- February 14, 2022
- Rashmi T K
- 0 Comments
- 51 Views
- 2 Likes
- HIPAA
Artificial Intelligence & HIPAA
Healthcare is a constantly evolving industry. With the advent of new technologies like artificial intelligence (AI) solutions the onus of data protection lies with the organization. Organizations must ensure that the technology that is being used is HIPAA compliant. There is a larger need for compliances like HIPAA to adapt to the advancements in Technology.
What is HIPAA ?The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Modern Healthcare organizations generate and collect data from users on a daily basis through various applications. They also understand the need to safeguard data but the purpose is lost as new technologies are adopted. Hence it is always better to consider HIPAA while adopting new technology and the first step would be the risk assessments.
While developers that are not ‘covered entities’ or ‘business associates’ may be able to freely use AI to make contributions and improvements to healthcare, the utility of AI in healthcare would be quite limited if the AI relied largely on consumer-generated data. To fully harness AI, ‘large quantities of images or other real world data’ is necessary to ‘train the technology’ – data that is held by HIPAA-covered entities like healthcare providers and insurersand their business associates like electronic health records vendors. Further, this data qualifies as personal health information (‘PHI’), meaning that ‘health care providers and insurers that hold this data are limited in their ability to transfer the PHI to third parties, including developers’, who will use this data for AI purposes. Covered entities and business associates are also potentially constrained in using the data for AI purposes internally.
Few Key points to remember while implementing AI
Access control to stored data: HIPAA law requires access management to safeguard protected health information (PHI). Access should only be granted to those who need it as part of their roles & responsibilities.
Data encryption: Data at rest and in transit needs to be encrypted. This is a key requirement of HIPAA. Organizations must invest in the latest encryption mechanisms to safeguard their data.
Deidentifying data: Deidentification of data is mandatory under HIPAA. De-identification is the removal of specific information about an individual that can be used alone or in combination with other information to identify that individual. Covered entity (or business associate) that wishes to disclose PHI to a third party for purposes of AI can do so in one of two ways. First, the covered entity can de-identify the data using either the Safe Harbor method or Expert Determination method, so that HIPAA requirements no longer apply to the de-identified data. However, this method is not without risk. As one observer notes, ‘de-identifying sounds like a good solution – but many health providers don’t have the time, finances, or technical know-how to strip out the patient health information. Even when they do have the necessary tools, they make mistakes which breach HIPAA. In addition, both covered entities and business associates are limited by HIPAA (and, for business associates, by the terms of their business associate agreements) in terms of permitted uses of PHI, including the use of PHI to create de-identified data.
Risk Assessments : Conduct risk assessment within your organization whenever new technology is adopted by the organization.
Update policies and procedures: When implementing new technology an organization must look at their internal policies to ensure that their procedures are HIPAA compliant.
Business associate agreement (BAA): a business associate agreement must be executed before any PHI can be transmitted. Since AI solutions have contact with PHI, an organization must have a signed BAA with the technology company before they can use any new technologies. The covered entity or business associate can disclose PHI to a third party for purposes of AI by entering into a business associate agreement or subcontractor agreement with the developer and/or other third party employing AI.