For private GP, dental and specialist clinics using AI with patient data

Your clinic is already using AI. Could you prove it is under control?

Founder-delivered by a CISM and CRISC-certified AI governance consultant with 20+ years' experience in regulated environments. Led by Faisal Ali, Founder and Principal Consultant of ELSA AI.

ELSA AI helps clinics discover which AI tools are already in use, where patient data may be involved, what evidence is missing, and what should be prioritised in the next 30 days.

A Royal College of Physicians snapshot survey, January 2026, found that 69% of 305 UK physician respondents used personal access to AI tools such as ChatGPT and Microsoft Copilot for clinical questions.

Founder-delivered AI governance, not a platform subscription.

Led by Faisal Ali, CISM, CRISC, Founder and Principal Consultant of ELSA AI, with more than two decades of experience across cybersecurity, information risk and AI governance in regulated environments.

  • Private healthcare AI deployer focus
  • Source-mapped governance evidence
  • Board, DPO, insurer, MDO and clinical leadership ready outputs
  • Advisory boundaries clearly defined

COMMON TRIGGERS

When AI governance becomes urgent

Private clinics usually contact ELSA AI when informal AI use becomes an evidence question, from a CQC inspection, DPO request, insurer renewal, MDO query, ambient scribe rollout or board review.

Each trigger points to the same issue: can the clinic show what AI is in use, what patient data may be involved, what evidence exists and what needs action next?

CQC inspection approaching

Can you show how AI tools are governed, monitored and reviewed?

Best next step

Board Findings Report + RAG Exposure Map

Insurer or PMI renewal

Can you answer AI, data protection and clinical oversight questions accurately?

Best next step

Disclosure Readiness Note

DPO requesting evidence

Can you show which AI tools process patient data and whether DPIA review is needed?

Best next step

DPIA Readiness and Patient Data Exposure Note

Ambient scribe rollout

Do you have DPIA readiness, vendor evidence and patient transparency before routine use?

Best next step

Ambient Scribe Assessment Sheet

MDO query or clinical incident

Can clinicians evidence that AI use was approved, supervised and documented?

Best next step

MDO, PMI and Insurer Disclosure Readiness Note

Board AI review

Can leadership see what AI is in use, what risk exists and what action is required?

Best next step

Board Findings Report + 30-Day Priority Action Plan

One Diagnostic. Six common reasons to start.

The Clinical AI Exposure Diagnostic™ gives clinic leadership a board-ready view of AI use, patient-data exposure, evidence gaps and priority actions in four working days from completed intake.

Fixed fee £4,500–£6,500 + VAT.

Advisory governance support only. Not legal advice, CQC certification, ICO approval, insurer coverage advice, MDO indemnity advice or clinical safety case sign-off. Final decisions remain with the clinic's accountable officers and advisers.

Who this is for

ELSA AI is designed for CQC-regulated private GP, dental and specialist clinics where AI is already being used with patient data – for example ambient scribes, ChatGPT, Copilot, imaging AI or supplier platforms.

It is a good fit where there is at least a small clinical team, formal CQC registration and DPO/board interest in AI governance. Very small, single-handed practices using only basic office automation may be better served by simple policy templates rather than a full Diagnostic.

How the Clinical AI Exposure Diagnostic™ works

A focused 4-working-day assessment showing what AI is being used, where patient data may be involved, what evidence is missing and what should be prioritised next.

Step 1

Day 1

Discover AI use

Leadership intake, evidence request, confidential role-level staff survey and initial shadow AI mapping.

Step 2

Days 2–3

Assess governance evidence

Review AI tool inventory, patient-data exposure, DPIA readiness, vendor evidence, ambient scribes where applicable, human oversight and disclosure-readiness indicators.

Step 3

Day 4

Deliver board-ready actions

Board Findings Report, RAG Exposure Map, 30-Day Priority Action Plan and source-mapped evidence appendix.

What you receive in the 4-day Diagnostic

A board-ready evidence pack showing what AI is in use, what patient data may be involved, what evidence exists, what is missing and what should happen next.

Board and leadership view

  • Board Findings Report
  • One-page RAG Exposure Map
  • 30-Day Priority Action Plan

DPO and clinical governance evidence

  • AI Tool and Use Case Inventory
  • DPIA Readiness and Patient Data Exposure Note
  • Vendor Data Position and Evidence Tracker
  • Ambient Scribe Assessment Sheet, where applicable

External review readiness

  • MDO, PMI and Insurer Disclosure Readiness Note
  • Source and Guidance Mapping Appendix

Evidence & guides

Evidence clinics are starting to need

AI governance pressure usually arrives as a request for evidence: from the DPO, board, insurer, MDO, CQC inspector, clinical lead or patient. These guides explain what private clinics may need to have ready before AI use becomes difficult to explain.

Advisory governance support only. These guides are not legal advice, DPIA sign-off, CQC certification, ICO approval, insurer coverage advice, MDO indemnity advice or clinical safety case sign-off.

What clinics do with the Diagnostic findings

The Diagnostic does not claim to fix every AI risk in four working days.

It gives leadership a documented starting position: what AI is in use, what patient data may be involved, what evidence is missing and what should be prioritised next.

Example outcomes

Illustrative scenarios based on typical clinic profiles, not specific clients.

Executive health clinic

From unknown AI use to a board-readable exposure map

A GP-led executive health clinic identifies declared and informal AI use across clinical, admin and support teams. Leadership receives an AI Tool and Use-Case Inventory, RAG Exposure Map and 30-Day Priority Action Plan showing which tools need DPO review, vendor evidence or staff guidance first.

Specialist dermatology clinic

Preparing for ambient scribe rollout

A doctor-led specialist clinic preparing to use an ambient scribe receives a structured view of DPIA readiness, vendor evidence gaps, patient transparency wording needs, human-review workflow and clinical safety ownership points for review by its DPO, clinical lead and accountable officers.

Multi-site dental group

Moving from shadow AI to approved-use guidance

A dental group finds staff using personal AI tools for drafting, notes and admin support. The Diagnostic helps leadership distinguish approved, conditional and prohibited use, identify patient-data exposure risks and prioritise staff guidance, vendor evidence and DPO review actions.

Each scenario leads to the same starting point: a documented AI governance position the clinic can review, own and act on.

From first evidence pack to ongoing AI governance

Diagnostic first. Launchpad second. Sentinel third. ELSA AI starts with a documented view of current exposure, then helps clinics build and maintain a working governance baseline.

Step 1

Starting point

Clinical AI Exposure Diagnostic™

4 working days · £4,500–£6,500 + VAT

Identify what AI is in use, where patient data may be involved, what evidence is missing and what actions should be prioritised in the next 30 days.

Step 2

Clinical AI Safe Usage Launchpad™

4–6 weeks · £14,500–£22,000 + VAT

Convert Diagnostic findings into a board-approved governance baseline: policy, register, risk register, DPIA readiness pack, vendor evidence, patient transparency, staff guidance, incident process and board evidence pack.

Step 3

AI Exposure Sentinel™

Quarterly retainer · £950/month or £10,500/year + VAT

Keep AI governance evidence current as tools, staff use, vendor terms, insurer questions and regulatory expectations change.

Next step

Confidential discovery call with Faisal Ali. No commitment required.

Faisal Ali, CISM, CRISC

Founder and Principal Consultant, ELSA AI

Founder-delivered governance support

ELSA AI engagements are led by Faisal Ali, CISM, CRISC, Founder and Principal Consultant of ELSA AI. Faisal brings more than two decades of experience across cybersecurity, information risk and AI governance in regulated environments.

ELSA AI was built for private healthcare providers deploying third-party AI tools, not building AI products from scratch. The focus is practical evidence: what tools are in use, what patient data may be involved, what controls exist, who owns the risk and what decision-makers need to see.

Proof points

  • Senior-led, not template-and-invoice delivery
  • Advisory support for AI deployers, not AI product builders
  • Source-mapped evidence for board, DPO and clinical governance review
  • Clear advisory boundaries

Clear advisory boundaries

What ELSA AI does

  • Identifies AI tools and use cases
  • Maps patient-data exposure
  • Identifies advisory risk indicators and evidence gaps
  • Structures board, DPO, vendor and disclosure-readiness evidence
  • Produces practical 30-day actions

What ELSA AI does not do

  • No legal advice
  • No CQC certification
  • No ICO approval
  • No insurer coverage advice
  • No MDO indemnity advice
  • No clinical safety case sign-off
  • No DCB0160 sign-off

Who owns final decisions

  • Clinic board, partners or directors
  • DPO and legal adviser
  • Clinical Safety Officer or clinical lead
  • Insurer, PMI or MDO
  • Accountable officers and advisers

ELSA AI structures evidence so the clinic's own accountable officers and advisers can review, adopt and own the final position.

Ready when you are

The starting point is a confidential 20-minute conversation.

We will confirm whether the Clinical AI Exposure Diagnostic™ is the right fit for your clinic, what tools and workflows should be in scope, and whether there is a time-sensitive trigger such as an ambient scribe rollout, DPO review, insurer renewal, MDO question, board meeting or CQC inspection.

20 minutes

Direct with Faisal Ali

No commitment required

Confidential · No obligation · Senior-led from the first call

Advisory governance support only. Not legal advice, regulatory approval, CQC certification, insurer coverage advice, MDO indemnity advice or clinical safety case sign-off. Where needed, evidence is structured for adoption and sign-off by the clinic's own legal advisers, clinical safety officers and indemnity providers.