AI is moving fast.
Increasingly, practice leaders are discovering that clinicians on their team have been using tools like ChatGPT to help write progress notes. In every case, the clinician thought they were being careful. They removed names, and they assumed that removing names took the information out of HIPAA’s scope.
It doesn’t.
This is not a hypothetical risk. This is something we’re actively helping practices navigate right now.
The misunderstanding at the center of this
The assumption we keep running into is:
“If I take out names, it’s not PHI.”
But PHI isn’t just names, dates of birth, or insurance information.
It’s the substance of the work itself: clinical narrative, life context, relational patterns, what was said, what was explored, what was identified.
The same information that makes documentation clinically meaningful is what makes it identifiable.
A simple way to ground this:
If a client would recognize themselves, it’s identifiable.
If the clinician would recognize who it’s about, it’s still identifiable.
That’s the standard that matters in practice, not whether a name is present.
So what is this, actually?
In a recent PCT Group Practice Office Hours session, therapist attorney Eric Ström, JD PhD LMHC, put it very plainly:
“100% a breach. No question.”
If client-related information is entered into a personal AI tool like ChatGPT, outside of a vetted system, and without a HIPAA Business Associate Agreement in place, that is an impermissible disclosure of PHI.
And under HIPAA, an impermissible disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
This isn’t a gray area. It just doesn’t always feel that way because the intent behind it isn’t harmful.
Where AI changes the equation
Even if we set aside the PHI misunderstanding, there’s another issue that matters just as much: control.
Once information is entered into a personal AI tool:
- You don’t control how it’s stored
- You don’t control how long it’s retained
- You can’t verify whether it’s been accessed or reused
- You can’t meaningfully audit what’s happened to it
As Eric said:
“We don’t know, and we have no way to know.”
That becomes critical when you get to the question of whether this needs to be reported.
Avoiding breach reporting requires demonstrating a low probability that the PHI was compromised. HIPAA’s risk assessment looks at the nature and extent of the information, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated, and each of those points needs evidence. When the information went into a personal AI tool you cannot inspect or audit, you simply don’t have it.
The moment where most people hesitate
This is the point where things tend to stall:
“If I report this, am I getting myself in trouble?”
It’s a completely understandable reaction, and it’s based on a misunderstanding of how enforcement actually works.
The framing Eric offered here is the one to hold onto:
“Counterintuitively, making the breach report demonstrates your compliance.”
OCR receives tens of thousands of breach reports every year. Only a very small fraction result in enforcement action.
What regulators are looking for isn’t whether a breach occurred. It’s how you handled it once you knew.
- Did you identify the issue?
- Did you investigate it?
- Did you document your process?
- Did you take corrective action?
- Did you follow the applicable standards, including the HIPAA Breach Notification Rule?
That’s what demonstrates compliance.
If this has already happened, start here
What matters here is not reacting quickly. It is responding correctly.
Start by containing the issue. Make sure the use of non-vetted AI tools with client information stops immediately.
Then step back and understand what actually occurred. That usually means looking beyond the first instance:
- Who used AI tools?
- Which tools?
- What type of information was entered?
- How often did this happen?
- Which clients could be affected?
It’s very common to find that what initially looks isolated isn’t.
Document your process as you go: not just what you conclude, but how you got there.
Then move into mitigation:
- Ensure the tool is no longer used
- Update policies
- Provide targeted training
- Put clearer safeguards in place
Client notification (and why this matters)
Clients need to be notified without unreasonable delay, and no later than 60 days from discovery.
This is often the hardest part.
As Eric put it:
“You may not want to tell the client, and you still have to.”
That doesn’t mean it has to be alarmist or damaging. Done well, it’s a straightforward, grounded conversation that gives the client accurate information and space to respond.
This aspect of it is as much about ethical practice as it is about legal requirement. In our recent Group Practice Office Hours session (available to Group Practice Care Premium subscribers), Eric talked through how to both have that conversation and how to document it.
Reporting & notification timelines (briefly, because this matters)
For most practices, this will fall into the “small breach” category (fewer than 500 impacted individuals).
That typically means:
- Client notification happens without unreasonable delay, and no later than 60 calendar days from the date of discovery
- OCR reporting happens annually, through the HHS breach portal, no later than 60 days after the end of the calendar year in which the breach was discovered
And importantly, state laws often require faster timelines and/or additional reporting. Once again, HIPAA is the floor, not the ceiling. Check your state-specific rules and timeframes using the Mintz Matrix.
This is also why it’s important to address this now rather than avoiding it. Early action helps prevent escalation into a “large breach” (500 or more impacted individuals), which carries significantly more intensive requirements: HHS must be notified within 60 days of discovery rather than annually, prominent media outlets must be notified when more than 500 residents of a single state or jurisdiction are affected, and the time demands and reputational impact grow accordingly.
The part that’s easy to avoid, but shouldn’t be
It’s worth saying directly: you might be able to get away with not reporting.
But if it’s later discovered that you knowingly chose not to, the situation changes significantly.
That’s where risk increases. That’s where enforcement becomes more likely.
Not reporting isn’t a compliance strategy. It is a decision to take on additional risk exposure.
Why this is happening (and what it actually points to)
In every situation we’ve seen, the clinician wasn’t intentionally violating HIPAA.
They were:
- Trying to be efficient
- Trying to reduce documentation burden
- Using a tool that seemed helpful
And they didn’t have a correct understanding of what constitutes Protected Health Information (PHI) in practice.
That combination of pressure plus incomplete information is what creates the issue.
Which means the solution isn’t just prohibition and enforcement. It’s clarity, structure, and support.
What needs to be in place going forward
At a minimum:
- A clear prohibition on using non-vetted AI tools with client information
- A shared, accurate understanding of what constitutes PHI
- Training that reflects real-world scenarios, not just theory
From there:
- A process for vetting tools, including confirming that a HIPAA Business Associate Agreement is in place before any client information goes in
- Policies and procedures
- Ongoing governance
AI isn’t going away. But unmanaged and non-compliant use of it is something you can address.
If you’re realizing you need a clearer framework
If you’re reading this and thinking:
- “We haven’t actually addressed this yet”
- “We don’t have a clear policy”
- “I’m not confident in how to evaluate AI tools”
You’re not alone.
That’s exactly why we created:
Beyond Hype and Anxiety: A Practical Framework for Ethical AI Use in Clinical Practice
This training is designed to move past both fear and overconfidence into something more useful: a clear, practical framework for decision-making.
We’ll cover:
- What actually constitutes PHI in AI contexts
- Why de-identification often fails in practice
- How to evaluate AI tools
- What HIPAA requires
- How to implement AI use in a way that’s defensible and sustainable
This is built for what practices are navigating right now.
Live and On-Demand
A final grounding reminder
Compliance isn’t about perfection. And it isn’t just about preventing breaches.
Compliance is also about how you respond when something goes wrong.
Because breaches will occur. That is precisely why there is a Breach Notification Rule in the HIPAA regulations.
When you identify the issue, respond appropriately, and strengthen your systems, you’re not failing compliance. You’re doing it.