
AI is already in your medical practice. The question is whether it's there legally
Physicians are loading protected health information into consumer AI tools. Here's how to avoid HIPAA violations
In the past few years, physicians of all specialties have found ways to integrate artificial intelligence (AI) programs into their clinical and administrative duties. In vascular and interventional radiology, the promise of AI is real and well-documented: faster image analysis, automated lesion detection, more consistent procedural documentation and reduced administrative burden on already-stretched practices. By 2024, 66% of U.S. physicians reported using some form of AI in their practice, according to the American Medical Association — a figure that had nearly doubled in a single year.
What is far less visible is how that AI is actually being used at the practice level, and whether the tools physicians reach for in their daily workflow are legally permitted to touch the data being fed into them.
The gap between convenience and compliance
Consider a scenario that is not hypothetical. A physician in a busy interventional practice uses a consumer AI chatbot (ChatGPT, Gemini or a similar tool) to draft or refine a medical record addendum. The patient's name, date of birth, procedure details and clinical history are included in the prompt because that context makes the output clinically useful. The physician gets a well-structured addendum in seconds. The patient's protected health information (PHI) has just been transmitted to a third-party system that has no business associate agreement (BAA) with the practice and no obligations under the Health Insurance Portability and Accountability Act (HIPAA), and whose consumer terms of use typically permit the vendor to retain the prompt and may allow it to be used to train future models. The practice has no contractual control over what happens to those data next.
This is not a technical violation buried in the fine print. It is a straightforward breach of the HIPAA Privacy and Security Rules. Under 45 CFR §164.502, a covered entity may use or disclose PHI only as the Privacy Rule permits, and a vendor that receives PHI to perform a function on the practice's behalf, such as drafting documentation, is a business associate that may be given PHI only under a valid BAA (45 CFR §164.502(e)) or with the patient's written authorization. Consumer AI platforms do not sign BAAs as a standard condition of use; where a vendor offers one at all, it is attached to a separate enterprise or API product, not to the consumer chatbot. Using the consumer product with identifiable patient data is, on its face, impermissible regardless of the physician's intent. Under the Breach Notification Rule (45 CFR §§164.400-414), each such impermissible disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and a practice that has no BAA and no visibility into the vendor's retention practices will struggle to make that showing.
As Medical Economics has previously reported,
Why vascular and interventional practices are particularly exposed
Interventional specialties face a documentation burden that is structurally higher than primary care. Procedures generate operative reports, postprocedure notes, complication documentation, imaging interpretations and increasingly complex medical necessity addenda — especially given the current audit environment around office-based peripheral vascular procedures. The volume and complexity of that documentation create a strong pull toward any tool that reduces the time required to produce it.
That pressure is compounded by independent and small-group practice structures, which are common in interventional radiology and vascular surgery. Unlike large health systems that deploy enterprise-grade, HIPAA-compliant AI platforms with formal governance structures, independent practices typically lack dedicated compliance officers and information technology security staff. The physician who reaches for a consumer chatbot is not being reckless; they are solving a real productivity problem with the tools immediately available to them.
The risk, however, is both institutional and individual. Under HIPAA, the covered entity, the practice, bears primary liability for unauthorized PHI disclosure. A physician's personal use of a consumer AI tool for work-related documentation does not transfer that liability to the AI vendor; it stays with the practice. In May, the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) released a report prompting further examination of physicians performing vascular procedures. With interventional vascular practices already under elevated federal scrutiny, a separate HIPAA enforcement action is not a remote possibility. It is an additional vector of regulatory exposure, and one that an auditor reviewing documentation workflows is well positioned to notice.
What HIPAA actually requires before using AI
The compliance framework for AI in clinical documentation is not ambiguous, even if awareness of it is uneven. Any AI tool that will process, store or transmit PHI must be covered by a BAA executed between the vendor and the covered entity before first use. Under 45 CFR §164.504(e), the BAA must specify the permitted uses and disclosures of PHI, require the vendor to implement appropriate safeguards, establish breach reporting obligations to the practice, and require the vendor to bind any subcontractors that handle the PHI to the same terms. That last point matters for AI products in particular, because most run on third-party cloud infrastructure and some route prompts to additional model providers.
A BAA alone, however, does not end the compliance analysis. The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)) requires an accurate and thorough risk analysis of the threats to electronic PHI, and HHS expects that analysis to be updated whenever a new system that handles electronic PHI, including an AI documentation tool, is introduced. The analysis must assess the likelihood and impact of potential PHI compromise, it must be documented, and under §164.308(a)(1)(ii)(B) it must lead to documented risk management measures, such as restricting which accounts can use the tool and disabling any setting that lets the vendor retain or train on submitted data. Many practices deploying AI documentation tools have not completed this step.
As Medical Economics has noted in its coverage of AI adoption frameworks,
A practical checklist before the next prompt
For interventional practices currently using or evaluating AI documentation tools, the following steps address the most significant compliance gaps:
- Inventory current AI use. Ask every physician and staff member what AI tools they use for any work-related task, including browser extensions, dictation apps and AI features built into email, office and EHR software. Consumer tools used informally are the most common compliance gap and are the least likely to appear in a formal technology audit.
- Verify BAA status before use. If a BAA is not in place with the AI vendor, PHI cannot be used with that tool, period. This also applies to free tiers of enterprise tools; BAA coverage typically requires a paid enterprise agreement. Confirm that the BAA names the specific product and tier the practice actually uses; a BAA with a vendor does not automatically extend to every product that vendor sells.
- Conduct a security risk analysis. Before deploying any AI tool that processes PHI, document the risk assessment and the measures taken to address the risks it identifies. This is not optional; it is a HIPAA Security Rule requirement.
- Establish a clear acceptable-use policy. Physicians need explicit guidance on which tools are approved for clinical documentation, which require BAAs, and which are prohibited entirely for work-related PHI. Verbal guidance is not sufficient; the policy must be written and documented.
- Train with specificity. General HIPAA training does not cover AI-specific risks. Staff and physicians should receive targeted training on the PHI exposure risks created by consumer AI tools, including the specific mechanics of how data entered into a chatbot prompt may be retained and used. Training should make clear that uploaded files, pasted text and screenshots of imaging or EHR screens are PHI just as much as typed text, and that removing the patient's name alone does not de-identify a record that still carries dates, procedure details and other identifiers.
Ensure compliance or face regulatory risk
AI is already a meaningful part of vascular and interventional practice. The clinical and operational case for it is sound, but the productivity gains are not worth the regulatory exposure of deploying tools that handle PHI outside a proper compliance framework. The physicians most likely to face consequences are not those who chose AI deliberately; they are those who used it casually, assuming that a widely available tool with a polished interface must have the compliance infrastructure to match.
It does not. Verifying that it does, before the first prompt, is now a basic professional responsibility.
Elina Sabilova, CPC, CFPC, CPMA, is a billing and compliance specialist in the Billing Department at





