The Flow Report

Data Privacy and AI: What Santa Cruz Business Owners Need to Know

AI tools are powerful and it is easy to leak client data into them without realizing it. Here is a practical, non-hyped guide to using AI without putting your business at risk.

Rock Hudson · 6 min read
ai technology

One of the most common mistakes I see in small businesses right now is pasting client information into a free AI tool to "help draft" something, and not realizing what just happened to the data. Consumer AI tools typically use your inputs to train future models unless you are on a business plan with data controls turned on. So the intake form with the client's health history, the list of customer emails, the internal note with personal details: it is now potentially part of a training set.

Before we go further, one important disclaimer. The specifics of what applies to your business depend on what kind of data you handle and what laws apply to you. HIPAA applies to covered entities and business associates. CCPA has its own definitions and thresholds. For the actual legal obligations tied to your business, talk to your attorney, your compliance professional, or your HR pro. I am not quoting statutes in this post because I am not the right source for them. What I can do is give you the operational pattern for using AI without stepping into obvious problems.

The short version

Never paste sensitive client or employee data into a consumer AI tool (the free versions of ChatGPT, Claude, Gemini, others).

Use the business versions with data controls turned on if you need AI for work that touches any data you care about. These exist. They are inexpensive. They are what you should be using for any work interaction.

Never use AI tools for data your compliance framework explicitly protects (HIPAA health information, PCI payment data, the specific categories of personal data your jurisdiction covers) without confirming with your attorney or compliance pro that the specific tool and configuration you are using meets your obligations.

That is 90 percent of the guidance. The rest is specifics.

What consumer AI tools do with your inputs

On free and consumer versions, the default is often that your inputs are used to improve future models. The fine print varies by provider. The practical upshot is that you should treat anything you paste into a free consumer tool as potentially no longer private.

This is why a free ChatGPT account is a bad place to draft a client email that mentions the client's specifics, to summarize an intake form, or to clean up a spreadsheet with customer data in it.

The business versions are different. ChatGPT Team and Enterprise, Claude with a Team or Enterprise plan, Microsoft Copilot for business, Google Gemini for Workspace: each of these has data controls that prevent inputs from being used in training and add other protections. Use them for work.

What to never paste into any AI tool until you have run it past a professional

Health information. Lab results, medical history, mental health notes, anything HIPAA touches. Even in business plans, the specific tool and configuration matters for HIPAA compliance.

Payment card data. Never. Full stop.

Social security numbers, full driver's license numbers, passport numbers.

Full client lists with personal details across multiple fields.

Employee performance reviews with names attached, especially if they include protected characteristics.

Anything covered by a specific confidentiality agreement you signed.

For any of these, the specific compliance path depends on your situation. Do not guess.

Practical safety habits

Use business accounts with data controls. ChatGPT Team, Claude Pro with appropriate settings, Gemini for Workspace. Pay the monthly fee. It is the cost of safety.

Redact before you paste. If you want help drafting an email, you can often describe the situation without naming the client. "A returning client with a specific medical concern asked about X. Draft a short reply." You do not need to paste their actual intake form.
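One way to make the "redact before you paste" habit mechanical for the structured identifiers in the list above (SSNs, card numbers, emails, phone numbers) is a small pre-paste filter that a staff member runs over their draft before it goes near an AI tool. The script below is an added example written for this post, not a tool from the original article or any vendor; the regular expressions are illustrative rather than a complete PII detector, the sample text is constructed, and the `names` parameter (a list of client names the business already knows) is a hypothetical convenience. It deliberately does not try to catch free-text health details, which still need the human rewrite the post describes.

```python
import re

# Constructed sample, not a real client: the kind of text a staff member might
# be tempted to paste into a free AI tool to "help draft" a reply.
SAMPLE = (
    "Hi team, please draft a reply to Jane Doe (jane.doe@example.com, 831-555-0147). "
    "Her SSN is 123-45-6789 and she paid with card 4111 1111 1111 1111. "
    "She asked about scheduling a follow-up after her lab results."
)

# Structured identifiers that can be caught mechanically. Illustrative patterns only.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    # 13-19 digits with optional spaces or dashes; confirmed by the Luhn check below
    "CARD": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str, names: tuple = ()) -> tuple:
    """Replace structured identifiers and known client names with labelled placeholders.

    Returns (redacted_text, counts), where counts records how many replacements were
    made per category so the person pasting can see what was removed. Free-text
    health details are NOT detected here; those still need a human rewrite.
    """
    counts = {}

    def replace(label, pattern, s, check=None):
        def repl(m):
            # A candidate that fails the optional check (e.g. Luhn) is left untouched
            if check is not None and not check(m.group(0)):
                return m.group(0)
            counts[label] = counts.get(label, 0) + 1
            return f"[{label}]"
        return pattern.sub(repl, s)

    out = text
    # Card numbers first, so the long digit runs are not fragmented by shorter patterns
    out = replace("CARD", PATTERNS["CARD"], out,
                  check=lambda s: luhn_ok(re.sub(r"[ -]", "", s)))
    for label in ("SSN", "PHONE", "EMAIL"):
        out = replace(label, PATTERNS[label], out)
    # Known client names (hypothetical list supplied by the business) are redacted too
    for name in names:
        out = replace("CLIENT", re.compile(re.escape(name), re.IGNORECASE), out)
    return out, counts


if __name__ == "__main__":
    clean, removed = redact(SAMPLE, names=("Jane Doe",))
    print(clean)
    print(removed)
```

Run on the constructed sample, the output still mentions "lab results", which is exactly the point: the filter strips the identifiers a regex can recognize, and the person still has to decide whether the remaining situation can be described generically, as the post recommends, before anything goes into a tool that lacks data controls.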

Use your own data only when you have to. For a lot of AI tasks (drafting, summarizing, brainstorming) generic context is enough. Save the specific client data for tasks that genuinely require it, and only in tools that protect it.

Train your team. Make it clear what is and is not okay to paste into AI tools. A short, plain-English policy is enough. "Free tools, no client data. Business tools, check before pasting. When in doubt, ask."

Review AI outputs before using them. AI can hallucinate. It can invent details. It can get numbers and dates wrong. Any output that touches a client or a regulated context gets reviewed by a human before it goes out.

HIPAA specifically, because it comes up most

For HIPAA-covered Santa Cruz businesses (massage therapists handling clinical notes, wellness centers with health intake forms, fitness studios doing screenings, anyone under HIPAA rules), the AI conversation is genuinely complicated. A specific AI product may or may not be usable under a Business Associate Agreement. The configuration matters. The use case matters.

Do not try to read your way to a HIPAA-compliant AI workflow from a blog post. This is a conversation with a HIPAA-aware attorney or a healthcare compliance professional. The cost of doing this wrong is not just bad feelings. It is real.

CCPA and California-specific notes

California residents' personal information has specific protections under CCPA and related laws. The specifics of what is covered, how it applies to your business, and what disclosures you need to make to your customers are a conversation with a privacy attorney. For small businesses, compliance is often manageable but not always trivial.

For AI workflows, the general pattern holds: use business tools with data controls, limit what personal data you paste, and confirm with your attorney before automating anything involving California residents' data at scale.

The pattern for safe AI adoption

Start with low-risk tasks. Drafting generic content, summarizing public information, brainstorming, cleaning up your own writing. No client data involved. Low risk.

Move to internal work with care. Meeting summaries from your own notes, draft responses to common inquiries using templates you build, polishing writing you already have. Business tool, data controls on.

Add client-specific work only with clear guardrails. Make sure you are on a business plan. Make sure the team is trained. Have a written policy. Never put HIPAA-covered or similarly regulated data into any AI tool without running it past your compliance professional.

Never use client-facing bots without serious thought. Chatbots that answer customer questions with access to your client data are a different risk profile. They deserve their own conversation with a pro.

A few honest limits

I cannot tell you exactly what tool is HIPAA compliant for your practice. I cannot tell you what CCPA requires for your specific business. I cannot tell you what your state's privacy law is without knowing your state.

What I can tell you is that the small businesses I see doing this well have a few things in common. Paid business AI accounts. A short written policy on what is and is not okay. A team that knows the rules. A relationship with an attorney or compliance pro for anything that touches regulated data.

The small businesses I see doing this poorly are using free tools for everything and trusting that nothing will come back to bite them. It usually does not bite. When it does, the bite is memorable.

If you want help

Setting up safe AI workflows that do not put you at risk, building the policy, training the team, evaluating which specific tools fit your compliance picture, that is operational work I can help with through the AI Integration side of the work. The legal specifics stay with your attorney and your compliance pro. The workflow design is what I do.

For related reading: AI for Santa Cruz businesses, AI safety for small business, and cybersecurity for small business.
