Register
AI Tool Register — Fill-In Template
One page that lists every AI tool touching your practice — what it does, what data it sees, where that data goes, and who approved it. The register most practices don't have, ready to print and fill in today.
You can't manage what you haven't listed. AI is already in your practice — in the scribe, the browser extension someone installed, the marketing tool your agency uses — and most practices have no single page that says what's in use, what data each tool sees, and who approved it. This register is that page. Keeping it current is the simplest piece of AI governance there is.
Free. No patient data required. General template — adapt to your practice.
AI Tool Register — Fill-In Template
The AI tool register for ________________________ (practice name). Maintained by ________________________. Last reviewed: __________.
How to use this: list every AI tool that touches the practice — including AI features inside other software (your PMS, your email, your marketing platform) and tools your agency or suppliers use on your behalf. One row each. Review the register quarterly and whenever a new tool arrives. Print it, or keep it wherever your policies live.
Why keep a register
- You can't manage what you haven't listed. The riskiest AI tool in the practice is the one nobody wrote down.
- It turns "are we okay?" into a five-minute check: every tool, its data, its approval — one page.
- When something goes wrong (or a patient, insurer or adviser asks), the register is the first thing you'll wish you had.
The register
| # | Tool / AI feature | What it does for us | Patient data it can see? | Where data goes (AU / overseas / unknown) | Acts on its own, or human approves? | Owner approved (name, date) |
|---|---|---|---|---|---|---|
| 1 | __________________ | __________________ | none / some / identifiable | __________________ | reads only / acts with approval / acts alone | __________________ |
| 2 | __________________ | __________________ | none / some / identifiable | __________________ | reads only / acts with approval / acts alone | __________________ |
| 3 | __________________ | __________________ | none / some / identifiable | __________________ | reads only / acts with approval / acts alone | __________________ |
| 4 | __________________ | __________________ | none / some / identifiable | __________________ | reads only / acts with approval / acts alone | __________________ |
| 5 | __________________ | __________________ | none / some / identifiable | __________________ | reads only / acts with approval / acts alone | __________________ |
| 6 | __________________ | __________________ | none / some / identifiable | __________________ | reads only / acts with approval / acts alone | __________________ |
Don't forget: AI scribes · chatbots/AI receptionists · browser extensions · AI features in your PMS or email · transcription/dictation · marketing/social tools (yours and your agency's) · backup or document tools with AI review.
How to read your own register (the patterns that matter)
- Any row with "identifiable" + "overseas/unknown" → that's a cross-border disclosure question (APP 8). Confirm where the data goes before relying on the tool. (Review trigger, not a declared breach.)
- Any row with "acts alone" → the highest-risk pattern. Ask the vendor for an approval gate, or reconsider. A tool that only reads and suggests is a different risk class from one that acts.
- Any row you couldn't fill in → that's not a gap in the form; it's a question for the vendor. The vendor questions guide is the script.
- A tool nobody remembers approving → decide now: approve it properly, or remove it.
Keep it alive
| Routine | When |
|---|---|
| New tool or AI feature arrives → add a row before it's used | As it happens |
| Quarterly review — every row still accurate? still needed? | Every 3 months |
| Annual clean-out — remove tools no longer used (and close their accounts) | Yearly |
This is a general template for practice workflow governance. It is not legal advice and completing it does not establish compliance with the Privacy Act, the Australian Privacy Principles, state laws (such as the NSW HRIP Act), or any other obligation. Adapt it to your practice and seek qualified advice for your circumstances.