AI Compliance for Small Practices & Firms

Why enterprise AI tools are overkill for solo and small teams, the compliance basics you actually need, and a 30-minute setup that holds up in an audit.

Why this matters for solo and small practices

If you're running a solo practice or a small team, you've probably already had this conversation with yourself. AI is useful. Everyone's using it. The big platforms are everywhere. And somewhere in the back of your head there's a quiet voice asking, "wait, is what I'm doing actually okay?"

You're not paranoid. You're paying attention.

Small practices handle the same regulated data as large ones. A solo therapist sees PHI. A two-person dental office sees PHI. A small law firm sees privileged client information. A small RIA sees non-public financial data. The rules don't scale down with the size of the practice. What scales down is the budget for compliance, the IT team, and the time to figure all this out.

The "I'll just use ChatGPT for now" approach was defensible in 2023 when most people were figuring this out. In 2026, with state boards starting to ask explicit questions about AI use, with payer audits including AI workflow review, with at least three states having specific AI disclosure rules for healthcare, that approach is a real liability. Not "you'll definitely get caught" liability. The kind where if something does go wrong, you have nothing to show that you took reasonable steps.

The good news is the fix is small. Smaller than most solo practitioners think. This piece walks through what compliance actually requires at small scale, what the realistic options are, and a 30-minute setup that produces an audit-ready file at the end of it.

What "compliance" means for an AI tool at small scale

Compliance is one of those words that means something different to every regulator. For an AI tool used inside a small healthcare, legal, or financial practice, the substance comes down to four things.

Covered entity status applies regardless of size

HIPAA's covered entity definition doesn't care if you're a solo practitioner or a 500-bed hospital. If you're a healthcare provider who transmits health information electronically (and almost everyone does, through billing alone), you're a covered entity. Solo therapist who bills insurance? Covered. One-person clinic? Covered. The rules apply the same way they do for a hospital, with the same penalty structure.

The vendor needs a BAA

Anyone outside your practice who handles PHI on your behalf is a business associate. That includes the AI vendor whose tool processes patient information. The Business Associate Agreement is the contract that makes them legally accountable for that handling. Without one, two things are true at the same time: the vendor isn't on the hook if something goes wrong, and you've already committed a HIPAA violation by giving them PHI without the agreement in place.

This is the part that catches most small practices. ChatGPT, the consumer Claude.ai, Gemini, Copilot, none of them sign BAAs at the consumer or basic business tier. Using them with PHI is a violation by definition, regardless of whether anything bad ever happens.

Audit logs are required by the Security Rule

The HIPAA Security Rule requires audit controls (45 CFR 164.312(b)). For a small practice, this doesn't mean you build a logging infrastructure. It means your BAA-backed vendor logs access to PHI on your behalf, and you keep records of your own policies and training. The vendor handles the technical part. You handle the paper part.

Breach notification readiness

If a breach happens (your account is compromised, a vendor reports an incident, a laptop walks off), you have notification obligations. For small breaches, that's mostly to affected individuals and HHS. For breaches over 500 people, there's also media notification. A small practice is unlikely to ever hit that threshold, but the obligation to have a plan exists regardless.

That's the substance. Four things. None of them are giant. The trouble is figuring out what tool actually delivers all four without forcing you into an enterprise procurement cycle you don't have time for.

The three options for a small practice

For a solo or small team trying to use AI responsibly, there are really three paths. Each has tradeoffs.

Option A: Consumer AI plus a strict no-PHI rule

You can keep using ChatGPT, Claude.ai, or Gemini for genuinely non-sensitive work (drafting marketing copy, researching general topics, summarizing public articles) and never put PHI or privileged data into them. This works in theory. In practice, it relies on staff discipline being perfect every single day.

The failure mode is staff drift. Someone has a long day. They paste a chart note "just to summarize it real quick." Now PHI sits in a non-BAA tool, and that's already a violation. Most small practices find that policing this rule across staff is harder than just setting up one BAA-backed tool for everything.

Option B: BAA-backed AI for sensitive work

You sign up for a service that signs a BAA, train your staff to use that tool for anything client-facing or chart-related, and call it done. This is the path most small practices end up on once they think it through. There are several options here; Step 1 of the setup below gives the realistic shortlist.

Option C: On-prem self-hosted

You run an open-source model (Llama, Mistral) on hardware you own. The data never leaves your office. This is the gold standard for control and the absolute overkill standard for a solo practice. You need the hardware ($3,000 minimum for something that runs a useful model at decent speed), the IT skill to set it up, and the willingness to use a model that's genuinely a notch below what you'd get from Claude or GPT-4. For most small practices, this is solving the wrong problem with too much effort.

Most solo and small practices land on Option B. It's the lowest friction path that still produces a defensible compliance posture.

Why enterprise tools are usually overkill

The big enterprise AI platforms (OpenAI Enterprise, Microsoft Copilot for Microsoft 365, Google's Gemini for Workspace Enterprise, Anthropic's Claude for Enterprise) all have BAAs available. They all have proper compliance documentation. They're also all priced and built for organizations with 50 to 5,000 seats and a dedicated procurement function.

| Friction | Enterprise tool | Small-practice fit |
|---|---|---|
| Pricing | $30 to $60 per seat per month | $360 to $720 per person per year, with seat minimums |
| Procurement | SOW, security review, IT contact required | You don't have those functions |
| SSO requirement | Often required for BAA tier | Solo practices don't run SSO |
| Onboarding | Implementation team, weeks of setup | You needed it working yesterday |
| Admin overhead | Admin console, role management | Three people on the team |

None of this is wrong for a 200-person clinic or a regional law firm. For a solo therapist or a four-person practice, every one of those rows is friction with no payoff. You're paying enterprise prices for enterprise complexity you don't need, on top of a feature set that's mostly designed for problems you don't have.

The actual problem a solo practice has is straightforward. They want to use Claude or GPT-4 for drafting and summarization. They want a BAA. They want it to work in a browser. They want it to cost less than the IT consultant they don't have. That's the whole list.

The 30-minute compliant setup for a small practice

Here's the actual sequence. Time it. It really is about half an hour from "I have nothing in place" to "I have an audit-ready file on my desk."

The 30-minute setup

5 min pick a BAA-backed vendor · 5 min sign the BAA · 10 min brief staff · 5 min write the workflow memo · 5 min set a 90-day calendar reminder. That's the whole thing.

Step 1 (5 min): Pick a BAA-backed vendor

For a small practice, the realistic shortlist is short. Private Claude Business ($1,449/year flat, browser-only, no per-seat tax), Hathr (Claude on AWS GovCloud), BastionGPT (multi-model). All three sign BAAs. All three handle the audit-control side. Pick one. Don't agonize. The differences matter less than getting started.

Step 2 (5 min): Sign the BAA

For Private Claude, this is a checkbox during business signup. The BAA is a standard template that's enforceable as written. You don't need a lawyer to review it (though you can if you want). Print it after signing and put it in the audit folder you're about to create.

Step 3 (10 min): Train staff

The training is a 10-minute conversation, not a course. Three rules:

  1. What goes in. The BAA-backed tool is for any work where PHI or privileged information might appear: drafting patient communications, summarizing chart notes, writing treatment plan drafts, working with intake forms.
  2. What doesn't go in. Personal stuff. Marketing fluff. Anything that would normally go in a personal ChatGPT belongs in personal ChatGPT, not the practice tool. Keep them separate.
  3. The password rule. Practice tool credentials never go in personal email, never get shared with non-staff, never get used on personal devices unless the device is being used for practice work.

That's the whole training. Have staff sign a one-line acknowledgment. That signed acknowledgment is now part of your audit pack.

Step 4 (5 min): Write the workflow memo

One page. Plain language. Cover these: which tool you use, who has access to it, what it is used for, how long records are kept and where (your retention policy), and who to call, what to say, and in what order if something goes wrong (your breach response plan).

Print it. Sign it. Put it in the folder. You now have a written workflow.

Step 5 (5 min): Set a 90-day reminder

Calendar reminder, 90 days out. When it fires, spend 10 minutes reviewing: is the tool still working? Has anything changed about how it's being used? Has staff turnover changed the access list? Anything that warrants updating the workflow memo? Adjust if needed, set another 90-day reminder, done.

That's the entire compliance setup for a small practice. About half an hour of real work, $1,449 a year, and a folder that holds up if anyone asks.

Industries: small medical, small legal, small RIA

The structure above works across industries, but each one has its own specifics worth knowing.

Small medical (solo therapist, small clinic, dental, chiropractic)

Primary regulator: HHS Office for Civil Rights (OCR), under HIPAA. The BAA is non-negotiable. State-specific add-ons matter: California, New York, and a few others have specific consumer privacy laws on top of HIPAA. Telehealth practices have additional rules under various state telehealth statutes. The workflow memo should explicitly mention that the AI tool is only used for permitted treatment, payment, and operations purposes, not for marketing without separate authorization.

Small legal (solo attorney, small firm)

Primary obligation: ABA Model Rule 1.6 (confidentiality) plus your state bar's specific rules. Several state bars (California, New York, Florida, Texas among others) have published advisory opinions specifically on AI use. Most require: vendor due diligence, written client consent in some circumstances, and supervision of AI output before it goes to clients or courts. The BAA equivalent in legal practice is sometimes called a confidentiality agreement or a vendor agreement, but the substance is identical: a written contract that the vendor handles confidential information appropriately.

Small RIA (registered investment advisor, small wealth management)

Primary regulator: SEC under Reg S-P, plus the SEC's 2024 cybersecurity rule and the upcoming AI rule. State regulators may also apply. The vendor needs a written agreement covering data handling. Communications with clients that touch on advice need additional review under recordkeeping rules. The workflow memo should specifically note that the AI tool is used for drafting and analysis, not for generating recommendations that go to clients without advisor review.

What still requires a human

AI is for drafting and summarization. It is not for terminal judgment. Clinical decisions, legal advice, and financial recommendations all require a licensed professional in the loop. The AI helps you get to a draft faster. The professional is still the one who signs their name to it.

The compliance side often gets framed as "is the data safe?" That's half of it. The other half is the practice-of-profession side. There are things AI cannot do, regardless of what tool you're using or what BAA you have.

Clinical decisions. A diagnosis. A treatment plan. A medication adjustment. A discharge call. None of these can be made by AI on behalf of a clinician. AI can summarize the chart, surface what's been tried, draft a note. The clinical judgment is the licensed clinician's.

Legal advice. Strategy. A binding interpretation of a contract. A motion that's about to go to court. AI can draft the first version, find prior cases, summarize a deposition. The advice is the attorney's.

Financial recommendations. Investment recommendations to clients. Suitability determinations. Tax positions. AI can draft language, summarize a position paper, run analysis. The recommendation is the advisor's, made under the fiduciary duty.

This isn't just about compliance. It's about what AI is good at versus what it isn't. Drafting and summarization are where it shines. Final judgment is where it doesn't, and the regulators agree with that distinction.

An audit-ready file

If a state board, payer, malpractice insurer, or regulator asks how you're using AI, here's what you want to be able to hand them. It's a single folder. Five things in it.

| Document | What it is | Where it comes from |
|---|---|---|
| Signed BAA | The contract with your AI vendor covering PHI handling | Vendor signup process |
| Written workflow memo | One page covering what tool, who has access, what it's used for | You write it (Step 4 above) |
| Training record | Signed acknowledgments from staff who completed the briefing | You collect them (Step 3) |
| Retention policy | Statement of how long records are kept and where | One paragraph, included in the workflow memo |
| Breach response plan | Who to call, what to say, in what order, if something goes wrong | One page, included in the workflow memo |

That's the whole pack. Five documents. Most of them fit on one page each. A solo therapist can build this folder on a Saturday morning and never have to touch it again, except for the 90-day check-ins.

The point of having the file isn't to satisfy a checklist. It's to be able to demonstrate, if asked, that you took reasonable steps. Reasonableness is what the regulators care about. A practice that has the file, has thought about it, and has trained staff is in a different posture than one that hasn't.

What Private Claude offers a small practice

This is the part where we make the pitch, but we'll keep it short because the rest of the article is the actual argument.

Private Claude Business is designed exactly for the gap this article is about: small practices that need a real BAA-backed tool but don't need (and can't justify) enterprise infrastructure.

If you're a solo practitioner or a small team and you've been kicking the can down the road on AI compliance, this is the lowest-friction way we know of to get it sorted. Half an hour, $1,449 a year, audit-ready file at the end. More on the HIPAA-specific side here.

Frequently asked questions

Does HIPAA apply if I'm a solo therapist or one-person clinic?

Yes. HIPAA applies to covered entities regardless of size. A solo therapist who bills insurance, a one-person clinic, a two-person dental office, all of them are covered entities with the same obligations as a hospital. The rules don't scale down with the practice.

Do I really need a BAA for AI tools as a small practice?

If protected health information will touch the AI tool in any way, yes. The BAA is the contract that makes the vendor legally accountable for handling PHI. Without one, you're the only one on the hook when something goes wrong, and using a non-BAA tool with PHI is itself a HIPAA violation.

Can I just use ChatGPT for non-PHI work and call it compliant?

You can, but only if you can hold the line strictly. The risk is staff drift. Someone pastes a chart note "just this once" to summarize it, and now PHI sat in a non-BAA tool. Most small practices find it easier to set up one BAA-backed tool for everything than to police what goes where.

What's the cheapest way for a solo practice to be AI-compliant?

Pick a BAA-backed AI chat tool with no per-seat tax (Private Claude Business is $1,449 a year flat), sign the BAA, train your staff in 10 minutes, and write a one-page workflow memo. Total time: about 30 minutes. Total cost: less than what one staff hour costs at most practices.

Do I need an audit log if I'm a small practice?

The HIPAA Security Rule requires audit controls regardless of size. The good news is that for a small practice, the BAA-backed vendor handles most of this for you. Their system logs the access. You just keep the BAA, your written workflow, and a training record on file.

What if I'm a small law firm or RIA, not medical?

The regulator changes but the structure is similar. Lawyers have ABA Model Rule 1.6 confidentiality obligations and state bar opinions on AI use. RIAs have SEC Reg S-P and the SEC's 2024 cybersecurity rule. In all cases, you need a vendor with proper data handling, a written policy, and a record that staff have been trained.

What does "audit-ready" actually mean for a small practice?

If a state board, payer, or regulator asks how you're using AI, you can hand them a folder with five things: your signed BAA, a one-page written workflow, a training record showing staff were briefed, your retention policy, and a breach response plan. That's the whole audit pack. It fits in a single folder.

Is Private Claude Business priced for small teams?

Yes. The Business plan is $1,449 a year flat for small teams. It's intentionally not priced per seat, because the per-seat model penalizes small practices. BAA included. No IT setup. Browser-only chat. It's the same Claude on the inside, with the compliance wrapper around it.
