March 5, 2026

What to know before your practice commits to an AI tool

AI adoption in physician practices is accelerating. The contracts, however, often get less scrutiny than the sales pitch.


Read the fine print

Artificial intelligence (AI) adoption in physician practices has accelerated sharply over the past two years. In a January 2025 Stat poll by the Medical Group Management Association, AI tools displaced electronic health record usability as the top technology priority for practice leaders for the first time, with 32% naming them as their leading focus — up from just 13% in a similar poll conducted in late 2023. But adoption often outpaces due diligence, and for many practices, the most consequential decision is not which AI tool to choose, but what they agreed to when they signed the contract.

The legal landscape around health care AI remains unsettled. Federal regulatory guidance has been limited, leaving states to fill the gap with their own laws and requirements, creating a patchwork of compliance obligations that vary significantly by jurisdiction.

"We're still waiting for action from the federal government to define the limits to which AI can be utilized in health care," said Dan Silverboard, a partner at law firm Holland & Knight and a health care attorney with more than 20 years of experience in regulatory compliance, speaking to Healthcare Dive in January 2026. "In the interim, the states really have been taking the lead in making these decisions."

That regulatory uncertainty makes the vendor contract itself one of the most important risk management documents a practice will sign. The questions are not theoretical. Who owns the patient data that the tool processes? What happens if an AI recommendation contributes to a clinical error? What are the practice's documentation obligations, and what does exiting the relationship look like?

Many practices are signing agreements without clear answers to any of them.

The liability question

The most commonly misunderstood aspect of AI vendor contracts is what they do and do not transfer in terms of legal responsibility. Broad disclaimers from vendors are standard. But those disclaimers do not change the fact that, under current law in most states, the physician remains responsible for any recommendation that makes it into patient care. State medical boards and legislatures have been moving toward formalizing that responsibility, and several have already done so.

Silverboard, speaking to Medical Economics in February 2026, described the risk for practices as running in two directions.

First, the majority of health care AI investment is going to start-ups — many of which lack the operational history, validation track record and demonstrated HIPAA compliance infrastructure of more established technology vendors.

Second, clinicians and administrators who passively accept AI outputs, whether clinical recommendations or ambient documentation, without reviewing them carefully are accepting liability for whatever those outputs contain. That second risk may be more consequential in the near term precisely because it is easy to overlook. A well-marketed AI scribe or coding tool can generate significant trust quickly, and the danger is complacency.

"Artificial intelligence holds great promise for the future of health care, but it is still early days," Silverboard said. "Health care providers need to be vigilant about the vendors they contract with and conduct periodic auditing and monitoring, especially for programs that generate billing codes and clinical recommendations, and include those compliance checks in their compliance programs."

Data, the BAA and what the contract actually says

Any AI vendor that creates, receives, maintains or transmits protected health information on behalf of a covered entity is, under HIPAA, a business associate. A signed Business Associate Agreement (BAA) is legally required. Using a tool that handles patient data without one is a direct violation, regardless of whether a breach actually occurs.

Practices should also review what the BAA actually says, because standard agreements are frequently not tailored to AI. Specific provisions — prohibiting the vendor from using your patients' data to train its general model for other clients, for example — may need to be negotiated and added to default terms.

AI-specific BAA clauses should explicitly address several categories: permissible data use, prohibited secondary uses, security controls and subcontractor compliance obligations if the vendor relies on third-party services.

Data ownership, retention and portability terms deserve equal scrutiny. Contracts sometimes include language permitting vendors to retain patient data after a contract ends or to use de-identified data for model development without restriction. HIPAA's de-identification standards require either the Safe Harbor or Expert Determination method, but de-identification is not a permanent protection — re-identification risk increases as data is combined with other datasets.

After the signature

Signing a vendor agreement is not the end of the procurement process. Practices using AI for clinical decision support or administrative functions should build audit procedures into their compliance programs: periodic review of AI-generated billing documentation, clear protocols for documenting AI use in the medical record and written policies governing which tools staff are permitted to use and under what circumstances.

California's Assembly Bill 2013, effective Jan. 1, 2026, requires developers of publicly available generative AI systems to disclose training data on their websites — a disclosure that practices can use to scrutinize vendors before contracting with them. North Carolina's medical board has issued guidance on documenting AI use in the clinical record. Other states are actively developing similar frameworks, and the regulatory environment is likely to become more demanding over time.

For practices that have not yet reviewed their AI vendor agreements with legal counsel, that review is worth beginning now — before adoption deepens and before any of these questions must be answered under less favorable circumstances.