Here’s an uncomfortable exercise.
Tomorrow morning, walk through your sleep lab or practice and ask one question:
“Has anyone here ever used ChatGPT, Claude, Gemini, or another AI tool for work?”
If the answer is no, chances are someone isn’t being completely honest.
Artificial intelligence has become part of the modern workplace. Microsoft’s Work Trend Index found that 75% of knowledge workers are already using AI at work, and most are bringing their own tools rather than waiting for their employer to provide them.¹
For sleep practices and labs, the implications are significant. Whether leadership realizes it or not, AI is likely already being used somewhere in the organization. The real question is not whether AI is being used. It’s what information is being shared and whether those workflows expose the practice to compliance risks.
Consider a few common scenarios:
- A front desk coordinator drafts a patient response.
- A lab manager summarizes a referral packet.
- A biller asks an AI assistant to explain an insurance denial.
- A clinician summarizes notes from a consultation.
- A technologist creates educational materials for patients struggling with CPAP adherence.
These tasks can save time and improve productivity. However, depending on the information typed into the AI tool, they can also raise HIPAA concerns.
That tension sits at the center of healthcare’s AI challenge.
The Compliance Gap Nobody Planned For
Artificial intelligence is delivering real productivity gains across nearly every industry. Healthcare is no exception. Yet unlike many industries, healthcare must operate within strict privacy requirements that fundamentally change how these tools can be used.
HIPAA is clear on one point: if a vendor creates, receives, maintains, or transmits protected health information (PHI) on your behalf, that vendor is considered a business associate and a signed Business Associate Agreement (BAA) is required before PHI enters the system.³
Now consider the AI tools most people are using today.
The free and consumer versions of major AI assistants generally do not include BAAs. Some vendors offer them to commercial or enterprise customers,⁴ but many individual users and small businesses are operating outside those protected environments.
This creates a difficult reality for sleep medicine organizations. The most popular AI tools are often the easiest to access and the fastest to adopt, yet they may be unsuitable for workflows involving patient information.
Patient names, sleep study results, referral documents, insurance information, email addresses, and clinical notes can all qualify as protected health information when they are tied to an identifiable patient. Once that information is entered into a non-covered system, the disclosure has already occurred; deleting the conversation afterward does not undo it.
Large healthcare organizations often have legal teams, compliance officers, and IT departments evaluating these risks. Most sleep practices and laboratories do not. As a result, many organizations find themselves caught between two undesirable choices: avoid AI entirely and risk falling behind, or use it without clear safeguards and assume the risk.
Neither approach is sustainable.
What the Risk Actually Costs
The financial consequences of data breaches continue to grow.
According to IBM’s 2025 Cost of a Data Breach Report, healthcare remained the most expensive industry for data breaches for the 14th consecutive year, with an average cost of $7.42 million per incident.²
The same report identified “shadow AI” — employees using unsanctioned AI tools — as a factor in one out of every five breaches studied. Organizations affected by these incidents incurred an average of $670,000 in additional breach-related costs.²
Perhaps even more concerning, roughly two-thirds of organizations reported having no formal AI governance policy.²
Taken together, these findings reveal an important reality: the greatest risk is not AI itself. The greatest risk is AI adoption without policies, oversight, and education.
Why “Just Be Careful” Isn’t a Strategy
Many organizations assume the solution is simple.
Train employees not to enter patient information into AI tools and remind them to be careful.
Unfortunately, real-world workflows rarely cooperate with good intentions.
Busy employees move quickly. A staff member handling dozens of emails, referrals, prior authorizations, and patient questions each day may forget to remove identifying information. It only takes one mistake.
More importantly, compliance is not solved by a prompt.
Even if an AI assistant refuses to repeat patient identifiers or follows an instruction not to use certain information, the data has already left your environment. A prompt instruction only constrains what the model says back; it does not change what the vendor logs, retains, or reviews. The disclosure occurred the moment the information was submitted.
If your AI strategy depends on every employee making the correct decision every single time, it is not a strategy. It is a risk management problem waiting to happen.
The Education Gap May Be the Bigger Problem
While compliance concerns are important, the lack of education around AI may be even more troubling.
Many AI training programs focus on productivity, automation, marketing, content creation, or workflow efficiency. Few spend meaningful time discussing HIPAA, PHI, or healthcare-specific compliance requirements.
As a result, healthcare professionals often receive guidance from people who understand AI but have never worked inside a healthcare practice.
The message frequently becomes one of two extremes:
“Use AI for everything.”
Or:
“Don’t use AI at all.”
Neither position reflects reality.
The truth is that AI can provide tremendous value to sleep medicine organizations when used appropriately. The goal is not to prohibit adoption. The goal is to implement it responsibly.
Because let’s be honest: telling employees not to use AI in 2026 is unlikely to work. Most have already experienced how much time these tools can save.
Without practical alternatives and clear guidance, AI use simply moves underground where leadership cannot see it, train it, or manage it.
How Sleep Practices Can Use AI Responsibly
When speaking with healthcare organizations, we generally recommend three approaches.
1. Use BAA-Covered Tools for PHI Workflows
Any workflow involving protected health information should be handled only through systems covered by a signed BAA.
That may include AI features embedded within an EHR, sleep software platform, or enterprise AI solution that has been properly vetted.
If a vendor will not provide a BAA, PHI should not enter the system.
2. Remove PHI Before AI Enters the Workflow
Many valuable AI use cases do not require patient identifiers.
Referral summaries, educational content, policy development, operational planning, and administrative workflows can often be performed using de-identified information.
Whenever possible, organizations should build the redaction into the workflow itself, so identifiers are stripped automatically before text reaches the tool, rather than relying on individuals to redact by hand every time.
Keep in mind that “de-identified” has a specific meaning under HIPAA: either the Safe Harbor method (removing the 18 listed identifiers, including names, dates more specific than the year, phone numbers, email addresses, and medical record numbers) or a documented expert determination. A note that has merely had the patient’s name deleted is not de-identified.
The safeguard should exist within the workflow itself, not in someone’s memory.
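To make the point concrete, here is an added example of what a redaction gate in the workflow can look like. It is illustrative code written for this page, not a tool from the article or any vendor. It assumes the practice can supply its own patient roster for name matching (hypothetical `roster` argument), covers only the structured Safe Harbor identifiers a pattern can catch (emails, SSNs, MRNs, phone numbers, dates, long ID numbers, ZIP codes), and refuses to send anything that still looks like an identifier rather than letting the user decide. It is a pre-filter, not a substitute for HIPAA de-identification review; the sample referral text is constructed and fictional.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable

# Regexes for the structured Safe Harbor identifiers a pattern can catch
# reliably. Order matters: specific patterns run before generic ones so an
# MRN is labelled [MRN] rather than [ID]. Names and street addresses are NOT
# found by regex; the roster match below is the only name handling here
# (assumption: the practice supplies its own patient list).
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN",   re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE)),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("DATE",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("ID",    re.compile(r"\b\d{6,}\b")),            # member IDs, account numbers
    ("ZIP",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),  # also masks other 5-digit codes: over-redaction is the safe direction
]

# Anything that still looks like an identifier after scrubbing (for example
# "A123456789", which the word-boundary ID pattern misses) stops the request.
RESIDUAL = re.compile(r"\d{5,}")


class PHIGateError(RuntimeError):
    """Raised when text cannot be confirmed free of identifier-like tokens."""


@dataclass
class ScrubResult:
    text: str
    counts: dict = field(default_factory=dict)  # label -> replacements made


def scrub_phi(text: str, roster: Iterable[str] = ()) -> ScrubResult:
    """Replace roster names and structured identifiers with labelled tokens."""
    counts: dict = {}
    for name in roster:
        text, n = re.subn(rf"\b{re.escape(name)}\b", "[NAME]", text, flags=re.IGNORECASE)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return ScrubResult(text, counts)


def prepare_for_assistant(text: str, roster: Iterable[str] = ()) -> ScrubResult:
    """Scrub, then refuse (instead of sending) if identifier-like residue remains."""
    result = scrub_phi(text, roster)
    leftover = RESIDUAL.search(result.text)
    if leftover:
        raise PHIGateError(f"unrecognised identifier-like token {leftover.group()!r}; not sending")
    return result


def ask_assistant(text: str, send: Callable[[str], str], roster: Iterable[str] = ()) -> str:
    """The only code path that reaches the AI vendor, so the gate cannot be skipped."""
    return send(prepare_for_assistant(text, roster).text)


# Constructed sample referral text (fictional patient, not real data).
SAMPLE_NOTE = (
    "Referral for Jane Doe, DOB 03/14/1978, MRN 00482913. "
    "Phone (555) 123-4567, email jane.doe@example.com. "
    "Home sleep test 2025-11-02 showed AHI 31.4; recommend CPAP titration. "
    "Insurance member ID 9987654321."
)

if __name__ == "__main__":
    # Stand-in for the real vendor call so this runs offline.
    fake_send = lambda prompt: "SUMMARY OF: " + prompt
    print(ask_assistant(SAMPLE_NOTE, fake_send, roster=["Jane Doe"]))
    try:
        ask_assistant("Account A123456789 denied claim", fake_send)
    except PHIGateError as exc:
        print("blocked:", exc)
```

The design choice worth copying is the last function: staff never call the vendor directly, they call `ask_assistant`, so the scrub and the refusal happen whether or not anyone remembers them. When the residual check fires, the safe failure is a blocked request and a message to the user, not a best-effort send.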
3. Focus on High-Value Work That Doesn’t Involve Patient Data
Some of the most productive AI applications in sleep medicine involve no patient information at all.
Examples include:
- Creating patient education materials.
- Drafting website content.
- Developing referral marketing campaigns.
- Summarizing journal articles.
- Building staff training resources.
- Writing standard operating procedures.
- Conducting insurance and reimbursement research.
- Creating conference, webinar, and continuing education materials.
Organizations that focus AI efforts in these areas can capture much of the productivity benefit while minimizing compliance exposure.
Where to Start This Month
If you’re a practice owner, administrator, lab manager, or clinical leader, consider taking these five steps:
1. Ask your team how they’re already using AI.
Approach the conversation with curiosity rather than enforcement. You cannot manage risks you cannot see.
2. Inventory every AI tool currently in use.
Determine which tools have BAAs and which do not. Identify workflows that need to be redesigned.
3. Create a simple AI policy.
It doesn’t need to be a lengthy document.
A straightforward framework often works best:
- Green: No PHI involved. Approved use.
- Yellow: De-identified information only. Follow established procedures.
- Red: PHI involved. Approved BAA-covered tools only.
4. Train using real-world examples.
Show employees actual tasks from your practice and discuss where they fit within the framework. Practical examples are far more effective than policy documents alone.
5. Review policies regularly.
AI platforms evolve rapidly. Terms of service, privacy policies, and data handling practices can change quickly. Revisit your approach at least quarterly.
The Bottom Line
The tension between AI and HIPAA is real, but it is not a reason to ignore one of the most transformative technologies of our time.
It is simply a design constraint.
The organizations that succeed will not be the ones that avoid AI altogether. They will be the ones who learn how to adopt it safely, intentionally, and compliantly.
Your team is likely already using these tools. The question is whether your practice or lab will establish the guardrails needed to harness their benefits while protecting patients, staff, and the organization.
AI adoption in sleep medicine is no longer a future consideration. It’s already here.
Now is the time to decide how you’ll use it.
By Chadd Wooters, MBA
References
1. Microsoft, LinkedIn. AI at Work Is Here. Now Comes the Hard Part. 2024 Work Trend Index Annual Report. May 8, 2024.
2. IBM. Cost of a Data Breach Report 2025. July 2025.
3. U.S. Department of Health and Human Services. Business Associate Contracts. HHS.gov.
4. Anthropic. Business Associate Agreements (BAA) for Commercial Customers. Claude Help Center.