The Shadow AI Crisis
Healthcare Shadow AI Use Cases
The most common ways healthcare staff use ungoverned AI—and why each one creates compliance risk
What We’ve Discovered
After conducting Shadow AI Risk Checks for 50+ healthcare organizations, we’ve identified patterns in how staff use ungoverned AI tools:
75%
Healthcare staff using AI tools
63%
Have pasted PHI into ChatGPT
8-12
Different shadow AI tools per organization
Top 10 Healthcare Shadow AI Use Cases
Ranked by frequency and PHI exposure risk
1
Clinical Documentation & Discharge Summaries
Used by: Physicians, NPs, PAs
Extreme PHI Risk
How It Works:
Copy patient info from EHR, paste into ChatGPT, ask AI to write discharge summary / H&P / progress note
Why They Do It:
Saves 15-30 minutes per note. Reduces documentation burden that’s a leading cause of physician burnout.
PHI Exposure:
Patient names, MRNs, diagnoses, medications, test results, treatment plans—full clinical context
Compliance Issue:
No BAA with OpenAI, PHI shared with consumer tool, no audit logs, likely HIPAA violation
Governed Alternative
Governed AI with automatic PHI redaction, clinical note templates, EHR integration, complete audit logs
2
Patient Education Materials & Communication
Used by: Nurses, MAs, patient coordinators
Moderate PHI Risk
How It Works:
Ask AI to create patient education materials in plain language, draft discharge instructions, explain procedures
Why They Do It:
Faster than finding existing materials. AI adapts content to patient literacy level and specific conditions.
PHI Exposure:
Diagnosis, treatment details if staff include patient context in prompt
Compliance Issue:
Even without patient names, diagnosis + demographics can be identifying. Still needs governance.
Governed Alternative
Pre-approved patient education templates, PHI-free prompt guidance, output reviewed before sharing
3
Insurance Appeals & Denial Letters
Used by: Revenue cycle staff, billers, coding specialists
High PHI Risk
How It Works:
Copy denial reason and patient info, ask AI to draft appeal letter with medical justification
Why They Do It:
Turns 45-minute task into 10 minutes. AI writes better medical justifications than many staff can.
PHI Exposure:
Patient demographics, diagnosis codes, procedure codes, insurance details, medical necessity arguments
Compliance Issue:
Appeals contain PHI. Shadow AI = no BAA, no security controls, HIPAA violation.
Governed Alternative
Revenue cycle AI module with automatic PHI handling, appeal templates, outcome tracking
4
Medical Coding Assistance
Used by: Coders, billing specialists
Moderate to High PHI Risk
How It Works:
Paste procedure notes or diagnoses, ask AI to suggest ICD-10 or CPT codes
Why They Do It:
Faster code lookups than manual searching. AI understands medical terminology better than keyword search.
PHI Exposure:
Procedure details, diagnoses, patient conditions (often identifiable even without names)
Compliance Issue:
Coding requires clinical context = PHI exposure. Shadow AI creates compliance gap.
Governed Alternative
Governed coding assistant that strips identifiers, validates codes, maintains audit trail
5
Prior Authorization Justifications
Used by: Nurses, utilization review staff
High PHI Risk
How It Works:
Copy denial reason and patient info, ask AI to draft appeal letter with medical justification
Why They Do It:
Turns 45-minute task into 10 minutes. AI writes better medical justifications than many staff can.
PHI Exposure:
Diagnosis, treatment plan, medication details, medical history to justify necessity
Compliance Issue:
Full clinical context = significant PHI. Shadow AI = HIPAA violation.
Governed Alternative
Prior auth templates with PHI protection, auto-populated from EHR (future integration)
6
Email & Administrative Writing
Used by: All staff (clinicians, admin, leadership)
Low to Moderate PHI Risk
How It Works:
Draft professional emails, policy memos, meeting summaries, committee reports
Why They Do It:
Faster writing, better grammar, professional tone. Reduces time on non-clinical admin tasks.
PHI Exposure:
Usually no PHI, but staff sometimes reference patients in emails
(‘regarding the patient in room 4’)
Compliance Issue:
Even low-risk use needs governance to prevent accidental PHI exposure.
Governed Alternative
Governed AI for admin tasks, PHI detection catches accidental inclusions, policy-compliant
7
Clinical Decision Support & Research
Used by: Physicians, specialists, researchers
Low to Moderate PHI Risk
How It Works:
Ask AI about differential diagnoses, latest treatment guidelines, drug interactions, medical research
Why They Do It:
Faster than literature searches. AI synthesizes info from multiple sources. Supports evidence-based care.
PHI Exposure:
Typically no direct PHI, but staff may include patient details for context (’65yo male with chest pain…’)
Compliance Issue:
Low risk if queries are hypothetical. High risk if patient details included. Needs clear guidance.
Governed Alternative
Clinical knowledge base with PHI-free query guidelines, peer-reviewed content sources
8
Staff Meeting Notes & Summaries
Used by: Managers, department leads
Moderate PHI Risk
How It Works:
Transcribe or paste meeting notes, ask AI to create clean summary with action items
Why They Do It:
Saves 30+ minutes per meeting. AI creates better-organized summaries than most people.
PHI Exposure:
Clinical case discussions often happen in meetings. Notes may reference specific patients.
Compliance Issue:
Meeting notes about patient cases = PHI. Needs governance even for ‘internal’ use.
Governed Alternative
Governed meeting assistant, PHI detection for case discussions, secure sharing
9
Quality Improvement & Data Analysis
Used by: Managers, department leads
Variable PHI Risk
How It Works:
Ask AI to analyze clinical data, suggest QI initiatives, interpret outcome metrics
Why They Do It:
AI spots patterns humans miss. Makes data analysis accessible to non-technical staff.
PHI Exposure:
Depends on data shared. Aggregate data = low risk. Patient-level data = high risk.
Compliance Issue:
De-identification required for patient-level analysis. Shadow AI can’t ensure proper de-ID.
Governed Alternative
Governed analytics with automatic de-identification, aggregate data handling
10
Job Descriptions & HR Documents
Used by: HR, managers, recruiters
Low PHI Risk
How It Works:
Draft job postings, offer letters, performance reviews, policy documents
Why They Do It:
Faster hiring process. AI writes better JDs than most managers. Ensures consistent language.
PHI Exposure:
Typically no PHI unless staff reference patient care scenarios in performance reviews
Compliance Issue:
Low risk but still needs governance framework for organizational AI use.
Governed Alternative
Governed HR writing assistant, templates for common documents, no PHI risk
Shadow AI Risk Matrix
PHI exposure vs. usage frequency
CRITICAL RISK
High PHI + High Frequency
- Clinical documentation
- Insurance appeals
- Prior authorizations
Address immediately
High Risk
Moderate PHI + High Frequency
- Patient education materials
- Medical coding
- Meeting notes with case discussions
Priority governance needed
High Risk
Moderate PHI + High Frequency
- Patient education materials
- Medical coding
- Meeting notes with case discussions
Priority governance needed
You Can’t Ban These Use Cases
Staff are using AI because it makes them more effective at their jobs. Documentation takes less time. Appeals are better written. Patients get clearer explanations.
The solution isn’t to ban AI—it’s to govern it.
Give staff governed access to AI tools that protect PHI, maintain audit logs, and comply with HIPAA—while delivering the productivity gains they need.
Discover Your Shadow AI Use Cases
Book a Shadow AI Risk Check and we’ll identify exactly how your staff are using AI, which use cases involve PHI, and how to govern each one safely.