Using AI Safely and Responsibly in Health Care and Research

Using AI tools in health care and research requires careful attention to privacy, security, and ethical considerations. The following principles help ensure that AI is used safely, responsibly, and in ways that protect patient privacy and research data integrity.

Minimum Necessary Principle

No matter the platform or tool, the Minimum Necessary principle always applies:

  • Enter only the information needed for the AI task.
  • Whenever possible, use de-identified or synthetic data instead of actual patient data.
  • Avoid including more detail than required for the use case.
  • Never submit direct identifiers (e.g., names, addresses, medical record numbers, contact information) unless absolutely necessary.
  • When unsure, leave it out.

Standards for Using AI Tools Responsibly

  • Use tools as intended: Each University-approved AI platform is designed for a specific purpose. Using a tool outside its intended use can create legal, ethical, or clinical risks, and may compromise patient safety, privacy, or research integrity or quality.
  • Security comes first: Any new AI tool must undergo a Security Planning Assessment to ensure it handles data safely and meets University standards before it is used. Tools intended for use in both University and Health System settings may be routed to a Security Design Review by the Health System Office of Information Security.
  • Match tools to tasks: Always use each AI tool for its approved purpose. Following the “fit-for-purpose” principle helps maximize benefits while reducing risks.
  • Check back frequently: The tools and regulations are evolving rapidly, so stay up to date on the latest policies and approved tools/use cases.

Clinical Use Guidance

AI chatbots can support documentation, clinical decision-making, and patient engagement, but only when using tools specifically approved for clinical use (e.g., Epic chatbots and predictive or generative AI models).

Clinical Use: Approved for specific, authorized use cases. HIPAA compliance is determined by the relevant University and Health System committees on a case-by-case basis; a vendor's claim of “HIPAA compliance” does not meet these standards.

Important: AI tools are not authorized to provide diagnoses, treatment recommendations, or risk stratification unless formally approved through clinical governance channels.

For clinical AI use case implementations, please submit a ticket. Pre-submission consultations with a Medical Information Officer may be helpful for more complex use cases or informatics research grants.

Allowed:

  • Using deployed AI tools such as Abridge and Epic applications for clinical practice and decision support, including ambient note drafting, denial letter support, and clinical summarization and documentation tasks.
  • Entering minimum necessary PHI only when using approved, HIPAA-compliant clinical tools, as defined by HIPAA, IRB, and Yale data governance requirements. For clinical use cases, tools must be approved through the Enterprise Healthcare AI Governance process.

Not Allowed:

  • Using Clarity or general-purpose AI for clinical decision support without humans in the loop. 
  • Uploading clinical notes or PHI into unapproved and unsupported platforms or experimental tools, especially on external, cloud-hosted environments
  • Using AI for unsupervised diagnostic reasoning or prescribing decisions

Clinical decision support must be evidence-based, unbiased, auditable, and HIPAA-compliant. Use only approved tools for these workflows and always personally review the outputs for accuracy.

Research Use Guidance

AI can support research design, data summarization, and hypothesis generation, but must align with IRB protocols and platform capabilities.

Allowed:

  • Using Clarity to draft abstracts, summarize articles, or explore synthetic datasets
  • Entering PHI into the ePHI-approved Clarity agents only when essential and covered by an IRB protocol

Not Allowed:

  • Using clinical AI tools for general research or experimentation
  • Unintended uses of tools (e.g., using Epic or Abridge for non-clinical research)

Key Reminders:

  • De-identify whenever possible. Use synthetic or de-identified data to reduce privacy and regulatory risk. Please refer to HIPAA Procedure 5039 PR.1 for more information.
  • If identifiable data is absolutely necessary, ensure proper approval and oversight (IRB protocol or data use agreement).
  • The standards for achieving de-identification are strict; simply removing obvious patient identifiers does not meet them, especially when dealing with clinical notes or images.

Educational Use Guidance

AI can enhance learning, simulation, and critical thinking in Undergraduate Medical Education and Graduate Medical Education. Tools like Clarity are ideally suited for non-clinical academic use.

Allowed:

  • Explaining medical concepts, summarizing articles, or simulating clinical conversations (using fictional or synthetic data)
  • Testing prompts, exploring reasoning patterns, or co-developing training materials
  • Supporting curriculum development, flashcards, or feedback loops

Not Allowed:

  • Generating answers for graded assignments or exams without permission
  • Uploading real patient data or PHI
  • Misrepresenting AI content as human work product

Clarity is a sandbox for learning. Keep educational activities separate from real patient care or protected data.

Administrative Use Guidance

AI can help with letters, forms, messages, and workflows, but data boundaries and access controls still apply.

Allowed:

  • Refining internal communications, policy summaries, or outreach drafts
  • Generating scheduling reminders, FAQs, or training materials

Not Allowed:

  • Uploading internal documents containing PHI or sensitive personnel data into non-approved AI tools
  • Using AI-generated text for public communications without review
  • Mixing administrative content with clinical datasets in unapproved tools

AI can save time, but final review is your responsibility. Always verify content before publishing or sharing.

Tool Selection Guidance by Use Case

Each entry lists the user type, the scenario, the recommended tool, and the justification.

  • User type: Clinical Research Faculty
    Scenario: Writing a study progress report
    Recommended tool: Clarity
    Justification: Under an IRB-approved protocol, a researcher enters clinical notes extracted from Epic into a PHI-approved Clarity - Health agent and generates a concise narrative summary of the patient's encounters.
  • User type: Clinical Faculty
    Scenario: Writing a manuscript or grant
    Recommended tool: Clarity
    Justification: No PHI involved; suitable for drafting and editing scholarly text.
  • User type: Medical Student
    Scenario: Studying for board exams
    Recommended tool: Clarity
    Justification: Allows conceptual clarification and studying assistance without PHI.
  • User type: Faculty Researcher
    Scenario: Designing an AI model using synthetic patient data
    Recommended tool: Clarity
    Justification: Synthetic data permitted under research guidance.

Key Contacts and Links

Each entry lists the area followed by the contact or request form.

  • Questions and guidance on AI tools and usage for use cases: hsit-software@yale.edu
  • Initiate a request for a new AI tool: hsit-software@yale.edu
  • Request access to PHI agents in Clarity: hsit-software@yale.edu
  • HIPAA Privacy Policy: HIPAA Privacy Policy (link)
  • Data Classification Standard: Data Classification (link)
  • Security Planning Assessment (SPA): Cybersecurity (link)