Privacy & Compliance · May 5, 2026 · 7 min read

Your Therapist Uses ChatGPT

Somewhere right now, a therapist is copying your session notes into ChatGPT to help write a summary. They probably don't think much about it. You might want to.

The adoption of cloud AI in healthcare and therapy settings has been quiet but significant. A practitioner discovers ChatGPT helps them write clinical summaries faster. Another finds it useful for drafting treatment notes. A third uses it to recall medication interactions mid-session. These are all reasonable uses of a useful tool. Most of the practitioners doing it aren't doing it carelessly — they're busy professionals who've found something that works.

The problem is the data path.

What happens when you send data to a cloud AI

Every prompt you send to ChatGPT, Claude.ai, or Gemini travels over the internet to servers you don't control, is processed by infrastructure you don't own, and is handled according to terms of service written to protect the provider — not you or your patients.

OpenAI maintains different agreements for different customer types. Their enterprise and API products include provisions limiting training on customer data and offer data processing agreements. ChatGPT Plus — the $20/month subscription most individual practitioners are actually using — operates under consumer terms. Whether a practitioner using ChatGPT Plus has appropriate data handling agreements in place is a question worth asking.

The specific risks in healthcare settings

The concern in healthcare contexts isn't primarily about dramatic data breaches. It's about the routine transmission of sensitive information to third-party systems that weren't designed or contracted for that purpose.

Clinical session notes contain protected health information: patient names, diagnoses, treatment details, personal disclosures made in a therapeutic relationship. When those details are pasted into a consumer AI tool, they travel to external servers. They may be retained. They may be handled according to terms of service that can change over time.

Whether a specific deployment of a specific AI tool meets the requirements your practice operates under is a determination for your compliance counsel. We're not offering legal or regulatory advice here. What we can describe accurately is what local AI does differently.

With local AI, the text you type never leaves your office. There's no third-party server involved. Nothing is transmitted, retained, or processed anywhere outside the hardware you own.

What local AI offers for clinical workflows

Local AI runs on hardware in your office. When a practitioner types into it, the text is processed by software running on that machine. It doesn't travel anywhere. The data handling model is categorically different from cloud AI — not a degree of difference, a category of difference.

For healthcare-adjacent workflows, we configure setups designed for privacy-sensitive work: Open WebUI running locally, document analysis that processes files without transmitting them, model inference that stays entirely on hardware you control. Practitioners using it for session summaries, note generation, and clinical correspondence can do so with the same AI capability — with patient data staying on hardware you own.

Whether that meets your specific regulatory requirements is a determination for your compliance counsel. But the underlying data handling model is fundamentally different. See how it works for healthcare professionals for specific workflow examples, or the full model guide for what hardware and software are involved.

If you're a patient

It's reasonable to ask your healthcare providers about their AI practices. What tools do they use? Where does data go? Do they have appropriate data handling agreements for any cloud AI in their workflow?

These aren't accusatory questions — most practitioners are using these tools thoughtfully and simply haven't thought carefully about the data path because no one has asked. But you have a legitimate interest in knowing.

If you're a practitioner

Local AI runs on hardware you already understand — a Mac Mini on your desk — and can be configured specifically for workflows like yours. You get the same capability: clinical summaries, note drafting, document analysis. The data processing happens on hardware in your office, with a one-time setup cost and no ongoing per-query fee.

This is what "designed for privacy-sensitive workflows" actually means in practice: not a promise from a cloud provider, but a physical property of where the compute happens.
