Tendril — AI Lessons for Real Life

Tendril

The HIPAA and AI collision

HIPAA was enacted in 1996, long before consumer AI tools existed. Its Privacy Rule and Security Rule still govern any PHI processed by a covered entity or business associate — including, now, AI tools used by healthcare workers. A nurse using ChatGPT to summarize a patient note without a BAA is committing a HIPAA violation, regardless of whether data is shared further.

The 18 PHI identifiers

HIPAA's Safe Harbor method for de-identification requires removing 18 specific identifier categories. AI tools are only safe to use with patient data when all 18 are removed or the data has been certified as de-identified by a statistical expert. The 18 categories include: name, geographic data below state level, dates (except year) for individuals over 89, phone numbers, fax numbers, email, SSN, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifier.

Consumer AI tools (ChatGPT free tier, Claude.ai standard) are not BAA-covered by default

Enterprise tiers with BAAs exist — confirm with your vendor before clinical use

De-identification does not mean 'remove the name' — all 18 identifiers must go

Geographic data below state level includes city, county, ZIP code, and address

Small cell sizes (fewer than 3 patients per demographic group) can be re-identified even without explicit identifiers

The big idea: the prompt window is part of your documentation environment. HIPAA applies.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-healthcare-hipaa-ai-tools-adults

A registered nurse wants to use ChatGPT to summarize a patient discharge summary for a family meeting. Before pasting any patient information, which question must the nurse first answer?

Does my organization have a Business Associate Agreement with this AI vendor?
Will the AI tool store this data on my local computer?
Is the patient's insurance information included in the summary?
Has the patient signed a release for AI-generated communications?

Under HIPAA's Safe Harbor de-identification method, how many specific identifier categories must be removed from protected health information?

14 categories focused on direct identifiers
22 categories including technological identifiers
18 categories covering all potential re-identification factors
10 categories of major identifiers

A healthcare system subscribes to the enterprise tier of an AI chatbot service specifically designed for healthcare. What must be confirmed before entering any patient data?

A signed Business Associate Agreement exists between the vendor and the healthcare system
The AI tool automatically deletes data after 24 hours
The patient's primary care physician has approved AI usage for their care
The AI model has been certified by the FDA as clinically accurate

Which scenario represents a potential HIPAA violation involving AI tools?

A medical coder uses an AI tool with synthetic (fictional) patient data to practice coding workflows
A billing specialist uses an approved AI tool with de-identified claims data for revenue cycle analysis
A physician enters a patient's symptoms into a free consumer AI chatbot to get diagnostic suggestions
A receptionist uses AI to generate an appointment reminder template without any patient-specific data

Which of the following is considered a geographic identifier under HIPAA's 18 identifier categories?

The name of the hospital where treatment occurred
The patient's country of origin
The patient's ZIP code combined with the first three digits of their phone number
The patient's state of residence

A research dataset contains patient outcome data grouped by age range and diagnosis. The smallest group contains only two patients. Despite removal of names and direct identifiers, what risk remains?

The data must be reported to HHS immediately
The data is automatically HIPAA-compliant since identifiers were removed
The AI tool used to create the groups has violated HIPAA
Small cell sizes create re-identification risk even without explicit identifiers

What is the maximum annual penalty for HIPAA violations within a single violation category?

$1.9 million annually per violation category
$500,000 annually
$100,000 per violation
$5 million in total lifetime penalties

According to HIPAA guidelines, what is the appropriate use of AI tools in clinical workflows?

Use AI to diagnose conditions and recommend treatments without physician oversight
Use AI to make treatment decisions while the physician is unavailable
Use AI to directly modify patient medical records based on AI suggestions
Use AI to organize information, summarize notes, and draft options for clinical consideration

A healthcare worker removes a patient's name from a clinical note before entering it into an AI tool. Is this sufficient for HIPAA-compliant use?

No, all 18 identifier categories must be removed under Safe Harbor
No, only AI tools with BAAs can process any patient data regardless of de-identification
Yes, removing the name is sufficient since names are the primary identifier
Yes, as long as no other obvious identifiers like photos or dates are included

Which party is considered a covered entity under HIPAA regulations?

A software company selling AI tools to hospitals
A health insurance company processing claims
A pharmaceutical company advertising medications
A patient advocacy nonprofit providing counseling

Why is the AI prompt window considered part of the documentation environment under HIPAA?

Because the prompt window is hosted on government-regulated servers
Because any patient data entered into a system becomes part of the medical record
Because healthcare workers are required to print and file AI conversations
Because AI companies are required to maintain documentation for HIPAA compliance

What does the lesson advise about using de-identified examples when uncertain about AI compliance?

De-identified examples are not useful for healthcare AI applications
De-identified examples should only be used with written patient consent
De-identified examples are always safe to use in any AI tool
Use de-identified examples or stop if any of four key questions cannot be answered affirmatively

Which of the following is NOT one of the 18 HIPAA Safe Harbor identifiers?

The patient's blood type and Rh factor
Biometric identifiers such as fingerprints
Medical record numbers
Full-face photographs and comparable images

A healthcare worker claims, 'I didn't know this was a HIPAA violation' after entering patient data into an AI tool without a BAA. How does this impact penalty assessment?

It converts the violation into a warning rather than a citation
It automatically reduces the penalty to the minimum $100
It eliminates any penalty because intent is required for violations
It is not a mitigating defense and may result in lower-tier penalties

Before using any AI tool with patient-related work, a healthcare worker must confirm which of the following?

The AI tool has won industry awards for accuracy
The patient has given verbal consent for AI analysis
The tool is covered by a BAA, all 18 identifiers are removed, the tool is IT-approved, and the worker knows the acceptable use policy
The AI tool can be accessed from personal smartphones

The HIPAA and AI collision

The 18 PHI identifiers

Consumer AI tools (ChatGPT free tier, Claude.ai standard) are not BAA-covered by default

Enterprise tiers with BAAs exist — confirm with your vendor before clinical use

De-identification does not mean 'remove the name' — all 18 identifiers must go

Geographic data below state level includes city, county, ZIP code, and address

Small cell sizes (fewer than 3 patients per demographic group) can be re-identified even without explicit identifiers

The big idea: the prompt window is part of your documentation environment. HIPAA applies.

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-healthcare-hipaa-ai-tools-adults

A registered nurse wants to use ChatGPT to summarize a patient discharge summary for a family meeting. Before pasting any patient information, which question must the nurse first answer?

Does my organization have a Business Associate Agreement with this AI vendor?
Will the AI tool store this data on my local computer?
Is the patient's insurance information included in the summary?
Has the patient signed a release for AI-generated communications?

Under HIPAA's Safe Harbor de-identification method, how many specific identifier categories must be removed from protected health information?

14 categories focused on direct identifiers
22 categories including technological identifiers
18 categories covering all potential re-identification factors
10 categories of major identifiers

A healthcare system subscribes to the enterprise tier of an AI chatbot service specifically designed for healthcare. What must be confirmed before entering any patient data?

A signed Business Associate Agreement exists between the vendor and the healthcare system
The AI tool automatically deletes data after 24 hours
The patient's primary care physician has approved AI usage for their care
The AI model has been certified by the FDA as clinically accurate

Which scenario represents a potential HIPAA violation involving AI tools?

A medical coder uses an AI tool with synthetic (fictional) patient data to practice coding workflows
A billing specialist uses an approved AI tool with de-identified claims data for revenue cycle analysis
A physician enters a patient's symptoms into a free consumer AI chatbot to get diagnostic suggestions
A receptionist uses AI to generate an appointment reminder template without any patient-specific data

Which of the following is considered a geographic identifier under HIPAA's 18 identifier categories?

The name of the hospital where treatment occurred
The patient's country of origin
The patient's ZIP code combined with the first three digits of their phone number
The patient's state of residence

A research dataset contains patient outcome data grouped by age range and diagnosis. The smallest group contains only two patients. Despite removal of names and direct identifiers, what risk remains?

The data must be reported to HHS immediately
The data is automatically HIPAA-compliant since identifiers were removed
The AI tool used to create the groups has violated HIPAA
Small cell sizes create re-identification risk even without explicit identifiers

What is the maximum annual penalty for HIPAA violations within a single violation category?

$1.9 million annually per violation category
$500,000 annually
$100,000 per violation
$5 million in total lifetime penalties

According to HIPAA guidelines, what is the appropriate use of AI tools in clinical workflows?

Use AI to diagnose conditions and recommend treatments without physician oversight
Use AI to make treatment decisions while the physician is unavailable
Use AI to directly modify patient medical records based on AI suggestions
Use AI to organize information, summarize notes, and draft options for clinical consideration

A healthcare worker removes a patient's name from a clinical note before entering it into an AI tool. Is this sufficient for HIPAA-compliant use?

No, all 18 identifier categories must be removed under Safe Harbor
No, only AI tools with BAAs can process any patient data regardless of de-identification
Yes, removing the name is sufficient since names are the primary identifier
Yes, as long as no other obvious identifiers like photos or dates are included

Which party is considered a covered entity under HIPAA regulations?

A software company selling AI tools to hospitals
A health insurance company processing claims
A pharmaceutical company advertising medications
A patient advocacy nonprofit providing counseling

Why is the AI prompt window considered part of the documentation environment under HIPAA?

Because the prompt window is hosted on government-regulated servers
Because any patient data entered into a system becomes part of the medical record
Because healthcare workers are required to print and file AI conversations
Because AI companies are required to maintain documentation for HIPAA compliance

What does the lesson advise about using de-identified examples when uncertain about AI compliance?

De-identified examples are not useful for healthcare AI applications
De-identified examples should only be used with written patient consent
De-identified examples are always safe to use in any AI tool
Use de-identified examples or stop if any of four key questions cannot be answered affirmatively

Which of the following is NOT one of the 18 HIPAA Safe Harbor identifiers?

The patient's blood type and Rh factor
Biometric identifiers such as fingerprints
Medical record numbers
Full-face photographs and comparable images

A healthcare worker claims, 'I didn't know this was a HIPAA violation' after entering patient data into an AI tool without a BAA. How does this impact penalty assessment?

It converts the violation into a warning rather than a citation
It automatically reduces the penalty to the minimum $100
It eliminates any penalty because intent is required for violations
It is not a mitigating defense and may result in lower-tier penalties

Before using any AI tool with patient-related work, a healthcare worker must confirm which of the following?

The AI tool has won industry awards for accuracy
The patient has given verbal consent for AI analysis
The tool is covered by a BAA, all 18 identifiers are removed, the tool is IT-approved, and the worker knows the acceptable use policy
The AI tool can be accessed from personal smartphones

HIPAA Considerations for AI Tools: Protecting Patient Privacy in the Prompt

The HIPAA and AI collision

The 18 PHI identifiers

End-of-lesson check

HIPAA Considerations for AI Tools: Protecting Patient Privacy in the Prompt

The HIPAA and AI collision

The 18 PHI identifiers

End-of-lesson check