Every AI Prompt Is a Disclosure: What Healthcare Organizations Need to Know Right Now
If you work in healthcare and your team is using AI tools, there are a few things you need to hear — and one of them might make you rethink how you talk about “anonymized data.”
HIPAA Was Not Written for This
Let’s be honest. Regulations like HIPAA have always lagged a little behind technology. That gap is not new. But the speed at which AI has entered clinical and administrative workflows has made that gap significantly more dangerous. HIPAA was not written with large language models in mind, and the updates needed to account for AI-driven data use are still catching up. That means the responsibility to protect patient information right now falls on your policies and your people, not the regulations.
Removing Names Does Not Mean Anonymous
Here is the piece that catches most organizations off guard: every AI prompt is a disclosure.
A lot of people believe that removing a patient name from a query makes the data anonymous. It does not. The details of a query often contain enough identifying information (age, location, dates, diagnoses) that, combined with another data set holding similar details, the two could be linked to identify a specific individual. This is not a new technique. Researchers and investigators have been cross-referencing databases for years. AI just makes the problem larger and faster.
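To make the linkage risk measurable, here is an added example (not from the original post) that counts how many records share each query's quasi-identifiers before and after coarsening them; the records and field names are constructed and hypothetical.

```python
from collections import Counter

# Constructed sample of "de-identified" prompt records: the patient name is
# gone, but each still carries quasi-identifiers (hypothetical field names).
PROMPT_RECORDS = [
    {"age": 67, "sex": "F", "zip": "59601", "visit": "2024-03-02"},
    {"age": 64, "sex": "F", "zip": "59602", "visit": "2024-03-15"},
    {"age": 45, "sex": "M", "zip": "59718", "visit": "2024-03-09"},
    {"age": 41, "sex": "M", "zip": "59715", "visit": "2024-03-20"},
    {"age": 67, "sex": "F", "zip": "59601", "visit": "2024-03-02"},
    {"age": 33, "sex": "F", "zip": "59801", "visit": "2024-04-01"},
    {"age": 38, "sex": "F", "zip": "59802", "visit": "2024-04-18"},
]
QUASI_IDENTIFIERS = ("age", "sex", "zip", "visit")

def k_anonymity(records, keys):
    """One k per record: how many records (itself included) share the same
    combination of quasi-identifier values. k == 1 means the combination is
    unique, so a second data set holding the same fields could single it out."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return [counts[tuple(r[k] for k in keys)] for r in records]

def unique_records(records, keys):
    """Indices of records whose quasi-identifier combination is unique."""
    return [i for i, k in enumerate(k_anonymity(records, keys)) if k == 1]

def min_k(records, keys):
    """Smallest k in the set: the weakest record decides the risk."""
    return min(k_anonymity(records, keys))

def generalize(record):
    """Coarsen quasi-identifiers before the text is sent to an AI tool:
    decade age band, 3-digit ZIP prefix, visit month instead of day."""
    return {
        **record,
        "age": f"{record['age'] // 10 * 10}s",
        "zip": record["zip"][:3] + "**",
        "visit": record["visit"][:7],
    }

if __name__ == "__main__":
    coarse = [generalize(r) for r in PROMPT_RECORDS]
    print(f"raw: min k={min_k(PROMPT_RECORDS, QUASI_IDENTIFIERS)}, "
          f"unique records={unique_records(PROMPT_RECORDS, QUASI_IDENTIFIERS)}")
    print(f"generalized: min k={min_k(coarse, QUASI_IDENTIFIERS)}, "
          f"unique records={unique_records(coarse, QUASI_IDENTIFIERS)}")
```

Five of the seven raw records are unique on their quasi-identifiers even with names removed; after generalization every combination is shared by at least two records.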
Think of it the way we have been thinking about Google for a long time: just because you cannot see the people on the other side does not mean they cannot see you. The same principle applies to AI. When information goes in, it gets used in ways that are not always visible or predictable.
Shadow AI Is Already In Your Building
When we ask healthcare organizations about their AI policies, we hear the same answer over and over: “I know my people are using it. I cannot track it. I have no idea what they are putting in there.”
That is shadow AI, and it is operating in most organizations right now whether leadership has acknowledged it or not.
The answer is not to ban AI. People are using these tools because they are genuinely useful productivity tools, not because they are trying to cause harm. The answer is to take a position, communicate it, and start building visibility into usage — even if the policy is not perfect yet. There is no perfect AI policy right now. But having something in place, and making sure your team knows what acceptable use looks like, makes a meaningful difference.
Start there. Be prepared for it to change.
There Is No Such Thing as Free AI
The last thing worth pushing back on is the idea of free professional AI tools. There is no such thing as free, especially in a clinical context.
A tool like Open Evidence does not charge clinical professionals or physicians to use it. But it has to pay for itself somehow. Right now that comes through advertising, endorsements, and venture capital funding. When a tool is funded that way, the question you have to ask is whether the outputs are truly neutral, or whether there is influence baked in somewhere. Is it auditable? Can you trust but verify? These are not hypothetical questions. They are operational ones that healthcare organizations need to be asking before they rely on AI-generated clinical guidance.
The Bottom Line
AI in healthcare is not going away and the benefits are real. But so are the risks. The organizations that are going to navigate this well are the ones that get informed, take a position, and start building governance now rather than waiting for the regulations to catch up.
If you want help thinking through what an AI use policy looks like for your organization, or how to assess where your current exposure is, reach out to the LMG Security team.