The Confession Booth Has No Walls
Patients are telling AI the truths they hide from their doctors.
A few weeks ago a neighbor told me something I have not stopped thinking about. "I tell my ChatGPT friend everything," he said. "My labs, my meds, the health problems I haven't even told my doctor yet." He said it the way a person admits a small, harmless secret (half embarrassed, half relieved).
When I urged him to bring those questions to his physician, and warned him about where that data might travel, he looked lighter. As if confessing how he actually uses AI had lifted something off him. He slept fine that night. I did not.
He is not an outlier. He is the mainstream.
The scale, and the paradox inside it
In its early 2026 tracking poll, KFF found that about one in three adults had used an AI chatbot for health information in the past year, and that monthly use had nearly doubled in two years, from roughly 17 percent in mid-2024 to 29 percent.
The same survey found something that should stop every governance committee in its tracks: 77 percent of adults said they were concerned about the privacy of the personal medical information they give these tools. Read those two numbers together. People are worried about the privacy of what they type, and they are typing anyway, in growing numbers. That is not carelessness. That is need outrunning fear.
Why they confess to the machine
The instinct to tell a chatbot what you withhold from your clinician is not new behavior. It is old behavior pointed at a new listener.
Research on disclosure has shown for years that people open up more honestly when they believe they are speaking to a computer rather than a person, because the fear of being judged falls away (Lucas et al., Computers in Human Behavior, 2014). And patients withhold a great deal from their actual clinicians. In a national survey published in JAMA Network Open, most patients admitted concealing medically relevant information from their providers, and the two most common reasons were not wanting to be judged and plain embarrassment (Levy et al., 2018).
So when a patient pours their history into a chatbot at eleven at night, they are not insulting their doctor. They are doing what humans have always done. They are choosing the listener that will not flinch. The machine has time, patience, and no visible disappointment. That is the entire appeal.
What they do not know about the room
Here is what my neighbor did not know, and what most patients do not know. When you pour your health into a consumer AI tool, you are not whispering to a physician. There is no HIPAA in that room.
HIPAA binds covered entities: hospitals, clinics, insurers, and the vendors they hire. It does not bind the chatbot your patient trusts. The conversation is not theirs. It can be stored, used to train the next model through a setting buried in a policy no one reads, exposed in a breach, or summoned in a lawsuit.
That last risk vector is no longer hypothetical. In 2025, in the litigation between The New York Times and OpenAI, a federal court ordered OpenAI to preserve enormous volumes of ChatGPT conversations as potential evidence, including chats users believed they had deleted. The court later ordered the production of roughly 20 million logs. Crucially for protecting individual patients' identities, these logs were strictly de-identified under a protective court order.
However, the structural lesson remains universal. Because users voluntarily submit these communications, a conversation that a court can freeze and pull into discovery is not a conversation you control. He thought he was in a confession booth. He was standing in a room he could not see, speaking out loud. That is not his failure. No one told him the rules had changed.
The governance vacuum, and the law sprinting to fill it
We keep debating whether AI can help the patient. It can. That was never the hard question. The hard question is the one we keep skipping: who owns the conversation.
Convenience answered first. Governance never showed up. We built a tool intimate enough to hold a person's deepest fears, and never decided who holds the record afterward. Regulators already know the gap is there, and they are filling it reactively, one case at a time.
In 2023 the FTC penalized GoodRx and then BetterHelp for funneling sensitive health data to advertisers. BetterHelp had told users it was HIPAA compliant when it was not, and was ordered to pay 7.8 million dollars and return money to the people whose disclosures it had shared.
That same year, Washington passed the My Health My Data Act. It is a state-level consumer protection statute, written specifically to protect health information that falls outside HIPAA; it is not a universal national shield for all U.S. adults. The pattern is unmistakable. The most intimate health conversations have migrated to tools the old rules never anticipated, and the law is catching up unevenly, after the fact.
What we actually do
So what do we do, those of us who build and govern this?
- First, stop treating it as user error. A third of adults are already here, and most of them are uneasy about it. Patients are not reckless for seeking clarity. They are filling a vacuum the system created when it priced a follow-up question as an imposition. Shaming them back into silence solves nothing.
- Second, build the literacy. A short, audited handout is required. Imagine a nurse who says, before discharge, "If you are going to ask an AI about this, here is what is safe to share and what to keep out of it." We teach patients to read a nutrition label. We can teach them to read a privacy one.
- Third, put the patient in the room where the rules get written. Not as a courtesy. As a design requirement. A committee deciding how AI will touch patients, with no patient at the table, is not governance. It is theater. This is the spine of the Patient AI Bill of Rights I have been building, and it begins with one claim: sovereignty over your own body has to include sovereignty over the story told about it.
- Fourth, execute the part only clinicians can do. Become the interpreter the patient is already looking for. The reason your patient turns to the machine is not that the machine is smarter. It is that the machine has time, patience, and never makes them feel stupid for asking. Close that gap inside the exam room, and the unprotected room loses its pull.
The Close
My neighbor will keep talking to his ChatGPT friend. So will the third of the country sitting beside him. The question is not how to stop them. It is whether we will build a system worthy of the trust they are already handing, knowingly or not, to a stranger.
Before we send one more patient home to "go ask the AI," we owe them one honest sentence: you may be the only one in that conversation who thinks it is private.
Sources
- KFF Tracking Poll on Health Information and Trust (2026): https://www.kff.org/health-information-trust/poll-1-in-3-adults-are-turning-to-ai-chatbots-for-health-information-equaling-the-share-who-use-social-media-for-health/
- Lucas et al., "It's only a computer: Virtual humans increase willingness to disclose," Computers in Human Behavior (2014): http://multicomp.cs.cmu.edu/wp-content/uploads/2017/09/2014_CHB_Lucas_It.pdf
- Levy et al., patient nondisclosure to clinicians, JAMA Network Open (2018): https://pubmed.ncbi.nlm.nih.gov/30646397/
- FTC final order, BetterHelp, $7.8M (2023): https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-gives-final-approval-order-banning-betterhelp-sharing-sensitive-health-data-advertising
- FTC enforcement against GoodRx and BetterHelp (overview): https://calawyers.org/privacy-law/ftc-enforcement-action-against-goodrx-and-betterhelp/
- OpenAI ordered to produce 20 million ChatGPT logs (Bloomberg Law, 2025): https://news.bloomberglaw.com/ip-law/openai-must-turn-over-20-million-chatgpt-logs-judge-affirms
- Washington My Health My Data Act (IAPP overview): https://iapp.org/resources/article/washington-my-health-my-data-act-overview