BCL Consulting

HIPAA & AI · Hospice and Home Health

Your staff are already using AI.
Here is the HIPAA risk.

The exposure most agencies cannot see, and what to do about it.

By Brooke Lemchak · June 24, 2026

Your staff are already using AI. Someone in the office is pasting a patient narrative into ChatGPT to clean it up. A nurse practitioner is summarizing visits with the free version of a chatbot. It is making their work faster, so it is spreading. Most of it is happening without a policy, without training, and without anyone tracking which tools touch patient information.

For most agencies right now, this is the Wild West. The staff who have figured out AI are quietly doing more of it. Administrators often know it is happening, but they cannot say who is doing it, which tools are involved, or how exposed the agency is.

Where the exposure actually is

The moment protected health information goes into a public AI tool, it is gone. It is out of your control, with no record of where it went.

If that surfaces in an audit or a complaint, "we did not have a policy for that" is not an answer you want to give a surveyor, an attorney, or a hospital-system compliance officer.

Your EMR is adding AI. That is not governance.

Most EMRs are adding AI features now. Ambient charting. Coding help. Risk flags. They make documentation faster, which matters. Faster charting is not a policy. It is not an audit of what your staff use, a vetted tool list, or the documentation a surveyor would ask for. That part is still yours.

Your EMR only sees what happens inside it. The harder problem is the tools your staff use on their own. One 2025 study found that 71 percent of healthcare workers still use personal AI accounts for work. No one approved those accounts. No one is watching them.

Source: Netskope Threat Labs, Healthcare 2025.

What a surveyor would ask

Three questions, most likely. Do you have a written policy? Have your staff been trained? Can you show which tools touch patient information? The goal is to answer all three with a document in hand.

What governance actually looks like

It does not require a big platform purchase. For most agencies it is four things.

  • A written AI use policy your staff can be held to. What is appropriate, what is prohibited, what is compliant.
  • A staff-use audit that shows what tools your people use today and where they touch patient data. It produces evidence either way. Confidence if you are clean, a map if you are not.
  • A PHI-safe tool list. A short, vetted set of AI tools with HIPAA protections and a business associate agreement available, so you stop evaluating proposals one inbox demo at a time.
  • A short staff training, so the policy lands with the people who have to follow it.

Where I fit

I am a PhD clinician who has worked inside interdisciplinary care teams. I help hospice, home health, and palliative care agencies put a policy around the AI their staff already use, written for the people who have to live with it. If this sounds like your agency, I am happy to talk it through.

The AI Governance Pack

A written policy, a staff-use audit, a PHI-safe tool list, and a one-hour training. Tiers from $1,800. See what is included and what it costs.

View the governance pack →