Your EHR Vendor Just Added AI Features. Now What?
You receive a renewal notice, release notes update, or a product roadmap from your EHR vendor. Somewhere in the message, between the uptime improvements and the interoperability updates, are 3 new AI-powered features: ambient documentation that listens to patient visits and drafts clinical notes, AI-assisted coding suggestions that recommend billing codes based on the encounter, and predictive scheduling that reorganizes your appointment slots based on historical patterns.
Nobody in the organization requested these features. Nobody evaluated them. Nobody configured them. And in many cases, nobody told the clinical staff what they do, what data they access, or what happens when they produce an incorrect result.
This is how most mid-size healthcare organizations and community health centers encounter AI for the first time. Not through a strategic planning process. Not through a governance discussion. Through a vendor update. The features simply arrive, bundled into an existing contract or offered as an upsell. And your standard vendor renewal process, built to evaluate cost, uptime, interoperability, etc. for the core platform, was never designed to evaluate embedded AI capabilities.
This Is Happening Across Every Major EHR Platform
EHR vendors are accelerating their embedded AI feature offerings:
· Epic launched its native AI Charting ambient scribe in February 2026, a feature that listens to patient visits and automatically drafts clinical notes and orders directly within the EHR.
· Oracle Health released its Clinical AI Agent covering more than 30 medical specialties.
· eClinicalWorks expanded AI-driven revenue cycle and at-risk patient identification tools.
· NextGen reports that its Ambient Assist product saves clinicians an average of 2.5 hours per day on documentation.
· Athenahealth began offering ambient AI documentation at no additional cost.
The trend is clear: EHR vendors are bundling AI into existing contracts rather than selling it as a separate product. For the organization, this means AI features can activate inside clinical workflows without triggering the procurement review that a standalone AI tool purchase would usually require. This is where the governance gap begins.
What Your Vendor Review Covers & What It Misses
Most healthcare organizations conduct a thorough review before renewing a major vendor contract. That review typically covers cost and contract terms, system uptime and support service levels, interoperability with other systems in the organization’s tech stack, and HIPAA compliance for the core platform. These are the right questions for a software renewal. They are not sufficient when the renewal includes embedded AI features that process patient data in new ways.
Here is what the standard review does not cover: whether the AI features access, process, or retain patient data differently than the core EHR. The base system has a signed Business Associate Agreement, defined data handling procedures, and documented retention policies. The AI feature that drafts clinical notes from ambient listening may have different data flows. It may retain audio recordings or transcripts beyond the session. It may send data to a third-party model hosted on separate infrastructure. The existing BAA may or may not cover these specific AI data practices.
The standard review also does not ask whether the vendor uses organizational data to train its AI models, whether the organization can opt out, whether the AI features produce different results for different patient populations, or whether the vendor has disclosed known limitations and performance gaps. These questions matter because the answers determine whether the organization can meet its own data privacy, transparency, and health equity commitments.
3 Questions That Close the Gap
Expanding the existing vendor review to cover AI features does not require building a new process. It requires adding 3 categories of questions to the review you already run.
1. How does this AI feature handle patient data?
Specifically, does the feature access PHI or PII that the core system does not? Does it retain data after the clinical session ends? Can the organization configure or override the retention policy? Does the vendor use organizational data to train or improve its AI models, and can you opt out? Asking these questions before the renewal process catches the most common privacy exposures: features that retain data beyond the approved purpose and vendors that use clinical data for model training without explicit organizational consent.
2. Has the vendor disclosed how this AI feature was trained and what its known limitations are?
Can the vendor explain, in plain language, what the model was trained on? Has the vendor identified patient populations or clinical scenarios where the feature performs less accurately? Has the vendor disclosed known error rates? If the vendor cannot answer these questions, the organization cannot determine whether the feature is appropriate for the populations it serves. An ambient documentation tool trained primarily on English-language encounters in large academic medical centers may perform differently in a community health center serving patients who speak multiple languages.
3. Will staff receive training on this specific feature before it goes live?
This is the question that separates a governed AI feature from an ungoverned one. Staff need to understand what each AI tool does, what its limitations are, and when to override or disregard AI-generated output before they begin using the tool. An EHR update that activates an AI documentation feature without staff training creates the same risk as a staff member using an unapproved tool on their own: AI output entering workflows and patient records without informed human review.
What to Do Before the Renewal Processes
Next steps are straightforward and fit within the procurement process you already manage:
Identify which AI features are included. Ask the vendor for a complete list of AI-powered features in the renewal or update, including features that were added since the last contract cycle. Many organizations discover AI features they did not know existed in tools they already use.
Screen each feature. Does this tool address a specific, identified need in a current workflow? Bundled AI features that do not map to an actual workflow can be deactivated. There is no obligation to use every feature a vendor includes.
Complete a data privacy impact assessment for features that access patient data. This takes less time than the risk it prevents.
Add the feature to an AI Tool Inventory. Assign a designated organizational owner and define the human review point for the workflow where the feature will operate.
Train staff before the feature activates. Staff need to know what the feature does, what it does not do, and how to report errors through the incident process they already use. This can be a briefing added to an existing team meeting.
You Already Review Vendors. Widen the Scope.
The structures you need already exist. You already evaluate vendors before renewal. You already review new features for HIPAA compliance. You already train staff when a system update changes their daily workflow. Covering AI features requires a few additional questions in the vendor contract renewal review, a data privacy assessment for features that access patient data, and a staff training briefing before activation.
The EHR vendor update is not the risk. The risk is treating AI features bundled inside an existing system as if they carry the same governance profile as the system itself. They often do not. The data flows may differ. The retention policies may differ. The training data may not represent the populations your organization serves. And the staff using the features may not know what they are looking at.
Three questions, an assessment, and a training session. That is the distance between an ungoverned AI feature and a governed one. And your organization already covers most of that distance every time it renews a vendor contract.
Has your EHR vendor added AI features recently? What steps did your organization take when you found out?