AI in your practice
without the HIPAA landmine.
Most AI vendors won't sign a BAA. Most BAAs are wrong. We make AI tools work in your practice while keeping you out of OCR's crosshairs, from assessment through implementation to ongoing governance.
Three ways to engage
AI Readiness Assessment
$2,500 – $5,000
We map your current AI tools, vendor BAAs, PHI data flows, and endpoint controls. You get a written risk register and a prioritized remediation roadmap: the defensible plan that turns "we should look into this" into a documented compliance posture.
HIPAA-Compliant Implementation
$7,500 – $25,000
Turnkey rollout of AI scribes, EHR copilots, intake automation, or RCM tools, with BAA execution, Zero Data Retention configuration, secure logging, and staff training included. Done end-to-end, with documentation your compliance officer can sign off on.
Managed AI Compliance
$1,500 – $5,000/mo
Ongoing BAA tracking and renewals, quarterly vendor audits, policy updates on regulatory changes, workforce training, and AI acceptable-use enforcement. The AI landscape changes monthly. So does your compliance posture if no one is watching.
What goes wrong, and the safer path
These aren't hypotheticals. They're the situations we get called in to remediate. Each one represents a real OCR exposure.
Scenario: A provider copies patient visit notes into ChatGPT Plus to generate a discharge summary.
Risk: OpenAI does not sign a BAA for consumer ChatGPT (Free or Plus). Pasting PHI into it is an impermissible disclosure to a vendor with no BAA and no contractual limits on retention or use. Under the Breach Notification Rule, an impermissible disclosure of unsecured PHI is presumed a breach unless a documented risk assessment shows a low probability of compromise. That is what puts you in front of an OCR investigator.
Safer path: OpenAI will sign a BAA for ChatGPT Enterprise and for API usage under Zero Data Retention. Same model, compliant contract and configuration. We handle both.
Scenario: A practice deploys an ambient AI scribe tool after seeing a vendor demo. No one reviewed the BAA.
Risk: Many AI scribe vendors offer BAAs that stop at the vendor itself and exclude the subprocessors that actually touch the audio and transcript (cloud storage, the LLM API, the transcription engine). A BAA that doesn't cover the actual data path is a BAA in name only.
Safer path: BAA review before any PHI flows. We audit the vendor's subprocessor list, data retention terms, and encryption posture, not just whether a signature page exists.
Scenario: Billing staff use a consumer AI tool to draft insurance appeal letters, including patient diagnosis codes.
Risk: A diagnosis code tied to a patient identifier is PHI; the letter doesn't have to say "medical record" to be covered. Consumer AI tools used without oversight are an ongoing unauthorized disclosure that compounds with every use.
Safer path: DNS-layer blocking of consumer AI tools on practice networks, combined with a compliant alternative and a written AI acceptable-use policy. DNS blocking is a hostname control: it cannot separate a consumer product from an enterprise product served from the same domain, and it does not reach a phone on cellular data, so it is paired with identity-aware controls where needed and with training that explains why, not just what.
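The following is an added example, not code from Techcuro or from any vendor: it shows what the DNS-layer block above looks like as a BIND/Unbound Response Policy Zone (RPZ), plus the suffix-matching rule that decides whether a given lookup is caught. The domain list is a constructed assumption for illustration; confirm each vendor's current hostnames before deploying. Note that blocking `chat.openai.com` does not touch `api.openai.com`, so an API integration under a BAA and Zero Data Retention keeps working, and that a vendor serving consumer and enterprise users from one hostname cannot be separated at the DNS layer at all.

```python
"""Added example (not part of the Techcuro page): build an RPZ zone that
returns NXDOMAIN for consumer AI hostnames, and a matcher that answers
"would this lookup be blocked?" using the same subdomain semantics RPZ uses.

Assumptions: the hostnames below are constructed for illustration and
must be verified against each vendor's current documentation. Vendors
that serve consumer and enterprise products from one hostname cannot be
separated by DNS; those need tenant restrictions or SSO-enforced access.
"""

# Constructed blocklist (assumption): consumer endpoints with no BAA.
CONSUMER_AI_DOMAINS = [
    "chat.openai.com",
    "gemini.google.com",
    "perplexity.ai",
]


def normalize(hostname: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Perplexity.AI.' matches."""
    return hostname.strip().lower().rstrip(".")


def is_blocked(hostname: str, blocklist=CONSUMER_AI_DOMAINS) -> bool:
    """True if hostname is a listed domain or any subdomain of one.

    Matching is on whole DNS labels: 'notperplexity.ai' is NOT blocked,
    and 'api.openai.com' is NOT blocked by an entry for 'chat.openai.com'.
    """
    host = normalize(hostname)
    for blocked in blocklist:
        b = normalize(blocked)
        if host == b or host.endswith("." + b):
            return True
    return False


def rpz_zone(blocklist=CONSUMER_AI_DOMAINS, serial: int = 1) -> str:
    """Emit an RPZ zone file body.

    In RPZ, a 'CNAME .' target is the action for NXDOMAIN. Owner names are
    written relative to the zone origin (set by the zone name in named.conf
    or unbound.conf), so they carry no trailing dot. The wildcard record
    covers every name below the listed domain.
    """
    lines = [
        "$TTL 60",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 600 86400 60)",
        "  IN NS localhost.",
    ]
    for blocked in blocklist:
        b = normalize(blocked)
        lines.append(f"{b} CNAME .")
        lines.append(f"*.{b} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone())
    for name in ["chat.openai.com", "api.openai.com",
                 "www.perplexity.ai", "notperplexity.ai"]:
        print(f"{name:20} blocked={is_blocked(name)}")
```

Load the generated zone as a response-policy zone on the practice resolver and point DHCP at that resolver; clients that set their own DNS or use DNS-over-HTTPS bypass it, which is why the control is paired with endpoint policy rather than relied on alone.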
The vendors that will (and won't) sign a BAA
The single most-asked question we get. The honest, current answer:
| Vendor | BAA? | Plan required | Covers |
|---|---|---|---|
| OpenAI (ChatGPT Enterprise / API ZDR) | Yes | Enterprise, Edu, or API w/ Zero Data Retention | API requests + Enterprise chat |
| Anthropic Claude (via AWS Bedrock) | Yes | AWS Bedrock + signed AWS BAA | API only |
| Google Workspace + Gemini | Yes | Workspace Business+ with BAA | Gmail, Drive, Docs, Gemini in Workspace |
| Microsoft 365 Copilot | Yes | M365 E3/E5 + signed Microsoft BAA | Copilot in M365 apps |
| ChatGPT (free / Plus consumer) | No | — | Do not use with PHI |
| Google Gemini (consumer) | No | — | Do not use with PHI |
| Notion AI | Limited | Enterprise plan + BAA | Workspace-scoped only |
| Perplexity | No | — | Do not use with PHI |
Verified as of May 2026. Re-verified quarterly. A BAA on paper is not a BAA in practice. We audit configuration too.
HIPAA AI Risk Self-Assessment
A printable checklist mapping 45 CFR Part 164 (the Privacy, Security, and Breach Notification Rules) to the most common AI use cases in small practices. Identify your top exposures in under 30 minutes.
Built from real OCR settlements and the BAAs we've actually negotiated. No fluff, no "AI revolution" language.
The gap nobody was filling
Big consultancies won't take a 6-provider practice. Solo IT contractors don't know HIPAA. Healthcare-specific MSPs don't know AI. Vendors will tell you anything to close the sale.
Techcuro is the brand we built to fill that gap: a service-disabled veteran-owned operation, HIPAA-specialized, that actually understands the AI stack you're being sold. Same compliance discipline that protects your endpoints today, applied to the AI tools your staff are about to start using whether you're ready or not.