AI Tools for Florida Medical Practices in 2026 — Which Are HIPAA-Compliant, Which Will Get You Fined
Cybersecurity

May 26, 2026 · 9 min read · Steve Condit, Founder, Simply IT

Generative AI use in Florida medical practices is no longer hypothetical. Providers are dictating into ambient scribes during patient visits. Office managers are pasting denial letters into ChatGPT to draft prior-authorization appeals. Front-desk staff are summarizing after-visit messages with AI. The clinical productivity gains are real — 10 to 15 hours per provider per week is a number we see consistently. And almost none of the practices we audit can answer the question their compliance officer should be asking: “Does the AI tool your team is using have a Business Associate Agreement?”

For a HIPAA-covered medical practice, every prompt that contains protected health information sent to an AI service without a BAA is a potential reportable breach under the HIPAA Breach Notification Rule. The proposed HIPAA Security Rule update expected May 2026 is likely to make AI governance an explicit technical control — not a maybe-someday addressable specification. Here is the May 2026 BAA status for the major AI vendors, the four governance controls Simply IT deploys before any AI tool touches PHI in a Florida practice, and the realistic path to capturing the productivity gains without the compliance trap.

  • 63%: workers using AI at work without IT approval
  • 10–15h: saved per provider per week
  • 60 days: HIPAA breach notification clock
  • $50K: average HIPAA fine per violation

What “HIPAA-Compliant AI” Actually Requires

HIPAA does not have a label called “HIPAA-compliant AI.” Vendors that use the phrase are usually marketing — sometimes accurately, sometimes not. The actual test for using any AI tool with PHI rests on four things:

  • A signed Business Associate Agreement with the AI vendor, executed under HIPAA’s Privacy Rule. The BAA must cover the specific AI service tier you are using, not just the vendor’s other products.
  • Training opt-out — your practice’s prompts and uploaded data must not be used to train future models. This is contract language, not a setting toggle.
  • Audit logging showing who accessed which AI session with what data, retained on the timeline HIPAA requires (6 years for documentation).
  • Reasonable technical safeguards — access controls, encryption in transit and at rest, audit controls. These are Security Rule basics that apply to any system handling ePHI.

BAA Status Across Major AI Vendors — May 2026

Status changes monthly. This is what we see today on actual deployments at Simply IT’s Florida medical clients:

OpenAI ChatGPT (Free / Plus): NO BAA
  Consumer tiers. Prompts may be retained and used for training under default settings. Off-limits for PHI.

OpenAI ChatGPT Team / Enterprise: BAA AVAILABLE
  Enterprise and Team plans support BAAs on request, with zero data retention configurable. Requires explicit BAA execution and tenant-level controls.

Microsoft Copilot for M365 (Business / Enterprise): COVERED BY M365 BAA
  Tenant-level BAA is already in place if the practice has Microsoft 365 Business / Enterprise; Copilot inherits it. Verify your tenant has the BAA executed. Many practices that bought M365 through a reseller find theirs was never activated.

Microsoft Copilot Chat (free / consumer): NO BAA
  The standalone consumer Copilot app is not covered by the M365 BAA. It is a different product.

Google Gemini (Workspace Business / Enterprise): BAA AVAILABLE
  Workspace tenants can execute a BAA covering Gemini. The default training opt-out must be confirmed.

Google Gemini (gemini.google.com consumer): NO BAA
  Free / personal Gemini is consumer-tier. No BAA. Off-limits for PHI.

Anthropic Claude (API for Business): BAA AVAILABLE
  Anthropic offers BAAs for the API access tier with an appropriate enterprise contract.

Anthropic Claude.ai (consumer): NO BAA
  The consumer claude.ai site is not BAA-covered. Off-limits for PHI.

Ambient scribe vendors (Abridge, Augmedix, Suki, DeepScribe, etc.): VARIES BY VENDOR
  Most established clinical-AI ambient scribes execute BAAs as standard. Always verify the BAA is signed before go-live. Newer / lower-cost vendors may not.

Free third-party AI summarizers / writing tools: ASSUME NO BAA
  Most free Chrome extensions, browser-based summarizers, and “HIPAA-compliant” chat apps from random vendors do not have actual BAAs. Treat them as off-limits unless you have a signed BAA in your records.
// The Microsoft 365 BAA Gotcha
The Microsoft 365 BAA must be explicitly activated in the M365 admin console. Most Florida practices that bought M365 directly from a reseller never had it activated. The reseller doesn’t sign the BAA — Microsoft does, and the practice has to accept it. Until that’s done, your tenant has no BAA in force, which means Copilot has no BAA coverage either. Verify this first.

Why Banning AI Is Not the Answer

The instinctive response — ban AI tools in the practice — doesn’t work. Staff use AI on their personal phones anyway, where the practice has zero visibility. The risk doesn’t disappear; it moves into the shadows. The right answer is to give your team the AI tools that actually deliver clinical and operational productivity, but route them through a governed gateway with BAA coverage, audit logging, PII redaction, and per-role permissions.
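Before a gateway can be rolled out, the practice needs to know how much unsanctioned AI traffic it already has. The following is an added example, not Simply IT's tooling or any vendor's product: it scans constructed outbound web-proxy log lines for the consumer endpoints named above (claude.ai, gemini.google.com) plus chatgpt.com, which is assumed here to be the ChatGPT web host, and ranks users by bytes sent, since large uploads are where pasted charts and denial letters show up. The sanctioned host api.openai.com is a hypothetical entry standing in for whatever endpoint the practice's BAA-covered contract actually uses.

```python
"""Shadow-AI detection over outbound proxy logs (added example; not Simply IT's tooling).

Flags sessions to consumer AI endpoints that carry no BAA and ranks users by
bytes sent. Log lines and host lists below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample: "timestamp user client_ip destination_host path bytes_sent".
SAMPLE_PROXY_LOG = """\
2026-05-26T09:14:02Z dr.smith 10.0.4.21 chatgpt.com /backend-api/conversation 18432
2026-05-26T09:15:40Z frontdesk 10.0.4.30 claude.ai /api/organizations 9120
2026-05-26T09:16:11Z j.lee 10.0.4.41 gemini.google.com /app 4210
2026-05-26T09:17:55Z dr.smith 10.0.4.21 api.openai.com /v1/chat/completions 2210
2026-05-26T09:18:02Z m.garcia 10.0.4.55 login.microsoftonline.com /common/oauth2 512
2026-05-26T09:19:30Z j.lee 10.0.4.41 chatgpt.com /backend-api/conversation 40960
garbage line that does not parse
"""

# Consumer endpoints named in the post (claude.ai, gemini.google.com) plus the
# assumed ChatGPT web host. Matching is by exact host or subdomain suffix.
CONSUMER_AI_HOSTS = {
    "chatgpt.com": "ChatGPT (consumer or unverified tier)",
    "claude.ai": "Claude.ai (consumer)",
    "gemini.google.com": "Gemini (consumer)",
}
# Hypothetical: endpoint the practice reaches under its BAA-covered contract.
SANCTIONED_HOSTS = {"api.openai.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$")


def parse_proxy_log(text):
    """Parse lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["bytes"] = int(e["bytes"])
            events.append(e)
    return events


def classify_host(host, sanctioned=SANCTIONED_HOSTS):
    """Return the consumer-service label for host, or None if sanctioned/unrelated."""
    host = host.lower()
    if host in sanctioned:
        return None
    for suffix, label in CONSUMER_AI_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def find_shadow_ai(text):
    """Aggregate consumer-AI traffic per user: hit count, bytes sent, services seen."""
    findings = defaultdict(lambda: {"hits": 0, "bytes": 0, "services": set()})
    for e in parse_proxy_log(text):
        label = classify_host(e["host"])
        if label is None:
            continue
        f = findings[e["user"]]
        f["hits"] += 1
        f["bytes"] += e["bytes"]
        f["services"].add(label)
    return dict(findings)


def report(findings, upload_threshold=16384):
    """Rows of (user, hits, bytes, flag, services), heaviest uploaders first."""
    rows = []
    for user, f in sorted(findings.items(), key=lambda kv: -kv[1]["bytes"]):
        flag = "LARGE UPLOAD" if f["bytes"] >= upload_threshold else "visit"
        rows.append((user, f["hits"], f["bytes"], flag, sorted(f["services"])))
    return rows


if __name__ == "__main__":
    for row in report(find_shadow_ai(SAMPLE_PROXY_LOG)):
        print(row)
```

A host match alone cannot separate ChatGPT Enterprise from the free tier, because both are served from the same web host; reconcile flagged users against the enterprise tenant's member list and the identity provider's sign-in log before treating a hit as unsanctioned use. The same parse-and-aggregate loop works over DNS resolver logs if the practice has no web proxy.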

"Every practice we audit has staff using AI without IT’s knowledge. The question isn’t whether AI is in the building — it is. The question is whether the practice can prove it’s audited, BAA-covered, and HIPAA-aligned when OCR knocks."
Steve Condit, Simply IT

The Four Governance Controls Simply IT Deploys

01. Identity-bound access
Every AI session is tied to a named user account, never a shared login. When a clinical staff member offboards, their AI access is offboarded with the rest of their identity. Audit trails actually identify the human.

02. Audit logging retained 6 years
Every prompt, every model used, every token spent is logged with an immutable timestamp and user attribution. Retention matches HIPAA documentation requirements. Required for any OCR audit, and also useful for internal incident review.

03. Automatic PHI redaction at the gateway
Patient names, dates of birth, SSNs, account numbers, and clinical identifiers are stripped or tokenized before prompts reach any AI model. The model gets enough context to be useful but cannot retain PHI. Tokens are re-substituted in the response so the user experience stays smooth.

04. Vendor training opt-out enforced contractually
Every AI vendor in scope is configured so the practice’s data is never used to train future models. Enterprise contracts only, with explicit BAA + zero-retention configuration verified annually.
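To make the four controls concrete, here is an added example of a minimal governed gateway. It is not Simply IT's product or any vendor's API, and every vendor entry, account name and patient value in it is constructed. It enforces identity-bound access by refusing shared logins, writes a hash-chained audit entry with UTC timestamp and user attribution for every attempt (storing only a hash of the already-redacted prompt, so the log itself never holds PHI), tokenizes SSNs, dates of birth, MRNs and roster names before the prompt leaves the practice, and re-substitutes the real values in the reply. The training opt-out is a contract term, so it appears only as a vendor flag the gateway checks before routing.

```python
"""Toy governed AI gateway (added example; not Simply IT's product or any vendor's API).

Implements identity-bound access, a hash-chained audit log, and PHI
tokenization with re-substitution. The training opt-out is represented as a
vendor flag because it is a contract term, not a runtime setting.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed: generic shared logins that must never own an AI session.
SHARED_ACCOUNTS = {"frontdesk", "nursestation", "admin"}

# Constructed vendor registry; flags are hypothetical configuration,
# not a statement about any real vendor's terms.
VENDORS = {
    "enterprise-llm": {"baa_signed": True, "training_opt_out": True},
    "consumer-chat": {"baa_signed": False, "training_opt_out": False},
}

# Structured identifiers are caught by pattern; names come from a patient roster.
PHI_PATTERNS = (
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("DOB", re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
    ("MRN", re.compile(r"\bMRN[- ]?\d{6,}\b")),
)
TOKEN_RE = re.compile(r"\[(?:SSN|DOB|MRN|NAME)_\d+\]")
GENESIS = "0" * 64


class Gateway:
    def __init__(self, roster):
        self.roster = roster        # known patient names (constructed list)
        self.audit_log = []         # append-only; each entry hashes the previous one
        self._prev_hash = GENESIS

    def redact(self, text):
        """Replace PHI with placeholder tokens; return (redacted_text, token->value)."""
        mapping = {}

        def token(kind, value):
            t = f"[{kind}_{len(mapping) + 1}]"
            mapping[t] = value
            return t

        for kind, pattern in PHI_PATTERNS:
            text = pattern.sub(lambda m, k=kind: token(k, m.group(0)), text)
        for name in self.roster:
            if name in text:
                text = text.replace(name, token("NAME", name))
        return text, mapping

    @staticmethod
    def restore(text, mapping):
        """Put the original values back into the reply, inside the practice boundary."""
        return TOKEN_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), text)

    def _log(self, user, vendor, redacted_prompt, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "vendor": vendor,
            "allowed": allowed,
            # Hash of the redacted prompt only: the log never stores PHI.
            "prompt_sha256": hashlib.sha256(redacted_prompt.encode()).hexdigest(),
            "prev": self._prev_hash,
        }
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def submit(self, user, vendor, prompt, model_call):
        """Route one prompt through every control; model_call(redacted) -> reply."""
        if not user or user.lower() in SHARED_ACCOUNTS:
            self._log(user, vendor, "", False)
            raise PermissionError("AI sessions require a named user account")
        v = VENDORS.get(vendor)
        if not v or not (v["baa_signed"] and v["training_opt_out"]):
            self._log(user, vendor, "", False)
            raise PermissionError(f"vendor {vendor!r} lacks a BAA or training opt-out")
        redacted, mapping = self.redact(prompt)
        self._log(user, vendor, redacted, True)
        return self.restore(model_call(redacted), mapping)


def verify_chain(log):
    """True if no entry was altered, inserted or removed since it was written."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    gw = Gateway(roster=["Jane Doe"])
    echo = lambda p: "Summary: " + p   # stand-in for a BAA-covered model
    print(gw.submit("dr.smith", "enterprise-llm",
                    "Jane Doe, DOB 03/14/1962, SSN 123-45-6789, MRN-000123", echo))
    print("audit chain intact:", verify_chain(gw.audit_log))
```

The roster-based name match is deliberately simple; a production gateway would use a clinical NER model or the EHR's patient index, and would persist the chained log to write-once storage so the 6-year retention survives a compromised gateway host. Rejected attempts are logged too, because an OCR reviewer will ask what was blocked as well as what was allowed.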

What the 2026 HIPAA Security Rule Update Likely Means for AI

The HHS OCR final rule expected May 2026 is the first major update to the HIPAA Security Rule in 20+ years. The NPRM published December 2024 proposes that all implementation specifications become required (eliminating the “addressable” flexibility) and introduces explicit technical controls including encryption, MFA, and network segmentation. AI governance is not yet called out as a named control — but the audit trail, access control, and documentation requirements all apply to any system handling ePHI, which now includes AI.

Practical implication: the practices that already have audited, BAA-covered AI governance will pass the new rule’s technical control review without changing anything. The practices that have shadow ChatGPT use on personal accounts will not.

For the full context, see our HIPAA cybersecurity guide for Florida medical practices and our AI for small business policies pillar. For the deployment side, our AI for Business solution provides the multi-vendor governed gateway with BAA coverage, audit logging, and PHI redaction out of the box.

// Key Takeaway
Every Florida medical practice already has AI in the building — whether through Microsoft Copilot, a sanctioned ambient scribe, or staff on personal ChatGPT accounts. The choice isn’t whether AI happens; it’s whether the practice can prove it’s BAA-covered, audited, and HIPAA-aligned when the compliance question arrives. Get the BAAs in writing. Route everything through a governed gateway. Log every session. The productivity gains are real and worth capturing, but only with the governance underneath.
// Written By
STEVE CONDIT
Founder & Owner, Simply IT · US Marine Veteran · 30+ Years IT Experience

Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.
