AI for Medical Billing: Win Appeals Without Leaking PHI

How medical billers use ChatGPT to turn a denied claim into an appeal letter — safely, with de-identified data and the right HIPAA guardrails.

A biller on a coding forum said the quiet part out loud: “I’m not particularly trusting of AI with anything HIPAA-protected, so I wouldn’t paste PHI. But if there was a way to generate appeals based on denial codes — I’d do that in a heartbeat.”

That’s the whole article, honestly. There is a way. And the line she drew — denial codes yes, patient data never — is exactly the right one.

Here’s the situation billers are in this year. Payers are running AI that denies claims in seconds; one category of automated “silent denials” reportedly claws back over $40 billion a year. Meanwhile you’re appealing those denials by hand, one letter at a time. AI for medical billing can even the odds on the writing — if you keep it strictly away from protected health information. Let’s do this carefully, because in healthcare the guardrail isn’t optional. It’s the whole job.

First, the hard line: ChatGPT is not HIPAA-compliant

Before any workflow, the rule that keeps you employed.

Standard ChatGPT — Free, Plus, even Team — is not HIPAA-compliant. OpenAI will not sign a Business Associate Agreement (BAA) for the consumer product, which means it’s not a HIPAA business associate, which means pasting protected health information into it is a violation. Claude is the same: not HIPAA-compliant by default, PHI only under a configured Enterprise plan with a signed BAA. This isn’t a gray area. The HIPAA Journal states it plainly.

So where does that leave a small billing shop without its own enterprise deployment? With a simple, firm policy: treat every chatbot window — ChatGPT, Claude, Gemini — as a place patient data never goes. Not a name, not a date of birth, not a member ID, not a date of service.

There are two legitimate ways to use AI with real patient data, and both require your organization to set them up:

  • A HIPAA-ready, BAA-backed deployment — OpenAI launched “OpenAI for Healthcare” in January 2026 with a BAA, audit logs, and customer-managed encryption, and Claude offers a HIPAA-ready Enterprise tier. If your org has one of these and a signed BAA, PHI is permitted inside that specific tool.
  • Purpose-built RCM tools (Hathr, Claimable, Waystar and similar) that operate under their own BAAs.

If you don’t have either, you’re not stuck. You just work with de-identified information — and it turns out that covers most of what you actually need.

The HIPAA Journal’s verdict: standard ChatGPT is not HIPAA-compliant. (Source: HIPAA Journal, “Is ChatGPT HIPAA Compliant?”)

What “de-identified” actually means

This is the unlock, so get it right. HHS defines a “Safe Harbor” method: strip 18 specific identifiers and the information is no longer PHI. The big ones for billing:

  • Names (patient, relatives, anyone)
  • Geographic detail smaller than a state (mostly — limited zip exceptions)
  • All dates tied to the individual except the year — no dates of service, birth dates, admission dates
  • Phone, fax, email, SSN, medical record number, account number, claim number, member/subscriber ID
  • Any other unique number or code that could pin it to one person

And one judgment call on top: you must not have reason to believe the leftover details could re-identify someone (a super-rare condition plus a small town plus an age can do it, even with names removed).

In plain terms: instead of “John Reyes, DOB 4/12/1959, MRN 88231, denied 3/14/2026,” you work with “a 67-year-old with congestive heart failure.” The denial code, the CPT, the ICD-10, the payer’s own policy language — none of that identifies a person. That’s your raw material.

The PHI-free denial → appeal workflow

Here’s the part that saves you an hour per letter.

Step 1 — Build a de-identified input. Copy in only the non-identifying facts:

  • Payer name and plan type (“UnitedHealthcare Medicare Advantage PPO”)
  • The denial code and its description (e.g., CO-50 — services not deemed a medical necessity)
  • The CPT/HCPCS code(s) and a generic clinical indication
  • The ICD-10 diagnosis code(s)
  • The relevant chunk of the payer’s own medical policy language
  • The appeal level (first, second, external) and what you want (overturn, pay the full allowable)

Leave out everything from the identifier list above. No name, no dates, no member ID, no claim number.

Step 2 — Use a prompt that forbids invention. Hallucinated regulations are the fastest way to lose an appeal and your credibility. So tell it not to:

You are helping a medical billing specialist draft an insurance appeal
letter. Do NOT invent facts, regulations, or policy numbers — use only
what I provide below. Structure the letter with: a clear statement of
the claim and denial, a medical-necessity argument tied to the payer's
own policy language, the specific policy/regulation I cite, a request
for the desired remedy, and professional paper-trail language. Leave
[PLACEHOLDERS] for the patient name, dates, and member ID — I'll fill
those in myself on my secure system.

Denial details (de-identified): [paste the de-identified facts]

Step 3 — You finish it on your system. The draft comes back with [PATIENT NAME] and [DATE OF SERVICE] placeholders. You fill those in inside your own secure, compliant system — never in the chatbot — and send it. Certified mail, keep a copy, log everything.
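The three steps above, plus the Safe Harbor stripping from the earlier section, as an added Python example (not code from the article): it keeps only the non-identifying fields of a constructed denial record, refuses to build the prompt if any identifier value, full date or SSN slips through, and fills the placeholders back in locally. The field names and the sample claim are assumptions.

```python
import re

# Safe Harbor identifiers an appeal draft never needs (a subset of the 18).
IDENTIFIER_FIELDS = ("patient_name", "dob", "date_of_service", "mrn",
                     "member_id", "claim_number")
# Facts that identify a code or a payer, not a person; safe to paste.
SAFE_FIELDS = ("payer", "denial_code", "cpt", "icd10", "policy_excerpt",
               "appeal_level", "remedy")
# Full dates and SSNs must never appear in text that leaves your system.
LEAK_PATTERNS = [re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
                 re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]
# Constructed sample denial record; every identifier value is fictional.
CLAIM = {
    "patient_name": "Jane Example", "dob": "4/12/1959",
    "date_of_service": "3/14/2026", "mrn": "88231",
    "member_id": "UHC123456789", "claim_number": "CLM-0001", "age": 67,
    "payer": "UnitedHealthcare Medicare Advantage PPO",
    "denial_code": "CO-50 (services not deemed a medical necessity)",
    "cpt": "99214", "icd10": "I50.9",
    "policy_excerpt": "Covered when documentation supports the level billed.",
    "appeal_level": "first", "remedy": "overturn and pay the full allowable",
}

def deidentify(record):
    """Step 1: keep non-identifying fields; Safe Harbor aggregates ages >= 90."""
    safe = {k: record[k] for k in SAFE_FIELDS if k in record}
    if "age" in record:
        safe["age"] = "90+" if record["age"] >= 90 else record["age"]
    return safe

def check_no_leak(text, record):
    """Return identifier values or date/SSN patterns found in text (empty is clean)."""
    leaks = {record[k] for k in IDENTIFIER_FIELDS
             if record.get(k) and record[k] in text}
    leaks |= {m.group() for p in LEAK_PATTERNS for m in p.finditer(text)}
    return sorted(leaks)

def build_prompt(safe):
    """Step 2: the no-invention prompt with the de-identified facts appended."""
    facts = "\n".join(f"- {k}: {v}" for k, v in safe.items())
    return ("You are helping a medical billing specialist draft an insurance appeal "
            "letter. Do NOT invent facts, regulations, or policy numbers; use only "
            "what I provide. Leave [PATIENT NAME], [DATE OF SERVICE] and [MEMBER ID] "
            f"placeholders for me to fill in.\n\nDenial details (de-identified):\n{facts}")

def fill_placeholders(draft, record):
    """Step 3: fill placeholders on your own secure system, never in the chatbot."""
    return (draft.replace("[PATIENT NAME]", record["patient_name"])
                 .replace("[DATE OF SERVICE]", record["date_of_service"])
                 .replace("[MEMBER ID]", record["member_id"]))
```

Run `check_no_leak` on the prompt before it goes anywhere near a chat window; an empty list is the only acceptable result.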

That’s the loop one denials-management pro described as “awesome — it saves a lot of time, we can do more appeals, we’re more productive. It’s a tool, not a competitor.”

The other quick win: plain-English code explainers

Patients call confused about a bill, and “CPT 99214, ICD-10 I50.9” means nothing to them. AI is great at translation — and this is fully PHI-free, because codes aren’t patient data.

Prompt: “Explain in warm, simple language what a CPT 99214 office visit and an ICD-10 I50.9 diagnosis mean on a patient’s bill. No jargon, about 100 words, reassuring tone.” Paste the result into your patient-facing reply (after a read-through). Fewer confused callbacks, calmer patients.

HHS defines the de-identification standard that makes AI use safe. (Source: HHS, “Guidance on De-identification of PHI”)

What this means for you

If you’re a solo or small-shop biller: This is built for you. You don’t need an enterprise deployment to draft appeals from de-identified denial codes today — you need the discipline to strip identifiers first. Save the prompt above, run your next CO-50 through it, and feel the hour come back.

If you run a billing company: Two priorities. Write a one-page “what never goes in a chatbot” policy and train everyone on it — the 18 identifiers, taped to the monitor. Then, if volume justifies it, get a BAA-backed tool so staff have a compliant place for the identifiable work instead of being tempted to cut corners.

If you’re a coder: Use it for the explaining, not the deciding. Plain-English code summaries for patients and colleagues, yes. Letting it pick the code from a note? Only with human verification — one practice saw AI mis-code a history diagnosis as primary and trigger hundreds of denials.

If you’re a patient advocate or office manager: The same de-identified appeal workflow works for you. Strip the identifiers, draft the structure, personalize on your own system.

What this can’t do (and the part that bites)

It can’t touch real PHI on a consumer plan. Ever. This is the non-negotiable. The efficiency is only worth it if it never becomes a breach. When in doubt, leave it out.

It will confidently make up citations. Large language models invent regulation numbers and policy clauses that sound perfect and don’t exist. That’s why the prompt says “use only what I provide.” Verify every citation against the actual payer policy and the actual reg before the letter goes out. If a draft seems off, throw it away and start over — don’t try to blind-fix a hallucination.

It doesn’t know your payer’s quirks. Each plan has its own appeal address, deadlines, and required forms. The model writes prose; you supply the procedure. Miss the filing window and the best-written appeal is worthless.

It’s an arms race now. Their AI denies, your AI appeals, and somewhere a human still has to catch the mistakes both make. Use it to move faster, not to stop reading. The judgment is still the job.

The bottom line

The denials aren’t slowing down, and the payers automated their side a while ago. You’re allowed to automate the writing — as long as the patient never shows up in the chat box. De-identify the denial, let AI draft the structure, verify every citation, and finish it on your own system. That’s a safe hour saved per appeal, repeated all day.

Start with one denied claim and the prompt above. Strip the identifiers first. Always.

Want to get genuinely fluent — building reliable, reusable prompts and knowing exactly where the lines are? ChatGPT for Business takes you from nervous to capable, and Prompt Engineering teaches the “don’t invent facts, use only what I give you” patterns that keep AI honest.
