TechFides — June 2026
Here's a scene playing out in practices everywhere right now. A front-desk staffer pastes a patient's message into ChatGPT to help draft a reply. A billing clerk uploads a spreadsheet to summarize claims. A provider dictates a note into a free transcription app. None of them are being careless. They're being efficient, using the same tools they use at home.
And every one of those moments may be sending protected health information into a system the practice doesn't control, didn't vet, and has no agreement with. That's the exposure. It's already inside most practices, and the people creating it have no idea they're doing anything wrong.
Regulators have noticed. The direction of travel is clear: practices will be expected to know how AI touches patient information and to govern it, the same way they already govern any other place PHI lives. "We didn't realize our staff was doing that" has never been a strong position with HIPAA, and it won't be here either.
The good news: getting ready is not complicated. It's a series of plain questions you can work through. Here's the checklist.
1. Know where AI already touches PHI
You can't govern what you can't see. Before anything else, find out how AI is actually being used across your practice today — the sanctioned tools and the unofficial ones. Front desk, billing, clinical notes, scheduling, marketing. Most practices are surprised by how much "shadow" usage turns up. You're not hunting for someone to blame; you're drawing an honest map.
2. Separate the compliant tools from the casual ones
Not all AI is a problem. The question for each tool is simple: does it have the right protections and a business associate agreement in place for handling PHI? A vendor built for healthcare that signs a BAA is one thing. A free consumer chatbot with terms that let it train on whatever you paste is another. Sort your list into "appropriate for PHI" and "never for PHI," and make the line obvious to staff.
3. Give staff a tool they're allowed to use
This is the step most practices skip, and it's the most important. People reach for ChatGPT because it helps them work faster, and telling them "stop" without an alternative just drives the behavior underground. The durable fix is to give them an approved tool that does the job and keeps information protected — so the easy path and the compliant path are the same path. Policy without a sanctioned tool is a sign on the wall everyone walks past.
4. Write the policy in language people follow
Your AI policy should fit on a page and answer the questions staff actually have: which tools are approved, what you may never put into a non-approved tool, who to ask when unsure. Skip the legalese. A policy people understand is a policy people follow.
5. Train, briefly and concretely
A short session that shows real examples — "this is fine, this is not, here's the tool we use instead" — does more than a thick binder nobody opens. Make sure new hires get it on day one, because the front desk is where most exposure begins.
6. Keep a record
If the question ever comes up, you want to show that you assessed your AI use, made deliberate choices, put protections in place, and trained your people. That documentation is the difference between "we govern this" and "we had no idea." It's also just good practice management.
Why this is an opportunity, not just a burden
It's easy to read all this as one more compliance headache. Look again. A practice that gets ahead of AI governance ends up with faster, safer workflows and peace of mind — while the practice down the street is still pasting patient messages into a consumer chatbot and hoping nobody asks. One of those practices is ready for what's coming. The other is exposed and doesn't know it.
How TechFides helps
Our AI Governance Sprint and HIPAA AI Readiness work is built to take a practice through this checklist quickly — usually in a couple of weeks, not a couple of quarters. We map where AI touches your information, sort the safe tools from the risky ones, give your team a sanctioned tool that keeps PHI protected and under your control, and leave you with the policy, training, and record that show you're ready.
That last point is the heart of how we work: we'd rather you own a compliant, private setup than rent your way into exposure. The new rules are coming. Be the practice that's ready for them.
This article is general information, not legal advice. For how these requirements apply to your specific situation, consult qualified counsel.
Want a readiness check for your practice? Talk to TechFides and we'll walk the checklist with you.
