Microsoft Just Made the Patient AI Conversation Official.
Now Comes the Hard Part.
Last week Microsoft moved Copilot Health into preview. If you work in healthcare, you should read it as more than a product launch. It is the moment the patient-side AI conversation stopped being a fringe behavior and became sanctioned infrastructure from the largest enterprise software company on earth.
The number buried in the announcement is the one that matters. Microsoft says it now responds to more than 50 million health questions a day across its consumer products. Not a forecast. Not a TAM slide. Fifty million conversations, every day, already happening.
I have been writing about this shift for months. A West Health-Gallup survey late last year found that one in four U.S. adults, the equivalent of more than 66 million Americans, have turned to an AI tool for physical or mental health information. When OpenAI launched ChatGPT Health in January, it crossed 40 million daily users within weeks. The patient is already in the room with an AI. The only open question was whether anyone with real distribution and real discipline would build for it.
Microsoft just answered that question.
What Microsoft got right
I want to be clear, because too much commentary on big-company launches is reflexively cynical. Copilot Health is good work, and the care shows in the details.
They built it with an external panel of more than 250 physicians across two dozen countries. They earned ISO/IEC 42001 certification, which means an independent third party verified how they build and govern the AI, not just that it ships. Health conversations are walled off from the rest of Copilot and are not used to train models. Data is encrypted, and the patient can disconnect it at any time. Answers are grounded in trusted sources, including a partnership with Harvard Health and principles published by the National Academy of Medicine.
That is what responsible looks like at the consumer layer. The bar for patient-facing AI just went up, and the whole field is better for it.
But here is where I want to slow down, because this is the part most people will skip past.
Copilot Health is the consumer layer. It is not the institutional one.
Read the fine print and the boundaries are honest and deliberate. Copilot Health is for Microsoft 365 Personal, Family, and Premium subscribers. Work accounts are explicitly excluded. It connects to patient-held wearable data and to records the patient pulls in themselves. It is, by design, a tool the patient runs in the consumer world.
That is the right scope for what it is. But it means the hardest problem in healthcare AI is still sitting on the table untouched.
Your patient asks Copilot Health why they feel tired. The answer is grounded, cited, careful. Then the patient walks into your clinic. None of that conversation is governed by your institution. None of it is in your record. None of it routes back to a clinician when it should. The consumer tool did its job well, and the academic medical center still has no visibility, no audit trail, and no escalation path.
This is the layer everyone is missing. Not the patient’s tool. The institution’s governance of it.
The three things the institutional layer actually requires
If you run technology, compliance, or clinical operations at an AMC, the strategic question is no longer whether your patients use AI for health. They do. It is whether that use can be made grounded, governed, and inspectable on your terms. Three requirements, and all three have to be true at once.
Grounded in the real record. Consumer tools work from what the patient remembers to type or chooses to connect. The institutional layer has to work from the actual longitudinal record, pulled through the patient’s own authorized access. The standard for this already exists. It is SMART on FHIR, the same mechanism a decade of federal policy has required you to expose. The patient authorizes, scoped and time-bound. No new integration project, no data duplicated into a vendor cloud.
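A sketch of what "scoped and time-bound" can mean as an enforceable check, added here as an illustration and not taken from the article or from any vendor's code: it reviews a SMART on FHIR token response before an agent is allowed to use it. The scope syntax follows the SMART App Launch specification; the lifetime cap, the resource allow-list, the rule against offline_access, and the function name review_grant are assumed institutional policy choices.

```python
import re

# Assumed institutional policy values (hypothetical, not from the article).
MAX_LIFETIME_SECONDS = 3600
ALLOWED_RESOURCES = {"Patient", "Observation", "Condition", "MedicationRequest"}
IDENTITY_SCOPES = {"openid", "fhirUser", "launch/patient"}
# SMART clinical scope: context/Resource.perms, v1 (read|write|*) or v2 (subset of "cruds").
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|(?=[cruds])c?r?u?d?s?)$")

def review_grant(token_response):
    """Return a list of policy violations for a SMART token response; empty means acceptable."""
    problems = []
    expires_in = token_response.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= 0:
        problems.append("no expires_in: grant is not time-bound")
    elif expires_in > MAX_LIFETIME_SECONDS:
        problems.append(f"expires_in {expires_in}s exceeds {MAX_LIFETIME_SECONDS}s")
    if not token_response.get("patient"):
        problems.append("no patient context in token response")
    for scope in token_response.get("scope", "").split():
        if scope in IDENTITY_SCOPES:
            continue
        if scope == "offline_access":
            problems.append("offline_access: refresh token outlives the session")
            continue
        m = SCOPE_RE.match(scope)
        if not m:
            problems.append(f"unrecognized scope: {scope}")
            continue
        context, resource, perms = m.groups()
        if context != "patient":
            problems.append(f"{scope}: not patient-level")
        if resource not in ALLOWED_RESOURCES:
            problems.append(f"{scope}: resource outside allow-list")
        if not (perms == "read" or set(perms) <= set("rs")):
            problems.append(f"{scope}: grants write access")
    return problems

# Constructed sample token responses (not real grants).
GOOD = {"expires_in": 900, "patient": "example-patient-id",
        "scope": "openid fhirUser launch/patient patient/Observation.rs patient/MedicationRequest.read"}
BAD = {"expires_in": 86400, "scope": "user/*.write offline_access patient/Observation.cruds"}

if __name__ == "__main__":
    print("GOOD:", review_grant(GOOD))
    print("BAD:", *review_grant(BAD), sep="\n  ")
```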
Governed by the institution. Every agent action logged with the model version and the policy version behind it. An audit trail your compliance team can actually open. Escalation thresholds the hospital defines, so a symptom or a medication risk that crosses a line routes back to the care team through the secure messaging you already use. Governance is not a feature you bolt on at the end. It is the entire reason an institution can put its name on the thing.
Open enough to inspect. This is the one most enterprises get wrong. If your security team cannot read the code your patients are running, you are trusting a black box with the most sensitive data your patients own. The patient-facing runtime should be open source and inspectable. The commercial value lives in the governance plane, not in hiding the agent.
Notice that none of this competes with Copilot Health. Microsoft solved the consumer experience. The institutional governance layer is a different problem, sitting at a different altitude, owned by a different buyer. They are two ends of the same story.
A governance question, not a product question
Regular readers know I keep returning to one theme. In healthcare, model flexibility is a governance requirement, not an IT preference. When the underlying model changes, the outputs change, and in healthcare that has direct consequences for compliance, documentation, and clinical trust. The institution that builds its patient AI strategy on a single provider with no contingency is exposed the day that provider ships an update.
The patient-side question is the same question wearing different clothes. The win is not picking the cleverest consumer app. The win is owning the layer where grounding, governance, and escalation are enforced, on standards you control, with model policy you set.
I have spent fifteen-plus years building governed AI inside an academic health system. The methodology we developed there was accepted by CMS as an alternative to traditional time studies and held up through third-party audits. That work taught me one thing above all. The technology is rarely the hard part. Governance at scale is the hard part, and it is the part that determines whether anything real ever gets deployed.
A few weeks ago I gave an open-source AI agent OAuth access to my own hospital records through MyChart. The patient-side ceremony took about five minutes. The hospital integration cost was zero, because the standards were already there. That experiment was not the point. The point was what it implied. The patient-side capability is here and it is cheap. What is scarce, and what every academic medical center actually needs, is the governance layer that sits between that capability and the institution.
That is the layer my team is building. It is also the layer I think defines the next two years of this category. Microsoft proving the consumer demand at 50 million questions a day does not make that work less urgent. It makes it the most urgent unsolved problem in patient-facing healthcare AI.
Congratulations to the Copilot Health team. The bar just went up. Now the institutions have to decide who governs the conversation once the patient walks back through their doors.
Sources
Microsoft, Copilot Health: Now in Preview — the preview announcement, including the 50 million health questions per day figure, the 250+ physician panel, and ISO/IEC 42001 certification.
Microsoft AI, Introducing Copilot Health — product scope, trusted-source grounding, and the safe-and-secure-by-design details.
Microsoft AI, Our values in operation: Health — the values framework behind the health work and the Mayo Clinic frontier-model collaboration.
Microsoft AI, Health Check: How People Use Copilot for Health — Microsoft’s analysis of how patients actually use Copilot for health questions.
Nature, analysis of half a million Copilot health conversations — the peer-reviewed study behind the symptom-interpretation and test-result findings.
West Health-Gallup Center on Healthcare in America, Millions of Americans Now Consult AI Before, After, and Sometimes Instead of, Seeing a Doctor — the one-in-four / 66 million figure.
Paul J. Swider is CEO and Chief AI Officer at RealActivity, a Microsoft Partner specializing in mission-critical AI for healthcare systems. He has 30+ years in healthcare technology, has trained over 3,000 engineers across GE, IDX, and Microsoft, and is the founder of BOSHUG, the Boston Healthcare Cloud & AI Community spanning 50+ countries.
If you lead technology, compliance, or clinical operations at an academic medical center and you are working through where patient AI fits in your strategy, I would genuinely like to hear how you are thinking about it. That conversation is the one worth having right now.


