How healthcare teams can use AI to automate workflows

Ask a doctor where their day goes and the answer is rarely the exam room. It’s the forms. An AMA survey found that 94% of physicians say prior authorization delays access to necessary care, 78% say it leads patients to abandon treatment, and the average physician burns through 43 prior authorizations a week, eating about 12 hours of physician and staff time. That’s the load AI should be aimed at, and it’s nowhere near a patient.

So the short answer: AI belongs in the administrative machinery of healthcare, where it extracts, assembles, and drafts, while a person with the right role owns every step that touches a patient record or a coverage decision. The model reads the discharge packet against the payer’s checklist. It pre-fills the standard sections. It drafts the appeal. What it never does is commit a clinical entry or a coverage call, because those carry a license and a legal weight a model can’t hold.

A quick note on scope, because there’s overlap to avoid. This is the evergreen vertical playbook. The single-issue story of how a mistyped chart entry becomes a denied claim is its own post, and so is what pharma’s GxP rules demand of any validated workflow. Here we map the whole administrative cycle and where a model safely slots in.

The admin load is where AI pays off

Healthcare runs on document-heavy, deadline-bound, consistency-sensitive work, which is the exact profile AI handles well. The trick is the same one that holds everywhere AI meets regulated work: sort each step by what it does to the world. Reading steps and checking steps are AI candidates today. Committing steps stay human.

A model reading an intake form against a payer’s rules before submission does the job nobody has time for, at the moment it’s cheapest to fix a problem. That’s humble work, the kind of patient checking nobody enjoys doing by hand, and it’s exactly the right level of ambition for a first deployment. The bottleneck in a clinic is rarely the model’s intelligence. It’s the absence of a controlled, role-scoped process to run the model inside, one that records who reviewed what.

The question revenue-cycle leads ask us first is whether the model can just file the routine claims itself. For a medical record, the signature is the control. Remove it and the trail records that software edited a record and nobody looked, which is the failure mode every audit is built to catch.

Say the off-limits list out loud, because a healthcare playbook that pretends AI can do everything is the dangerous kind. Clinical and diagnostic decisions stay with clinicians. Coverage determinations and claim denials stay with the people authorized to make them. Anything touching protected health information without a defined control and a signed agreement doesn’t happen at all. The model can read, sort, draft, and remind across every one of those, and it has to stop at the moment a decision binds, because that moment carries a license, a liability, and a patient.

Five workflows to automate before you touch the clinic floor

Start with the cycle you already run. Each of these has reading a model can take and a sign-off a person must keep.

Patient intake. A model extracts the demographics, runs insurance-card capture, and normalizes it all into a tracked intake instance, flagging the gap while the front desk still has the patient’s card in hand.

Prior authorization. This is the big one. The model assembles the packet, matches the clinical documentation against the payer’s rules, checks completeness, and drafts the submission. A clinician reviews the clinical justification. Given that the average physician faces 43 of these a week, the assembly work is where the hours go, and the model can take most of it.

Claims and denial management. The model classifies the denial reason, drafts the appeal, and tracks the deadline. This matters because denials are routine: a KFF analysis found HealthCare.gov insurers denied 19% of in-network claims in 2024, fewer than 1% were appealed, and insurers upheld 66% of the appeals that were filed. A process that catches the gap upstream beats an appeal nobody has time to write.

Referral coordination. The model routes the referral, tracks its status, and closes the loop instead of letting it die in an inbox.

Provider credentialing. The model collects the documents, runs the primary-source-verification checklist, and tracks expiry dates, so a lapsed credential surfaces before it becomes a billing problem.

Notice the template’s shape: intake, verification, coding, a review gate, submission, then denial follow-up as its own track. Walk a claim through it with AI in the right seats. At intake, the model checks the demographics and insurance details against what the payer will demand. At coding support, it drafts the codes from the visit documentation and marks the ones it’s least sure about. The completeness check compares the chart against the claim and catches the missing referral that would have triggered a denial three weeks later. Then the gate: a coder whose name is on the step reviews the flagged items and signs, and only that signature releases the submission. Every flag the model raised and every correction the coder made lands in the run history without anyone writing a memo about it.

You’ve changed the economics of the work without changing who’s accountable for it.

The orange boundary in that diagram is the part outsiders miss. Everything the model touches sits inside a scope where protected health information is controlled, and the commit step always carries a human signature. That isn’t a nice-to-have. It’s what the next section is about.

What does HIPAA demand of an AI step?

That you limit what the model can see, and that a named person owns what it produces. The HIPAA Privacy Rule’s minimum-necessary standard requires a covered entity to make reasonable efforts to limit the use, disclosure, and requests of protected health information to the minimum needed for the task. An AI step is a use of PHI, so it has to be scoped: it gets the fields the task requires and no more, the same role-based limit you already apply to staff.

The second boundary is the Business Associate Agreement. The moment an AI vendor processes PHI on your behalf, it’s a business associate, and that relationship needs a BAA before a single record flows. No agreement, no PHI. That isn’t a workflow setting; it’s a contract you sign before the model is wired in at all.

What a workflow platform contributes is narrower and checkable. It won’t make your deployment HIPAA-compliant on its own, and any vendor who claims otherwise is one to distrust, because compliance rides on agreements, access controls, training, and a dozen things beyond any one tool. What the process gives you is a defined sequence, a named reviewer on every consequential step, and a record that accumulates because the work ran through it. In Tallyfy terms, the model’s output parks at a blocking approval step with a role-scoped owner, and the run history tracks every step as it happens. Those are the parts an auditor or a payer can actually verify.

A pattern we keep seeing in clinic operations is that the gate written in a policy memo and the gate built into the workflow behave very differently the first time someone is busy, which in a clinic is always. A sentence in a binder is a hope. A step the claim can’t move past without a signature is a control.

Start with the paperwork, keep clinicians on the calls

Be plain about the split. The reading-and-drafting pilots are yours to start. Pick one workflow, prior authorization is usually the highest-pain choice, put a model on the packet-assembly step, keep your existing clinical review, and measure the hours it gives back. The risk is contained: a wrong draft costs a reviewer a few minutes, not a patient.

Firm-wide rollout across PHI-touching systems is the harder problem. Once a model touches clinical documentation at scale, you’re into minimum-necessary scoping, BAAs with every vendor, access reviews, and a story you’ll have to tell an auditor. The BAA piece alone trips teams up: every AI tool in the chain that sees PHI needs its own agreement, the scope of what it may process has to be written down, and a vendor that won’t sign one is a vendor that can’t touch a single record. That’s where vendor-neutral help on sequencing pays for itself, because the order you automate in, and the controls you build first, are the whole risk. We’ve written about how healthcare process management lives or dies on handoffs, and what happened when a telehealth team rebuilt its patient workflows around defined steps. The AI version is the same conversation with the stakes turned up.

A mistyped form is a small error. A process that lets it travel unreviewed from a busy clinician’s keyboard to an automated payer rule is the big one. Fix the second, and the model becomes the tireless checker you always wanted, while the chart stays human.