Is there a HIPAA-compliant AI? What you should know before buying
Artificial Intelligence (AI), previously described as ‘the future of technology’, has now arrived in full force. Many healthcare providers want to take advantage of AI to help streamline their internal processes, assist in diagnosing patients, aid in enhancing patient experience, and effectively run their practices.
The proliferation of AI use cases and tools in healthcare has many practices struggling with data privacy and data security questions. Here are answers to some frequently asked questions about how you can use AI tools in your practice while maintaining compliance with HIPAA rules related to Protected Health Information (PHI).
Can healthcare practices use AI tools that interact with PHI?
Yes! There are two circumstances in which you can use AI tools that interact with PHI.
First, if you are using a tool for “treatment, payment, or health care operations,” this falls within permissible uses for PHI.
Second, if you want to use a tool for purposes beyond those categories, you can do so if you receive patient consent for your specific purpose.
Can healthcare practices use third-party AI tools that interact with PHI?
Yes, but again, there are a few limitations to be aware of.
First, the above limitations (the tool must (1) either fall into the specific categories of treatment, payment, or healthcare information or (2) have another purpose for which there is express patient consent) will apply to any tool, whether or not it’s provided by a third party.
Second, if you use a third-party tool, you must have a Business Associate Agreement (BAA) in place before allowing those tools to interact with PHI.
Third, you should ensure that any vendors providing such tools have adequate security measures in place to protect PHI.
Should we inform our patients that their PHI may be used in AI tools?
It is a best practice to be transparent and disclose how a patient’s PHI may be used. As you are exploring new tools, it may be a good opportunity to update your patient consents or privacy notices to include language disclosing any use of AI or AI tools in running your practice or providing services to your patients.
In addition, specific consents may be needed if you are recording phone calls (which is a common practice for providers wanting to analyze and improve patient call experiences).If you record phone calls in a two-party consent state, you should also disclose during calls that conversations may be recorded and analyzed using AI to improve services.
Is there anything else I should consider when looking at using AI tools in my healthcare practice?
If you are thinking of exploring how AI can benefit your practice, there are several things that you can do to help protect yourself and preserve your HIPAA-compliant status.
First, as described above, ensure you have entered into a BAA with any vendor or software provider that will have access to PHI. A BAA is essential to ensuring that any vendor processing PHI does so in accordance with HIPAA Privacy and Security standards.
Second, ask vendors how your data will be used and whether PHI will be used for AI purposes, including model training and development. If PHI will be used for these purposes, you would want to ensure that you have proper data protection statements in your agreements with those vendors and appropriate consents from your patients.
Third, understand what the outputs of that data will be. In order to properly support your patients and get the products and services you want, you should have a clear understanding of what the outputs of the data will be. Will you receive a report? Are you going to see an interactive dashboard of data points? Is there some other output that will be beneficial to your business?
Finally, while there are AI tools that can help improve your practice and patient experiences, it’s important that you educate yourself on AI and how and when it should and can be used. AI is not perfect and can produce errors and hallucinations. You should never fully rely on AI but instead, use it as a tool to enhance your current skills and capabilities.