What OpenAI’s ChatGPT Health Means for Small Clinics: A practical security checklist

OpenAI’s new ChatGPT Health feature — designed to analyse users' medical records to provide personalised responses — is a reminder that health data flows are changing fast. For small clinics that scan, sign, and share patient documents, that change means updating technical controls and vendor practices now. This hands-on guide translates the announcement into a practical security checklist focused on encryption, access controls, digital signing, and vendor vetting tailored to small healthcare providers.

Why this matters to your clinic

Healthcare data is among the most sensitive types of personal information. Regulators and watchdogs have already flagged privacy risks from AI tools that ingest health data. Even if you don’t plan to feed records into ChatGPT, patient documents move through the same processes — scan stations, document management systems, e-signature vendors and external partners. Each step is a potential exposure point for protected health information (PHI).

Quick context: ChatGPT Health and the privacy headlines

OpenAI says ChatGPT Health stores conversations separately and won’t use them to train models, and that it’s not for diagnosis. Nonetheless, campaigners stress the need for airtight safeguards. For small clinics, the immediate takeaway is operational: tighten the security of how you scan, store, sign, and share patient documents so they remain protected wherever they travel.

How to use this article

Treat the sections below as a checklist to review your current practices and vendor contracts. Each section ends with an actionable checklist you can use during a quick risk audit or vendor conversation.

Core security areas to cover

1. Encryption (at rest and in transit)
2. Access controls and authentication
3. Digital signing and audit trails
4. Vendor vetting and Business Associate Agreements (BAAs)
5. Secure scanning and OCR practices
6. Secure sharing and retention policies

1. Encryption: what to require and how to check

Encryption is non-negotiable for PHI. Make sure your devices and vendors encrypt data both in transit and at rest.

• At-rest encryption: Require AES-256 (or equivalent strong cipher) for servers and cloud storage containing PHI.
• In-transit encryption: Use TLS 1.2+ for web connections and SFTP/FTPS for file transfers. Turn off unencrypted protocols (FTP, HTTP, SMBv1).
• Key management: Ask vendors how encryption keys are created, stored and rotated. Prefer solutions where keys are managed separately from the data (HSMs or customer-managed keys).
• Device encryption: Laptops used for document review must have full-disk encryption enabled.

Checklist: Encryption

• Confirm encryption algorithm (AES-256) for data at rest.
• Confirm TLS 1.2+ for all web and API connections.
• Verify key management and backup encryption strategy with your vendor.

2. Access controls and identity

Limit who can view, edit, scan, or sign PHI. Implement least privilege and strong authentication.

• Role-based access control (RBAC): Define roles (front desk, clinician, billing) and assign minimal privileges.
• Multi-factor authentication (MFA): Enforce MFA for all accounts with access to PHI, including vendor admin consoles.
• Session & idle timeouts: Configure sessions to expire and require re-authentication after inactivity.
• Account lifecycle: Have a documented process to disable access immediately when staff leave or change roles.
• Audit logs: Ensure the system logs who accessed which document, when, and what changes were made.

Checklist: Access controls

• Map roles and privileges; remove unused accounts.
• Enable MFA on admin and clinician accounts.
• Review access logs monthly and after any incident.

3. Digital signing and audit trails

Digital signing is useful for consents and forms, but you need signatures that are tamper-evident and traceable.

• Choose e-signature vendors that provide a robust audit trail: signer identity, IP address, timestamp and document hash.
• Prefer certificate-based signatures where available; ensure the vendor stores the signed PDF in an immutable or versioned repository.
• Record consent: For patient authorisations, capture explicit consent language and a method to verify signer identity (ID check, challenge questions).
• Time-stamping: Use a trusted time-stamping authority so the signature time is verifiable if documents are later audited.

Checklist: Digital signing

• Use an e-sign vendor with detailed audit trails and tamper-evident signatures.
• Require signer identity verification for sensitive documents.
• Store signed records in a versioned, access-controlled repository.

4. Vendor vetting & BAAs

Vendors that touch PHI — scanning software, cloud storage, e-signature providers — must be vetted and contracted properly.

• Business Associate Agreement (BAA): Always obtain a BAA for vendors that handle PHI. No BAA = no PHI sharing.
• Security certifications: Ask for SOC 2 Type II reports, penetration test results, and evidence of HIPAA-focused policies.
• Data location & subprocessors: Know where the data is stored and whether subcontractors will have access.
• Incident response & notification: Require SLA timelines for breach notification and remediation.
• Right to audit: Include contractual rights to audit or request security evidence periodically.

Checklist: Vendor vetting

• Request a signed BAA before sending PHI.
• Collect SOC 2 reports, penetration test summaries, and incident response plans.
• Document data residency and subprocessor lists.

5. Secure scanning and OCR best practices

Scanning introduces unique risks: insecure scanner endpoints, misrouted files, or OCR leakage. Harden the process.

• Direct-to-DMS: Configure scanners to send files directly to a secure Document Management System (DMS) over encrypted channels. Avoid network folders without access controls.
• Disable local storage: Turn off local cache on multifunction devices to prevent PHI from being left on the device.
• OCR & redaction: Use OCR for indexing but implement manual review and redaction workflows before any document is shared externally or used for analytics.
• Image quality & DPI: Scan at appropriate DPI for clinical legibility while balancing file size and storage costs (usually 200–300 DPI for text documents).
• Metadata hygiene: Strip unnecessary metadata before sharing documents outside the clinic.

Checklist: Scanning

• Configure scanners to upload only to your secure DMS via TLS/SFTP.
• Disable local file cache on all scanners and MFDs.
• Implement a redaction/QA step after OCR and before sharing.

6. Secure sharing and retention

When you must share patient documents, choose secure channels and apply least-privilege sharing.

• Patient portals: Use a HIPAA-compliant patient portal for routine document sharing rather than email.
• Encrypted email: If you must email, use end-to-end encrypted email or secure link delivery with expiration and password protection.
• Temporary links: For large files, use expiring, single-use links that require authentication.
• Retention policy: Define retention periods for scanned records, backup retention, and secure deletion processes. Document retention should align with legal and clinical requirements.

Checklist: Sharing & retention

• Prefer secure portals over email for patient documents.
• Use expiring links with access control for external sharing.
• Publish and enforce a document retention schedule; securely delete files when retention ends.

Operational quick audit: 15-minute checklist

1. Do all vendors that touch PHI have a signed BAA? (Yes/No)
2. Are data-at-rest and in-transit encryption documented? (Yes/No)
3. Is MFA enforced for admin and clinician accounts? (Yes/No)
4. Are scanners configured to upload to a secure DMS over TLS? (Yes/No)
5. Does your e-sign vendor provide a tamper-evident audit trail? (Yes/No)
6. Are access logs reviewed at least monthly? (Yes/No)

Sample vendor questions to ask during procurement

• Do you sign a BAA covering all PHI processing? Please provide a template.
• What encryption algorithms do you use for data at rest and in transit?
• Can customers use their own encryption keys or HSM?
• Do you maintain SOC 2 Type II and can you share the report?
• How do you verify signer identity for e-signatures?
• What is your breach notification SLA?

Next steps for clinic owners

1. Run the 15-minute audit and document the yes/no answers.
2. Hold a vendor review for any "No" answers and request remediation timelines.
3. Update standard operating procedures for scanning, signing, and sharing to reflect the checklist above.
4. Train staff on new workflows and the importance of not uploading PHI to non-approved cloud tools (including consumer AI services).
5. Schedule a quarterly review of access logs and vendor security posture.

If you want a template checklist to embed in your policies, see our Essential Checklists for Effective Document Management. If you’re reworking contracts and worried about AI-related liability, our guide on AI Lawsuits and Your DMS covers how to update terms and consent language. And if you need practical, budget-friendly tech suggestions for upgrades, check Top Tech Deals for Small Business Owners.

Final note: risk reduction, not elimination

No checklist removes risk entirely, especially in an era of rapidly evolving AI services like ChatGPT Health. The goal for a small clinic is to make deliberate choices: limit PHI exposure, require contractual protections (BAAs), use encryption and strong access controls, and ensure your scanning and signing workflows are auditable. These steps will materially reduce risk and keep you on stronger footing for audits, patient trust, and regulatory review.

Disclaimer: This article provides practical security guidance but is not legal advice. Consult your compliance officer or legal counsel for HIPAA-specific decisions.