in a row.
Evan Dumas
Mhm.
Liath Dalton
Right? And I’ll put in the show notes a link to the breach reporting questions, so you have an actual visual of what I’m talking about in terms of what they’re asking for and why it’s still not a like, oh, it’s too late, that ship has sailed, in terms of your compliance process. Why it really is, then, an opportunity to get any ducks that are not in a row, in a row.
Liath Dalton
So just kind of going back to what to do now that you’ve discovered that unpermitted, non-compliant AI use has been happening. If you haven’t already done so, stop its use. And then we need to go through an investigation process: Who used AI in the practice, what specific platform, what data was input, how often, which clients? And I want to really emphasize this point too, that this, in a group practice context is not something to consider a one person issue until proven otherwise.
Evan Dumas
Yeah.
Liath Dalton
This is the time to survey all team members. And we don’t want to, like, not find out, right? We need to find out exactly what has been happening, so that it can be contained and so that it can be reported appropriately, and then it becomes really kind of as much of a non-issue as possible.
Liath Dalton
So following that investigation of who used it, what tools, what data, how often, which clients, you then need to document that process. So what the findings are, what decisions you have made.
Liath Dalton
In terms of mitigation you want to be having folks delete the prompts, of course, with the realistic expectation that that doesn’t mean that no further disclosure could, technically speaking, happen. It doesn’t make it no longer a breach, but it’s still important. And then additional mitigation measures are policies and training and safeguards.
Liath Dalton
And we’ll do another episode talking more specifically about policies, training and safeguards. But this is the, in the, like, immediate aftermath and in terms of breach investigation and reporting and notification, what do you do?
Evan Dumas
Mhm, yeah.
Liath Dalton
This is where I think the conversation that we had with Eric in yesterday’s office hour session was so helpful around how to actually notify clients, right? Because this is a delicate,
Evan Dumas
Yeah.
Liath Dalton
delicate thing. How did Eric guide folks to provide client notification? He said one thing was, you may not want to tell the client, and you still have to. But he was also saying to have the clinician do it in conversation, in session.
Evan Dumas
Mmm.
Liath Dalton
So that they can describe, in non-alarmist terms, what happened, and it was like, Hey, I was using chatGPT to help with my progress notes for our sessions, and I didn’t put your name in, but I did put other content that’s in your progress note into it from our session, and that, even without your name or other identifiers, is still Protected Health Information.
Evan Dumas
Yeah.
Liath Dalton
So without a BAA, a HIPAA Business Associate Agreement, with chatGPT, that means it’s not HIPAA compliant. So, I’m not going to do it again. I am sorry. I need to tell you, and want to address any concerns you may have.
Evan Dumas
Yeah, and that’s so nice to have it in a conversation, because if there’s any damage, you can do your repair right there and inform everybody that we’re, you know, still learning best practices.
Liath Dalton
Mhm. And one thing that Eric said as well was we do need to prepare for the fact that while very likely, the vast majority of clients are going to respond with, Oh, okay. Some may not, right?
Evan Dumas
Yeah.
Liath Dalton
Some may feel that it is a real rupture.
Evan Dumas
Yeah.
Liath Dalton
And may not feel that the rupture is repairable.
Evan Dumas
Yeah, that’s their right.
Liath Dalton
Absolutely. Does that mean that we can not tell them?
Evan Dumas
Oh, no, that means you should tell them even more so. Yeah.
Liath Dalton
Right, right. So you know, it’s important to be able to have a conversation, to try to have that opportunity for repair, but also to really have transparency about what happened and why, and that’s going to be much better facilitated through direct conversation than just sending a breach notification letter, right? And because we also in conversation can provide more reassurance around the practice being stopped, not going to continue, be specific to the client about what was or wasn’t input into AI, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
So this is going to be an area where coaching the clinician who needs to make these notifications, or clinicians, is going to be a really important piece for your leadership team. Because I don’t think it’s going to be a helpful circumstance for the practice, the clients, or clinicians who have to make these notifications, if the directive they receive is just you have to tell clients. We really want to talk through with them what to tell clients, and how to frame it, and how to respond, and also probably hold some space for the discomfort they’re going to feel around needing to make these notifications and what clients’ responses may be.
Evan Dumas
Mhm.
Liath Dalton
You know, we hope for the best, but also need to be prepared that there might be some really activated responses.
Evan Dumas
Oh, definitely.
Liath Dalton
And that is fair and reasonable and within clients’ rights, honestly.
Evan Dumas
Definitely.
Liath Dalton
So that then leads us to, because timeframe-wise, telling clients before filing the breach report with the HIPAA regulators is always going to come first.
Evan Dumas
Yeah.
Liath Dalton
And then if we’re doing the notifications in session or in direct conversation, rather than just providing a letter, like I’m sure all of us have gotten HIPAA breach notification letters at this point, often multiples, right?
Evan Dumas
Yeah.
Liath Dalton
We don’t want to be doing that, but we still need documentation. So the recommendation for how to document it is to include both in the client record, and then also keep a log of it, separate from the client’s record. Because in the event that you were needing to provide proof of having done client notification or impacted individual notification, you don’t want to be in a situation where the only documentation exists in the client record, and you’re having to release client records to prove that. So, also want to be keeping a separate log of who was notified, in what format, and the date, and just keep that in your HIPAA compliance activity records.
Evan Dumas
Mhm.
Liath Dalton
And then follow whatever timeframe is necessary for state reporting. And last but not least, we need to talk about when to consult an attorney.
Evan Dumas
Oh, yeah, very good.
Liath Dalton
Right?
Liath Dalton
So consulting an attorney is not going to be for the purpose of being able to get an attorney to tell you it’s not reportable.
Evan Dumas
No.
Liath Dalton
And this was something Eric was so emphatic about in the discussion yesterday: well, there’s no way to argue it’s not PHI, or that it wasn’t an unauthorized disclosure. So you can’t argue it’s not a breach. If an attorney tells you it’s not a reportable breach, they are not competent, basically.
Liath Dalton
However, consulting with an attorney about any of the state reporting pieces or seeing if there’s anything you’re missing in your reporting consideration is absolutely reasonable. So consulting with an attorney isn’t about avoiding obligation or trying to get kind of a legal loophole to keep you from needing to file a breach report. It’s about verifying your analysis and getting support around any of the details, right?
Evan Dumas
Mhm.
Liath Dalton
And again, wanting to recenter things around that statement of counterintuitively, filing the breach report is what is documenting your compliance.
Evan Dumas
Mhm, yeah. Yeah.
Liath Dalton
Which I think is so important to continue to keep in mind through all of this, because I know it’s distressing and concerning. But going back to Eric’s guidance of, or emphatic statement, rather, that if you choose not to report, you’re intentionally violating HIPAA.
Evan Dumas
Yeah.
Liath Dalton
Right?
Liath Dalton
So then it becomes a willful violation of HIPAA requirements, versus a much more benign instance of there being an impermissible disclosure that happened, you identify it, you stop it, prevent it from occurring in future, and then respond appropriately, right?
Evan Dumas
Mhm, yeah. You own up to it.
Liath Dalton
And beyond the HIPAA compliance requirements, that’s just part of establishing and maintaining an effective therapeutic alliance, which relies on transparency and accountability.
Evan Dumas
Yeah, being responsible.
Liath Dalton
Yes. So please do check out the show notes for guidance on the reporting process, as well as resources, including an on demand CE course on breach investigation, reporting and notification.
Liath Dalton
I am sure, as all of our listeners understand by this point, this conversation could be an entire course in and of itself. So we’re not going to try and cram all of those details in, to overwhelm you.
Evan Dumas
No.
Liath Dalton
If you have a takeaway from this episode, I really want it to be both the norming that this is occurring, and that it’s important to respond appropriately to, and that that is not as scary as it seems.
Evan Dumas
Not at all.
Liath Dalton
It is just part of the process.
Evan Dumas
Mhm.
Liath Dalton
Well, thanks for joining us. We hope you have found it helpful, and please do check out the curated resources and additional support for you that are in the show notes.
Evan Dumas
Yeah.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
In our latest episode, we share concrete steps to take if you’ve discovered staff members using non-approved AI platforms in your practice.
We discuss:
- The misconceptions around what constitutes PHI (and why information used to write a progress note absolutely is PHI)
- Why this is a reportable HIPAA breach
- Why reporting a HIPAA breach is nowhere near as scary or impactful as you may fear
- The difference between a large breach and a small breach, and reporting deadlines for each
- Client notification deadlines for breaches
- How state law can impact or add to reporting deadlines
- Steps to take after discovering non-compliant AI use in your practice
- What to investigate, how to document, how to mitigate, how to notify clients, and when to consult an attorney
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- PCT CE Course (on-demand): If you’re navigating exactly what we’re talking about in this episode, our on-demand CE training, HIPAA Security Incidents & Breaches: Investigation, Documentation, and Reporting, provides a clear, structured walkthrough of what to do when something goes wrong. It covers how to determine whether an incident is a breach, how to investigate and document appropriately, and how to handle client notification and reporting requirements—along with strategies to reduce risk going forward. This is a practical, real-world roadmap designed specifically for mental health practices, so you’re not left guessing about next steps when a breach situation arises.
- Breach Report Questions: If you want to understand what breach reporting actually looks like in practice, this resource walks you through the exact information required when submitting a report to the Office for Civil Rights (OCR). It outlines the specific details you’ll need to gather — such as the type and scope of the breach, the number of individuals affected, what kind of PHI was involved, and what actions you’ve taken in response — so you can approach reporting with clarity and confidence rather than guesswork. Reviewing these questions ahead of time can also help guide your investigation and documentation process, ensuring you’re collecting the right information from the start.
- Live (and recorded) PCT CE Course: Beyond Hype and Anxiety: A Practical Framework for Ethical AI Use in Clinical Practice is a 4-hour legal-ethical CE training co-presented by Dr. Maelisa McCaffrey and Liath Dalton, designed to help clinicians move beyond fear and guesswork into confident, responsible AI use. The course provides a structured, real-world framework for integrating AI into clinical workflows while upholding HIPAA requirements, ethical standards, and clinical standards of care. Participants will learn how to evaluate AI tools, understand what constitutes PHI (and the limits of de-identification), implement appropriate policies and safeguards, and maintain documentation quality and clinical integrity. With practical tools, decision-making frameworks, and implementation strategies, this training supports clinicians in making informed, defensible decisions about AI use in practice.
- Live Webinar Presentation on May 8th, 2026
- Registration for live training includes receiving ownership of and perpetual access to the on-demand self-study CE training produced from recording of live presentation. Get both the content *and* the CE, even if you can’t join live.
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a mitigation checklist to help you reduce your risks.
- If you’re navigating filing a breach report and you haven’t completed a documented “thorough and accurate” HIPAA Security Risk Analysis that meets the foundational Security Rule requirements, this is something you want/need to do so it can be reflected in your breach report to the OCR (HIPAA regulators)
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
- For Group Practices
- For Solo Practitioners
- Comprehensive HIPAA Security Policies & Procedures
- Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
- Device & Workspace Security Suites
- Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
- Includes the Risk Analysis & Risk Mitigation Planning service + tool
- HIPAA Security & Privacy Ethics training
- Article + 18 Identifier List: De-Identified or Not? The Truth About HIPAA, AI, and Client Data
- In this article, Person Centered Tech breaks down one of the most misunderstood concepts in HIPAA compliance: de-identification. It clarifies the difference between simply “removing identifiers” and meeting HIPAA’s strict legal standards for de-identification (Safe Harbor or Expert Determination). The piece explains why narrative clinical information is often inherently identifying, why a session transcript cannot realistically be considered de-identified, and how AI systems introduce heightened risks of re-identification. It reinforces a critical takeaway for practice leaders: HIPAA sets the floor — not the ceiling — for protecting client information, and governance must keep pace with emerging technologies.
- PCT CE Course: Law & Ethics of the Clinical Use of Artificial Intelligence: Implications in Clinical Practice
- If you’re wanting a deeper, structured framework for evaluating AI in clinical practice, this 3-credit legal-ethical on-demand training with Eric Ström, JD, PhD, LMHC, walks through the evolving legal standards, HIPAA considerations, and ethics code guidance that apply to AI use in behavioral health. You’ll gain practical strategies for assessing new technologies, understanding emerging standards of care, and implementing AI tools in a way that is legally defensible and ethically sound.
- Podcast: Episode 608: AI Isn’t the Problem, Lack of Governance Is – A PSA for Group Practice Leadership
- Podcast: Episode 611: The Real Risks of Using Non-Vetted AI Platforms with Client Information
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- Device Security Suite: assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- Remote Workspace Security Suite: assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
Additional Resources:
- Mintz-Matrix: The Mintz Matrix is a comprehensive, regularly updated overview of U.S. state data breach notification laws, providing a state-by-state breakdown of requirements such as definitions of personal information, what constitutes a breach, and timelines for notification. This is especially relevant in the context of this episode because HIPAA is only part of the picture—state laws often impose additional requirements, including shorter notification timeframes and broader definitions of protected information. Reviewing the Mintz Matrix can help you understand your specific state obligations and ensure that your response to a breach is not only HIPAA-compliant, but also aligned with applicable state laws.
- The HHS Office for Civil Rights (OCR) Breach Portal provides essential guidance on what constitutes a reportable breach and what happens after a report is submitted. It explains that a breach involves the unauthorized acquisition, access, use, or disclosure of protected health information that compromises its security or privacy, and outlines how OCR reviews, investigates, and resolves reported incidents. This is particularly relevant to this episode because it helps demystify what occurs after you file a breach report—reinforcing that reporting does not automatically trigger penalties, but instead initiates a review process that may include technical assistance, investigation, or closure without further action. Understanding this process can reduce fear and support more confident, compliant decision-making when responding to a breach.