Lesson 166 · The Grant Architect

166. Data Privacy and AI

30 min

By the end you'll be able to

  • Identify categories of data (PHI, FERPA-covered records, PII, embargoed research) that must never enter third-party AI tools.
  • Read vendor data retention and model-training policies critically.
  • De-identify case material before drafting and choose enterprise tooling when sensitive context is truly required.
  • Answer, before each AI session, what data is being shared, where it is going, and the worst-case exposure.

When you paste text into a hosted AI tool, you should assume that text leaves your control. That single assumption is the foundation of responsible AI use in grant work, because the consequences of getting it wrong are not theoretical. Protected Health Information triggers HIPAA. Student records trigger FERPA. Personally Identifiable Information triggers a patchwork of state privacy laws and potential civil liability. Embargoed research, NDA-covered material, and confidential funder communications carry their own contract and policy risks.

In this lesson you will learn the categories of data that must never enter a third-party model, and the practical workflows that keep you compliant without slowing you down. You will see how to de-identify case studies before drafting, how to use generic placeholders instead of real names and diagnoses, and how to choose enterprise or on-premise tools when the work genuinely requires sensitive context. You will also learn to read a vendor's data retention and training policies the way an auditor reads a single audit, looking for what is actually promised rather than what is implied.

By the end you should be able to walk into any AI-assisted drafting session and answer three questions without hesitation: what data am I about to share, where is it going, and what is the worst case if it is exposed. That habit is what separates a careful Grant Architect from a future case study.

Common mistakes

These are the traps learners hit most often on this topic. Knowing them in advance is half the fix.

  • Treating "private mode" or "incognito" as a compliance control.

    Browser privacy modes only affect local history. They do not change what the vendor receives, stores, or uses for training, and they do not satisfy HIPAA, FERPA, or contractual restrictions.

  • Assuming redaction is enough.

    Removing a name while leaving diagnosis, date of service, ZIP code, and provider intact still produces re-identifiable PHI. Effective de-identification requires the full Safe Harbor list or expert determination.

Practice problems

Try each on paper first. Click Show solution only after you've made a real attempt.

  1. Problem 1
    A program officer asks you to summarize ten real patient stories for a foundation appeal using a public AI tool. Draft a three-sentence response that protects the organization and still gets the work done.
    Show solution

    Pasting identifiable patient stories into a public model would be a HIPAA disclosure outside any Business Associate Agreement, so we cannot do it as proposed. I can draft strong composite stories using de-identified themes and generic details, then run them through the model for tone and tightening. If we need to work with the real case files, we would need to move to an enterprise tool covered by a signed BAA before any patient text leaves our systems.

Practice quiz

  1. Question 1
    Which of the following can be pasted into a consumer-grade hosted AI tool without triggering a regulatory or contractual concern?
  2. Question 2
    Why does this lesson treat vendor data-retention policies as a compliance question rather than a procurement question?
  3. Reflection 3
    In one or two sentences, explain why a grant writer who pastes a real patient case description into a free chatbot has likely created a HIPAA problem even if no one outside the chat sees it.

Lesson 166 recap

Sensitive data (PHI, FERPA-covered records, PII, embargoed and NDA-covered material) must not enter third-party AI tools without compliant agreements. The Grant Architect verifies what is being shared and where it goes before every session.

Coming next: Lesson 167 — Organizational AI Policy Development

Next, we turn that personal discipline into organizational policy, so the whole team operates the same way you do.

Saved in your browser only — no account, no server.