Can AI Coexist With HIPAA? How Collaboration Can Remedy the Tech-Compliance Conundrum

By John Murray, senior director, SAP.

From the daybreak of the Web to the arrival of digital well being data, the healthcare business traditionally has been gradual to embrace new applied sciences and the enhancements they’ll carry. One motive is the perceived dangers related to these applied sciences. One other is the perceived prices of implementing them.

The rise of cloud computing and synthetic intelligence presents healthcare suppliers — conventional ones like hospitals and well being methods, together with medical gadget suppliers and different entities that meet the “supplier” definition — presents the business with the same tech conundrum. As new gamers be a part of extra typical suppliers in reshaping the affected person care ecosystem, alternatives abound for them to leverage the cloud, AI and different instruments to reinvent healthcare enterprise processes, providers and the affected person expertise.

However with these upside alternatives come potential new dangers and prices, together with compliance challenges with HIPAA, a legislation that doesn’t readily reconcile with applied sciences like AI or cloud computing, which weren’t round when it was promulgated, nor with the rising range of entities now outlined as affected person care suppliers.

For this rising class of suppliers, the functions for AI and different clever applied sciences are certainly promising, for issues like predicting sure elevated dangers for sufferers, diagnosing points and recommending therapies. Generative AI (genAI) copilots pushed by massive language fashions might help decision-making about diagnoses and coverings. GenAI additionally exhibits nice promise for enhancing clinician and scientific productiveness. As versatile as it’s, AI additionally might help corporations handle their compliance obligations — and the information required to fulfill them — throughout a number of jurisdictions.

What’s extra, AI exhibits potential for connecting affected person well being with advertising, the place, for instance, based mostly on an evaluation of affected person information, AI-powered capabilities serve procuring record suggestions to sufferers for nutritional vitamins, dietary supplements, over-the-counter medicines, and so forth., after they’re in-store or procuring on-line. This clever health-based advertising appears to be like like a extremely promising frontier for corporations that may get it proper.

Danger and reward

AI’s enormous potential clearly isn’t misplaced on healthcare corporations. In a 2024 survey of 100 upper-level U.S. healthcare execs carried out by McKinsey, 72% of respondents stated their organizations are both already utilizing genAI instruments or are testing them. One other 17% stated they have been planning to pursue genAI proof of ideas. And now their AI investments have begun to repay. About 60% of those that have applied gen AI options are both already seeing a constructive ROI or count on to.

This rising embrace of AI and cloud computing introduces an entire new set of points, dangers and obligations that healthcare suppliers — and their regulators — should ponder. Guaranteeing affected person privateness and information safety in compliance with HIPAA is maybe probably the most urgent of these points. As a result of HIPAA turned legislation in 1996, properly earlier than Amazon, Google, the cloud and AI entered the tech mainstream, and properly earlier than medical gadget corporations, insurers and the Walmarts of the world have been offering some type of care on to sufferers, its provisions aren’t geared up to discern how compliance obligations and legal responsibility needs to be shared among the many varied events that now contact affected person information, together with coated entities and their enterprise associates. Because the definition of “supplier” adjustments, corporations in lots of extra industries now might contact affected person information not directly.

The growing use of AI by affected person care suppliers brings new classes of related entities into the compliance combine. That features the hyperscalers that host the cloud-based AI capabilities and enormous language fashions suppliers are utilizing, the software program/tech corporations that construct and promote these methods, and the system integrators which might be serving to suppliers implement them. Who’s chargeable for an information breach? Who owns the chance related to defending affected person data on this broader care ecosystem? It’s a true authorized quagmire with few clear solutions.

The notion of AI as an untested expertise (not less than in a healthcare context) can also be a part of the chance equation. Easy methods to deal with potential bias and hallucination threat in massive language fashions, for instance? The price of implementing cloud-based AI and different tech infrastructure, and inner resistance to embracing these new applied sciences, additionally issue into that equation.

Maximizing tech’s potential

A 2023 article within the Harvard Enterprise Evaluation contends that implementing cloud-based AI capabilities in a manner that’s compliant would require in depth cooperation amongst stakeholders throughout the healthcare panorama. “Payers, well being methods, and suppliers want to return to a standard understanding about when it’s applicable to make use of an AI utility, the way it needs to be used, and the way potential unwanted side effects can be recognized and mitigated.”

That’s a essential and worthwhile endeavor, the article’s creator concludes. “It could be sadly ironic if the U.S. well being sector lagged in reaping the advantages of this transformative new expertise.”

The problem right here is a big one: establishing broadly accepted practices, requirements and guardrails round cloud computing and AI so regulation can catch as much as and maintain tempo with expertise and the moral and safety points it raises, in addition to with the shifting affected person care ecosystem.

Essentially the most viable car for doing so, not less than right here within the U.S., could possibly be to ascertain some sort of broad stakeholder consortium, maybe led by the U.S. authorities (the FDA and/or HHS, for instance), and together with medical schools/boards, together with coated entities and their enterprise associates underneath HIPAA. The aim: develop consensus about how the obligations and liabilities related to HIPAA can be divided and executed within the AI period.

A broader embrace of the cloud and AI inside the affected person care ecosystem will increase the universe of coated entities and enterprise associates that seemingly can be touching or not less than have some function, direct or oblique, within the dealing with of affected person information. That in flip necessitates formation of enterprise networks, inside which information can move unimpeded, transparently and securely between related entities within the affected person care ecosystem.

So, for example, within the case of cell and gene therapies, a enterprise community would allow the assorted stakeholders dealing with a affected person’s therapy, from drawing a blood pattern to producing, delivering and administering the precise remedy, to securely connect with share and analyze data in a well timed and compliant method to yield the absolute best affected person end result. Every member of the worth chain thus should have the safety and data-management capabilities in place to viably take part in such a community. This similar idea would additionally apply to scientific networks.

As daunting as a few of this will sound, expertise like AI won’t stand nonetheless. So neither ought to members of the affected person care worth chain in laying the mandatory groundwork — requirements, networks, and so forth. — to take full benefit of clever applied sciences in a manner that’s compliant, worthwhile and most significantly, useful for sufferers.