Skip to main content
AI and HIPAA Compliance for Florida Medical Practices — Which Tools Are Safe and Which Are Not
← Back to Blog
Healthcare IT

AI and HIPAA Compliance for Florida Medical Practices — Which Tools Are Safe and Which Are Not

July 7, 20268 min readSteve Condit — Founder, Simply IT
Healthcare IT
AI and HIPAA Compliance for Florida Medical Practices — Which Tools Are Safe and Which Are Not

Florida medical and dental practices are adopting AI tools faster than their compliance programs can keep up. Ambient documentation AI that transcribes patient visits. AI coding assistants that suggest billing codes. AI scheduling tools that handle patient communication. AI writing tools that draft referral letters and care summaries. Most of these tools are genuinely useful. Several of the most popular ones are not HIPAA compliant — meaning practices that use them with patient data are creating unauthorized PHI disclosures every time a staff member types a patient name into the interface. The question is not whether AI is allowed under HIPAA. The question is whether the specific tool you are using right now has a signed BAA and does not use your patients' data for model training.

BAA
Required before any AI tool touches PHI
$50K-1.9M
OCR fine range per HIPAA violation category
0
HIPAA exemptions for AI — existing rules apply fully
60 days
Breach notification deadline after PHI disclosure

AI Tool Compliance Status for Florida Healthcare

ToolBAA available?PHI use guidance
ChatGPT (free / Plus)NoCannot be used with PHI — no BAA, may train on inputs
ChatGPT Enterprise / APIYes (enterprise)BAA available; disable training on data; requires enterprise contract
Microsoft Copilot (M365 add-on)Yes (Microsoft HIPAA BAA)Covered under Microsoft's standard HIPAA BAA — sign before use
Google Gemini (consumer)NoCannot be used with PHI — no BAA for consumer tier
Google Workspace + Gemini (Business/Enterprise)Yes (Google HIPAA BAA)Google HIPAA BAA covers Workspace; verify Gemini is included
Epic/Athena AI featuresYes (in EHR BAA)Covered under existing EHR Business Associate Agreement
Nuance DAX (ambient documentation)YesHIPAA-designed product with BAA — purpose-built for clinical use
Claude (Anthropic — consumer)NoCannot be used with PHI — no BAA for consumer tier

The 4-Step HIPAA AI Adoption Checklist

01
Verify the BAA before any PHI is entered
The BAA must be signed before the tool is used with any patient data — not after. Contact the vendor's enterprise or healthcare sales team to request the BAA. If the vendor cannot produce a BAA, the tool cannot be used with PHI, regardless of how the vendor describes their data handling in marketing materials. 'We take security seriously' and 'We are HIPAA compliant' are not substitutes for a signed BAA.
02
Confirm training on PHI is disabled
The BAA establishes the vendor's legal obligations, but you must also confirm the specific configuration setting that prevents the tool from using your patients' data to train its AI models. This setting may be on by default or off by default depending on the tool and tier. For Microsoft Copilot, Microsoft's standard M365 tenant configuration does not train on your data. For other tools, check the vendor's data processing documentation and confirm the configuration in writing.
03
Update your HIPAA risk analysis
HIPAA requires that the risk analysis be updated when technology changes occur in the environment. Adding an AI tool that processes PHI is a qualifying change. Update the risk analysis to include the new tool, document the BAA status, the data it accesses, the access controls in place, and any residual risk. This documentation is what OCR requests in an audit and what your cyber insurance carrier requests when reviewing healthcare coverage.
04
Train staff on appropriate use before go-live
Staff training on AI tools in HIPAA-covered contexts must cover: which tools are approved and which are not; what patient data can and cannot be entered into each approved tool; how to verify the accuracy of AI-generated clinical content before use; and what to do if PHI is accidentally entered into a non-approved tool. This training must be documented, with completion dates recorded by employee.
// Did You Know?
OCR's 2024 guidance on AI and HIPAA explicitly states that existing HIPAA rules apply to AI tools without modification — there is no AI exception. The guidance notes that covered entities are responsible for ensuring that any AI tool that accesses, processes, or generates PHI meets the Security Rule's technical safeguard requirements, and that Business Associate Agreements must be in place. OCR has not yet brought AI-specific enforcement actions, but has signaled that AI-related PHI disclosures will be investigated under existing HIPAA enforcement authority.
// Key Takeaway
The most common AI HIPAA compliance failure at Florida medical and dental practices is not malicious — it is staff using ChatGPT or Google Gemini consumer tier to help draft clinical documents, not realizing these tools do not have BAAs and may train on the data entered. A written AI policy, an approved tools list with BAA status for each tool, and 30 minutes of staff training eliminates most of this risk. Simply IT helps Florida healthcare practices implement HIPAA-compliant AI tools and document the compliance program that protects them if OCR comes looking.
Schedule a Free HIPAA AI Compliance Review →
Steve Condit — Founder of Simply IT, Ocala FL
// Written By
STEVE CONDIT
Founder & Owner, Simply IT · US Marine Veteran · 30+ Years IT Experience

Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.

// More From Healthcare IT

KEEP READING

Blog Article · Healthcare IT
HIPAA-Compliant VoIP for Florida Medical Practices — What Qualifies and What Doesn't
Not every VoIP system marketed to healthcare is actually HIPAA compliant. Florida medical and dental practices that sign a cont...
July 12, 2026 · 8 min read
Read →
Blog Article · Healthcare IT
Cyber Insurance for Florida Medical and Dental Practices — What HIPAA Doesn't Cover (and Cyber Insurance Does)
Many Florida healthcare practices assume HIPAA compliance means they're covered. It doesn't. HIPAA and cyber insurance cover co...
June 30, 2026 · 8 min read
Read →
Blog Article · Healthcare IT
HIPAA Secure Texting for a Florida Medical Practice — What's Allowed, What's a $50K Violation, and the Tools That Actually Work in 2026
Patient texting is now table stakes at every Florida medical and dental practice — appointment reminders, lab-result alerts, bi...
April 3, 2026 · 8 min read
Read →
// Continue Reading

RELATED SOLUTIONS & SERVICE AREAS

IndustryIT for Medical PracticesIndustryIT for Dental PracticesService AreaManaged IT in Ocala, FLService AreaManaged IT in Gainesville, FL

READY TO SOLVE YOUR IT CHALLENGES?

Get a free technology assessment and find out exactly where your business stands.

Get a Free Assessment →See Our Pricing →