What Healthcare Staff Paste into ChatGPT (And Why IT Can't See It)

A nurse drafts a referral letter in ChatGPT. She pastes the patient's name, date of birth, MRN, diagnosis, medication list, and the referring physician's contact details. ChatGPT produces a clean, professional letter in 15 seconds. She copies it into the EMR, sends it, and moves to the next patient.

Everything she pasted is now stored on OpenAI's servers. She doesn't know that. Neither does her IT department.

This is happening across hospitals every day. Not because staff are careless, but because AI tools save real time on documentation that would otherwise take 20 minutes. According to the American Medical Association, 66% of US physicians used AI for at least one clinical or administrative task in 2024, up from 38% the year before. Nearly half of US nurses now use AI tools weekly, according to data cited in a January 2026 OpenAI report. And a Netskope Threat Labs study found that 88% of healthcare organisations have integrated cloud-based generative AI tools into their operations.

The adoption is real. What's missing is a technical control between the clipboard and the chatbot.

What healthcare staff actually paste

The scenarios below are based on common healthcare AI usage patterns. Each one involves data types that qualify as protected health information under HIPAA's 18 identifiers.

Referral letters and discharge summaries

Clinical correspondence is one of the most time-consuming documentation tasks in healthcare. Staff paste a block of patient information into ChatGPT and ask it to draft a professional letter. A single paste can contain the patient's full name, date of birth, medical record number (MRN), home address, phone number, one or more diagnosis codes, current medications, and the receiving physician's name and email address.

That's eight or more PHI identifiers in one copy-paste action.

Clinical notes

Residents and physicians use ChatGPT to structure SOAP notes, progress notes, and H&P documentation. The prompt typically includes the chief complaint, history of present illness (with the patient's name and age), vitals, lab results, assessment, and plan. This is some of the most detailed clinical data a hospital generates, and it gets pasted into an uncontrolled third-party system in a single action.

Patient communication

Staff draft patient-facing emails, portal messages, appointment reminders, and phone scripts using AI. These naturally include the patient's name, their condition, upcoming appointment dates, and sometimes insurance details. The intent is efficiency. The effect is PHI leaving the organisation's controlled systems.

Medical coding and billing

Billing staff paste claim details to ask ChatGPT about correct ICD-10 codes, CPT codes, or denial appeal language. These queries often contain MRNs, diagnosis codes, procedure descriptions, dates of service, and insurance policy numbers.

Research and case study drafts

Clinicians use ChatGPT to help structure case studies, conference abstracts, or research summaries. Even when they believe they have anonymised the content, they often leave in specific dates, facility locations, rare diagnoses (which can be identifying in small populations), or attending physician names.

Why staff use AI despite the risk

The short answer: it saves them time, and time is the resource healthcare workers have the least of.

Documenting a single patient encounter can take 15 to 20 minutes. ChatGPT cuts that to two or three. For a physician seeing 25 patients a day, that difference adds up to hours of recovered time per week. The productivity gain is real, and it explains why adoption has grown so fast.

Most staff are not aware of how AI platforms handle their input. The opt-out toggles and privacy settings on ChatGPT, Claude, and Gemini are designed for individual consumers, not for someone pasting patient data between tasks in a 12-hour shift. The settings exist, but the workflow does not encourage anyone to find them.

Blocking access to AI tools is the obvious reaction, but it rarely works in practice. Samsung Electronics banned internal use of ChatGPT in 2023 after employees pasted proprietary source code, internal meeting notes, and semiconductor testing data into the tool. The ban came after three separate leaks within three weeks. Healthcare organisations report similar patterns: staff use personal devices, switch to mobile browsers, or find alternative AI platforms when their primary one is blocked.

A growing number of hospital IT teams are shifting their approach. Instead of trying to prevent access entirely, they are looking for ways to let staff use AI tools while intercepting sensitive data before it leaves the browser.

What happens to that data once it's sent

Once a message is submitted to an AI chatbot, the data is outside the organisation's control. What happens next depends on the platform, but none of the major providers offer the protections healthcare organisations need on their consumer or professional tiers.

OpenAI (ChatGPT)

OpenAI's standard policy deletes user conversations from their systems within 30 days of deletion by the user. However, the company is currently subject to a federal court preservation order in the New York Times copyright lawsuit. Under this order, OpenAI has been required to retain consumer ChatGPT conversation logs from a historical window (December 2022 through November 2024), and in January 2026, District Judge Sidney Stein ordered OpenAI to produce 20 million anonymised conversation logs to the plaintiffs.

The court explicitly noted that ChatGPT users "voluntarily submitted their communications" to OpenAI, which weakened privacy objections. For healthcare organisations, the implication is clear: conversation data submitted to ChatGPT can become part of a legal proceeding the organisation has no connection to.

ChatGPT's default setting opts users into allowing their conversations to be used for model training. The opt-out exists but must be manually enabled. ChatGPT Enterprise and Team tiers offer different retention and training policies, but the majority of healthcare workers using ChatGPT are on personal Free or Plus accounts.

Anthropic (Claude)

In October 2025, Anthropic introduced a significant change to its consumer privacy policy. Users on Free, Pro, and Max plans are now prompted to choose whether their conversations can be used for model training. If they opt in, data retention extends from 30 days to five years. Multiple independent analyses have noted that the opt-in prompt uses a large, prominent "Accept" button and a smaller toggle, and that many users clicked through without understanding they were extending their data retention by a factor of 60.

For new users, the training option is enabled by default. Enterprise and API tiers are excluded from these changes.

Google (Gemini)

Google's own guidance on Gemini includes this statement: "Do not enter anything you would not want a human reviewer to see or Google to use." Human reviewers at Google may read Gemini conversations, and that content may be used to improve their AI models. For consumer users, there is no BAA and no HIPAA-compliant configuration available.

The HIPAA dimension

None of these platforms are HIPAA-covered entities on their consumer tiers. No Business Associate Agreement exists for ChatGPT Free, ChatGPT Plus, Claude Free, Claude Pro, or Gemini consumer. Using any of these with protected health information is technically an impermissible disclosure under HIPAA.

In practice, enforcement is complaint-driven. No hospital has been publicly fined by OCR specifically for AI chatbot PHI exposure as of this writing. But that is partly because these incidents are almost never detected. The staff member who pastes a patient's MRN into ChatGPT does not file a breach report. IT does not see the event. The exposure happens silently and leaves no internal trace.

Why IT can't see it

This is the part that hospital IT teams already know intuitively but rarely see written down.

AI chatbot usage happens over standard HTTPS in the browser. When a user submits a message to ChatGPT, the data leaves as a legitimate HTTPS POST request to api.openai.com. From the network's perspective, it looks the same as any other encrypted web traffic. There is no file upload, no attachment, no anomalous traffic pattern for a firewall or proxy to flag.

Network-level DLP tools can theoretically inspect this traffic through TLS interception, but that requires decrypting and re-encrypting all browser traffic at a proxy. It is invasive, it breaks certificate pinning on some sites, and it is expensive. Solutions from vendors like Cisco, Netskope, and Zscaler exist, but they start at price points that put them out of reach for most community hospitals and mid-size healthcare organisations.

According to Netskope's 2026 healthcare threat report, DLP adoption in healthcare has jumped from 31% to 54% over the past year. That's progress, but it still means nearly half of healthcare organisations have no DLP in place at all. And of those that do, many are not configured to inspect browser-level paste events into AI chatbots in real time.

Meanwhile, 71% of healthcare workers are still using personal AI accounts for work tasks. That number is down from 87% the previous year, which indicates awareness is growing, but the gap remains wide. IT security teams are left in a position where they know the risk exists, they suspect it is happening, but they have no technical mechanism to confirm or prevent it.

For a detailed comparison of DLP and browser-level PII masking approaches, including deployment models and cost differences, see our technical comparison.

What actually works

Three approaches are available, each with real tradeoffs.

Policy alone

Every healthcare organisation should have an AI acceptable use policy. It establishes expectations, provides a basis for enforcement, and satisfies compliance documentation requirements. But a policy does not prevent PHI from being pasted into a chatbot. It tells people not to. The Netskope data showing that 81% of data policy violations in healthcare involve regulated data like PHI suggests that policies alone are not changing behaviour at the scale needed.

For more context on documented incidents where policies failed to prevent data exposure through AI chatbots, see our writeup of five real-world AI data leak cases.

Network-level DLP

Enterprise DLP solutions from Cisco, Netskope, Palo Alto, and Zscaler provide network-wide traffic inspection, content policies, and centralised audit logging. They are the right choice for large health systems with dedicated security teams and the budget to support them.

For smaller organisations, the cost and deployment complexity are prohibitive. And even well-configured DLP may not inspect browser-paste events into AI chatbot input fields in real time. The detection happens at the network edge, often after the data has already left the browser. If your DLP vendor claims AI chatbot coverage, the specific question to ask is: does the tool inspect the content of browser input fields on ChatGPT, Claude, and Gemini before the HTTP request is sent?

Browser-level PII masking

Browser extensions that detect and mask PII before it leaves the browser address the gap that both policy and network DLP leave open. The extension runs locally, scans the text in the chat input field, identifies PHI types (names, MRNs, SSNs, dates of birth, phone numbers, diagnoses, and others), and replaces them with safe placeholders before the message is submitted. The AI provider receives the placeholder, responds using it, and the extension swaps the real data back in on the user's screen.

No data leaves the browser. No server is involved. The AI provider never receives the original PHI.

PiiBlocker, which I built, takes this approach. It recently added MRN and Patient ID detection specifically for healthcare environments, and supports admin deployment via GPO with a toggle-lock that prevents users from disabling the protection. For a comparison of browser-based PII masking tools, including detection scope and processing model, see our extension comparison.

The realistic answer for most healthcare organisations is layered: policy to set expectations, browser-level masking to enforce them at the point of use, and DLP for organisations that can afford the additional audit and inspection layer.

A starting point for hospital IT

Five steps, none of which require a large budget or a dedicated security team.

1. Find out which AI platforms your staff actually use. Most hospital IT teams do not have this visibility today. Check DNS logs for chatgpt.com, claude.ai, and gemini.google.com. Survey clinical and administrative departments directly. You may be surprised by the breadth of usage.

2. Publish an AI acceptable use policy if you don't have one. Keep it short. State which platforms are approved, what types of data must not be entered, and what happens if the policy is violated. A one-page document is more likely to be read than a ten-page manual.

3. Deploy browser-level PII masking for the staff who use AI. Not every employee needs it. Target the 10 to 20 staff members who routinely use AI chatbots for documentation, billing, coding, or correspondence. Chrome extensions can be force-installed and locked via GPO, meaning users cannot remove or disable them.

4. Evaluate whether your existing DLP covers AI chatbot paste events. If you already run a DLP solution, ask the vendor the specific question: does it inspect text pasted into ChatGPT, Claude, and Gemini input fields before the request is sent? If the answer is no, the browser-level masking layer fills that gap.

5. Review quarterly. New AI platforms appear regularly. Grok, DeepSeek, Perplexity, and Copilot are all gaining adoption. Whatever controls you deploy today need to keep pace with the platforms your staff adopt tomorrow.

For organisations operating under GDPR in addition to HIPAA, our compliance guide for AI chatbot usage covers the regulatory framework in more detail.

The real question

Healthcare workers will keep using ChatGPT. It saves them time on work that desperately needs it, and the adoption numbers confirm it is already embedded in clinical and administrative workflows across the industry. Blocking it creates workarounds. Ignoring it creates liability.

The question for hospital IT is not whether staff are pasting patient data into AI chatbots. They are. The question is whether anything is catching it before it leaves the building.

---

PiiBlocker is a free Chrome extension that detects and masks personal data before it reaches AI chatbots. 100% local processing, no servers, no data collection. Install from the Chrome Web Store