
What you'll accomplish

By the end of this guide, you'll understand exactly what you can and can't do with free AI tools like ChatGPT (without violating HIPAA) and how to get set up with a HIPAA-compliant AI option for workplace use. You'll be able to use AI confidently for drafting appeal letters and PA narratives — with or without patient identifiers.

What you'll need

  • A computer with internet access
  • Time needed: 20-30 minutes
  • Cost for de-identified approach: Free
  • Cost for BastionGPT: Contact vendor for healthcare pricing

How-To Guide: HIPAA-Compliant AI for Medical Billing

Step 1: Understand the HIPAA rule for AI tools

Before using any AI tool with patient information, you need to know one key rule: you cannot send Protected Health Information (PHI) to consumer AI tools like ChatGPT, Claude, or Gemini without a Business Associate Agreement (BAA).

PHI includes:

  • Patient names
  • Dates of birth, dates of service
  • Social Security numbers, Medicare/Medicaid IDs
  • Addresses, phone numbers
  • Any account or claim numbers linked to a specific patient

What you can do with free AI: Use de-identified information only — describe the billing scenario without any of the above identifiers.
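As an added example (not part of this guide), the Python below is a pre-paste check that flags the identifier classes listed above in a draft prompt and redacts them before the text goes to a consumer AI tool; the regular expressions (including the Medicare Beneficiary Identifier shape, written from the public 11-character format) and the two sample drafts are constructed for this example.

```python
import re

# One pattern per identifier class from the PHI list above. The MBI pattern
# follows the published 11-character layout (letters exclude S, L, O, I, B, Z)
# but is a constructed check, not an official validator. The name pattern only
# catches a labelled "Patient <First Last>" / "Name: <First Last>" field.
PHI_PATTERNS = {
    "patient_name": re.compile(r"\b(?:Patient|Name)\s*:?\s+([A-Z][a-z]+ [A-Z][a-z]+)\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),            # DOB, date of service
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "medicare_mbi": re.compile(
        r"\b[1-9][AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?"
        r"[AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?[AC-HJKMNP-RT-Y]{2}\d{2}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    # Labelled claim/account numbers; the lookahead requires at least one digit
    # so ordinary words after "claim" (e.g. "claim denied") are not flagged.
    "account_or_claim": re.compile(
        r"\b(?:claim|account|acct)\s*#?\s*:?\s*((?=[A-Z]*\d)[A-Z0-9]{6,})\b", re.I),
}


def scan_for_phi(text):
    """Return a list of (category, value) for every identifier found in text."""
    hits = []
    for category, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((category, m.group(m.lastindex or 0)))   # value only, not label
    return hits


def redact_phi(text):
    """Replace each identifier with a bracketed tag; returns (text, count)."""
    total = 0
    for category, pattern in PHI_PATTERNS.items():
        def _tag(m, category=category):
            # Keep a leading label such as "Patient " or "claim # ", drop the value.
            prefix = m.group(0)[: m.start(1) - m.start(0)] if m.lastindex else ""
            return prefix + "[" + category.upper() + "]"
        text, n = pattern.subn(_tag, text)
        total += n
    return text, total


# Constructed sample drafts with fictional data: one that must not be pasted
# into a free tool as-is, and one written the de-identified way.
RAW_DRAFT = ("Patient John Doe, DOB 03/14/1961, MBI 1EG4-TE5-MK73, SSN 123-45-6789, "
             "phone (555) 123-4567, claim # 2024001234: CPT 99214 on DOS 01/15/2024 "
             "denied for lack of medical necessity.")
DEIDENTIFIED_DRAFT = ("Appeal for a patient in their 60s: CPT 99214 denied for lack of "
                      "medical necessity; documented diagnosis E11.9 with A1c of 9.2.")

if __name__ == "__main__":
    for draft in (RAW_DRAFT, DEIDENTIFIED_DRAFT):
        print(scan_for_phi(draft) or "no identifiers found", "->", redact_phi(draft)[0])
```

A pattern check like this is a safety net for obvious identifiers, not a de-identification guarantee: unlabelled names, rare conditions and small-population dates of service still need a human read before the draft leaves the organization.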

What you should see: When you look at a free AI tool's terms of service, it will not include healthcare BAA provisions.

Troubleshooting: If your employer has a Microsoft 365 agreement with a healthcare BAA for Microsoft Copilot, you may be cleared to use it with PHI. Check with your IT department or compliance officer.