Privacy Please: HIPAA and Artificial Intelligence – Part 2

With the wide‑spread implementation of electronic health records (EHRs) and the tremendous amount of electronic information being created and collected, the health care industry is a new (or not quite-so-new) frontier for Artificial Intelligence (AI). AI is finding its way onto physicians’ desks to provide information about drug interactions, and in to EHRs to pull-up requested patient records, and wearables used by health plans to track health care metrics, promote wellness and address chronic conditions. But, health care is heavily regulated – and Part 1 of this blog we explained how using AI applications and systems like those noted above may trigger a multitude of requirements for AI developers, health care providers, and health plans.

An important law that may affect AI in the health care setting is the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA), the federal law establishing a floor for privacy, security, and breach notification related to most health information. A critical threshold question is at what point does an AI vendor become subject to HIPAA? The answer has significant ramifications for both the AI vendor and the covered customer, which may be a health care provider, health plan, clearinghouse, or business associate. The AI functionality could fall along a continuum ranging from falling outside of HIPAA to triggering the business associate obligations subject to HIPAA.

Government Guidance

The Department of Health and Human Services’ Office for Civil Rights (OCR), the primary regulator that enforces HIPAA, has issued guidance (Guidance) that has implications for AI in the health care setting (even though the Guidance directly addressed app developers as opposed to AI developers). Essentially, a business associate must be: performing certain functions, activities, or services on behalf of a covered entity or business associate; and creating, receiving, maintaining, or transmitting protected health information (PHI) as part of those functions, activities, or services.

As discussed in Part 1 of this blog, OCR identified scenarios in which an AI vendor/app developer would not be deemed to be a business associate.  The last two scenarios raised by OCR in the Guidance result in the app developer/AI vendor being deemed to be a business associate and covered by HIPAA. Applying this Guidance to an app or device with AI:

• Scenario 5: A health care provider has contracted with an AI vendor for patient management services, including remote patient health counseling, monitoring of patients’ diet and exercise, patient messaging, and EHR integration. The provider instructs patients to download the app to their cell phones. In this scenario, the AI vendor is considered a business associate because the health care provider is a covered entity who is directly contracting with the AI vendor and, as part of those services, the vendor is creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity. In the AI realm, the parties should follow the agreements and money to determine whether the vendor is acting on behalf of a covered entity or a business associate (and, of course, whether the services involve PHI).
• Scenario 6: A health plan offers a health app that allows plan members to download and store health plan records, check the status of claims/coverage decisions, and document and track their general wellness information. The health plan analyzes the information uploaded through the app by its members, a key machine learning function. The AI vendor would be considered a business associate of the health plan under this scenario. The health plan is a covered entity that is contracting directly with the vendor for services, which may be branded services on behalf of the health plan. These services involve consuming, processing, creating, receiving, maintaining, and transmitting PHI. This brings the AI functionality under the HIPAA umbrella.

If, however, the vendor were to offer a separate, direct-to-consumer version of the app with the same functionality, then the consumer-oriented version would not bring the vendor under HIPAA as long as the vendor keeps the health information contained in the two versions of the app separate.

Considerations to Determine HIPAA Applicability to AI

Some AI situations clearly fall within or outside of HIPAA’s purview. Many, however, are not so clear. The Guidance is particularly helpful in that it identifies specific questions to be considered to determine whether an app developer/AI developer would be deemed a business associate subject to HIPAA. Some of these considerations seem to extend beyond a traditional HIPAA analysis. Thus, an AI developer, might consider these questions when evaluating the potential application of HIPAA to its application or system:

• Does the AI create, receive, maintain, or transmit identifiable health information?
• Is the AI functionality selected independently by the consumers? When the use of AI is in the sole control of the individual consumer, it makes the arrangement less likely to trigger HPAA.
• Who is using the AI? Who are the customers of the AI developer? For example, are the developer’s customers health care providers or health plans or are they the consumers? Again, HIPAA is more likely to attach when the AI developer is providing its services to covered entities or business associates.
• How is the AI funded? Was the AI developer hired or paid by a covered entity or a business associate? Although HIPAA did not traditionally “follow the money,” the Guidance suggests that an AI developer is more likely to be acting on behalf of a covered entity (or business associate) when the covered entity is funding the project.
• Did a covered entity or business associate direct the development of the AI product? The focus is whether the developer is acting on behalf of a covered entity or business associate.
• Are all decisions to transmit health data to third parties controlled by the consumer? Again, consumer-directed actions are less likely to implicate HIPAA.
• Does the AI developer have any contractual or other relationships with third party entities, particularly covered entities and business associates, besides interoperability agreements? The Guidance notes that interoperability agreements are not enough to create a business associate relationship; however, other arrangements may trigger HPAA.

So What?

If HIPAA applies to an AI activity, then both the AI developer and the covered entity/business associate customer must take numerous steps to comply with HIPAA. Failure to do so could result in criminal or civil enforcement actions, contractual liability, settlements, and damage to reputation, to name a few. Future blog posts will discuss HIPAA compliance obligations with respect to AI.