AI Chat for Healthcare Practices
Use cases for small practices (intake, notes, patient comms), the BAA + ZDR requirement, and a 30-minute setup walkthrough that holds up in an audit.
What a small healthcare practice can actually use AI for
Most clinicians hear "AI in healthcare" and picture diagnostic models or radiology software. That's the wrong frame for a small practice. The wins are smaller, closer, and immediate. They're the parts of the day that aren't medicine: typing, chasing, summarizing, drafting.
Here's where AI earns its keep in a 1- to 10-clinician practice:
- Patient intake summarization. Long forms in, three-bullet summary out. Saves five minutes per new patient.
- Clinical note drafting. SOAP, DAP, BIRP, whatever your specialty uses. The AI listens or reads, drafts the note, the clinician reviews and signs.
- Patient communications. Follow-up messages, appointment reminders, post-visit care instructions, plain-language explainers for diagnoses or procedures.
- Prior authorization letters. Feed the AI the diagnosis, the requested treatment, and the payer's criteria. Get a draft letter back. Edit and send.
- Billing code suggestions. Paste the visit summary, get suggested ICD-10 and CPT codes. Coder verifies.
- Internal documentation. SOPs, onboarding checklists, training materials, policies. Boring to write, fast to draft.
- Training materials. New hire walkthroughs, refreshers on intake procedures, HIPAA reminders.
Every item on this list saves time. None of it replaces clinical judgment. The clinician still reviews, edits, and signs everything that touches a patient.
Why ChatGPT and Claude.ai don't qualify by default
This is the part most practices get wrong. Someone on staff opens ChatGPT, pastes in an intake form to get a quick summary, and just committed a HIPAA breach. They didn't know. The tool didn't warn them. The breach is real.
Consumer-tier ChatGPT (Free, Plus, Team) and consumer Claude (Free, Pro, Team) don't sign Business Associate Agreements. Without a BAA, the vendor isn't a permitted recipient of PHI under HIPAA. Period.
What happens to anything you paste into those tools:
- Stored on vendor servers, attached to your account, indefinitely by default.
- Used to train future models on consumer plans (with manual opt-out, which is not the default).
- Subject to subpoena. The chat is a record.
- Available to anyone who breaches the user's account.
The fix isn't "tell staff to be careful." Staff get busy. The fix is to give them a tool that's actually compliant, so the careful version and the convenient version are the same version. Our deeper write-up is at HIPAA-Compliant AI Chat.
The HIPAA bar a practice must clear
Whatever AI tool you pick, here's the checklist. If a vendor can't answer yes to all of these, they don't get PHI.
- Signed BAA. The vendor signs a Business Associate Agreement that binds them to HIPAA's privacy and security rules. Get the actual signed document. Save it.
- Encryption in transit and at rest. TLS 1.2 or higher in transit, AES-256 at rest. Standard, but verify it's in the BAA or the vendor's security documentation.
- Audit logs. Who accessed what, when. Available to you on request, retained for at least 6 years.
- Retention policy. How long the vendor keeps data, and what happens when you cancel. You want short retention and clean deletion.
- Breach notification SLA. How fast the vendor tells you if they're breached. HIPAA requires you to notify patients within 60 days; you can't do that if your vendor sits on it for 90.
- Sub-processor disclosure. Who else touches the data (cloud providers, monitoring tools). Listed in the BAA or DPA.
- Staff training on file. Your team has been trained on what goes into the AI and what doesn't.
- Written workflow. One page describing how AI fits in your practice, who uses it for what, and what guardrails are in place.
Eight items. None of them takes long once you know to ask. For more on the BAA-backed vendor question, see BAA-Backed AI Chat.
The vendor options for small practices
The BAA-backed AI vendor list isn't huge, but it's enough. Here's how the main options break down by use case:
| Vendor | Best for | BAA | Notes |
|---|---|---|---|
| Heidi | Real-time clinical scribing | Yes | Popular with small primary care, multi-specialty. Per-clinician pricing. |
| Suki | Real-time clinical scribing | Yes | Voice-first, EHR integrations. Common in primary care, urgent care. |
| DAX (Nuance / Microsoft) | Ambient scribing, enterprise | Yes | Heavier-weight, deep Epic and Cerner integration. Pricey for solo practices. |
| Augmedix | Live scribing with human review | Yes | Hybrid AI plus human scribe model. Higher cost, lower error rate. |
| Mentalyc | Mental health session notes | Yes | Built for therapists. DAP, SOAP, BIRP, GIRP formats. |
| Upheal | Mental health session notes | Yes | Therapy-specific, with treatment planning support. |
| Private Claude Business | General-purpose Claude chat | Yes | Intake summaries, prior auth, internal docs, drafting. $1,449/year. |
| Hathr | General Claude chat, BAA-backed | Yes | Healthcare-focused Claude wrapper. Per-seat pricing. |
| OpenAI Enterprise | General GPT chat | Yes | BAA available on Enterprise tier only. Not Plus, not Team. |
| Anthropic Enterprise | General Claude chat | Yes | BAA on Enterprise tier. Higher minimums, designed for larger orgs. |
| Microsoft Azure OpenAI | Custom GPT deployments | Yes | If you're already on Azure, the BAA covers it. |
For a small practice, the practical short list is: Heidi or Suki for scribing, Mentalyc or Upheal for therapy, Private Claude Business or Hathr for everything else. That covers 90% of what a 1- to 10-clinician practice needs.
Specialty-specific notes
What you pick depends heavily on what you do.
Primary care, urgent care, internal medicine. You want real-time ambient scribing. The clinician talks to the patient, the AI captures and structures the note. Heidi and Suki are the right calls. Both integrate with the major EHRs. Pricing runs $99 to $300 per clinician per month.
Mental health (therapists, counselors, psychologists). You want narrative session notes, not bullet-point SOAPs. Mentalyc and Upheal are built specifically for this. They handle treatment planning, progress notes, and the longer-form documentation therapy requires. We have a deeper breakdown at HIPAA AI for Therapists and Counselors.
Specialty practices (derm, ortho, cardiology). Mixed bag. Suki and DAX both have specialty-specific templates. If your specialty has heavy procedure documentation, ask the vendor for specialty-tuned demos before you sign.
General practice administrative work. If you mostly need help with prior auths, intake summaries, internal SOPs, training materials, and patient communications drafts, you want a flexible general-purpose AI chat. Private Claude Business or Anthropic Enterprise. Cheaper than a clinical scribe, and it handles a wider mix of work.
The 30-minute compliant setup
Here's the actual sequence to get a small practice from "nothing" to "compliant and using AI" in half an hour. We've watched practices drag this out for months. It doesn't have to.
- Minutes 0 to 5: Pick the vendor. Use the table above. Match to your specialty. Pick one. Don't shop forever.
- Minutes 5 to 10: Sign the BAA. Most BAA-backed vendors have a self-serve BAA in their admin panel or a quick request form. Sign it. Save the PDF to a folder named "Compliance" in your practice's drive.
- Minutes 10 to 25: Train staff (15 minutes). One meeting. Three points: (1) what goes in the AI (allowed tasks, approved data), (2) what doesn't (any PHI in non-BAA tools), (3) where to send anything sensitive (the approved tool, no exceptions). Have everyone sign an acknowledgment.
- Minutes 25 to 28: Document the workflow on one page. "We use [vendor] for [tasks]. PHI is permitted because we have a signed BAA dated [date]. Staff trained on [date]. Audit reminder set for [90 days out]." That's it. Save it next to the BAA.
- Minutes 28 to 30: Set the 90-day audit reminder. Calendar event. Re-read the workflow doc, check audit logs, confirm the BAA is still in place, retrain anyone new.
That's the whole compliant rollout. Anyone telling you it has to be more complicated is either selling consulting hours or scared of the wrong things.
Patient consent for AI scribing
If audio is recorded for AI scribing, you need written patient consent. That's not optional. Add a paragraph to your intake forms:
"This practice uses AI-assisted note-taking software during visits to help your clinician document our conversation accurately. Audio is processed securely under HIPAA and is not retained beyond what's required to generate your visit notes. You may decline at any time without affecting your care."
For text-based AI use (the clinician types notes into the AI, no audio), written consent isn't strictly required, but it's still standard HIPAA practice and we recommend documenting it. It costs nothing and it's the answer to "did the patient know" in any complaint.
Some practices add a poster in the waiting room and a one-line callout on the intake form. Belt and suspenders, but cheap insurance.
What an auditor or payer will ask
If your practice gets audited, or a payer asks about your AI use, here's what they actually want to see. Have these four things ready and you're done:
- The signed BAA. Dated, both signatures. PDF in the Compliance folder.
- Staff training records. Who was trained, when, what they were trained on. Signed acknowledgments.
- Audit logs from the AI vendor. Who accessed what, when. Most BAA-backed vendors expose these in the admin panel. Pull a sample on request.
- The one-page workflow document. What you use AI for, what data is allowed, who's authorized, when you re-audit.
That's the whole audit packet. Most practices think they need a 40-page policy document. They don't. Auditors want the four items above and evidence you take it seriously.
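The "check audit logs" step of the 90-day audit and the "pull a sample on request" item above both come down to the same question: does the vendor's log of who used the tool, and when, match the list of authorized staff in your one-page workflow document? The script below is an added example written for this page, not code from any vendor or from Private Claude Business. It assumes a JSON-lines export with `ts`, `user`, `action` and `tool` fields; that format, the sample lines, the staff addresses and the `export.download` action name are all constructed for illustration, since the page does not specify any vendor's schema. It flags three things a reviewer would want to see at the 90-day check: users not on the authorized list (a departed staff member whose seat was never removed), activity outside business hours, and sensitive actions such as history exports.

```python
"""Reconcile an AI vendor's audit-log export against the practice's authorized-user list.

Added example for this page; the export format below is constructed and is not any
vendor's real schema. Timestamps are treated as UTC, and business hours are evaluated
in that same timezone (an assumption; adjust for your practice's local time).
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample export: one JSON object per line, plus one malformed line
# to show that a bad record is counted rather than aborting the review.
SAMPLE_EXPORT = """\
{"ts": "2025-03-03T09:12:00Z", "user": "dr.lee@example-practice.test", "action": "chat.create", "tool": "intake_summary"}
{"ts": "2025-03-03T09:40:00Z", "user": "front.desk@example-practice.test", "action": "chat.create", "tool": "prior_auth_draft"}
{"ts": "2025-03-04T02:15:00Z", "user": "dr.lee@example-practice.test", "action": "export.download", "tool": "history"}
this line is not valid JSON and should be skipped
{"ts": "2025-03-05T11:05:00Z", "user": "former.staff@example-practice.test", "action": "chat.create", "tool": "intake_summary"}
{"ts": "2025-03-06T10:00:00Z", "user": "admin@example-practice.test", "action": "baa.view", "tool": "admin"}
"""

# The "who's authorized" line of the one-page workflow document (constructed).
AUTHORIZED_USERS = {
    "dr.lee@example-practice.test",
    "front.desk@example-practice.test",
    "admin@example-practice.test",
}


def parse_export(text):
    """Parse a JSON-lines export into records; return (records, skipped_line_count)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            # Require the fields the review depends on; "Z" is normalized so
            # datetime.fromisoformat accepts it on every supported Python version.
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            rec["user"], rec["action"]
            entries.append(rec)
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return entries, skipped


def review(entries, authorized, business_hours=(7, 19), sensitive_actions=("export.download",)):
    """Return (findings, per_user_activity) for a parsed export.

    findings["unauthorized"]: activity by anyone not on the authorized list
    findings["off_hours"]:    activity outside business_hours (start inclusive, end exclusive)
    findings["sensitive"]:    actions that warrant a second look regardless of who did them
    """
    findings = {"unauthorized": [], "off_hours": [], "sensitive": []}
    per_user = Counter()
    start, end = business_hours
    for rec in entries:
        per_user[rec["user"]] += 1
        if rec["user"] not in authorized:
            findings["unauthorized"].append(rec)
        if not (start <= rec["ts"].hour < end):
            findings["off_hours"].append(rec)
        if rec["action"] in sensitive_actions:
            findings["sensitive"].append(rec)
    return findings, per_user


if __name__ == "__main__":
    records, bad = parse_export(SAMPLE_EXPORT)
    result, activity = review(records, AUTHORIZED_USERS)
    print(f"{len(records)} records reviewed, {bad} malformed line(s) skipped")
    for user, count in activity.most_common():
        print(f"  {user}: {count} action(s)")
    for category, hits in result.items():
        for rec in hits:
            print(f"  [{category}] {rec['ts'].isoformat()} {rec['user']} {rec['action']} ({rec['tool']})")
```

Run it on a real export by reading the file into `parse_export` instead of `SAMPLE_EXPORT` and filling `AUTHORIZED_USERS` from the workflow document. The unauthorized-user finding is the one that matters most at the 90-day check: it is direct evidence of a seat that should have been removed, which is exactly the kind of gap an auditor looks for when comparing training records against vendor logs.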
Use cases to avoid or pause
A few things AI shouldn't do in a small practice, even with a signed BAA:
- Anything where the AI's output is a clinical decision. Diagnoses, treatment plans, dose calculations. The AI drafts. The clinician decides and signs. If your workflow lets the AI's output go straight to a patient or chart without clinician review, fix the workflow before fixing anything else.
- Anything where consent wasn't documented. If a patient hasn't signed the intake form with the AI clause, don't run their visit through an AI scribe. Pause until consent is on file.
- Any tool without a BAA. No exceptions, no "just this once," no "I removed the names first." De-identification is harder than it looks and you don't get to decide what counts.
- Auto-sending AI-generated patient communications. Drafting is fine. Sending without a human review step is asking for the day a hallucinated dosing instruction goes out.
- Anything billable that wasn't reviewed. AI-suggested billing codes need a coder or clinician verifying them before they go on a claim. Otherwise you're one audit away from a fraud allegation, even if the AI was probably right.
What Private Claude Business offers a healthcare practice
If your practice needs a flexible Claude chat for the wide range of non-scribing work (intake summaries, prior auth letters, internal SOPs, patient comms drafts, training materials), here's what Private Claude Business gives you:
- Signed BAA. Standard. Required.
- BYOK or VPC deploy. Bring your own Anthropic key, or we deploy in your VPC if you want the data path inside your own cloud account.
- Zero application chat history. We don't store conversations. The model provider's operational logs auto-delete on a 7-day window. There's nothing to subpoena and nothing to breach on our side.
- Audit logs. Who used the tool, when, for what. Exportable.
- EHR integration potential. For practices that want Claude to read structured patient data from their EHR with proper auth and consent. Available on the VPC tier.
- $1,449 per year. Flat. No per-seat tax until you scale beyond a small practice.
It's not a clinical scribe. If you need real-time visit transcription, use Heidi or Suki. Private Claude Business is the everything-else tool: the intake summary, the prior auth, the internal doc, the patient email draft, the training material. The work that eats hours and doesn't need a specialty-built tool.
Frequently asked questions
Can a small healthcare practice use ChatGPT or Claude.ai?
Not with PHI. Consumer ChatGPT, ChatGPT Plus, ChatGPT Team, Claude Free, Claude Pro, and Claude Team don't sign BAAs. Pasting any patient identifier into them is a HIPAA breach. You need an Enterprise tier with a signed BAA, or a vendor that's healthcare-specific.
What is a BAA and why do I need one?
A Business Associate Agreement is a contract HIPAA requires between a covered entity (your practice) and any vendor that handles PHI. It binds the vendor to the same privacy and security rules you follow. No BAA, no PHI. That's the rule.
Do I need patient consent to use AI for note-taking?
Yes, in writing. If audio is recorded for AI scribing, written consent is required. Even for text-based use (typing notes into an AI to clean up), document consent in your intake forms. It's standard HIPAA practice and protects you in an audit.
Which AI scribe is right for primary care?
Heidi, Suki, DAX (Nuance/Microsoft), and Augmedix are the main BAA-backed options for real-time clinical scribing. Heidi and Suki tend to fit small practices on price. DAX and Augmedix lean enterprise. Pick based on EHR integration and per-clinician cost.
What about mental health and therapy?
Mentalyc and Upheal are built for narrative session notes (DAP, SOAP, BIRP) for therapists, counselors, and psychologists. Both sign BAAs. We have a longer breakdown at HIPAA AI for Therapists and Counselors.
Can I use AI for patient communications?
Yes, with the right vendor. Drafting follow-up messages, appointment reminders, post-visit instructions, all fine if the AI vendor signs a BAA and your workflow keeps the clinician as the final reviewer. Don't auto-send AI-generated patient comms without human review.
What does a HIPAA auditor actually want to see?
The signed BAA. Staff training records. Audit logs from the AI vendor showing who accessed what. A one-page workflow document describing how AI fits in your practice. Evidence of patient consent. That's the package.
Is Private Claude Business HIPAA-ready?
Yes. Private Claude Business is $1,449 a year, includes a signed BAA, BYOK or VPC deploy, zero application chat history, and audit logs. It's a general-purpose Claude chat for small practices that need flexibility (intake summaries, prior auth letters, internal docs) rather than a specialty scribe.
Private Claude for healthcare practices.
BAA available. Zero application chat history. BYOK or VPC deploy. Talk to us about your practice and we'll have you set up the same week.
Contact sales