Navigating HIPAA Compliance with AI

Updated on April 20, 2026

Artificial intelligence (AI) is rapidly changing the delivery of healthcare in America. Different types of AI are currently being used by healthcare providers to assist with patient intake, diagnostics, clinical record taking, research, risk analysis, patient discharge, and patient instructions and billing. This involves the use of several different types of AI, which are outlined below.

Generative AI is used to create new content from large amounts of data. In the healthcare arena, generative AI is often used to create clinical notes based on recorded patient encounters and draft patient instructions or summaries for care coordination. 

Autonomous AI uses systems that perform tasks without human involvement. This can allow clinical decisions to be made without input from a provider. Examples include the use of autonomous diagnostic tools that detect abnormalities in radiology scans or devices that can detect dangerous conditions.

Augmented AI keeps humans in control: it uses machine learning to enhance human capabilities and to assist decision-making rather than replace it. This type of AI can help providers identify patients at high risk for certain diseases or injuries, and it can support clinical decision-making, for example by flagging medication interactions.

This article will provide an overview of how the Health Insurance Portability and Accountability Act (HIPAA) laws and regulations apply to AI. Further, this article will outline the law, provide examples, and offer practical guidance for providers and their teams.

Background

HIPAA was signed into law in 1996 by President Bill Clinton. The law provides a federal floor for the protection of Americans’ health information by regulating how a patient’s protected health information (PHI) can be accessed or used by healthcare providers, health plans and healthcare clearinghouses – covered entities – as well as their business associates. A business associate is an entity or person that provides services on behalf of a covered entity and has access to or uses protected health information in the course of those services. Third-party AI vendors that provide services to healthcare providers are often HIPAA business associates.

In 1998 the Department of Health and Human Services promulgated security regulations that specifically apply to the confidentiality, integrity and availability of electronic protected health information (ePHI). While the HIPAA privacy rule applies to all protected health information in any format, the security rule specifically protects health information that is held electronically.

In 2009, President Barack Obama signed into law the American Recovery and Reinvestment Act, which contains the Health Information Technology for Economic and Clinical Health Act (HITECH). This law created the breach notification rule, which imposes additional requirements on providers following a data breach of protected health information and established that the privacy rule penalties are directly applicable to business associates.

AI and HIPAA Compliance Concerns

As discussed above, the HIPAA privacy rule applies to protected health information; de-identified health information is not protected by HIPAA. One area of concern is that a provider may use an open AI system to share patient information in a way that constitutes a data breach and a violation of HIPAA. Some healthcare providers have closed AI systems in which this information is shared only within the particular medical facility. For example, a physician using ChatGPT to ask a question that includes patient identifying information would likely constitute a HIPAA violation and possibly a data breach. Specific staff training on how HIPAA applies to the AI systems in use is therefore important, and any AI system used by a provider should be a closed AI system so that protected health information is not improperly disclosed to third parties.

Another concern is that it can be difficult to comply with HIPAA’s minimum necessary standard when using generative AI, since providing more information usually leads to a better result. Once providers determine that they can either share information in a closed AI system or be confident that it is properly de-identified, they need to consider what the minimum necessary health information is to use the system optimally.

A third consideration is ensuring that an AI system truly is HIPAA compliant. A third-party vendor merely stating that its AI system is HIPAA compliant is not enough; the system needs to actually comply with HIPAA, including both the privacy and the security rules. Assuming that the vendor will be a HIPAA business associate, it will also need to enter into a HIPAA business associate agreement that complies with the statutorily required terms.

Practical Steps to Ensure Compliance

Medical practices can take steps to ensure the safety of their use of AI. Compliance should start internally with the practice either creating or updating internal policies that prohibit the use of protected health information in any non-HIPAA compliant AI systems. The failure to comply with this policy should be treated as any other HIPAA breach. This internal review should include a HIPAA Security Rule risk assessment of how PHI moves through these AI systems and what additional modifications or policies, if any, should be implemented to protect the confidentiality, integrity and availability of the protected health information. Additionally, the practice should implement policies addressing how to properly use AI. For example, the policies should outline how to properly de-identify health information when required and how the minimum necessary standard applies when using AI. 

Next, proper due diligence needs to be implemented with respect to contracting with any outside AI company that has access to any protected health information of the practice. The practice should enter into an appropriate HIPAA business associate agreement with those third-party AI vendors. Additional terms to consider are provisions requiring the business associate to maintain cybersecurity insurance, as well as indemnification clauses should the vendor’s failure to comply with HIPAA or the agreement result in damage to the practice. If the third-party AI vendor provides the proposed business associate agreement, it should be reviewed by a healthcare attorney to ensure it includes the required terms and that any negotiable terms are also considered. 

Because HIPAA is technology neutral, it can be applied to AI systems in healthcare. Providers and practices should consider how protected health information will be impacted by these systems and enact or update policies and procedures to address privacy risk areas.

Erin S. Aebel, Shareholder at Trenam Law

Erin S. Aebel is a shareholder at Trenam Law in Tampa, Florida, and a Florida Bar board certified health law specialist. She represents a range of providers in matters involving Stark law, fraud and abuse, acquisitions and changes of ownership, and HIPAA and licensure issues arising from joint ventures.

J. Trevor Carson, Associate at Trenam Law

J. Trevor Carson, an associate in Trenam’s Health Care practice, represents providers, hospitals and health facilities in a wide range of matters. He can be reached at [email protected].