How Health Care Practices Can Use AI While Staying Compliant

July 13, 2026

Artificial intelligence (“AI”) is rapidly finding its way into health care practices, helping teams automate tasks, analyze information, and improve workflows. While AI offers significant benefits, its use in health care raises important questions regarding compliance, documentation, and patient care. To leverage these tools effectively and responsibly, practice owners must understand how existing health care laws apply to AI.

This article explores how AI is being used in health care settings, the risks surrounding it, and best practices for implementing these tools compliantly.

How Is AI Being Used by Health Care Practices?

AI is increasingly being adopted across health care practices, often in ways that are informal or unplanned. Many software platforms now include built-in AI features, and employees may use AI tools without formal approval or oversight. This is often referred to as “shadow AI,” where AI technology is used within a practice without clear policies governing its use.

When implemented appropriately, AI can help practices operate more efficiently, streamline administrative tasks, and reduce operational burdens. Common applications include:

Documentation and Transcription

Generates visit notes, summarizes patient visits, and supports medical record documentation.

Administrative Support

Manages scheduling, assists with billing tasks, and streamlines patient intake.

Patient Communications

Supports patient outreach, manages appointment reminders, responds to common practice questions, and automates patient follow-up.

Marketing

Develops website content, drafts social media posts, and creates patient education materials.

While these uses can improve efficiency, they also introduce legal and operational risks that require careful oversight.

What Are the Compliance Risks of Using AI in a Health Care?

The legal and regulatory framework surrounding AI continues to evolve, while its adoption in health care is advancing rapidly. As a result, uncertainty remains regarding how existing laws and regulations apply to AI, particularly when it is used in patient care, documentation, billing, and marketing. While regulators continue to develop guidance, health care practices should remain grounded in established legal and professional obligations when evaluating and implementing AI tools.

Scope of Practice and Standard of Care

Using AI to influence clinical decisions raises questions about whether the standard of care is being met and whether use falls within a physician’s scope of practice. Even when AI is used as a support tool, the responsibility for medical judgment remains with the physician.

Relying on an AI-generated recommendation without verifying the results may raise concerns about whether reasonable clinical judgment was exercised and whether the applicable standard of care was met.

Regulatory Oversight

AI use in health care can involve multiple regulatory bodies. Depending on how the technology is used, this can include:

  • The FDA, particularly when AI functions as software tied to clinical decision-making.
  • The FTC, especially in connection with advertising and consumer protection.
  • State medical boards, which oversee professional conduct and patient safety.

AI-generated marketing content, such as before-and-after pictures or outcome claims, may trigger scrutiny under FTC advertising standards if those materials are misleading. Navigating these issues can be challenging because regulatory guidance on AI in health care is still developing, and compliance expectations continue to evolve.

Billing and Coding Exposure

AI-assisted billing or coding tools can create risk under the False Claims Act and commercial payors repayments if claims are not backed by accurate documentation. This may occur when:

  • Codes do not align with the services provided.
  • AI-generated documentation does not fully support what is billed.
  • AI is providing insufficient documentation based on what is required by contract.

If an AI tool suggests a higher-level code based on incomplete documentation, submitting the claim without verification may put the practice at risk of an audit or enforcement action.

Data Privacy and Security

Some AI tools may involve patient information, recorded interactions, or third-party processing, which can raise concerns around data handling and security. These uses may raise concerns under HIPAA and broader cybersecurity expectations, particularly when sensitive information is shared with external platforms or stored outside of traditional systems. Uploading patient information into a third-party AI tool without a proper agreement in place may introduce risk if the platform does not meet HIPAA requirements.

Best Practices for Implementing AI in a Health Care

AI can offer significant benefits, but realizing those benefits requires more than simply adopting new technology. Health care practices should establish clear guidelines for how AI tools are selected, used, and monitored to help ensure compliance and reduce operational risk. The following areas provide a framework for implementing AI responsibly.

1. Maintain Clinical Oversight of AI Tools

Your medical license remains the foundation of your practice, regardless of the tools being used. AI can support operations, but it does not replace clinical judgment. Stated differently, a medical license grants the authority for a physician to treat patients and delegate those treatments. Physicians are responsible for meeting the standard of care and will be accountable to the patient for any use of AI to support patient care.

2. Create an AI Policy for Employees

A medical practice is heavily regulated, with laws affecting patient care, patient privacy and medical service marketing and advertising. A medical practice also has the traditional risk of employment laws designed to protect employees. How employees use AI can inadvertently expose the practice in any of these areas. They are commonly using AI tools to record conversations with supervisors and other employees. This creates a new dimension of risk, so it becomes imperative for a practice to determine its policy for recording conversations in the office.

Establish written guidelines early on to define:

  • Approved AI tools
  • Permitted AI use
  • Prohibited AI use

Finally, provide training to employees on proper use of AI in your practice. Clear rules help keep AI use consistent across your practice and reduce the risk of problems down the line.

3. Vet AI Vendors Before Implementation

Not all AI tools operate the same way, and bringing in a third-party vendor can create added risk. If that vendor handles patient information, the practice remains responsible for how the data is used, stored, and protected.

Before implementing any AI software, make sure you understand how patient data will be handled, what rights the vendor has to use it, and what protections are built into the contract. If the software handles protected health information, the vendor will also need to sign a business associate agreement.

Even popular AI tools can create risk if their terms allow broader data use, involve other vendors, or leave responsibility unclear.

4. Establish a Patient Recording Policy

Like employees, patients commonly use AI notetakers to record consultations. This creates risk because it introduces another piece of documentation that may conflict with the medical record. When developing a policy, practices should consider both legal risk and patient relationship concerns, including how much flexibility to allow patients in the consultation process. These considerations also overlap with Pillar #5, which focuses on how the practice handles its own recordings.

5. Update Patient Consents for AI Use

Practices may use AI in patient communications, intake, or visit documentation. Update consent forms and patient disclosures so patients understand when AI is used, if visits are recorded, how information is stored, and whether they can opt out or request an alternative. Clear communication reduces confusion, sets expectations, and lowers legal and reputational risk. Many states require consent of the patient before recording conversations (like use of an AI notetaker to chart a summary of the consultation).

6. Clarify Medical Record Retention and Documentation

Electronic medical records frequently offer an AI charting component that records the consultation and generates a summary for the patient record. That raises an important question: what happens to the raw recording of the conversation? Some companies delete this data after a short period, while others retain it indefinitely. Another key question is whether the recording could be treated as part of the medical record or become discoverable in a malpractice claim or medical board inquiry. Before adopting these tools, practices should evaluate how raw recordings are stored, retained, and treated for purposes of the medical record, litigation, and regulatory inquiries.

7. Review AI-Generated Marketing for Compliance

Practices should review all AI-generated marketing before it goes live to confirm that claims are accurate, supported, and consistent with FTC standards, HIPAA requirements, and state advertising rules.

This includes checking testimonials, before-and-after photos, AI-edited images, and outcome statements. If the content overstates results, uses patient information without proper authorization, or creates a misleading impression, it can create risk with regulators and licensing boards.

8. Address AI Cybersecurity Risks

Technological innovation, while amazing, introduces a new avenue for cyber criminals to attack a practice. A practice should maintain an active risk assessment for the security of its IT systems and provide cybersecurity training for its team. A great risk protection strategy is to maintain cybersecurity coverage.

Following these eight guidelines will allow a practice to embrace AI while managing AI compliance risk.

Key Takeaways for AI Compliance in Health Care Practices

As AI becomes more integrated into daily operations, health care practice owners should understand the key legal and compliance considerations that come with its day-to-day use.

AI Is Likely Already in Your Practice

Even without formal adoption, AI tools may already be used in day-to-day. operations.

Regulations Are Still Evolving

The legal and regulatory landscape continues to develop, creating uncertainty for practice owners.

A Structured Framework Supports Compliant AI Use

Establish an internal guide for consistent and compliant AI use.

Oversight and Policies Matter

Clear internal policies, employee oversight, and vendor diligence reduce compliance risk.

AI Implementation Should Be Intentional

Thoughtful use of AI allows practices to gain efficiency while protecting their license.

How ByrdAdatto Helps Health Care Practices Navigate AI Compliance

AI offers meaningful opportunities for efficiency and growth in health care practices, but only when it is supported by clear policies and oversight. As adoption increases, gaps in oversight, documentation, and vendor compliance can create risk that is often overlooked until problems arise.

ByrdAdatto works with health care practice owners who want proactive legal guidance as they evaluate opportunities, manage risk, and make informed business decisions. Whether you are exploring AI tools, implementing new systems, or developing internal policies, our team can help you create a framework that supports innovation while protecting your practice.

Contact ByrdAdatto to learn whether our approach is a good fit for your practice.

ByrdAdatto founding partner Michael Byrd

Michael S. Byrd

As the son of a doctor and entrepreneur, ByrdAdatto attorney Michael S. Byrd has a personal connection to both business and medicine.