AI in Healthcare: Navigating Privacy Under Federal Law
https://breakingac.com/news/2026/feb/20/ai-in-healthcare-navigating-privacy-under-federal-law/
Publish Date: 2026-02-20 22:57:00
Source Domain: breakingac.com
Understanding the Regulatory Foundation of HIPAA and AI
Artificial intelligence is quickly changing the way healthcare is delivered, from clinical decision support and predictive analytics to automated documentation and revenue-cycle optimization. These technologies improve efficiency and patient outcomes, but they also create difficult compliance issues. The intersection of HIPAA and AI has become a pressing area of concern, one in which healthcare leaders must weigh innovation against the protection of patient privacy.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting protected health information (PHI). Any AI system that creates, receives, maintains, or transmits PHI falls under HIPAA's jurisdiction. This means healthcare organizations cannot treat AI tools as standalone programs that operate outside the law. Rather, AI must be governed by the same stringent requirements that apply to electronic health record systems and other regulated technologies.
How HIPAA Rules Apply to AI Tools
HIPAA consists mainly of the Privacy Rule and the Security Rule. The Privacy Rule governs the use and disclosure of PHI. AI applications used for treatment, payment, or healthcare operations generally fall within permissible uses. However, when patient data is used for purposes outside those categories, such as training an algorithm not directly related to patient care, explicit patient authorization or appropriate de-identification may be required.
The Security Rule requires administrative, technical, and physical safeguards to protect electronic PHI (ePHI). For AI tools, these safeguards include encryption, multi-factor authentication, role-based access controls, secure data transmission protocols, and thorough audit logging. This is because healthcare organizations need to…