Tendril — AI Lessons for Real Life

Tendril

The HIPAA and AI collision

HIPAA was enacted in 1996, long before consumer AI tools existed. Its Privacy Rule and Security Rule still govern any PHI processed by a covered entity or business associate — including, now, AI tools used by healthcare workers. A nurse using ChatGPT to summarize a patient note without a BAA is committing a HIPAA violation, regardless of whether data is shared further.

The 18 PHI identifiers

HIPAA's Safe Harbor method for de-identification requires removing 18 specific identifier categories. AI tools are only safe to use with patient data when all 18 are removed or the data has been certified as de-identified by a statistical expert. The 18 categories include: name, geographic data below state level, dates (except year) for individuals over 89, phone numbers, fax numbers, email, SSN, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifier.

Consumer AI tools (ChatGPT free tier, Claude.ai standard) are not BAA-covered by default

Enterprise tiers with BAAs exist — confirm with your vendor before clinical use

De-identification does not mean 'remove the name' — all 18 identifiers must go

Geographic data below state level includes city, county, ZIP code, and address

Small cell sizes (fewer than 3 patients per demographic group) can be re-identified even without explicit identifiers

The big idea: the prompt window is part of your documentation environment. HIPAA applies.

End-of-lesson check

8 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-healthcare-hipaa-ai-tools-adults

What is the main idea of "HIPAA Considerations for AI Tools: Protecting Patient Privacy in the Prompt"?

Every healthcare worker using AI tools must understand when patient data becomes PHI, what constitutes a HIPAA violation.
Use AI as the final authority for the whole decision
Avoid checking the answer once it sounds polished
Focus only on speed instead of judgment

Which concept is most central to "HIPAA Considerations for AI Tools: Protecting Patient Privacy in the Prompt"?

PHI
HIPAA
BAA
de-identification

Which use of AI fits this topic best?

Let the AI decide what matters without your review
Use the answer before checking whether it fits the situation
Consumer AI tools (ChatGPT free tier, Claude.ai standard) are not BAA-covered by default
Treat the AI output as automatically correct

What should a careful learner remember about "Safe AI use policy checklist"?

Use AI to organize questions, then involve a qualified adult or clinician before acting.
Skip the context so the tool can guess faster
Treat the output as private even after sharing it online
Use the answer without checking the source

You want to use AI after this lesson. What is the safest next step?

Act immediately because the AI answer is written clearly
AI cannot replace a clinician, emergency service, or trusted adult in medical decisions.
Hide uncertainty so the final answer looks cleaner
Use private or sensitive details before checking permission

How should AI output about HIPAA be treated?

As proof that no other source is needed
As a replacement for context, consent, or expert review
As a draft or helper output that still needs human judgment and verification
As something that becomes correct when it sounds confident

Name one way to verify an AI answer about HIPAA.

Which action would help you apply "HIPAA Considerations for AI Tools: Protecting Patient Privacy in the Prompt" responsibly?

Use the tool to avoid thinking through the tradeoff
Keep going even if the output conflicts with a trusted source
Treat the AI output as automatically correct
Enterprise tiers with BAAs exist — confirm with your vendor before clinical use