AI Use in Health Care Investigations: Privilege Risks After Heppner

A recent federal decision, United States v. Heppner, offers a timely reminder for health care organizations experimenting with generative AI: using public AI tools in connection with legal or compliance issues may undermine privilege protections. The court held that a defendant’s communications with a public generative AI platform were not protected by attorney-client privilege or the work product doctrine. Although the case arose in a criminal context, its reasoning has clear implications for the health care sector, where internal investigations, regulatory exposure and sensitive data are routine.

The Decision: No Privilege for AI Communications

The Heppner case addressed whether documents showing a defendant’s communications with an AI platform, used to analyze legal exposure after a government investigation began, could be withheld from prosecutors. The answer was no.

The court found that privilege did not apply for three key reasons:

  • No attorney involvement: the communications were between the defendant and an AI platform, not a lawyer
  • No reasonable expectation of confidentiality: the user voluntarily shared information with a public third-party platform that retained and processed data without confidentiality protections
  • No request for legal advice: the AI tool disclaimed legal advice, and the defendant was not seeking advice from a qualified attorney at the time of the communication

Importantly, the court rejected the argument that sharing the AI-generated materials with counsel later could “retroactively” create privilege.

The court also declined to apply work product protection, emphasizing that the materials were not prepared by or at the direction of counsel and they did not reflect the attorney’s mental impressions or litigation strategy. Even if created in anticipation of litigation, independently generated materials, standing alone and without attorney involvement, fell outside the doctrine’s scope.

Implications for Health Care Organizations

For health care providers and life sciences companies, the implications are significant. Internal analyses of billing practices, potential False Claims Act exposure, privacy incidents or regulatory compliance often depend on preserving privilege. Heppner underscores that using public AI tools in these contexts may be treated as disclosure to a third party, creating a significant risk that confidentiality — and therefore privilege — will not be preserved.

This ruling presents a particular risk in a sector that regularly handles sensitive Protected Health Information (PHI), business information and regulated data. Inputting legal theories, investigative findings or proprietary information into external AI systems may not only create discoverable records but also affect trade secret protections and broader data governance obligations.

Practical Considerations

The takeaway is not that health care organizations must avoid AI altogether, but that their use should be carefully structured. Public AI platforms should not be treated as confidential environments, particularly in connection with legal or compliance matters. Instead, organizations should ensure that AI-assisted activities occur, where appropriate, within attorney-directed workflows or secure enterprise systems designed to preserve confidentiality.

Looking Ahead

Heppner reflects a broader judicial approach: courts are applying traditional privilege doctrines in a technology-neutral manner. For health care organizations, that means the rules governing confidentiality have not changed, even as the tools have.

The practical lesson is straightforward. Without careful oversight, the use of generative AI in sensitive matters may create exactly the kind of disclosure that privilege doctrines are designed to prevent.

Print

Close