Artificial Intelligence Use
Purpose
This policy states how ABAS workforce members use artificial intelligence: what information may be given to an AI system, what may be done with what a system produces, and how to work safely as AI features spread through the devices and services around us.
It is the companion to the Social Media and Online Conduct Policy (POL-015). That policy governs what you share with people; this one governs what you feed into machines and what you rely on from them. The risks differ. A social media disclosure fails because of its audience; an AI disclosure fails because of the processor: entering client information into a service the Company has not approved is a disclosure to that service's operator, whether or not any person ever reads it. And unlike social media, AI produces content, which creates a second risk social media never had: generated text that reads confidently and is wrong, in records where accuracy is a legal obligation.
Like POL-015, this policy names no product, platform, or device. AI capabilities change monthly; the behaviors that keep clients and the Company safe do not. The policy regulates those behaviors, so it applies to every AI system that exists today and every one that appears later, however it is packaged. [COC-001; POL-015]
Scope
This policy applies to all ABAS workforce members: employees, interns, contractors, and volunteers. It covers the use of AI systems in any form:
- Any system, however packaged. The policy applies by function, not by name. Standalone services, features embedded in an operating system, keyboard, browser, meeting tool, or wearable, and capabilities that ship inside other software are all AI systems under this policy, including systems that do not exist yet.
- Any device. Obligations do not change with the device. Entering client information into an unapproved system is a disclosure whether it happens on a Company workstation, a personal phone, or any technology that appears later.
- Work activity, and personal activity that touches a protected interest. Use of AI in any work product is covered in full. Personal AI use is covered only where it touches client information, confidential Company information, professional credentials, or the Company's voice. Purely personal AI use that touches none of these is not the Company's business, and this policy does not reach it.
Out of scope. The use of AI in employment decisions (hiring, evaluation, discipline) is not covered here; if the Company ever adopts such tools, they will be governed by a separate policy adopted first. Nothing in this policy restricts rights protected by Section 7 of the National Labor Relations Act; see the savings clause in the Policy Statement.
Definitions
| Term | Definition |
|---|---|
| AI System | Any software, service, or feature that generates content, transcribes or summarizes, answers questions, recognizes people or speech, or makes or recommends decisions by processing information through trained models. The definition is functional and includes standalone services, features embedded in devices, operating systems, and other software, and any future form that performs these functions. |
| Company-Approved AI System | An AI system in the Company's official technology stack, approved through the procedure in this policy, and covered by a business associate agreement wherever it processes protected health information. The current list of approved systems and their permitted uses is maintained in the Company's operational and training materials, not in this policy, so approvals can change without a policy revision. |
| Prompt | Any information given to an AI system by any means: typed, pasted, spoken, uploaded, or captured by the system from a screen, microphone, camera, or sensor. |
| Generated Output | Anything an AI system produces: text, summaries, transcripts, images, audio, video, code, or recommendations. |
| Ambient Capture | Any AI system feature that takes in information continuously or automatically rather than through a deliberate, item-by-item submission: meeting transcription, screen reading, always-listening assistants, camera-based recognition, and similar capabilities. |
| Client-Identifying Information | Any information that could identify a current or former client or family, alone or in combination: name, image, voice, video, initials in context, diagnosis, behavior descriptions, schedules, service locations, routines, or distinctive details. In a small community, context identifies people even when names are removed. |
Policy Statement
5.1 Client Information Goes Only Into Approved Systems
Client-identifying information and protected health information are entered only into Company-approved AI systems. Everything else, whatever it is called and wherever it is embedded, is an unapproved processor.
- A prompt is a disclosure. Entering client information into an unapproved system discloses it to that system's operator without a business associate agreement, which violates HIPAA regardless of what happens next. Discarding the output does not undo the disclosure. Deleting the conversation does not undo the disclosure.
- The small-community rule applies to prompts exactly as it applies to posts: removing a name is not de-identification when schedule, location, diagnosis, or behavioral detail could make the connection.
- This rule covers every pathway into a system: typing, pasting, dictating, uploading a document or image, or letting a feature read the screen.
The Company provides approved, business-associate-covered AI capability in its official technology stack for legitimate work uses. If the approved systems cannot do something you need, request an addition through the procedure in this policy; do not route around the stack.
5.2 You Own What You Sign
Generated output is a draft, never a finished record. The workforce member who signs, sends, or files a document owns every word in it, however the first draft was produced.
- Clinical documentation reflects what you did and observed. A session note, assessment, or treatment record must describe the services actually rendered and the observations actually made by the person signing it. Documentation supports claims for payment; content that describes things that did not happen, whether typed by a person or generated by a system, creates false-claims exposure for the signer and the Company (POL-013). Signing a note attests to its accuracy regardless of what tool drafted it.
- Verify before you rely. Generated content reads confidently whether it is right or wrong. Check names, dates, citations, clinical terms, legal statements, and numbers against the source before any use that matters.
- Professional judgment is not delegated. AI systems may assist with drafting and organization; assessment, clinical decision-making, and the professional responsibilities attached to a credential remain with the credentialed person, consistent with the BACB ethics codes.
5.3 Ambient and Embedded Features Stay Off Around Client Information
Features that capture continuously (transcription, screen reading, always-listening assistants, camera recognition) stay disabled wherever client information is present, visible, or discussable, unless the feature is part of a Company-approved system used for an approved purpose. This applies in service settings, in meetings where clients are discussed, and on any screen displaying client records, on Company and personal devices alike. Enabling a capture feature is the same act as inviting its operator into the room.
5.4 Confidential Company Information and Credentials
Confidential business information (finances, payer terms, security practices, personnel matters) goes only into Company-approved systems. Passwords and credentials go into no AI system, ever. Conversation histories held by AI systems can contain and retain business information; treat them as records, not as scratch paper. This provision does not restrict protected concerted activity; see 5.6.
5.5 Verification Against Synthetic Content
AI systems make convincing impersonation cheap: cloned voices, fabricated messages, and synthetic documents. Verify any unusual or urgent request involving money, credentials, client information, or changes to payment or account details through a known channel (a number or address you already have, not one supplied by the request) before acting, even when the request appears to come from Company leadership. Report suspected synthetic messages or impersonation to the HIPAA Security Officer immediately.
5.6 Personal Use and Protected Activity
Personal AI use that touches no protected interest is not the Company's business. Nothing in this policy restricts, and no provision of this policy will be applied to restrict, rights under Section 7 of the National Labor Relations Act: workforce members may use any tool to discuss, draft, or organize communications about wages, hours, and working conditions, without prior approval and without retaliation. Client privacy obligations under law survive this clause; concerted activity does not require disclosing protected health information, and no provision of this clause permits it.
5.7 Enforcement
Violations are handled through the progressive discipline framework, up to and including termination. Entry of protected health information into an unapproved system is a suspected breach and routes immediately through POL-014. Documentation violations may additionally carry consequences under POL-013 and the signer's certifying or licensing body. Good-faith reports of suspected violations, including self-reports of accidental disclosures, are protected from retaliation; fast self-reporting is the behavior this policy exists to produce.
Procedures
Requesting approval of an AI system or feature. Send the request to the HIPAA Security Officer (security@abaswma.org) with what the system does, what information it would process, and the work purpose. The Security Officer evaluates the system with the Privacy Officer wherever client information is involved (business associate agreement, data handling, retention), and the Executive Director designates approved systems into the official technology stack. The approved list and permitted uses are published in the Company's operational and training materials.
If client information went into an unapproved system. Report it to the Privacy Officer (privacy@abaswma.org) the same day, under POL-014; the breach assessment clock runs from discovery. Include what was entered, where, and when. Do not attempt to quietly delete it and move on: deletion does not undo the disclosure, and the report is what protects the client, the Company, and you.
Before using generated content in a client record. Verify it against your own observations and the source records, edit it to reflect what actually happened, and sign only when it is yours. If a system was used in drafting and you are unsure whether that use was within an approved purpose, ask before filing: the Compliance Officer (compliance@abaswma.org) for policy questions, the Privacy Officer for anything touching client information.
Suspected impersonation or synthetic content. Verify through a known channel before acting, then report it to the HIPAA Security Officer (security@abaswma.org). Do not reply to or engage with the suspect message.
Training
AI use is covered in compliance onboarding and the annual refresher under the Compliance Training Program (TRN-001). The division of labor is deliberate: this policy carries the durable rules, and the training and operational materials carry what changes, including the current approved-systems list and its permitted uses. Training content evolves with the landscape; this policy does not.
Reporting
| Concern | Route | When |
|---|---|---|
| Client information entered into an unapproved AI system | Privacy Officer, privacy@abaswma.org (POL-014) | Immediately, same day |
| Suspected synthetic message, cloned voice, or impersonation | HIPAA Security Officer, security@abaswma.org | Immediately |
| Documentation accuracy concern involving generated content | Compliance Officer, compliance@abaswma.org (POL-013, POL-003) | Promptly |
| Request to approve an AI system or feature | HIPAA Security Officer, security@abaswma.org | Before use |
| Other policy questions or concerns | Compliance Officer, compliance@abaswma.org | Promptly |
| Anonymous reporting | https://anonymous.abaswma.com/ | Any time |
Good-faith reporting, including self-reporting an accidental disclosure, is protected from retaliation under POL-003 (Reporting and Investigation).