HIPAA’s “minimum necessary” standard now applies to AI — what mental-health practices need to know
Every time PHI moves to a new system, HIPAA asks the same question: is that the minimum information necessary to accomplish the task? AI tools — especially the general-purpose assistants your team may already be using — force you to answer that question honestly.
The Minimum Necessary Standard, in plain English
Covered entities must make reasonable efforts to limit the use, disclosure, and request of PHI to the minimum needed. “Reasonable effort” is the operative phrase — and with AI tools, it has a specific meaning.
Why AI changes the calculus
Dropping a full intake note into a consumer AI tool to “summarize it” is a disclosure of PHI to a business associate — except most consumer AI tools are not business associates and have not signed a BAA. That is a breach.
What a compliant AI workflow looks like
A signed BAA. PHI redacted before it ever reaches the model. Role-based access controls on any AI system integrated with your EHR. Audit logs the Compliance Officer can review. De-identification before model training is a non-negotiable.
The practical checklist
Inventory every AI tool your team is using. For each tool, obtain a BAA or terminate its use, depending on whether the vendor offers one. Publish a written AI-use policy. Train every clinician and admin on what can and cannot be pasted into a chatbot.