

Best HIPAA-Compliant AI Tools for Small Medical Clinics (2026)

A guide to AI tools small clinics can use with BAA coverage — covering AI scribing and documentation, administrative AI, AI coding and billing tools, and which consumer AI tools must be prohibited for PHI workflows.

Decision summary

Small clinics can use AI tools for documentation, administration, coding, and billing — but only tools with signed BAAs and appropriate enterprise data terms. Purpose-built healthcare AI scribes (Nabla, Abridge, Ambiance) are the safest starting point for clinical workflows. Consumer AI tools without BAAs (standard ChatGPT, Perplexity, DeepSeek) must be prohibited for any PHI use.

How to evaluate AI tools for HIPAA compliance

Before reviewing specific tools, the evaluation framework: the vendor of any AI tool that creates, receives, maintains, or transmits PHI on the clinic's behalf is a business associate under HIPAA. You must sign a BAA with that vendor before deploying the tool in a PHI workflow. This is not negotiable, and it is not satisfied by the vendor describing itself as “HIPAA aware” or running on secure infrastructure.

The evaluation questions for any AI tool:

  1. Does the vendor offer a BAA for the plan you are purchasing?
  2. What products and features are covered under that BAA?
  3. What are the data retention terms for inputs and outputs?
  4. Does the vendor use customer data to train AI models? What are the opt-out provisions?
  5. What subprocessors does the vendor use, and are they covered?
  6. What are the breach notification obligations and timelines?

Only after confirming these questions in writing — by reviewing the actual BAA document — should a covered entity deploy the tool in a PHI workflow.


Category 1: AI documentation and scribing tools (BAA available)

These tools are purpose-built for healthcare documentation workflows and are designed with HIPAA compliance as a core feature, not an add-on.

Nabla

What it is: Nabla is an AI scribe tool that listens to clinical encounters (in-person or telehealth) and generates structured documentation — SOAP notes, HPI, assessment and plan. It integrates with many major EHR platforms.

HIPAA posture: Nabla executes BAAs with covered entities. The platform is built for healthcare use and does not use patient encounter data for model training by default under enterprise agreements. Verify current terms with Nabla directly.

Best for: Primary care and many specialty practices that want ambient documentation support integrated into their EHR workflow.

Caveat: Clinicians must review and approve AI-generated documentation before it is finalized in the medical record. AI scribes produce first drafts, not final records. Quality review is a clinical obligation that cannot be delegated to the AI.

Abridge

What it is: Abridge is a clinical conversation AI platform that captures patient-provider conversations and generates structured clinical notes. Abridge has partnerships with several major health systems.

HIPAA posture: Abridge executes BAAs with covered entities. Data handling is designed for the healthcare enterprise context.

Best for: Practices that have significant documentation burden and want AI-assisted summarization of clinical encounters.

Caveat: Abridge’s current deployments are weighted toward enterprise health systems. Small independent practices should confirm availability and pricing for their specific context.

Ambiance, Suki AI, DeepScribe, and similar ambient scribes

What it is: Several AI ambient scribing tools compete in this space — Suki AI, DeepScribe, and others with similar functionality. Most are designed for healthcare and execute BAAs.

HIPAA posture: Varies by vendor. Each tool in this category must be evaluated individually. A BAA is required from each.

Best for: Specialty practices with high documentation volume.

Caveat: Evaluate EHR integration compatibility before committing. A scribe tool that does not integrate with your specific EHR creates workflow friction that may offset the documentation efficiency gain.


Category 2: AI administrative tools (BAA evaluation required)

AI tools for administrative tasks — scheduling, patient communication, billing inquiries — vary in their HIPAA posture. Evaluate each individually.

AI-assisted appointment scheduling

Several practice management platforms now include AI features for scheduling optimization and patient outreach. If a scheduling tool accesses patient names, contact information, or appointment types, it is processing PHI. Confirm BAA coverage with your scheduling platform before enabling AI features.

AI-assisted patient communication

AI-generated appointment reminders, recall messages, and patient education content are increasingly common. If these communications include patient-specific information — which most useful communications do — a BAA is required with the communication platform. Many healthcare-focused patient engagement platforms (Klara, Luma Health, Relatient) offer BAAs as part of their standard healthcare terms.

AI-generated administrative content

Drafting non-PHI internal documents — job descriptions, staff policies, training materials for general topics — does not require a BAA because no PHI is involved. For this use, enterprise AI tools with appropriate data terms are acceptable. The risk is scope creep: staff who use an AI tool for general content may start using it for PHI-adjacent tasks. A written policy must define the boundary.


Category 3: AI coding and billing tools (BAA required)

Medical coding and billing AI tools process claims data that may include diagnosis codes, procedure codes, dates of service, and patient demographic information, all of which are PHI when tied to an identifiable patient. The vendor of any AI tool that assists with coding, charge capture, or claim review in a patient-specific context is a business associate and requires a BAA.

Revenue cycle management platforms with AI coding

Many revenue cycle management (RCM) vendors now include AI-assisted coding and claim scrubbing. If your practice uses an RCM vendor, confirm that the AI coding features are covered under your existing BAA with that vendor, or whether the AI features represent a new subprocessor that requires additional agreement.

Standalone AI coding tools

AI coding tools that operate independently of your EHR or RCM (receiving encounter data as input and returning coding suggestions) must execute a BAA. Evaluate whether the tool processes raw clinical notes (which are PHI) or structured claim data, and review the data retention terms for both input and output.


Category 4: AI tools to prohibit for PHI workflows

These tools must not be used for any work task that involves patient information. Staff need explicit training and a written policy that names these tools as prohibited.

Consumer ChatGPT (Free, Plus, Team)

No BAA available on these plans. Do not use for any PHI workflow. See the separate analysis, Is ChatGPT HIPAA compliant?, for the full discussion.

Perplexity AI (all plan tiers)

No BAA available as of early 2026. High risk as a PHI vector because staff use it for search queries that may inadvertently include patient context. Explicitly prohibit it and train staff on the risk. See the separate analysis, Is Perplexity AI HIPAA compliant?

DeepSeek (consumer interface)

No BAA, data residency in China, and no compliant data handling path. Prohibit all staff use for any work task. See the separate analysis, Is DeepSeek HIPAA compliant?

Consumer Claude (Free, Pro)

No BAA on consumer plans. Anthropic makes a BAA available to its enterprise and API customers, but the consumer Free and Pro plans must not be used with PHI. See the separate analysis, Is Claude HIPAA compliant?

Standard Cursor AI editor

No public BAA program as of early 2026. Healthcare developers working on PHI-adjacent code must use enterprise alternatives with documented BAA coverage.


Building your AI use policy

The HIPAA Security Rule's administrative safeguards require documented policies and procedures governing how the workforce handles ePHI; a written AI use policy is how a clinic meets that requirement for AI tools. The policy should address:

  1. Approved tools: Named list of AI tools authorized for clinical and administrative use, with the use cases each is approved for and the BAA status
  2. Prohibited tools: Explicit list of AI tools prohibited for any work task involving PHI — not just “tools without BAAs” in the abstract, but specific names
  3. Approval process: How staff request approval for a new AI tool before using it for work tasks
  4. PHI definition reminder: What information constitutes PHI and why it cannot be entered into unapproved AI tools
  5. Enforcement: What happens when the policy is violated
  6. Annual review: How frequently the approved and prohibited lists are reviewed and updated

The HIPAA AI use policy template provides a starting framework for this policy.

Managing AI compliance as the landscape evolves

AI tools are evolving faster than any other category in the software market. A tool that has no BAA today may offer one in six months. A tool that offers a BAA today may change its terms. A new tool your staff discovers and starts using this week may not be on your approved list.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask when narrowing a shortlist

Can we use ChatGPT for clinical documentation if we have the Enterprise plan?

ChatGPT Enterprise includes a BAA from OpenAI, which creates the necessary contractual framework. However, Enterprise requires direct negotiation with OpenAI's sales team, has pricing designed for organizations with significant budget, and still places the covered entity's configuration and access control obligations on the clinic. For most small clinics, a purpose-built healthcare AI scribe with existing HIPAA infrastructure is more practical than negotiating a ChatGPT Enterprise arrangement.

What does an AI scribe actually do, and what are the HIPAA risks?

AI scribes listen to or receive input from clinical encounters and generate structured documentation — SOAP notes, HPI summaries, assessment and plan sections. The HIPAA risk is that patient encounter audio, transcripts, or summaries are PHI. The AI scribe vendor is a business associate and must have a signed BAA. You must also ensure that recording policies are disclosed to patients and that scribe outputs are reviewed by the clinician before being finalized in the medical record.

How do we know if an AI tool has a real BAA, not just a HIPAA marketing claim?

Ask the vendor: Do you offer a Business Associate Agreement as a standard document? What is the process to execute it? What products and features are in scope? Ask for the BAA document itself, not a summary or a web page. Vendor claims about being 'HIPAA compliant' or 'HIPAA ready' are not the same as a signed BAA. See [how to audit vendor HIPAA claims](/learn/vendor-management/how-to-audit-vendor-hipaa-claims) for the full evaluation methodology.

We have a tight budget. Are there any lower-cost HIPAA-compliant AI options?

Purpose-built healthcare AI scribes vary in pricing, with some offering per-provider subscription models that may be accessible for smaller practices. For administrative tasks that involve no PHI (drafting policies, writing general communications), no BAA is needed, so a general-purpose AI tool with acceptable enterprise data terms is sufficient; if the same tool will also touch PHI, it needs a BAA, which usually means an enterprise agreement with upfront cost. The most cost-effective approach is often to start with a single high-value use case, documentation support, and evaluate from there rather than deploying AI broadly.
