Risks and Dangers of Sharing Patient Data with AI

Sharing private information with AI tools and services can go against HIPAA compliance.

By Jeff Wardon, Jr., Assistant Editor

Patient data is already a sensitive set of information and exposing it to unauthorized third parties can open a world of regulatory troubles for the organizations involved. Because of this, the University of Iowa is advising employees to avoid sharing patient information with artificial intelligence (AI) tools and services.  

In an announcement, the hospital reminded employees that most AI tools and services, such as ChatGPT, are not HIPAA-compliant. To use these services three things must happen: a proper security review, contracting and a business associate agreement. Furthermore, they say that the improper use of AI systems could result in a HIPAA violation.  

Mixing AI services and PHI can potentially lead to data breaches and HIPAA violations.   

Sensitive data is already being sought after by hackers and cybercriminals, and PHI is a prime target for them. Inputting a patient’s personal records into a service like ChatGPT gives these cybercriminals a potential avenue for accessing it.  

ChatGPT stores user conversations in its databases. If a healthcare worker were to use the service to draft a letter or any other type of patient communication, it may require that patient’s PHI being shared. If a data breach were to hit ChatGPT, that would leave a plethora of PHI potentially exposed to cybercriminals who can then steal that data.  

In addition, because of a potential breach, the exposed and compromised PHI would leave health organizations open to HIPAA violations. According to the U.S. Department of Health and Human Services, PHI is protected under the HIPAA Privacy Rule, and electronic protected health information (e-PHI) is protected by the HIPAA Security Rule. In the case of sharing records with AI, this would fall under the HIPAA Security Rule. 

There are some general rules for entities covered by the HIPAA Security Rule to follow, according to the HHS: 

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; 
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information; 
  • Protect against reasonably anticipated, impermissible uses or disclosures; and 
  • Ensure compliance by their workforce. 

According to The HIPAA Journal, “Both individuals and organizations can be charged with knowingly and wrongfully disclosing individually identifiable health information without authorization if OCR (Office of Civil Rights) believes there has been a criminal HIPAA violation.” 

Furthermore, The HIPAA Journal states that the consequences for violation can be either fines and/or imprisonment. Fines can range from a minimum of $50,000 to a maximum of $250,000. Then jail time can range from one year to 10 years depending on the circumstances of the violation.  

Jeff Wardon, Jr. is the assistant editor for the facilities market.  

November 1, 2023

Topic Area: Information Technology , Security

Recent Posts

The Advantages of Access Control Technology Over Traditional Formats

Access control manufacturers discuss the technology’s potential benefits.

Preparing for the Hazards of Winter Weather

Winter is here and healthcare facilities must be ready for inclement weather to prevent slips and falls.

The Leapfrog Group Announces 2023 Top Hospital and Top ASC Award Winners

132 hospitals earned the Top Hospital Award, and 27 ambulatory surgery centers earned the Top ASC Award.

Tampa General Hospital Completes Acquisition of Bravera Health

This acquisition will expand TGH’s capabilities and reach.

Protecting Healthcare Facility Workers During Winter Weather

As facility managers brace for colder weather, workplace safety must remain top of mind.


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.