HIPAA AI Use Policy Template

A ready-to-adapt HIPAA AI use policy for medical clinic staff. Covers approved tools, PHI prohibitions, BAA requirements, the Approved Tools Registry, and incident reporting procedures.

Short answer

A practical AI use policy template that clinic administrators can adapt and distribute to staff. Includes an Approved Tools Registry table with BAA status tracking and a clear framework for what staff may and may not input into AI tools.

What is inside

Clear scope: applies to all staff using any AI tool for any work-related task
PHI prohibition for unapproved tools: no patient data in consumer AI — no exceptions
Approved Tools Registry table with BAA status, date, and permitted/prohibited use columns
BAA requirement before any AI tool processes patient-adjacent content
Incident reporting procedure for suspected AI-related PHI exposures
Annual review cycle built into the policy — keeps pace with the rapidly changing AI landscape

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 27, 2026

Best next step: Open the matching product path

Sources

Security Rule Guidance | HHS
Business Associates | HHS

Download the PDF

HIPAA AI Use Policy for Clinical Staff — a starting-point template your practice can adapt today

Enter your email and we will send the PDF.

Questions

Do AI tools require a BAA under HIPAA?

Any AI tool that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. A signed BAA is required before that tool processes PHI. Consumer AI products — ChatGPT, Gemini, Claude.ai, Copilot in personal accounts — do not offer BAAs and must not receive PHI under any circumstances.

What counts as PHI when entering content into an AI tool?

Any information that could identify a patient in connection with their health care is PHI. Patient names, dates of service, diagnoses, medications, geographic details below state level, account numbers, and similar identifiers are PHI even in a partial draft or a question typed into a chat window. De-identified content under 45 CFR §164.514 may be used in tools without a BAA, but full de-identification is a structured process — not just removing a name.

Can staff use AI tools to write clinical notes or prior authorizations?

Only if the tool has a signed BAA and appears on the clinic's Approved Tools Registry. Clinical documentation workflows involve PHI by definition. Verify BAA status before any such use begins, and document the approval in the registry.

What if a staff member already used a consumer AI tool with patient data?

Treat it as a potential security incident. The staff member should report it to the Privacy Officer immediately under Section 6 of this policy. The Privacy Officer will conduct a breach risk assessment under 45 CFR §164.402 to determine whether notification is required.