- Free ChatGPT isn't safe for patient data.
- Admin work is where AI wins first.
- No signed BAA, no patient data. Ever.
- The scribe drafts. You sign every note.
- Diagnosis and treatment stay with you.
You went to school to be a clinician. Then you also became the office manager, the billing clerk, and whoever reboots the router when it dies. The patients are the part you love. The paperwork is what keeps you at the desk after everyone's gone home.
AI can take a real chunk of that desk work off you. It can also land you in serious trouble if you're careless. So let's get the trouble out of the way first.
The free version of ChatGPT, Claude, Gemini: none of them are HIPAA-compliant. Paste protected health information (PHI) into a consumer-grade AI tool and you're very likely breaking the law, and you're breaking the trust your patients handed you. So don't.
Now the good part. Real, BAA-covered AI tools exist to handle PHI safely. And a huge amount of the work in your practice never touches PHI at all. That work is wide open for AI today, and it's probably eating more of your week than you think.
One line separates safe from not: the BAA
A Business Associate Agreement (BAA) is the legal document an AI vendor signs that makes them a HIPAA-covered partner. No BAA in place, and the vendor isn't allowed to touch PHI on your behalf. Full stop.
Where the big names stand as of writing this.
- OpenAI offers BAAs on the Enterprise tier of ChatGPT. Not on the free, Plus, or Team tiers.
- Anthropic offers BAAs on Claude for Enterprise. Not on the consumer plans.
- Google offers BAAs on Google Workspace healthcare plans, which covers Gemini inside Workspace. Not on consumer Gemini.
- Microsoft Copilot offers BAAs on its enterprise commercial tier.
Several healthcare-specific vendors come BAA-ready out of the box: Doximity GPT, Abridge, Nuance DAX, Suki, Heidi, Freed, and others. They're built for clinical use, so the legal coverage comes standard.
Before a single piece of patient information goes into any AI tool, confirm the BAA is in place. No BAA, and that tool is for non-PHI work only.
Where AI actually earns its keep in your practice
Five places. Two touch PHI, so they need BAA-covered tools. The other three never touch PHI, so you can start today with the same consumer tools everyone already has.
1. Marketing and patient-facing content (no PHI required)
You probably under-invest in marketing, and who could blame you? There's no time, and hiring someone feels like overkill for a practice your size. AI changes that math.
Use Claude or ChatGPT to draft:
- Blog posts on common patient questions ("What to expect at your first dental cleaning," "Why your back hurts after sitting all day," "How to know if you need glasses")
- Newsletter content for existing patients
- Social media posts for Instagram, Facebook, or LinkedIn
- Website copy for service pages
- Email templates for common patient communications
None of this is about a specific patient, so none of it is PHI. You or your office manager can batch a whole week of it into one hour. The AI drafts, you do a final read for clinical accuracy.
One caveat specific to healthcare: anything you publish that could read as medical advice needs a look from the licensed clinician before it goes live. AI writes the draft. You confirm it.
2. Intake and scheduling automation (PHI-adjacent, use BAA tools)
Intake is a paperwork tax on every new patient. A clipboard form gets scanned and re-typed into your practice management system, insurance gets verified by phone, reminders go out by hand or get missed. AI-assisted intake takes most of that off the front desk.
Plenty of vendors have built AI-assisted intake with BAAs already in place: Klara, Solutionreach, Weave, NexHealth, Modento (dental), Yapi (dental), Spruce. They handle structured intake, eligibility checks, and reminder cadences, and none of it means pasting PHI somewhere you shouldn't.
For a typical small practice, that's most of an hour of front-desk time back each day, fewer no-shows, and a cleaner intake record walking into the visit.
3. Clinical documentation (PHI, use clinical AI vendors)
This is where AI is changing healthcare fastest. AI scribe tools (Abridge, Nuance DAX, Suki, Freed, Heidi, Sunoh.ai) listen to the encounter with consent and hand you a draft of the note before you've even left the room.
Providers report getting a chunk of their charting time back every day. Notes come out more complete. And you get to look your patient in the eye instead of typing at a screen through the whole visit.
Every note gets read and signed by the provider. AI drafts, you confirm. This is not a "trust the model and move on" situation.
If your specialty is well-supported (primary care, internal medicine, behavioral health, urgent care, specialty consults), the math works out fast. If the tools are still maturing for you (highly procedural specialties, pediatrics with parent-as-historian), go slower. Pilot it before you standardize on it.
4. Billing and revenue cycle (PHI, use BAA-covered tools or established RCM vendors)
Billing is another spot where AI is making real headway: denial management, code suggestion, payment posting, eligibility verification, prior authorization. The vendors here (Waystar, Availity, Olive, Inbox Health, Candid) are built for HIPAA-covered workflows.
For a practice your size, pick one of these established platforms over building anything custom. Billing is too consequential and too regulated to be where you experiment with consumer AI tools.
5. Internal operations (no PHI, use whatever you like)
Anything that isn't about a specific patient is fair game for consumer-grade AI tools:
- Drafting hiring posts and screening candidate emails
- Writing staff communications and policy updates
- Building training materials for new hires
- Summarizing CE content for the team
- Researching equipment purchases or vendor comparisons
- Drafting vendor emails
- Building spreadsheet logic for financial reporting
Use Claude for nuanced writing. Use ChatGPT for structured tasks. Use Gemini if you're already inside Google Workspace.
Where to start if you haven't started at all
Haven't touched any of this yet? Good, you're not behind. Here's the order I'd go in.
Week 1, non-PHI experiments. Open Claude or ChatGPT and have it draft a single newsletter email or blog post. Spend an hour getting a feel for what good and bad output looks like. It costs you the hour and one subscription.
Weeks 2–4, marketing cadence. Commit to one piece of patient-facing content a week. Newsletter, blog, or social, whichever channel your patients actually pay attention to. AI drafts it, you edit it, your clinician fact-checks it.
Month 2, intake or scheduling vendor. Try two BAA-covered intake or scheduling vendors and pilot one. Does it plug into your practice management system? Does it genuinely save the front desk time? Is the patient experience at least as good as it is today?
Month 3, clinical documentation pilot (if applicable). If your specialty supports AI scribes, run one with a single provider for thirty days. Track charting time, note quality, and how the provider actually feels about it. If it works, expand.
Month 4 and beyond, tighten and expand. One workflow at a time. Give each an owner, a cadence, a tool, and an outcome you can measure.
What you should never automate
Diagnosis and treatment decisions. AI can summarize a chart, suggest a code, draft a note. It doesn't diagnose. It doesn't prescribe. It doesn't decide what care a patient needs. That's you.
Patient communication where empathy matters. Bad news, sensitive findings, end-of-life conversations. This is human work. AI can help you gather your thoughts beforehand, but it doesn't write the message.
Anything that requires the licensed clinician's signature. Every consult note, every prescription, every referral letter gets read by the provider before it goes out. No shortcuts.
Compliance work. HIPAA, OSHA, state licensing: get human expertise on this. AI is a research assistant, not your compliance officer.
Patient data handling outside BAA-covered tools. Never. No time-saving is worth the risk.
A specific note on telehealth and mental health
Mental health practices carry an extra consideration. Any AI tool that "listens" to a session needs explicit patient consent, every time. The relationship is the whole thing here, and patients are sensitive to a third party in the room, even a digital one. They're right to be.
The same care applies anywhere you work with sensitive populations: pediatrics, geriatric care, gender-affirming care, immigrant health, anywhere trust is fragile. Lead with consent and be plain about what's happening. The law tells you the minimum for recording consent. Good practice usually asks more.
Tools, by name
Starting from zero, here's a minimum stack:
- A consumer-grade AI for non-PHI work: Claude (Anthropic) for nuanced writing, ChatGPT (OpenAI) for structured tasks. Pick one to start.
- A BAA-covered AI for any PHI-adjacent administrative work: Google Workspace healthcare plan, Microsoft 365 commercial, or OpenAI Enterprise.
- An intake or scheduling vendor with AI features: depends on specialty. Weave, NexHealth, Klara, Solutionreach are common starting points.
- A clinical AI scribe (if specialty supports): Abridge, Nuance DAX, Suki, Freed, Heidi. Pilot before standardizing.
- A billing platform with AI features: Waystar, Availity, Candid, or your existing RCM partner.
What it costs each month rides on which clinical and operational vendors you bring in. The marketing-only side of the stack runs under $50 a month. A full clinical and intake stack can run several thousand. If it fits your specialty, the clinical side usually pays for itself inside a quarter.
The short version
Two buckets. The admin work is safe with the right tools, pays back fast, and carries low risk. The clinical work stays on purpose-built, BAA-covered tools, with you reviewing every single output.
You're wearing a lot of hats at once. AI is how you hand some of that work back so the low-leverage busywork stops eating the hours that need a human. That includes you, spending more of your day with patients and less of it fighting paperwork.
Want your AI to actually fit your practice, your specialty, your patients, your voice? It starts with handing it your context. The how-to is in training ChatGPT on your business's voice, and Give Your AI a Brain walks you through the whole thing in an afternoon. A safe place to start is replying to patient reviews with AI without sounding like a robot. Or see where you stand first.
By William Smith