VYPR
Advisory · Published May 18, 2026 · 1 source

Privacy Risks of Embedded 'Shadow AI' in Healthcare Software Raise Regulatory Concerns

Regulatory attorney Elizabeth Hodge warns that AI stealthily embedded into existing healthcare software and tools — often without vendor disclosure — creates privacy risks on par with shadow AI.

Artificial intelligence stealthily embedded into newer editions of healthcare software and technology tools is creating a privacy risk comparable to shadow AI, according to regulatory attorney Elizabeth Hodge of Akerman LLP. In an interview, Hodge warned that vendors are increasingly incorporating AI capabilities into products that historically did not use AI — sometimes without clearly informing their customers.

"There are applications, software, tools or services that vendors are providing that historically did not incorporate AI, but now they have," Hodge said. She noted that while some vendors proactively disclose these changes, others do not, leaving healthcare organizations unaware that patient data may be flowing through AI-powered features they never explicitly authorized.

The phenomenon — sometimes called "embedded AI" or "stealth AI" — mirrors the shadow IT problem that has plagued enterprises for years, but with higher stakes in healthcare due to HIPAA and other patient-data privacy regulations. When AI is silently added to a radiology platform, an EHR system, or a practice management tool, the data processing and storage patterns may shift in ways that violate existing compliance agreements or patient consent frameworks.

Hodge recommends that healthcare organizations proactively scrutinize vendor contracts and conduct risk analyses for every application, product, or service that "potentially use the most data, or would pose the greatest risk" if AI were introduced without notice. She emphasized that due diligence should include asking vendors directly whether AI has been added to any component of their software stack, and demanding contractual guarantees about data handling.

The issue sits at the intersection of healthcare compliance, vendor management, and the broader trend of AI features being silently bolted onto existing enterprise software. As regulatory scrutiny around AI in healthcare intensifies — with lawsuits and policy debates already underway — the embedded AI problem may become a significant liability vector for organizations that fail to audit their software supply chains.

Synthesized by Vypr AI