Risks and Dangers of Sharing Patient Data with AI

Sharing private information with AI tools and services can go against HIPAA compliance.

By Jeff Wardon, Jr., Assistant Editor


Patient data is already a sensitive set of information and exposing it to unauthorized third parties can open a world of regulatory troubles for the organizations involved. Because of this, the University of Iowa is advising employees to avoid sharing patient information with artificial intelligence (AI) tools and services.  

In an announcement, the hospital reminded employees that most AI tools and services, such as ChatGPT, are not HIPAA-compliant. To use these services three things must happen: a proper security review, contracting and a business associate agreement. Furthermore, they say that the improper use of AI systems could result in a HIPAA violation.  

Mixing AI services and PHI can potentially lead to data breaches and HIPAA violations.   

Sensitive data is already being sought after by hackers and cybercriminals, and PHI is a prime target for them. Inputting a patient’s personal records into a service like ChatGPT gives these cybercriminals a potential avenue for accessing it.  

ChatGPT stores user conversations in its databases. If a healthcare worker were to use the service to draft a letter or any other type of patient communication, it may require that patient’s PHI being shared. If a data breach were to hit ChatGPT, that would leave a plethora of PHI potentially exposed to cybercriminals who can then steal that data.  

In addition, because of a potential breach, the exposed and compromised PHI would leave health organizations open to HIPAA violations. According to the U.S. Department of Health and Human Services, PHI is protected under the HIPAA Privacy Rule, and electronic protected health information (e-PHI) is protected by the HIPAA Security Rule. In the case of sharing records with AI, this would fall under the HIPAA Security Rule. 

There are some general rules for entities covered by the HIPAA Security Rule to follow, according to the HHS: 

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; 
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information; 
  • Protect against reasonably anticipated, impermissible uses or disclosures; and 
  • Ensure compliance by their workforce. 

According to The HIPAA Journal, “Both individuals and organizations can be charged with knowingly and wrongfully disclosing individually identifiable health information without authorization if OCR (Office of Civil Rights) believes there has been a criminal HIPAA violation.” 

Furthermore, The HIPAA Journal states that the consequences for violation can be either fines and/or imprisonment. Fines can range from a minimum of $50,000 to a maximum of $250,000. Then jail time can range from one year to 10 years depending on the circumstances of the violation.  

Jeff Wardon, Jr. is the assistant editor for the facilities market.  



November 1, 2023


Topic Area: Information Technology , Security


Recent Posts

Partnering on Personnel: Strategies for Success

Environmental services in healthcare have special staffing circumstances. They must meet stringent compliance standards and maintain accreditations.


Kaiser Permanente Opens First Two Medical Offices in Northern Nevada

These are part of its joint venture with Renown Health.


Acadia Healthcare Reports Data Breach

This incident did not disrupt Acadia’s operations or its ability to care for patients.


Site Selection Mistakes: What Not To Do

Healthcare providers that treat site selection as a strategic decision, not a simple real estate deal, will be positioned for long-term success.


High-Performance EFCO Systems Shape MUSC's New Black River Medical Center

Case study: A sweeping curved-glass entrance, impact-resistant envelope and energy-efficient fenestration support a sustainable, resilient design for one of South Carolina’s newest rural hospitals.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.