AI tools are showing up in every corner of practice management: phone answering, chat widgets, scheduling, documentation, marketing. For healthcare practice owners, every one of those tools raises the same question: what does this mean for HIPAA? This article walks through the practical considerations to think about before adding AI tools to a therapy or counseling practice. It is informational only and is not legal advice; for decisions about your specific obligations, consult a healthcare attorney or compliance professional.

Start with the core question: does the tool touch PHI?

HIPAA obligations attach to protected health information, or PHI: individually identifiable health information held or transmitted by a covered entity or its business associates. The single most useful question to ask about any new tool is whether it will create, receive, store, or transmit PHI as part of what it does for you.

This is less obvious than it sounds, because the same category of tool can sit on either side of the line depending on how you use it. A website chat widget that answers questions about your hours and parking is handling marketing conversations. The same widget, if patients start describing their symptoms and treatment history in it, is now holding health information connected to an identifiable person. Your evaluation has to consider not just what the tool is designed to do but what information will realistically flow through it.

Front-office AI versus clinical AI

A helpful way to sort the landscape is by how close the tool sits to clinical care.

Front-office tools handle scheduling, reminders, missed call text back, review requests, and general inquiries. These typically process names, contact details, and appointment logistics. Names and phone numbers connected to the fact that someone is a patient of a healthcare practice can still constitute PHI, so these tools are not automatically exempt from consideration, but the information is narrow and the risk surface is comparatively small and manageable.

Clinical tools touch treatment itself: AI scribes that record and summarize sessions, documentation assistants, tools that analyze assessment results. These handle rich clinical detail and deserve your most careful scrutiny, including where recordings and transcripts are stored, how long they are retained, and whether the vendor uses your data to train its models.

The business associate question

When a vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity, HIPAA generally treats that vendor as a business associate, and a business associate agreement, or BAA, is the standard mechanism for that relationship. As you evaluate AI vendors, three patterns show up:

  • Vendors that offer a BAA. Common among tools built for healthcare. Get the BAA in place before PHI flows, not after.
  • Vendors that explicitly decline BAAs. Many general-purpose AI services state they are not intended for PHI. Using them with patient information is a risk you are taking alone, whatever the tool’s marketing implies.
  • Vendors that are vague. Treat vagueness as a no. A vendor that cannot answer “will you sign a BAA and where does our data live?” in one email is telling you something about their healthcare readiness.

Note that some service providers structure their offerings so that they do not handle PHI at all, keeping their role limited to marketing and front-office functions that can be configured to avoid clinical information. Understanding exactly which side of that line each of your tools sits on, and configuring them accordingly, is the practical heart of compliance-aware adoption.

Practical questions to ask any AI vendor

  1. What data does the tool collect, and where is it stored?
  2. Will you sign a business associate agreement? If not, what uses do you consider appropriate?
  3. Is our data used to train your models, and can we opt out?
  4. How long is data retained, and can we delete it?
  5. Who at your company can access our data, and under what controls?
  6. What happens to our data if we cancel?

You do not need to be a lawyer to ask these, and the quality of the answers is itself a signal. Established healthcare-focused vendors answer them routinely.

Configuration matters as much as selection

Two practices can deploy the same tool with very different risk profiles. Some concrete configuration habits that keep front-office AI on the safe side of the line:

  • Scope chat widgets and voice assistants to logistics: services offered, insurance accepted, scheduling, directions. Configure them to redirect clinical questions to a human conversation.
  • Keep appointment reminder messages minimal. “You have an appointment Tuesday at 3” reveals less than a message that names the service and the clinician.
  • Do not paste session notes or patient details into general-purpose AI chatbots, and make sure your staff knows not to. A one-page staff policy on what goes into which tool prevents the most common mistakes.
  • Review what your tools log. Call summaries and chat transcripts are records; know where they live and who can see them.

Train the humans

Most AI-related privacy incidents in small practices will not come from a vendor breach. They will come from a staff member putting the wrong information in the wrong place: a full patient history typed into a consumer chatbot, a screenshot shared for troubleshooting, a transcript forwarded without thinking. When you introduce any AI tool, spend thirty minutes with your team covering what the tool is for, what must never go into it, and who to ask when they are unsure. That half hour is the highest-return compliance investment available to a small practice.

A sensible adoption path

None of this argues against using AI in your practice. The efficiency gains are real, and patients increasingly expect the responsiveness these tools provide. The sensible path is deliberate: start with front-office tools where the information involved is narrow, choose vendors who answer compliance questions plainly, configure conservatively, document your decisions, and bring in qualified legal or compliance help when a tool moves closer to clinical information. Practices that follow that path get the benefits without collecting unpleasant surprises.

This article is provided for general informational purposes and does not constitute legal advice. Consult a qualified attorney or compliance professional regarding HIPAA obligations specific to your practice.