HIM Briefings - Questions HIM leaders must ask before approving AI

HIM Briefings - Questions HIM leaders must ask before approving AI

HIM leaders who ask the right questions early, demand transparency, and favor controlled infrastructure will help their organizations innovate safely while maintaining compliance and trust, according to Jeremy Shiner, founder and CEO of Myriad Systems.

Shiner catches up with HIM Briefings for a Q&A on how to put this into action.

Q: Many HIM leaders are being asked to approve or evaluate artificial intelligence (AI) tools quickly as organizations push for efficiency. What early warning signs should HIM leaders look for during vendor evaluations that indicate an AI product may create hidden exposure risks for protected health information (PHI)?

Shiner: Overreliance on the label of HIPAA compliance—often just a 10-minute course companies are taking—and a business associate agreement (BAA), which simply means they can access the technical information, is a warning sign.

You need to dig deeper. Any vendor unwilling to disclose which large language model (LLM) they are using, how it’s connected, or who owns the parent company is a big “no.”

Be cautious of companies with limited healthcare experience or those that are primarily transcription tools attempting broader functions. Pay attention to their background and whether they have a solid understanding of HIPAA, and don’t be afraid to ask tough questions.

Finally, if there is no mention of de-identifying patient data, or if the LLM is using PHI for model training, that is unacceptable. Full transparency on data handling is essential before any patient information is shared.

Q: You note that AI tools operating outside the electronic health record (EHR) should be treated as higher risk by default. From a governance perspective, how should HIM departments structure a formal review process before these tools are approved for use?

Shiner: Start by having a conversation with your certified EHR vendor. Many of these tools use screen scraping or application programming interface (API) connections that aren’t approved vendors within the EHR system. Ask the vendor if they are familiar with the company, and review the company’s history, ownership, location, and funding. This gives you a clear picture of who you’re dealing with and helps ensure the tool is safe, compliant, and appropriate before it’s ever implemented. HIM departments should implement ongoing monitoring, including audit logs, periodic reviews, and clear accountability for any issues that arise.

Q: In many organizations, AI adoption is being driven by clinical operations, revenue cycle teams, or IT rather than HIM. How can HIM leaders position themselves as central decision-makers in AI governance rather than being brought in after tools are already deployed?

Shiner: Collaboration is key. HIM leaders should recognize that providers and billing departments may be drawn to AI tools that promise immediate automation. Rather than simply accepting the most impressive demo, focus on identifying solutions that deliver accurate results, sustained efficiency, and compliance, not just reduced administrative burden.

There are a lot of options out there; it’s in your best interest to carefully vet the solutions to find the best one that will make your life easier.

Q: Vendors often claim HIPAA compliance without explaining the underlying architecture. What specific documentation or technical details should HIM leaders require from vendors to validate those claims?

Shiner: Start by asking about their security and compliance setup. How do they handle access—like dual-factor authentication—and who else might touch your data downstream? It’s not just their system you’re trusting.

Find out how they connect to LLMs and which ones they’re using. You’ll also want to know about encryption, backups, and other cybersecurity measures like redundancies in case of an attack. Finally, ask where the data lives, whether on local servers, in the cloud, or a mix. Covering these points will definitely give you some confidence that the system is safe, compliant, and reliable.

Q: You highlight the importance of understanding downstream subcontractors and cloud providers. In practical terms, what questions should HIM leaders ask vendors to uncover these hidden layers of data processing?

Shiner: Ask vendors how they are connected to the LLM, what LLM it is, and what server is the data being hosted on. Clarify who stores, processes, or transmits PHI at each step, and whether BAAs are in place with all parties.

Question how long data is retained, whether it is reused for training or analytics, and how access is controlled. Confirm whether any external systems can see or log PHI and whether monitoring or auditing exists for all downstream processes.

Q: As more AI tools rely on LLMs, many organizations are unclear about whether their vendors are using PHI for model improvement or logging. What safeguards should HIM leaders insist on to prevent patient data from being reused in training or analytics pipelines?

Shiner: The starting point is to make it contractually impossible for patient data to be reused. Any agreement should clearly state that PHI cannot be used for model training, analytics, or “service improvement,” and that data must be deleted or returned once the task is complete.

If that language is not explicit, there is exposure. While the safest approach is to limit where the data can go in the first place, a system that relies on third-party LLMs or shared infrastructure increases risk significantly.

There also needs to be visibility, auditability, and traceability to see exactly how data is being used, where it is flowing, and whether it is being logged at any point. Once patient data enters a training or analytics pipeline outside your control, you have effectively lost control of it, so set strict contractual and technical boundaries up front.

Q: Some organizations are experimenting with AI tools that summarize clinical documentation or assist with coding and billing. What governance or monitoring processes should HIM leaders implement after deployment to ensure these tools remain compliant over time?

Shiner: AI does not stay static after deployment, so governance cannot stop at approval. There needs to be a process to continuously validate outputs against real-world use, to see if the notes are accurate, the codes are appropriate, and anything is being introduced that could create compliance or billing risk.

It is also essential to monitor consistency over time. If the system starts producing different patterns in documentation or coding, that is a signal that something has changed, whether in the model, data, or workflow. Any updates should be treated as a new risk point.

Changes to the model, integrations, or data inputs should be reviewed with the same level of scrutiny as the initial rollout. There needs to be full visibility into how the system is performing, with the ability to trace outputs back to inputs so you can identify issues or maintain compliance as the system evolves.

Q: Education is another role you highlight for HIM leaders. What are the most important concepts that frontline staff, coders, and clinical teams need to understand about AI and PHI before they begin using these tools in daily workflows?

Shiner: For staff using AI, the message is simple: Don’t trust it blindly. They need to understand that AI should be used according to internal standard operating procedures. They must be trained on proper use, ensure input is complete and correct, and use AI to enhance formatting and operations, not to replace their own review and judgment.

AI should help with work, not replace thinking. People still need to review notes, check codes, and make sure everything is correct before anything is submitted.

Q: In your experience, where do healthcare organizations most commonly underestimate the risks associated with API-based AI integrations, and how can HIM leaders help close those gaps before implementation?

Shiner: The areas most underestimated are AI tools operating outside the EHR, particularly API-based integrations that move PHI through multiple systems.

HIM leaders can close these gaps by treating non-EHR tools as higher risk by default, requesting full data flow diagrams, confirming BAAs exist at every level, and verifying that PHI is not retained or reused beyond its intended purpose. It’s important for staff to know the risks of hidden black box processes, watch for bias in outputs, and make sure all handling of PHI stays fully HIPAA compliant, including proper retention, access controls, and de-identification.

Q: Looking ahead, how do you see the role of HIM leaders evolving as AI adoption accelerates across healthcare organizations? What new governance responsibilities or skill sets will become essential over the next few years?

Shiner: AI is being used more across healthcare, and when paired with humans monitoring its use, it can achieve remarkable results. AI can streamline workflows, reduce repetitive tasks, and make documentation and coding more accurate and consistent. It also helps teams access and analyze data faster, supporting better decision-making and improving overall efficiency.

But at the same time, it brings new risks. Hackers can use AI to launch faster and more frequent attacks. As AI use grows, HIM teams will need stronger skills in cybersecurity and vendor management to see what redundancies, protections, and cybersecurity [vendors] have in place.

It is important that you are not creating back doors, such as standard reporting libraries your AI vendor and EHR are using for basic functions. Are vendors hosting those libraries on their own servers, or are they tapping into the libraries, which creates a back door to the software if they get hacked?

In health IT, the standard is to host it yourself. In common software networks, they're tapping into it. Ask these new AI pop-ups about taking that extra cost to host the libraries and everything internally, as well as to vet it and look for vulnerabilities themselves.

How are you protected, and what is your contingency planning in the case of a breach? How quickly can you spin up on another server? How quickly can you shut that down, and how quickly can your vendors do that? If you do these things quickly but your vendors don't, you are still vulnerable.

So, HIM leaders will need to carefully select trusted vendors and ensure strong data protection, with plans in place to respond quickly to any breaches. Not only will embedding vendors become more important, but vetting vendor cybersecurity protocols becomes more crucial than ever.

"Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent of HCPro, or the Copyright Clearance Center at 978-750-8400. Opinions expressed are not necessarily those of RCA. Mention of products and services does not constitute endorsement. Advice given is general, and readers should consult professional counsel for specific legal, ethical, or clinical questions."


Proud Partners

Proud Partners

To embed a website or widget, add it to the properties panel.
To embed a website or widget, add it to the properties panel.
 (edited)