What actually goes in a practice AI policy (and why silence isn't one)
Most practices know they should have a policy on staff use of generative AI. Fewer have written one, usually because it sounds like a project. It isn't. A workable AI policy is a few pages, and the main thing it has to do is replace silence with a clear, written answer to "what are we allowed to do?"
Silence is the real risk. When a practice says nothing, staff who are already using ChatGPT keep using it, and the practice carries a processing activity it never assessed. A short, clear policy is worth more than a long, perfect one that never ships. Here is what it needs to cover.
The seven things to cover
- Scope — who and what it applies to. All staff, all generative AI tools, all practice data. Say so in one sentence so there is no "I didn't think it applied to me".
- Approved tools. Name the tool(s) the practice has assessed and permits. It is acceptable for this list to be empty at first — an empty list simply means no patient-identifiable data goes into any generative AI tool until one is approved. That is a valid, safe position to start from.
- The hard rule on patient data. No patient-identifiable information goes into any tool that isn't on the approved list. This is the line that protects the practice, so it should be stated plainly and early.
- Permitted uses, and the review rule. Which categories of task AI may help with (drafting letters, summarising, policy text) and the non-negotiable: a responsible clinician or staff member reads and checks every output before it is used or sent. AI drafts; a person decides.
- Telling patients, where relevant. A short line on transparency — when and how patients are informed that AI assisted with administrative drafting, consistent with your existing privacy notice.
- Reporting problems. How a staff member flags a bad or unsafe AI output or a near miss, and who reviews it. This is what turns "we have a policy" into "we learn from what happens".
- An owner and a review date. A named person responsible (usually the practice manager) and a date to revisit — yearly, or sooner if a new tool is adopted or an incident occurs.
Make the approved route the easy route
A policy that only prohibits will be quietly ignored, because the time pressure that drives shadow AI doesn't go away. The version that works pairs the rules with one genuinely useful approved tool, so the compliant path is also the convenient one. If your staff have a sanctioned way to draft a referral letter in seconds, they have no reason to paste it into a consumer chatbot.
You don't have to start from a blank page
We wrote a free practice AI policy template that covers all seven points above, in plain English, vendor-neutral, with a matching DPIA your practice can adopt as its own. It is built to be adapted in an afternoon, not admired in a folder.
Free practice AI policy template + DPIA
Plain language, vendor-neutral, no sign-up to read. Find-and-replace the bracketed fields, take it to your partners, brief it at the next meeting.
Hush AI (hush-ai.uk) is a UK-sovereign AI assistant founded by a practising NHS GP. It drafts documents under clinician review — not an ambient scribe, not a medical device — on UK-owned hardware, outside US CLOUD Act jurisdiction, and never trains on your data. The policy and DPIA templates are free and vendor-neutral: useful whether or not your practice ever uses Hush.