The HIPAA-Compliant AI Playbook for Small Practices

Practical mapping of 45 CFR 164 to common AI use cases, remediation, and priorities.

Top 7 AI use cases (ranked by ROI vs risk)

Clinical scribe / documentation assistant — 10x ROI, high PHI exposure. First priority: BAA + Zero Data Retention or on-prem model.
Patient intake automation (forms & triage) — High ROI, medium risk. Requires validation + safe storage.
Billing & RCM automation (no PHI in prompts) — High ROI, low-medium risk. Keep PHI out of the prompt context.
Telehealth triage assistant (redact before model) — 2–3x ROI, high risk. Redaction pipeline required before any PHI hits the model.
Patient communication drafts (secure pipeline, no PHI) — Moderate ROI, low risk when de-identified.
Knowledge-base summarization (de-identified corpora) — 1–2x ROI, low risk. Works well with off-the-shelf models.
Image-assist diagnostics — 4–10x ROI, very high risk. Requires clinical validation, governance, and FDA SaMD classification review.

Rule section	Requirement	AI control
164.308(a)(1)	Risk analysis	AI data flow diagram + retention policy review
164.308(a)(5)	Workforce training	Staff AI-use policy + annual tabletop exercise
164.312(a)(2)(iv)	Encryption	Confirm TLS in transit + AES-256 at rest for all AI vendor storage
164.312(c)(1)	Integrity controls	Signed BAAs + audit logging on AI outputs
164.312(e)(2)(ii)	Encryption in transit	HTTPS-only endpoints; no PHI over unencrypted channels
164.314(a)(1)	BAA with business associates	BAA required before any AI vendor touches PHI
164.316(a)	Policies & procedures	Written AI acceptable-use policy, updated annually

List every AI tool staff is using today
For each tool, confirm whether a BAA exists or can be signed
Identify PHI touchpoints (EHR exports, uploads, copy-paste into AI prompts)
Block consumer AI tools (ChatGPT free, Gemini free) on practice endpoints via policy + DNS filter
Sign BAA or migrate to a vendor with BAA + Zero Data Retention for any PHI use case