AI Threat? Is Your Staff Using Free AI Tools With e-PHI?

Originally posted on the Darkhorse Tech blog.

AI tools like ChatGPT, Gemini, Grok, Grammarly, and free note-taking or transcription apps are everywhere — and they’re incredibly useful. But there’s a growing problem most dental practices don’t realize they have:

Your staff may already be using AI tools with e-PHI…without knowing they’re creating a HIPAA violation.

At Darkhorse Tech, we’re seeing this more and more across dental offices and DSOs. The risk isn’t theoretical anymore — it’s happening right now.

How This Is Actually Happening in Dental Offices

Most of the time, this isn’t malicious. It’s convenience.

Here are real-world examples we’re seeing:

  • A team member pastes patient notes into ChatGPT to “clean them up”
  • An office manager uses an AI tool to summarize emails with patient info
  • Someone uploads a document with names, DOBs, or insurance data to an AI assistant
  • A dentist uses a free transcription AI to turn voice notes into chart entries
  • Staff uses Grammarly or browser AI extensions on emails containing PHI

The intention is productivity.

The result can be unauthorized disclosure of e-PHI.

Why Free AI Tools Are a HIPAA Problem

Most free AI tools:

  • Do not sign Business Associate Agreements (BAAs)
  • May store or retain submitted data
  • May use inputs to train their models
  • Do not guarantee data residency or deletion

That means if e-PHI is entered, uploaded, or processed, you may have just shared patient data with a third party that is not HIPAA-compliant.

HIPAA doesn’t care that it was “just AI” or “just testing.”
If PHI leaves your controlled environment improperly, it’s a violation.

“But It Wasn’t a Hack…” — Why That Doesn’t Matter

This is the part many practices miss.

HIPAA violations don’t require:

  • A ransomware attack
  • A malicious hacker
  • A breach headline

Improper disclosure alone is enough.

Using an unapproved AI tool with e-PHI can trigger:

  • Compliance violations
  • Reportable incidents
  • Regulatory scrutiny
  • Loss of patient trust

And yes — it can still happen even if no data was “stolen.”

Why This Risk Is Growing in 2025+

AI adoption is exploding faster than policies can keep up.

  • Built-in AI is now embedded in browsers, email clients, and operating systems
  • Staff may not even realize when AI is “on”
  • Younger employees assume AI tools are safe by default
  • There is very little training around AI + HIPAA in most practices

The reality: AI is becoming shadow IT.

And shadow IT is one of the fastest ways practices lose control of sensitive data.

What Dental Practices Should Do Right Now

You don’t need to ban AI — but you do need guardrails.

1. Create an AI Usage Policy

Staff should clearly know:

  • What AI tools are approved
  • What data is never allowed to be entered
  • That PHI and AI don’t mix unless explicitly approved

2. Disable or Restrict AI Where Appropriate

This may include:

  • Browser AI features
  • Free AI extensions
  • Built-in OS assistants
  • Unapproved transcription tools
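As an added example (not part of the original post, and not Darkhorse Tech's tooling), the PowerShell below applies the registry-backed Chrome, Edge and Windows policies that implement the first three bullets on one Windows endpoint. It assumes an elevated prompt, a recent Chrome for the GenAiDefaultSettings policy (confirm it against the current Chrome policy list), and the allowlisted extension ID is a placeholder you replace from your own vetting list.

```powershell
# Added example: enforce AI restrictions via policy registry keys on a single endpoint.
# Run as Administrator. In a domain or DSO, push the same values through Group Policy
# so they are enforced centrally and survive user tampering.
# Assumption: the extension ID below is a placeholder, not a real vetted tool.
$ApprovedExtensionIds = @('REPLACE_WITH_VETTED_EXTENSION_ID')

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('DWord', 'String')] [string] $Type = 'DWord'
    )
    # Policy keys do not exist until an admin or GPO creates them.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# 1. Free AI extensions: block every extension, then allow only the vetted IDs
#    (the allowlist takes precedence over the "*" blocklist entry).
Set-PolicyValue "$Chrome\ExtensionInstallBlocklist" '1' '*' 'String'
Set-PolicyValue "$Edge\ExtensionInstallBlocklist"   '1' '*' 'String'
$i = 1
foreach ($id in $ApprovedExtensionIds) {
    Set-PolicyValue "$Chrome\ExtensionInstallAllowlist" "$i" $id 'String'
    Set-PolicyValue "$Edge\ExtensionInstallAllowlist"   "$i" $id 'String'
    $i++
}

# 2. Browser AI features: GenAiDefaultSettings = 2 disables Chrome's generative AI
#    features by default; HubsSidebarEnabled = 0 hides Edge's Copilot sidebar.
Set-PolicyValue $Chrome 'GenAiDefaultSettings' 2
Set-PolicyValue $Edge   'HubsSidebarEnabled'   0

# 3. Built-in OS assistants: turn off Windows Copilot (a per-user policy, so apply it
#    for each user or via GPO) and Recall snapshots (a machine policy), so on-screen
#    chart data is never captured by an assistant.
Set-PolicyValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot' 'TurnOffWindowsCopilot' 1
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI' 'DisableAIDataAnalysis' 1

# Quick check of what was written; browsers pick the values up on restart or policy refresh.
Get-ItemProperty $Chrome | Select-Object GenAiDefaultSettings
Get-ItemProperty "$Chrome\ExtensionInstallBlocklist"
```

Unapproved transcription apps are desktop software rather than a browser or OS feature, so they need application control (for example AppLocker) rather than these registry values.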

3. Train Your Team

Most violations happen because people don’t know better.
A short, clear training can eliminate a massive amount of risk.

4. Use HIPAA-Safe Alternatives

There are AI-enabled tools designed for healthcare — but they must be:

  • Properly vetted
  • Covered by BAAs
  • Configured correctly

5. Monitor for Data Leakage

At Darkhorse Tech, we monitor endpoint behavior and application usage to identify risky tools before they become incidents.

How Darkhorse Tech Helps

Darkhorse Tech helps dental practices and DSOs:

  • Identify AI tools currently in use (even ones leadership doesn’t know about)
  • Lock down risky apps and browser extensions
  • Create AI + HIPAA policies that actually work
  • Train staff in real-world, non-technical language
  • Implement secure, compliant alternatives where appropriate

AI can be powerful — but only when used responsibly.

Reuben Kamp is the CEO of Darkhorse Tech, a Dental-Specific Managed Service Provider (IT company). The son of a general dentist in Ithaca, New York, Kamp has been around dental since he was a baby. His company currently supports almost 900 dental practices across all 50 states and provides industry-leading tech support of daily operations, data management, and HIPAA compliance. In addition, Darkhorse Tech is working with over 90 dental startups a year from design, to installation, and support.