
AI Risk Assessment

Your AI tools are touching ePHI. Do you know where?

Most healthcare organizations deploying AI have no inventory of which tools access patient data, no governance framework, and no documentation. That is a HIPAA problem — and an OCR enforcement problem — waiting to happen.

  • Shadow AI: AI used without IT knowledge is the fastest-growing source of ePHI exposure in healthcare
  • 16+: Years operating at the intersection of healthcare cloud security and emerging technology risk
  • Zero: Reportable breaches across all client engagements over 16 years as a practicing CISO
  • Fixed: Fixed-scope engagement; cost, timeline, and deliverables defined before we start

AI adoption outpaced governance.

Healthcare organizations are deploying AI faster than they are governing it. Ambient scribes, clinical decision support tools, AI-powered billing platforms, and general-purpose tools like ChatGPT and Microsoft Copilot are being used daily by clinical and administrative staff — often without formal approval, security review, or any assessment of whether they create HIPAA obligations.

Every AI tool that touches ePHI creates a compliance obligation. If the tool is supplied by a third-party vendor that handles ePHI on your behalf, that vendor is likely a Business Associate and requires a BAA. If the tool processes clinical data, it is part of your ePHI environment and subject to the HIPAA Security Rule, including the required risk analysis. If staff use it without authorization (shadow AI), the organization has an unauthorized disclosure problem.

The proposed 2026 HIPAA Security Rule updates make this more urgent. The preamble to the proposed rule explicitly addresses AI-related risk, and OCR has signaled that AI governance will be an area of enforcement focus. Organizations that cannot demonstrate they have assessed and governed their AI stack are exposed.

Common AI risk scenarios we find

  • Staff using ChatGPT or Copilot to draft clinical notes containing patient identifiers
  • Ambient scribe tools deployed without a BAA or security review
  • AI billing platforms processing claims data without documented risk analysis
  • Clinical decision support tools with direct EHR integration and no governance framework
  • AI summarization tools processing discharge summaries or referral letters
  • Vendor AI tools with opaque data retention and training policies
  • No inventory of which AI tools are in use across the organization

If you deploy AI in a clinical context, you need this.

Built for healthcare organizations and Business Associates deploying AI tools that touch patient data — at any scale.

Health systems & hospitals

Deploying ambient scribes, clinical AI, and administrative automation at scale — often without a centralized governance framework or AI risk inventory.

AI ambient scribe vendors

Your product processes real-time clinical conversations and generates documentation inside EHRs. That is ePHI — and your governance documentation needs to reflect that clearly.

Healthcare SaaS with AI features

You've added AI capabilities to your platform — summarization, automation, decision support. Those features change your risk profile and your HIPAA obligations.

Medical billing & RCM platforms

AI-powered claims processing, prior auth automation, and coding tools are processing ePHI at high volume. The governance gap is frequently invisible until it isn't.

Telehealth platforms

AI triage, symptom checkers, and session summarization tools are creating new ePHI pathways that your original HIPAA SRA did not account for.

PE-backed healthcare groups

Post-acquisition AI tool consolidation across practice groups creates new ePHI exposure that existing compliance programs were not designed to cover.

What we assess. What you receive.

  • 01 AI Tool Inventory
    A complete inventory of every AI tool in use across the organization — approved and shadow — mapped to the ePHI it accesses, the workflows it touches, and the vendor relationships it creates.

  • 02 ePHI Exposure Mapping
    A detailed map of how ePHI flows into, through, and out of each AI system. Identifies unauthorized disclosures, unreviewed integrations, and data retention risks specific to AI environments.

  • 03 BAA Gap Analysis
    Review of existing Business Associate Agreements against the actual AI tools in use. Identifies vendors operating without a BAA, BAAs that don't cover AI-specific data processing, and subcontractor exposure.

  • 04 Governance Baseline Assessment
    Evaluation of your AI governance posture against emerging frameworks — HHS AI guidance, NIST AI RMF, and the 2026 HIPAA Security Rule commentary. Identifies structural gaps before they become enforcement gaps.

  • 05 Remediation Roadmap
    A prioritized action plan: which tools need BAAs, which need to be decommissioned, which governance policies need to be written, and in what order — based on risk, not alphabetical order.

Why practitioner judgment matters here

AI risk in healthcare is not a checklist problem. The tools are changing faster than the frameworks. What matters is the judgment to understand which AI deployments create real HIPAA exposure versus which create theoretical risk — and being honest about the difference.

I built and operated the security program at ClearDATA for 16 years — a company whose entire business was running HIPAA-compliant cloud infrastructure for major health systems. I have watched the threat landscape evolve from basic data center security to cloud-native architecture to AI-powered workflows. The governance principles are the same. The attack surface is not.

What you're buying is not a framework application. It's the judgment of someone who has operated at this intersection and knows where the real exposure lives.

— Chris Bowen, Founder & CEO

Most organizations need both.

An AI Risk Assessment and a HIPAA SRA address different but overlapping obligations. For organizations deploying AI that touches ePHI, we deliver them as a single integrated engagement.

HIPAA Security Risk Assessment

Your full ePHI environment

Required under 45 CFR 164.308(a)(1)(ii)(A). Covers all systems, all workflows, all safeguards.

  • ePHI asset inventory across all systems
  • Threat and vulnerability analysis
  • Risk ratings using NIST SP 800-30
  • OCR-defensible documentation
  • Remediation roadmap

AI Risk Assessment

Your AI-specific risk surface

Focused on the tools, workflows, and governance gaps specific to AI deployment in your environment.

  • AI tool inventory including shadow AI
  • ePHI exposure mapping through AI systems
  • BAA gap analysis for AI vendors
  • Governance baseline assessment
  • Prioritized remediation roadmap

What organizations ask us first.

Does HIPAA apply to AI tools?

Yes. If an AI tool creates, receives, maintains, or transmits electronic protected health information, either directly or through integration with clinical systems, HIPAA applies. This includes ambient scribes, clinical decision support tools, AI-powered billing platforms, and general-purpose AI tools like ChatGPT when used with patient data. The tool vendor may be a Business Associate, and your organization has an obligation to assess the risk and document the relationship.

What is shadow AI?

Shadow AI refers to AI tools being used by employees without formal organizational approval, security review, or governance oversight. In healthcare, this frequently includes staff using consumer AI tools to draft clinical notes, summarize patient records, or process billing data, all of which may expose ePHI to unauthorized third-party systems. Under HIPAA, an impermissible disclosure of ePHI is presumed to be a breach regardless of intent, unless a documented risk assessment shows a low probability that the PHI was compromised (45 CFR 164.402). Shadow AI is one of the fastest-growing sources of HIPAA exposure we see across organizations of all sizes.

Is an AI Risk Assessment the same as a HIPAA Security Risk Assessment?

No. A HIPAA Security Risk Assessment covers your entire ePHI environment under 45 CFR 164.308(a)(1): all systems, all safeguards, all workflows. An AI Risk Assessment is a focused evaluation of your AI-specific risk surface: the tools, integrations, vendor relationships, and governance gaps specific to your AI deployment. For organizations deploying AI that touches ePHI, both are needed. Bowen & Company delivers them as an integrated engagement.

We only use one or two AI tools. Do we still need this?

Yes, and organizations with fewer AI tools are often more exposed, not less, because they are less likely to have governance infrastructure in place. One ambient scribe without a BAA, one clinical AI tool with opaque data retention, or one staff member using ChatGPT with patient data is enough to create a material HIPAA exposure. The number of tools is less relevant than whether you have documented what they are, what they touch, and what your obligations are.

How do the proposed 2026 HIPAA Security Rule updates affect AI?

The 2026 proposed updates explicitly address technology risk in ways that apply directly to AI deployments, particularly the requirements for annual technology asset inventories, network segmentation for ePHI systems, and enhanced vendor oversight. OCR's commentary accompanying the proposed rule signals that AI-related risk will be an enforcement focus. Organizations that cannot demonstrate a documented AI governance posture will be at a disadvantage in any audit or enforcement action.

Know what your AI stack is touching.

A 30-minute conversation is enough to scope your AI environment and tell you what you need. No sales process. No proposal theater. We either fit or we don't — and we'll tell you which.

  • 01 Book a conversation. 30 minutes to understand your AI environment and confirm fit.
  • 02 Receive a fixed-scope proposal. Price, timeline, and deliverables defined upfront. No surprises.
  • 03 Complete the assessment. Typically 2–3 weeks. Documented AI inventory, exposure map, and remediation roadmap delivered.


Need ongoing coverage after this assessment?

Bowen & Company delivers the one-time assessment. Named CISO picks up from there with a retained CISO relationship.
