Healthcare
HIPAA, 42 CFR Part 2When clinicians paste notes, labs, or chart data into generative AI tools, PHI can cross the boundary to an outside provider with no record it happened. Under HIPAA, each exposure carries breach-notification, OCR enforcement, and per-record penalties. Without a record of what data left and what policy did, the institution cannot answer the first question a HIPAA audit asks.