How Does HIPAA Plan to Address AI Data Privacy Concerns
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect the privacy and security of patient health information. As AI becomes more prevalent in healthcare, questions arise about how HIPAA will address the privacy of patient data processed by AI systems.
HIPAA requires covered entities to implement administrative, physical, and technical safeguards to protect protected health information (PHI) from unauthorized access, use, and disclosure. These safeguards include access controls, audit controls, encryption, and other measures to protect PHI’s confidentiality, integrity, and availability. HIPAA also requires covered entities to conduct periodic risk assessments to identify vulnerabilities in their information systems and to implement measures that address them.
Regarding AI, HIPAA applies the same privacy and security requirements to the use of PHI by AI algorithms as it does to the use of PHI by human healthcare providers. Therefore, covered entities that use AI algorithms to process PHI must ensure that the algorithms are designed and implemented to protect that information’s privacy and security. This includes implementing appropriate technical and administrative safeguards to prevent unauthorized access, use, and disclosure of PHI by AI algorithms.
HIPAA also requires covered entities to enter into business associate agreements (BAAs) with third-party vendors that handle PHI on their behalf. This includes vendors that provide AI algorithms or other services that involve using PHI. BAAs require vendors to comply with HIPAA’s privacy and security requirements and to implement appropriate safeguards to protect PHI from unauthorized access, use, and disclosure.
It is important to note that HIPAA regulations provide the federal floor of privacy and security standards. AI developers and vendors should review the mHealth App Guidelines developed by Xcertia and now managed by HIMSS to identify other state and federal laws that may apply: laws that pre-empt HIPAA, particularly concerning healthcare-adjacent data, or that apply to more organizations than Covered Entities and Business Associates.
According to The HIPAA Journal, “…it is the responsibility of each Covered Entity and Business Associate to determine what health information is PHI, what health information is adjacent, and how each should be managed. It is also the responsibility of each Covered Entity and Business Associate to conduct due diligence on any AI technologies that are implemented to improve efficiency and the patient experience to make sure that they are compliant with the HIPAA Rules, especially with respect to disclosures of PHI.”