After reviewing compliance documentation from hundreds of medical practices using AI scribes, we've identified five common HIPAA gaps that appear in approximately 90% of cases. Here's what they are and how to fix them.
Gap #1: Missing AI-Specific Usage Policy
The Problem
Most practices have generic HIPAA policies but lack a specific policy addressing AI scribe usage, oversight requirements, and review procedures. OCR expects written policies that specifically address how your practice uses AI tools.
The Solution
Create an AI Usage Policy that documents:
- When AI scribes are appropriate to use
- Who is authorized to use AI tools
- Required oversight and review procedures
- How to handle AI-generated errors or hallucinations
- Data retention and deletion policies for AI-generated content
Gap #2: Inadequate Training Documentation
The Problem
Practices train staff on AI tools but don't document who was trained, when, and on what topics. OCR requires role-based training documentation that shows compliance with HIPAA training requirements[1].
The Solution
Maintain training records that include:
- Employee name and role
- Training date and duration
- Topics covered (AI tool usage, PHI handling, review procedures)
- Training materials used
- Attestation of completion
Gap #3: No Documented Audit Procedures
The Problem
Many practices review AI-generated notes but don't have written procedures for how audits are conducted, what's reviewed, and how findings are documented. OCR expects documented audit procedures as part of reasonable safeguards.
The Solution
Create an Audit Checklist that specifies:
- How often audits are conducted (e.g., quarterly)
- Sample size and selection criteria
- What to review (accuracy, completeness, PHI handling)
- How to document findings
- Remediation procedures for identified issues
Gap #4: Missing Risk Assessment for AI Tools
The Problem
Practices conduct general HIPAA risk assessments but don't specifically assess risks introduced by AI tools, such as:
- AI hallucinations or errors in clinical documentation
- Data retention by AI vendors
- Training data exposure risks
- Inadequate oversight of AI-generated content
The Solution
Conduct an AI-Specific Risk Assessment that:
- Identifies risks unique to AI tool usage
- Documents likelihood and impact of each risk
- Outlines mitigation strategies
- Assigns ownership for risk management
- Establishes review frequency
Gap #5: Incomplete BAA Documentation
The Problem
While most practices have BAAs with AI scribe vendors, they often lack:
- Documentation of BAA review and renewal dates
- Verification that all required vendors have signed BAAs
- Procedures for handling BAA violations or breaches
- Documentation of sub-vendor BAAs (when AI vendors use third-party services)
The Solution
Maintain a BAA Register that tracks:
- All vendors that handle PHI (AI scribes, cloud storage, etc.)
- BAA execution dates and renewal schedules
- Key BAA terms (data retention, breach notification, etc.)
- Sub-vendor relationships and their BAAs
- Annual BAA review procedures
Why These Gaps Matter
These gaps aren't just paperwork issues—they represent real compliance risks:
- During OCR Reviews: Missing documentation can result in findings and corrective action plans
- During Breach Investigations: Inadequate policies can suggest lack of reasonable safeguards
- Civil Monetary Penalties: Per-violation amounts can exceed $70,000, with annual caps over $2 million for repeated violations[2]
How to Fix These Gaps
If you're using AI scribes and haven't addressed these gaps, consider:
- Using our Compliance Wizard: Generate AI-specific policies, procedures, and training materials in about 45–60 minutes
- Conducting a Gap Analysis: Review your existing documentation against these five areas
- Creating an Action Plan: Prioritize fixes based on risk and OCR expectations
Next Steps
Our Compliance Wizard is designed to help practices create OCR-ready documentation that addresses all five of these common gaps. The wizard generates:
- AI Usage Policy
- Training documentation templates
- Audit checklists and procedures
- Risk assessment frameworks
- BAA tracking templates
Remember: HIPAA requirements apply now, not when OCR announces formal audits. Addressing these gaps proactively protects your practice and demonstrates reasonable safeguards.
[1] HIPAA Journal. "HIPAA Training Requirements: What Covered Entities Need to Know." Overview of role-based training requirements and documentation expectations.
[2] U.S. Department of Health and Human Services, Office for Civil Rights. "HIPAA Enforcement: Civil Money Penalties and Settlement Amounts." Summary of civil monetary penalty tiers.