Risks and Dangers of Sharing Patient Data with AI

Sharing private information with AI tools and services can go against HIPAA compliance.

By Jeff Wardon, Jr., Assistant Editor


Patient data is already a sensitive set of information and exposing it to unauthorized third parties can open a world of regulatory troubles for the organizations involved. Because of this, the University of Iowa is advising employees to avoid sharing patient information with artificial intelligence (AI) tools and services.  

In an announcement, the hospital reminded employees that most AI tools and services, such as ChatGPT, are not HIPAA-compliant. Before such a service can be used, three things must happen: a proper security review, contracting, and a business associate agreement. Furthermore, the hospital says that improper use of AI systems could result in a HIPAA violation.

Mixing AI services and PHI can potentially lead to data breaches and HIPAA violations.   

Sensitive data is already being sought after by hackers and cybercriminals, and PHI is a prime target for them. Inputting a patient’s personal records into a service like ChatGPT gives these cybercriminals a potential avenue for accessing it.  

ChatGPT stores user conversations in its databases. If a healthcare worker were to use the service to draft a letter or any other type of patient communication, doing so may require sharing that patient's PHI. If a data breach were to hit ChatGPT, a plethora of PHI could be exposed to cybercriminals, who could then steal that data.

In addition, a breach that exposed and compromised PHI would leave health organizations open to HIPAA violations. According to the U.S. Department of Health and Human Services, PHI is protected under the HIPAA Privacy Rule, and electronic protected health information (e-PHI) is protected by the HIPAA Security Rule. Sharing records with an AI service would fall under the HIPAA Security Rule.

There are some general rules for entities covered by the HIPAA Security Rule to follow, according to the HHS: 

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; 
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information; 
  • Protect against reasonably anticipated, impermissible uses or disclosures; and 
  • Ensure compliance by their workforce. 

According to The HIPAA Journal, “Both individuals and organizations can be charged with knowingly and wrongfully disclosing individually identifiable health information without authorization if OCR (Office of Civil Rights) believes there has been a criminal HIPAA violation.” 

Furthermore, The HIPAA Journal states that the consequences for a violation can be fines, imprisonment, or both. Fines can range from a minimum of $50,000 to a maximum of $250,000, and jail time can range from one year to 10 years, depending on the circumstances of the violation.

Jeff Wardon, Jr. is the assistant editor for the facilities market.  



November 1, 2023


Topic Area: Information Technology, Security

