PracticeSuite Blog

AI and HIPAA: A Cautionary Tale

AI has the potential to shape the future of physician practices, from documentation and coding to RCM and the front office. It also has the potential to run afoul of HIPAA regulations. 

As readers may know, AI requires huge amounts of data for training. Understandably, that data includes patient health information (PHI) in the case of healthcare-related apps. The trick for software developers is to de-identify the data without rendering it useless for AI. 

The good news is that AI can automate de-identification, scanning health records and anonymizing sensitive information. The bad news is that, for HIPAA compliance purposes, the data must not be re-identifiable, and this is where AI can cause problems: when anonymized data is combined with other data sets, individual patients can be re-identified, which is a potential HIPAA breach.
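To make the re-identification risk concrete, here is an added example (written for this post, not code from PracticeSuite or any product it describes). It de-identifies a small constructed patient table in two ways and then runs the check a developer should run before releasing any data set: are any records still unique on the combination of fields an outside list might also carry (here date of birth or age band, ZIP code, and sex)? A unique combination is exactly what allows linkage with another data set. The records, the 10-year age bands, the 3-digit ZIP truncation, the reference year, and the k-anonymity threshold of 2 are all assumptions chosen for illustration; the script is not a HIPAA Safe Harbor implementation.

```python
"""Added example: de-identify a constructed patient table, then check whether
any row is still unique on its quasi-identifiers (a k-anonymity check)."""
from collections import Counter

# Constructed sample records; names, dates, ZIPs and diagnosis codes are fictional.
RAW_RECORDS = [
    {"name": "A. Example", "dob": "1961-03-14", "zip": "02139", "sex": "F", "dx": "E11.9"},
    {"name": "B. Example", "dob": "1960-11-02", "zip": "02138", "sex": "F", "dx": "I10"},
    {"name": "C. Example", "dob": "1995-07-21", "zip": "90210", "sex": "M", "dx": "J45.909"},
    {"name": "D. Example", "dob": "1994-01-09", "zip": "90212", "sex": "M", "dx": "E11.9"},
    {"name": "E. Example", "dob": "1993-05-30", "zip": "90211", "sex": "M", "dx": "I10"},
]

DIRECT_IDENTIFIERS = {"name"}                      # fields that name a person outright
RAW_QUASI_IDENTIFIERS = ("dob", "zip", "sex")      # fields an outside list may also hold
GENERALIZED_QUASI_IDENTIFIERS = ("age_band", "zip3", "sex")
REFERENCE_YEAR = 2024                              # assumed year for age calculation


def naive_deidentify(record):
    """Drop the name and stop. This is the tempting shortcut: the row no
    longer says who the patient is, but dob + zip + sex remain intact."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize(record, reference_year=REFERENCE_YEAR):
    """Drop direct identifiers and coarsen the quasi-identifiers:
    date of birth -> 10-year age band, 5-digit ZIP -> first 3 digits."""
    out = naive_deidentify(record)
    age = reference_year - int(out.pop("dob")[:4])
    low = age // 10 * 10
    out["age_band"] = f"{low}-{low + 9}"
    out["zip3"] = out.pop("zip")[:3]
    return out


def equivalence_classes(records, keys):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def min_k(records, keys=GENERALIZED_QUASI_IDENTIFIERS):
    """Smallest group size; k == 1 means at least one row is unique (linkable)."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_rows(records, keys=GENERALIZED_QUASI_IDENTIFIERS):
    """Rows whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r[k] for k in keys)] == 1]


def suppress_unique(records, keys=GENERALIZED_QUASI_IDENTIFIERS):
    """Mitigation used here: withhold rows that would be unique on release.
    (Widening the age bands further would be the alternative.)"""
    singles = unique_rows(records, keys)
    return [r for r in records if r not in singles]


def release_ready(records, k=2, keys=GENERALIZED_QUASI_IDENTIFIERS):
    """Release gate: every quasi-identifier combination must be shared by >= k rows."""
    return min_k(records, keys) >= k


if __name__ == "__main__":
    naive = [naive_deidentify(r) for r in RAW_RECORDS]
    print("naive: min k =", min_k(naive, RAW_QUASI_IDENTIFIERS),
          "unique rows =", len(unique_rows(naive, RAW_QUASI_IDENTIFIERS)))
    gen = [generalize(r) for r in RAW_RECORDS]
    print("generalized: min k =", min_k(gen), "release ready =", release_ready(gen))
    safe = suppress_unique(gen)
    print("after suppression: rows =", len(safe), "release ready =", release_ready(safe))
```

Run as written, the naive pass leaves all five rows unique, so every one of them could be matched against any other list holding date of birth, ZIP and sex. Generalizing fixes four of the five, but one patient (the only man in his twenties in the 902 ZIP area) is still unique, and the release gate refuses the set until that row is suppressed. The same check applied to the full field list is the practical test for the sentence above about combined data sets.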

How Specific Healthcare Professionals Can Support HIPAA in the Age of AI

The upshot is that HIPAA and AI have a complicated relationship, and regulators, software developers, and physicians must work together to ensure patient data is properly protected in the AI era.

Regulators

The industry needs clearer guidelines for protecting PHI within AI systems. In particular, regulators must set rules about who is accountable for non-compliance: the AI tool itself, the developer, or the healthcare provider.

Software Developers

Presumably, vendors working on healthcare-related tools know the basics of HIPAA compliance and the rules for business associates. However, AI tools change more than traditional software did: models learn and adapt after deployment. Health AI developers must be fully prepared to account for those changes and their effect on how PHI is handled.

Physicians

Regardless of the depth of their technology background, physicians who want to keep PHI safe in the AI era need to (1) have a basic understanding of how AI works, (2) ensure these tools are used responsibly in their practice, and (3) be transparent with patients about the use of AI in their practice. According to the AMA, physicians should also develop governance policies designed to mitigate risks of:

  • Incorrect or falsified responses
  • Training data-set limitations that could result in responses that are out of date or otherwise incomplete
  • Lack of regulatory or clinical oversight to ensure the tool’s performance
  • Bias, discrimination, or stereotype promotion
  • Data privacy
  • Cybersecurity
  • Physician liability associated with the use of generative AI tools

Ask Your AI Provider the Right Questions

HIPAA is based on five essential rules, so that’s a good place to start when developing a list of questions for any AI vendor you’re considering. Below are due diligence questions related to each of the rules. A full list of questions is available here; of course, this list is only the beginning of the conversation you should have with your AI software vendor.

  1. PHI. Does your AI system adhere to strict security measures to protect PHI from unauthorized access or disclosure? 
  2. Privacy. Does your AI solution ensure patients’ rights to access their health information and control its disclosure?
  3. Security. Does your AI model include data encryption, intrusion detection, and access controls?
  4. Breach notification. Does your solution facilitate timely detection and notification of data breaches involving PHI?
  5. Minimum necessary standard. Does your AI system use only the minimum amount of PHI required to fulfill its purpose? 

AI certainly adds a layer of complexity to safeguarding PHI, but it also opens the door to major advances in the way physicians interact with patients (AI scribes let them face the patient rather than the computer screen), run their practices (AI scheduling automatically adjusts when a doctor calls in sick), and view their bottom line (AI-assisted billing streamlines the process and reduces billing errors).

To learn more about PracticeSuite's approach to AI, visit our Artificial Intelligence page.
