Is your AI chatbot leaking patient data?

Artificial intelligence chatbots have become a go-to shortcut for time-strapped physicians, but experts are raising red flags about what happens when patient information gets typed into a public model. Unlike electronic health record systems built around HIPAA compliance, tools like ChatGPT and Gemini were never designed to safeguard protected health information, and that gap is creating risk that many practices haven't fully reckoned with.

The danger isn't hypothetical. Public LLMs store, process, and in some cases reuse the data fed into them, meaning patient details entered for something as simple as drafting a note or summarizing a visit could end up retained in ways the physician never intended or sanctioned. Once that information leaves a secure system, there's no guarantee that it stays private, and tracing where it went afterward becomes difficult.

The legal exposure compounds the privacy problem. Physicians who lean on consumer-grade AI tools instead of dedicated, FDA-cleared software for clinical tasks may be opening themselves up to costly compliance violations, even when the intent was simply to save time. And because the underlying business models behind these chatbots weren't built with protected health information in mind, physicians are often left guessing about how securely their inputs are actually being handled.

Medical Economics spoke with Harley Sugarman, founder and CEO of Anagram Security, about how exactly how these risks play out in everyday practice, and what physicians should be doing differently.