Artificial intelligence tools have entered the home health agency in ways that are both obvious and invisible. Care coordinators are using ChatGPT to draft care plan summaries. Billing staff are experimenting with AI writing assistants to accelerate documentation. Administrators are exploring AI scheduling tools that promise to optimize visit routing.
Some of these uses are appropriate. Some are serious HIPAA violations in progress.
The challenge is that adoption of AI tools has outpaced the HIPAA guidance about them, leaving home health administrators to answer the compliance question without specific regulatory direction. This guide provides the framework, existing HIPAA principles applied to AI tools, that every home health agency needs before any AI tool touches patient data.
The Core HIPAA Issue: What Happens to Data When You Use AI
The critical question for any AI tool is: where does the data go?
When a care coordinator types a patient's name, diagnosis, and care history into ChatGPT to generate a care plan summary, that data is transmitted to OpenAI's servers, processed on OpenAI's infrastructure, retained under OpenAI's data policies and, depending on the account settings, may be used for model training. Opting out of training does not undo the disclosure; the data has already left the agency's control.
This is a disclosure of ePHI to a third party. Under HIPAA, that disclosure requires either patient authorization or a Business Associate Agreement with the third party, OpenAI in this case.
OpenAI does not sign BAAs for consumer ChatGPT accounts. Microsoft Copilot in its consumer form does not sign BAAs. Without a BAA, using these tools with patient data is a HIPAA violation — not a technicality, but a disclosure of patient information to an entity that has no HIPAA obligations.
The BAA Requirement for AI Tools
For any AI tool to be used with patient data at a home health agency, the tool's provider must either:
Sign a Business Associate Agreement: Establishing that the AI provider will protect ePHI with HIPAA-required safeguards, will not disclose ePHI beyond what is necessary to perform the service, and will notify you of any breach involving ePHI.
Or: Be structured so that patient data never enters the tool at all, meaning the AI is used only with de-identified or non-patient information.
What this means in practice:
ChatGPT consumer/free: No BAA available. Cannot be used with any patient data under any circumstances.
ChatGPT Enterprise: OpenAI offers a BAA for enterprise customers. If your agency has a ChatGPT Enterprise agreement with a signed BAA, the tool can be used with appropriate data handling controls.
Microsoft 365 Copilot: Microsoft offers a HIPAA BAA through its Microsoft Online Services terms, which can extend to Copilot features in Microsoft 365. If your agency has a Microsoft 365 plan with an executed HIPAA BAA, Copilot usage within that environment may be covered, but verify the specific scope of your BAA. Copilot used with a personal Microsoft account is the consumer product and is not covered.
Google Workspace with AI features: Google offers HIPAA BAAs for Workspace. The AI features integrated into Workspace may be covered under the Workspace BAA, but verify specifically.
Specialized healthcare AI tools: Platforms specifically designed for healthcare, such as AI-assisted clinical documentation tools from EHR vendors, typically offer BAAs and are designed to handle ePHI compliantly.
The Staff Training Problem
Even if your agency establishes the right BAA relationships for compliant AI tools, you have a staff training problem: staff who have already developed habits of using consumer AI tools for work tasks.
A billing staff member who has been using ChatGPT to draft billing correspondence and has included patient identifiers in her prompts has been committing HIPAA violations for months, without knowing it, without any malicious intent, and without any of your existing security controls ever seeing the data leave. Email DLP and EHR access logs do not see text pasted into a browser tab, so training is necessary but not sufficient; pair it with web filtering that blocks unapproved AI services on agency devices.
This is not hypothetical. It is happening at home health agencies across the country, invisibly, because no one told staff that typing patient information into a free AI tool is no different from emailing it to an unauthorized third party.
Your security awareness training must now include explicit, specific guidance on AI tools:
- Which AI tools are approved for use with patient data (only those with an executed BAA)
- Which AI tools are not approved for use with patient data under any circumstances
- What counts as patient data in an AI prompt. A patient name is ePHI on its own, as is an address, a date of service, or any other identifier, even without a diagnosis
- How to use approved AI tools appropriately
- What to do if you have already used an unapproved tool with patient data: report it. Honest disclosure should not be punished, but continued unreported use carries significant risk, and the agency must assess each reported disclosure to determine whether it is a reportable breach
What AI Can Do Compliantly in Home Health
With appropriate BAAs in place, AI tools offer genuine efficiency for home health agencies:
Clinical documentation assistance: AI tools integrated with your EHR can assist with care plan documentation, visit note completion, and clinical summary generation, reducing documentation burden on field nurses while maintaining the human review and clinical judgment requirement.
Scheduling optimization: AI-assisted scheduling that optimizes visit routing based on patient location, nurse skills, and time constraints. Note that a patient's address is one of HIPAA's identifiers, so a routing tool that receives it is processing ePHI and needs a BAA; only a tool fed purely operational or de-identified data falls outside that requirement.
Billing and coding assistance: AI tools that review billing codes and identify potential errors or optimization opportunities, using billing data that is covered by an appropriate BAA with the tool provider.
Administrative correspondence: AI writing assistance for non-patient correspondence such as job postings, policy documents, and vendor communications, using no patient data whatsoever. Free consumer AI tools are appropriate for this use case, provided nothing pasted into them, including attachments and screenshots, contains patient details.
The Emerging Regulatory Landscape
HHS has not yet issued specific HIPAA guidance on AI tools. The existing framework — BAA requirements for business associates, minimum necessary standards for ePHI access, and prohibition on unauthorized disclosures — applies directly to AI tools under current HIPAA principles.
Specific AI guidance from HHS or OCR is expected in 2026 or 2027. Until then, the BAA requirement is the operative standard. Any AI tool that processes ePHI must have a BAA in place before use, with no exceptions.
Navigate AI tool compliance at your home health agency with expert guidance.
ShieldForce's HIPAA compliance program includes technology use policy support, helping you determine which AI tools are appropriate for your agency and how to use them compliantly.
Explore Home Healthcare Cybersecurity →
Get a free HIPAA assessment that covers your current technology use policies.