Good morning,
Let me ask you something uncomfortable.
Do you know which employees on your staff are using personal AI tools — ChatGPT, Google Gemini, Microsoft Copilot — at work right now?
Not your organization's approved tools. Personal ones. On personal phones. During a shift. On a patient.
Because they are. And if protected health information is entering those systems, your organization has a HIPAA problem that no vendor contract can fix.
This week's issue is about AI — where it's going in healthcare, what the compliance risks look like right now, and what your state may already be requiring of you.
Let's get into it.
⚡ ALERT 01 — Shadow AI Is a HIPAA Time Bomb in Healthcare
Source: HIPAA Security Rule / Privacy Rule — OCR Enforcement
More than 60% of healthcare workers report using personal AI tools for work-related tasks. Fewer than 20% of their organizations have a formal policy addressing it.
When a nurse uses ChatGPT to draft a care summary, that tool receives protected health information. OpenAI has no Business Associate Agreement with your organization. The data may be used to train AI models. Under HIPAA, your organization may have just experienced a reportable breach.
The Office for Civil Rights has signaled that AI-related HIPAA violations are a growing enforcement priority. Fines range from $100 to $50,000 per violation — with a maximum annual penalty of $1.9 million per violation category.
What to do this week:
→ Survey your department heads: are staff using personal AI tools for work?
→ Issue an interim AI use policy immediately — what's approved, what's forbidden, what happens if violated
→ Add shadow AI to your next all-staff training — frame it as a patient privacy issue, not a technology issue
→ Request a BAA inventory from IT — every AI tool in use that has a signed Business Associate Agreement
→ Notify your compliance and legal team if you suspect shadow AI use has already occurred
⏱ Deadline: No regulatory deadline — OCR enforcement is active and the risk is present in your organization right now
⚡ ALERT 02 — Healthcare AI Is Scaling Faster Than Regulation
Source: Butler Snow LLP / JD Supra — May 14, 2026
Major healthcare organizations are expanding AI use beyond pilot programs while federal and state policymakers struggle to keep up. The White House released a National AI Policy Framework in March 2026 urging federal preemption of state laws — but until Congress acts, the current patchwork of state requirements remains fully enforceable.
The practical takeaway is blunt: do not wait for comprehensive regulation before strengthening your internal AI controls.
What to do this week:
→ Establish a cross-functional AI governance committee — HR, legal, IT, and clinical leadership
→ Document every AI tool in use: date deployed, vendor, intended use case
→ Create an AI incident log so when something goes wrong, there's a record
→ Ensure vendor agreements address AI use, data handling, and liability
→ Use AtSa's free Workforce Readiness Assessment at upliftstrategysolutions.com/atsa to score your AI governance posture
⏱ Deadline: No single deadline — governance infrastructure should be in place before your next AI tool deployment
⚡ ALERT 03 — State AI Hiring Laws Are Now in Effect
Source: DarrowEverett LLP / JD Supra — May 12, 2026
As of spring 2026, healthcare HR leaders face a patchwork of state laws imposing distinct obligations around bias audits, impact assessments, employee notice, and anti-discrimination enforcement tied to AI hiring tools.
Illinois — in effect now. New York City — in effect now. California — in effect now. Colorado — June 30, 2026.
For organizations that recruit clinical staff across multiple states, this is no longer optional. It is a core compliance requirement.
What to do this week:
→ Inventory every AI tool involved in your hiring process — from sourcing through candidate ranking
→ Implement candidate notice workflows for Illinois compliance — already required
→ Conduct bias impact assessments on AI hiring tools before Colorado's June 30 deadline
→ Negotiate vendor contracts to include bias audit rights and indemnification
→ Design your AI governance program to meet California's standards — the most stringent — and you'll be compliant everywhere
⏱ Deadline: Illinois, NYC, California — in effect now. Colorado — June 30, 2026.
That's your week in AI compliance for healthcare HR.
The common thread across all three alerts is simple: AI is already in your organization. The question is whether your governance is keeping up.
Visit upliftstrategysolutions.com/rodah for our live regulatory dashboard, or use AtSa's free AI workforce tools at upliftstrategysolutions.com/atsa.
See you tomorrow.
— Macrine Hamilton
Founder, Uplift Strategy Solutions LLC
Healthcare HR built for the age of AI.
RoDaH Weekly Digest — informational purposes only. Not legal advice. © 2026 Uplift Strategy Solutions LLC
