Risks and Dangers of Sharing Patient Data with AI

Sharing private information with AI tools and services can go against HIPAA compliance.

By Jeff Wardon, Jr., Assistant Editor

Patient data is sensitive by definition, and exposing it to unauthorized third parties can create serious regulatory trouble for the organizations involved. For that reason, the University of Iowa is advising employees not to share patient information with artificial intelligence (AI) tools and services.

In an announcement, the hospital reminded employees that most AI tools and services, such as ChatGPT, are not HIPAA-compliant. Before one of these services may be used with patient data, three things must be in place: a proper security review, a contract and a business associate agreement (BAA). The announcement also warns that improper use of AI systems could result in a HIPAA violation.

Mixing AI services and protected health information (PHI) can lead to data breaches and HIPAA violations.

Sensitive data is already sought after by hackers and cybercriminals, and PHI is a prime target. Typing a patient's records into a service like ChatGPT places those records on a third party's systems and gives attackers another potential avenue to them.

ChatGPT retains user conversations on its provider's systems. If a healthcare worker used the service to draft a letter or any other patient communication, the prompt might have to include that patient's PHI. A data breach at ChatGPT could then expose a large volume of PHI to cybercriminals who could steal it.

Beyond the breach itself, exposed and compromised PHI would leave the health organization open to HIPAA violations. According to the U.S. Department of Health and Human Services (HHS), PHI is protected under the HIPAA Privacy Rule, and electronic protected health information (e-PHI) is protected by the HIPAA Security Rule. Records typed into an AI service are electronic, so sharing them falls under the Security Rule's safeguards, while the disclosure to an outside vendor is itself governed by the Privacy Rule.

There are some general rules for entities covered by the HIPAA Security Rule to follow, according to the HHS: 

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; 
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information; 
  • Protect against reasonably anticipated, impermissible uses or disclosures; and 
  • Ensure compliance by their workforce. 

According to The HIPAA Journal, "Both individuals and organizations can be charged with knowingly and wrongfully disclosing individually identifiable health information without authorization if OCR (Office for Civil Rights) believes there has been a criminal HIPAA violation."

Furthermore, The HIPAA Journal notes that the consequences of a criminal violation can be fines, imprisonment or both, and that they are tiered by the circumstances of the offense: fines of up to $50,000 and up to one year in prison for a knowing violation, rising to a maximum of $250,000 and up to 10 years in prison when the information is obtained or disclosed with intent to sell it or to use it for commercial advantage, personal gain or malicious harm.

Jeff Wardon, Jr. is the assistant editor for the facilities market.  

November 1, 2023

Topic Area: Information Technology , Security

Copyright © 2023 TradePress. All rights reserved.