Risks and Dangers of Sharing Patient Data with AI

Sharing private information with AI tools and services can violate HIPAA compliance requirements.

By Jeff Wardon, Jr., Assistant Editor


Patient data is already sensitive information, and exposing it to unauthorized third parties can open a world of regulatory trouble for the organizations involved. Because of this, the University of Iowa is advising employees to avoid sharing patient information with artificial intelligence (AI) tools and services.

In an announcement, the hospital reminded employees that most AI tools and services, such as ChatGPT, are not HIPAA-compliant. To use these services, three things must happen: a proper security review, contracting and a business associate agreement. Furthermore, the announcement says that the improper use of AI systems could result in a HIPAA violation.

Mixing AI services and PHI can potentially lead to data breaches and HIPAA violations.   

Sensitive data is already being sought after by hackers and cybercriminals, and PHI is a prime target for them. Inputting a patient’s personal records into a service like ChatGPT gives these cybercriminals a potential avenue for accessing it.  

ChatGPT stores user conversations in its databases. If a healthcare worker were to use the service to draft a letter or any other type of patient communication, doing so may require sharing that patient’s PHI. If a data breach were to hit ChatGPT, it would leave a plethora of PHI potentially exposed to cybercriminals, who could then steal that data.

In addition, because of a potential breach, the exposed and compromised PHI would leave health organizations open to HIPAA violations. According to the U.S. Department of Health and Human Services, PHI is protected under the HIPAA Privacy Rule, and electronic protected health information (e-PHI) is protected by the HIPAA Security Rule. In the case of sharing records with AI, this would fall under the HIPAA Security Rule. 

There are some general rules for entities covered by the HIPAA Security Rule to follow, according to the HHS: 

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; 
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information; 
  • Protect against reasonably anticipated, impermissible uses or disclosures; and 
  • Ensure compliance by their workforce. 

According to The HIPAA Journal, “Both individuals and organizations can be charged with knowingly and wrongfully disclosing individually identifiable health information without authorization if OCR (Office of Civil Rights) believes there has been a criminal HIPAA violation.” 

Furthermore, The HIPAA Journal states that the consequences for a violation can be fines, imprisonment or both. Fines can range from a minimum of $50,000 to a maximum of $250,000. Jail time can range from one year to 10 years, depending on the circumstances of the violation.

Jeff Wardon, Jr. is the assistant editor for the facilities market.  



November 1, 2023


Topic Area: Information Technology, Security



Copyright © 2023 TradePress. All rights reserved.