AI Governance Framework

S·A·F·E

The four-layer AI governance model built for healthcare

SAFE AI Adoption Assessment

Most healthcare organizations are not ungoverned. They're uncoordinated: AI is governed by everyone, in pieces, and owned by no one. This assessment will help identify gaps where your AI risk hides and your return goes uncaptured.

Four Layers. One Picture.

AI risk is not one problem. It's four. Each layer is a place governance either holds or breaks down.

S
Systems
Technology Layer

Do you know what AI is running inside your organization, and can you control where it goes?

A
Acquisition
Procurement Layer

Are you watching what your vendors are turning on?

F
Frontline
People & Processes Layer

Do your staff know what they can and cannot do with AI?

E
Executive Oversight
Strategic Layer

Does anyone own the full picture: both the risk and the return?

Score Your Organization

S: Systems (Technology Layer)

We have a current inventory of all AI in use: tools we sanctioned, AI embedded in the clinical and operational systems we purchased, and tools staff use on their own devices.

When staff use an approved AI tool, PHI is automatically detected and protected before it reaches the model.

We can block or limit unapproved AI tools on our network, not just recommend against them.

We continuously detect new and unapproved AI as it appears, rather than relying on a point-in-time inventory.

We know which AI can access PHI and what each does with that data, and no new AI reaches a clinical or operational setting without a formal approval.

A: Acquisition (Procurement Layer)

Before we sign or renew with a vendor, we review specifically for AI features: what data they use, model transparency, and BAA coverage.

We are notified when a vendor switches on a new AI feature inside a product we already own, which re-triggers our BAA and privacy review.

We review P-card and AP spend to catch AI tools that were purchased without going through procurement.

We require BAA flow-down to our AI subprocessors, including the model providers themselves, not just the vendor we contract with.

We require vendors to disclose any AI feature that processes PHI, and procurement, IT, legal, and compliance all weigh in before the contract is signed.

F: Frontline (People & Processes Layer)

We have a written AI Acceptable Use Policy that covers clinical and operational staff, not just IT.

Staff have received training on what AI tools are approved, how to use them safely, and what to do if they are unsure.

We have approved AI tools that solve the problems staff are already trying to solve, so the sanctioned path is easier than reaching for a personal-device or consumer-AI workaround.

Compliance is involved in AI policy decisions before incidents occur, not only after.

We have a clear escalation path for staff who encounter an AI-related situation they are unsure how to handle.

E: Executive Oversight (Strategic Layer)

A single person or function is accountable for AI governance across all departments, not just IT or compliance in isolation.

Our board or executive team receives regular reporting on AI that covers both risk and value: governance status and the measurable return our approved AI tools deliver.

We measure the value our approved AI delivers (time saved, cost avoided, capacity gained), and our AI roadmap weighs expected return alongside risk tolerance and organizational goals.

IT, legal, HR, and compliance coordinate on AI decisions rather than each managing their piece independently.

A current board-level report exists that shows, on one page, our AI governance status and the measured return our AI delivers, and we could hand it over today.

The other half of the E-layer

This scores the risk. Now measure the return.

Executive Oversight owns both. The AI ROI Calculator turns your approved AI into a realized-value number, and that projection becomes the board baseline you review against actuals. Your risk score and your value number are the two columns of one board report.


Know your score. Know your risk.

Schedule a free 20-minute call with Chance Sassano, founder of AuthenTech AI, to walk through your results and see what SAFE governance looks like at your organization's size. No pitch. Just a clear look at what the gaps mean for you.