Healthcare Compliance Guide

HIPAA-compliant AI for Montana clinics.

A practical 2026 guide for Montana clinics, critical-access hospitals, and rural practices that want to use AI without violating HIPAA, BAA, or the trust of the people they treat.

7 min read·Updated 2026-05-30·By Aaron Whitfield

TL;DR

There is no such thing as a 'HIPAA-compliant AI tool' by itself — HIPAA compliance is about how you configure and contract for it. The three tools most Montana clinics can safely deploy in 2026 are Microsoft 365 Copilot (with a signed BAA), ChatGPT Enterprise (with a signed BAA), and Nuance DAX or Abridge for ambient scribing. Consumer ChatGPT, Claude, and Gemini are not compliant for PHI and never will be on free or personal-paid plans.

01

What 'HIPAA-compliant AI' actually means

HIPAA-compliant AI means an AI service whose vendor has signed a Business Associate Agreement (BAA) with you, has configured the service so your inputs and outputs aren't used to train its models, keeps audit logs, and accepts liability for breaches. The tool itself is just software — compliance is the contract and configuration around it.

If a vendor won't sign a BAA, the tool is not compliant for PHI no matter what their marketing says. End of discussion.

02

Tools that can be deployed compliantly in 2026

Short, current list. Versions and BAA availability change — confirm before signing.

  • Microsoft 365 Copilot — Microsoft signs a BAA; covered when used with an M365 tenant under your existing HIPAA agreement.
  • ChatGPT Enterprise (and ChatGPT Edu) — OpenAI signs a BAA; data is not used to train models.
  • Claude for Work (Team or Enterprise) — Anthropic offers a BAA on Enterprise.
  • Google Workspace + Gemini — covered under Google's HIPAA Implementation Guide once you accept the BAA addendum.
  • Nuance DAX Copilot — Microsoft-owned ambient scribe, BAA included, EHR integrations.
  • Abridge — ambient clinical documentation, BAA included, growing EHR integrations.
  • AWS Bedrock / Azure OpenAI — for custom builds, both covered under their respective BAAs.

03

Where Montana clinics actually start

For most Montana primary care, behavioral health, and dental practices the first move is ambient scribing — Nuance DAX, Abridge, or DeepScribe — because it returns 1–2 hours per provider per day with the cleanest compliance story. The pilot is one provider for 30 days; budget is roughly $200–$400/provider/month.

Critical-access hospitals usually pair scribing with a Microsoft 365 Copilot rollout for the admin side — prior auth letters, discharge summaries, meeting notes. That's where the office hours go.

  • Ambient scribing — 1–2 hrs/day per provider returned, ROI usually inside 60 days.
  • Prior authorization drafting — Copilot or Claude over a redacted template library.
  • Patient FAQ chat on the public website — never PHI, no BAA needed since no patient data flows in.
  • Schedule and intake optimization — done in your EHR vendor's AI features, which already sit under your existing BA chain.

04

What to never do

These will get you fined or sued. We've seen every one of them at Montana clinics in the last two years.

  • Paste a patient note into ChatGPT Free, Plus, or Team. None are covered.
  • Use a personal Gmail or @gmail Claude account for clinical work.
  • Sign up for a transcription service without a BAA because it's free.
  • Build a public chatbot that asks for date of birth, insurance, or symptoms before triage.
  • Skip the security risk analysis required under the HIPAA Security Rule.

05

A 30-day compliant pilot

  • Week 1: BAA in place, single provider or single admin workflow chosen, written AI use policy signed.
  • Week 2: training session and first live use under supervision.
  • Week 3: full use, daily check-ins.
  • Week 4: measure hours saved, error rate, and provider satisfaction; decide whether to expand.

Frequently asked

Is ChatGPT HIPAA-compliant?
Only ChatGPT Enterprise and ChatGPT Edu are eligible for a BAA from OpenAI. ChatGPT Free, Plus, and Team are not HIPAA-compliant and must not be used with PHI.
Is Microsoft 365 Copilot HIPAA-compliant for a Montana clinic?
Yes, when used inside an M365 tenant covered by Microsoft's BAA, configured to keep data inside your tenant, with the standard organization-level controls applied. The BAA is part of Microsoft's existing healthcare cloud agreements.
What about Nuance DAX or Abridge for ambient scribing?
Both sign BAAs and are designed for clinical use. Most Montana primary-care practices we work with pilot one of them on a single provider first. Cost is roughly $200–$400/provider/month.
Do we need a HIPAA Security Rule risk analysis before deploying AI?
Yes. The Security Rule's risk analysis requirement applies to any new system that creates, receives, maintains, or transmits ePHI. Most clinics update their existing SRA to add the new AI tool — we can help.
What if our EHR vendor already has AI features?
If they're delivered inside the EHR under your existing Business Associate chain, they're typically covered. Ask your vendor for written confirmation that the AI feature falls under their existing BAA — many do.
Can we use AI on the patient-facing website if no PHI is collected?
Yes. A chatbot that answers 'What insurance do you take?' or 'What are your hours?' and never collects PHI is outside HIPAA's scope. The moment it asks for date of birth, symptoms, or insurance ID, it falls under HIPAA and needs a BAA.
Do you sign a BAA with us as the consultant?
Yes. We sign a Business Associate Agreement before any engagement that touches PHI.
How long does a compliant first deployment take?
30 days for a single workflow with a single tool. Multi-tool rollouts (scribing plus admin Copilot plus patient chat) run 8–12 weeks.

Want this dialed in for your business?

Free 30-minute call. We listen, we tell you whether AI is the right call, and we quote a flat fee if it is. No decks, no pressure.