
Every staff member at a regen clinic uses AI now. Most do not know the HIPAA line. This is a printable reference on HIPAA, AI, ChatGPT, and your healthcare clinic: what you can never paste into a consumer AI tool, and the quick test to apply before you type. Keep it by every workstation.
TLDR: If a prompt identifies a patient and involves their health, it is PHI, and it cannot enter a consumer AI tool like ChatGPT or Claude without a signed BAA. Most marketing prompts are safe, because they hold no patient data. The danger is patient-specific prompts: names, conditions, procedures, dates, and reviews from your records. Apply a two-question test before every prompt. When in doubt, leave the patient out.
Important Note This article is for educational purposes only and does not constitute legal, medical, or regulatory advice. Marketing strategies discussed should be reviewed by qualified legal counsel before implementation. Regen Portal is a marketing company, not a law firm or compliance consultancy.
This one is for the whole team, not just the owner. Anyone at a regen clinic who opens ChatGPT or Claude needs to know one line. Cross it, and the clinic has a HIPAA problem. Stay on the right side of it, and AI is a safe, useful tool.
The rule is short. The mistakes are common. A staff member drafts a patient follow-up and pastes in the chart note. A coordinator asks AI to clean up reviews from the records. None of it feels risky. All of it can be a HIPAA violation. HIPAA is the federal law that protects patient health information.
Print this page. Keep it by the workstations. It gives you the one rule, the two-question test, and a clear table of what is safe and what is not.
The One Rule
If it identifies a patient and involves health information, it is PHI, and it cannot enter a consumer AI tool without a signed BAA.
That sentence is the whole policy. PHI is protected health information. A BAA, or Business Associate Agreement, is the contract that lets a vendor handle that data. The free and consumer versions of ChatGPT, Claude, and Gemini have no BAA. So patient data cannot go into them.
Everything else here explains how to apply that one rule. The HHS HIPAA overview is the source for what counts as protected.
What this means for your practice: Memorize the rule. It covers every AI prompt anyone on the team will ever type.
What Counts As PHI In A Marketing Context
PHI is any health detail tied to a patient who can be identified. The test is a combination: a patient identity plus a health context. Either one alone may be fine. Together, they are protected.
A name by itself is not PHI in most marketing. A condition described in general is not PHI. But a name attached to a condition, a procedure, or a visit date is PHI. So is anything pulled from your records or your EMR (your electronic medical record system). The HHS marketing guidance explains how this applies when you market.
What this means for your practice: Watch for the combination. Patient identity plus health context equals PHI. That is the pattern that turns a safe prompt into a violation.
The Practical Test
Before you type any AI prompt, run a two-question test. It takes five seconds, and it catches almost every mistake.
Question one: does this prompt identify a specific patient? A name, initials, a chart number, or details that point to one person all count. Question two: does this prompt involve health information? A condition, a procedure, a result, or a visit all count.
If the answer to both is yes, stop. That prompt holds PHI, and it cannot go into a consumer AI tool. If the answer to either is no, the prompt is usually safe. When you are not sure, treat it as PHI and leave the patient out.
What this means for your practice: Two questions, every time. Identity and health. If both are yes, do not paste it.
Safe And Unsafe: The Reference Table
Here is the line drawn across common prompts. The safe prompts hold no patient data. The unsafe ones add a patient to a health detail.
| Prompt or Input | Safe? | Reason |
|---|---|---|
| “Write a blog post explaining how PRP injections work” | Safe | No patient data |
| “Draft a follow-up email template for post-PRP consultation, generic, no patient info” | Safe | De-identified template |
| “Write 5 Instagram captions for a regen clinic, educational, no claims” | Safe | No patient data |
| “Create an FAQ page about exosome procedures for our website” | Safe | Educational, no PHI |
| “Write a follow-up for John Smith who had PRP on June 15 for his knee” | PHI | Name, date, procedure, health context |
| “Here are 20 reviews from our EMR, make them sound better” | PHI | Patient identifiers and health records |
| “My patient has lumbar pain and asked about stem cells, help me respond” | PHI | Health condition and identifiable clinical context |
| “Analyze our intake form data and write demographic-targeted content” | PHI | Patient health records |
| “Summarize this patient consultation note for our email sequence” | PHI | PHI plus marketing equals a HIPAA violation |
What this means for your practice: When a prompt looks like the bottom rows, stop. Strip out the patient, or move the task to a tool with a BAA.
The Safe Regen Marketing AI Workflow
Here is a simple workflow that keeps AI useful and patient data out. Follow these steps for any marketing task.
- Decide if the task needs patient data. Most do not.
- If it does not, write a generic, de-identified prompt and proceed.
- If it does, stop and route it to a BAA-covered tool, or do it by hand.
- Keep all names, conditions, and records out of the consumer tool.
- Have a human review the output for FDA and FTC compliance. The FTC’s health products guidance sets the bar for any health claim.
- Publish only after that review.
This is the same workflow we build for clinics. Our HIPAA marketing guide and the prior post in this series, on HIPAA-safe AI tools, give the full picture.
What this means for your practice: The workflow protects you by default. Patient data never reaches a tool that cannot hold it.
The Three Workflow Types And Their Risk
Most regen marketing work falls into three buckets. Each carries a different level of risk. Knowing which bucket you are in tells you what is safe.
Content creation covers blog posts, social captions, and email templates. This is safe with consumer tools, because it holds no patient data. Generic patient communication covers templates a clinic sends to many people. This is safe if it is de-identified, with no real patient in it. Patient-specific communication covers a message about one named person and their care. This needs an enterprise tool with a BAA. Our email marketing guide shows how to build templates that stay in the safe buckets.
What this means for your practice: The first two buckets are most of your work, and they are safe. The third bucket is where you need a BAA-covered tool.
How This Looks In Practice
Picture a front-desk staff member at a regen clinic in the Southeast. She wanted to save time on a patient email. Here is what went wrong, and how the clinic fixed it.
The Challenge: She opened a free ChatGPT account and pasted in a patient’s chart note to draft a follow-up email. The note had the patient’s name, knee condition, and PRP procedure date. She did not know the tool had no BAA.
The Approach: Her manager caught it and walked the team through the two-question test. They built a set of generic, de-identified email templates that AI could help write safely. For any message about a specific patient, they used a tool with a BAA.
The Compliance Check: They removed all patient data from the consumer tool. They added the safe workflow to the team’s internal policy. They kept using AI for templates and content, because that work has no PHI.
The Result: The clinic turned a near-miss into a clear policy. The team still uses AI every day. Patient data now stays out of any tool that cannot hold it.
Frequently Asked Questions
Can I paste a patient’s name into ChatGPT? A name with no health context may not be PHI on its own. But a name plus a condition, procedure, or visit is PHI, and it cannot go into a consumer tool. The safe habit is to leave patient names out entirely.
Is it safe to ask AI to write a generic patient email? Yes, if it is truly generic. A template with no real patient, no name, and no health detail is safe. The moment you add a specific patient, it becomes PHI.
What about reviews from our records? Reviews pulled from your EMR carry patient identifiers and health data, so they are PHI. Do not paste them into a consumer AI tool. Also remember that AI cannot rewrite the content of a review under FTC rules.
Does de-identifying really make it safe? If the prompt has no patient identity and no link back to a person, it is not PHI. True de-identification removes names, dates, and any detail that points to one patient. When in doubt, treat it as PHI.
Which tools can hold patient data? Only an enterprise tool that has signed a BAA with your clinic. The free and consumer versions of ChatGPT, Claude, and Gemini have not. Check your plan before assuming.
What do I do if I already pasted PHI into a consumer tool? Stop, and tell whoever handles compliance at your clinic. Do not keep using that workflow. Then move the task to a safe tool, and update your team policy so it does not happen again.
Key Takeaways
- If a prompt identifies a patient and involves health, it is PHI.
- PHI cannot enter a consumer AI tool without a signed BAA.
- Run the two-question test before every prompt: identity and health.
- Content creation and generic templates are safe with consumer tools.
- Patient-specific messages need an enterprise tool with a BAA.
- Reviews and notes from your EMR are PHI, so keep them out.
- When in doubt, leave the patient out.
Your Next Step
PS: This is the kind of compliance detail that should live in your team’s internal policy document, not get discovered after the fact. We help regen practices build AI workflows that don’t create HIPAA exposure. Reach out at [email protected], or subscribe for weekly insights on YouTube at https://www.youtube.com/@oatellez.
Compliance Disclaimer This article is educational and does not constitute legal, medical, or regulatory advice. It reflects publicly available information that can change as regulations, enforcement priorities, and platform policies evolve. It does not promise any marketing outcome or specific compliance result. Before acting on anything here, have your own marketing reviewed by qualified legal counsel familiar with FDA, FTC, HIPAA, and the advertising rules in your state.
About Regen Portal: Regen Portal is a marketing company serving the regenerative medicine industry. We provide SEO, content creation, social media management, paid advertising, website development, and branding services for clinics, manufacturers, distributors, and independent providers. Some strategies discussed in our educational content align with services we offer. For more on how we work, contact us.
About Oscar Tellez: Oscar Tellez is the founder of Regen Portal, a marketing company built for the regenerative medicine industry. With over 15 years of experience spanning clinical operations, product distribution, and digital marketing, Oscar has helped hundreds of practices, manufacturers, and distributors grow through compliant, high-performance marketing strategies. He holds a B.S. in Exercise Physiology and Health Promotion from Florida Atlantic University.


