DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The HIPAA Security Rule contains no mention of the phrase "AI" or the phrase "artificial intelligence." As of this writing, the Department of Health and Human Services (HHS), which enforces HIPAA, has not released guidance specific to the use of AI in a HIPAA environment. To evaluate whether, when, and how the use of AI raises HIPAA concerns, the existing Privacy and Security Rule standards must therefore be applied to the AI use case. Those standards, and how AI may affect their implementation, are discussed below.
1. The HIPAA De-Identification Standard and AI
If an organization does not want PHI disclosed to an AI platform (for example, because the platform's vendor has not signed a business associate agreement), the data should be de-identified before it is disclosed to the platform. De-identified data is not PHI and is not subject to the HIPAA Privacy Rule. HIPAA recognizes two de-identification methods: Safe Harbor, which requires removal of 18 categories of identifiers (names, dates other than year, telephone numbers, email addresses, Social Security numbers, medical record numbers, and so on) plus no actual knowledge that the remaining data could identify the individual; and Expert Determination, in which a qualified expert documents that the re-identification risk is very small. Redaction should take place before the data leaves the organization's control: an external AI platform that is asked to "recognize and redact" PHI has already received the PHI. The redaction step can itself be automated (pattern matching, or a model run in-house), but its output should be checked, because a failure to de-identify means that unsecured PHI was disclosed, which may be a reportable breach. In an environment where de-identification of PHI before disclosure to an AI platform is sought, the workforce members responsible for de-identification should be trained on how the chosen de-identification method works and what it does and does not remove.
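The following is an added example (not code from the article or from Compliancy Group) of the in-house redaction step described above: it strips a subset of the Safe Harbor identifier categories with regular expressions, replaces names from a constructed patient list (a stand-in for a registry lookup or a named-entity model), and fails closed if anything that still looks like an identifier survives. The patterns, the `known_names` list and the sample note are all constructed for illustration; a production pipeline would need fuller coverage (addresses, free-text names, ages over 89, and the remaining Safe Harbor categories) before the output could be treated as de-identified.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable

# Hypothetical redaction step that runs inside the covered entity, before any
# text is sent to an external AI platform. The patterns cover some of the
# Safe Harbor identifier categories in 45 CFR 164.514(b)(2). Order matters:
# the more specific patterns run first so a later one cannot match a fragment.
SAFE_HARBOR_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    # Safe Harbor allows the year but not month/day; the whole date is
    # dropped here to stay on the conservative side.
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# Any run of six or more digits that survives redaction is treated as a
# possible account, certificate or device number and blocks the disclosure.
RESIDUAL_IDENTIFIER = re.compile(r"\d{6,}")


class ResidualPHIError(ValueError):
    """Raised when the text still looks identifiable after redaction."""


@dataclass
class RedactionResult:
    text: str
    counts: Dict[str, int] = field(default_factory=dict)  # label -> replacements


def redact_phi(text: str, known_names: Iterable[str] = ()) -> RedactionResult:
    """Replace recognised identifiers with bracketed labels and count them."""
    out, counts = text, {}
    for label, pattern in SAFE_HARBOR_PATTERNS:
        out, n = pattern.subn(f"[{label}]", out)
        if n:
            counts[label] = counts.get(label, 0) + n
    # Names: a constructed list standing in for a registry lookup or NER model.
    for name in known_names:
        out, n = re.subn(re.escape(name), "[NAME]", out, flags=re.IGNORECASE)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    return RedactionResult(out, counts)


def prepare_for_ai(text: str, known_names: Iterable[str] = ()) -> RedactionResult:
    """Return text cleared for an external model, or raise so nothing is sent.

    This is the only function a caller should use to build a prompt: it never
    returns the raw input, and it refuses when a long digit run remains.
    """
    result = redact_phi(text, known_names)
    leftover = RESIDUAL_IDENTIFIER.search(result.text)
    if leftover:
        raise ResidualPHIError(
            f"possible identifier left after redaction: {leftover.group()!r}"
        )
    return result


# Constructed sample note (fictional patient) to exercise the filter.
SAMPLE_NOTE = (
    "Patient Jane Doe, DOB 04/12/1958, MRN 00123456, phone (555) 201-3344, "
    "SSN 123-45-6789, email jane.doe@example.com, lives in 90210."
)
KNOWN_NAMES = ("Jane Doe",)

if __name__ == "__main__":
    cleared = prepare_for_ai(SAMPLE_NOTE, KNOWN_NAMES)
    print(cleared.text)
    print(cleared.counts)
    try:
        prepare_for_ai("Account 123456789 is overdue")
    except ResidualPHIError as exc:
        print("blocked:", exc)
```

The fail-closed check in `prepare_for_ai` is the part worth copying: a redaction routine that silently passes through whatever it did not recognise turns a missed pattern into a disclosure of unsecured PHI, whereas raising forces a human review of the text before it leaves the organization.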
2. Secure Data Storage and Transmission
Secure data storage and transmission methods should be used whenever an AI model processes PHI. These methods include encrypting data at rest and in transit, and hosting the AI language model on secure infrastructure that meets the Security Rule's requirements. Entities may consider private clouds, on-premises servers, or cloud services whose provider will sign a business associate agreement; under HHS cloud guidance, a cloud service provider that stores or processes ePHI is a business associate, so "HIPAA-compliant cloud" in practice means a provider operating under a BAA.
3. Access Control and Auditing
If the AI language model processes PHI, entities should implement robust access control mechanisms (Security Rule standard 45 CFR 164.312(a)(1)) so that access to PHI, including the ability to submit PHI to the model, is limited to authorized individuals. In addition, entities should implement audit controls (45 CFR 164.312(b)) that record who submitted what to the model and when, and should review those records regularly. Audit controls and regular review of system activity are key to effective compliance monitoring, identifying improper user activity (such as unauthorized entry of PHI into the model), and spotting weaknesses in how the system is configured or used.
4. Employee Training
At organizations where AI language models process PHI, employees should be trained on HIPAA. This training includes what constitutes PHI; the HIPAA minimum necessary standard; when patient authorization is required for a use or disclosure of PHI; and which workforce members may use the AI platform. In particular, employees should be trained not to paste or otherwise enter PHI into an AI model unless they are authorized to do so AND the disclosure is permitted by HIPAA.
The Guard offers a Training Course, HIPAA Annual Training, which covers aspects of the HIPAA Privacy, Security, and Breach Notification Rules for all employees. The Guard also offers a Premium Course, Artificial Intelligence/AI Proficiency Certificate, for which Tokens may be purchased; it can be previewed to gauge the scope and usefulness of the training before any purchase.
5. Entering into a Business Associate Agreement with the AI Service
If a covered entity is contemplating using an AI service to perform business associate functions on its behalf, the covered entity should enter into a written, signed business associate agreement with the AI service before any PHI is disclosed to it. A business associate may use or disclose PHI only as the agreement permits and only to perform services for the covered entity. An arrangement whose sole purpose is to let the AI service use the covered entity's PHI to train or refine the vendor's own model, rather than to provide a service or perform an operation for the covered entity, is not a business associate function, and a business associate agreement cannot make that use permissible.
Further Resources and Reading on HIPAA Compliance and AI
We recommend the following articles, which look at strategies for using AI tools such as ChatGPT while maintaining HIPAA compliance:
- Paubox - Quick Guide to Using ChatGPT in a HIPAA Compliant Way
- Light IT - Using ChatGPT and Generative AI in a HIPAA Compliant Way
- What is a HIPAA Authorization for Uses and Disclosures of PHI?
- What is the Difference Between "Uses" of PHI and "Disclosures" of PHI?
- When Should Transmission of ePHI by Text or Email Be Encrypted?
- What is PHI?