The use of artificial intelligence (AI) and generative AI (GenAI) in the healthcare space is skyrocketing.
GlobalData analysis reveals that the AI market in healthcare is projected to reach a valuation of around $19bn by 2027.
While the White House recently unveiled plans to “remove barriers to American leadership” with an AI action plan, for now, entrants into the healthcare space providing AI tools to healthcare providers (HCPs) must comply with the US’s Health Insurance Portability and Accountability Act (HIPAA), a regulation from 1996 that outlines rules around protecting patient healthcare data.
Aaron T. Maguregui, partner at law firm Foley & Lardner, told Medical Device Network: “HIPAA was intended to scale with time and with technology. What I don’t think HIPAA ever contemplated was the fact that AI would be able to essentially take in data from multiple sources, match it together, and create the potential for the reidentification of data that was never intended to be used for reidentification.”
Technology has far outpaced regulation, and while Maguregui does not view HIPAA as being incompatible “in and of itself”, he states that it needs updating to account for the growing technology and compute power that exists, and how data is now being used to train AI.
“An AI vendor that provides a service to a HCP that is regulated by HIPAA is a subcontractor, and their role in healthcare is very regulated, and this becomes a somewhat limiting force for AI vendors trying to innovate and move the needle with their product, because their permitted usage and disclosures of the data as regulated by HIPAA is very restrictive,” Maguregui explained.
“It’s restricted to the services that the vendor has agreed to provide, so any additional innovation, including, for example, additional training provisions the vendor may need, usually requires the HCP, and sometimes patients’, consent.”
Navigating HIPAA for HCPs and vendors
Maguregui advises clients to start with a privacy impact assessment and bake in data governance from day one.
“On the provider side, it’s important to know the types of data you have, who you’re sharing data with, and what your responsibilities with respect to that data are,” Maguregui said.
“With virtual health exploding, and clinical intake going virtual, there are chatbots and workflows that are collecting data and information almost constantly, and it is important to understand whether information is regulated by HIPAA or by state law.”
Awareness of these factors is especially important for HCPs that want to leverage an AI vendor: they have to be able to communicate to that vendor what it needs to comply with, since it will be the same regulation that the HCP has to comply with.
Maguregui continued: “In some cases, from an AI vendor’s perspective, this may seem a bit unfair, because they have to rely on another party’s assertion that they are complying with all of the laws they are required to comply with.
“The vendor then has to figure out whether they can comply with the relevant regulation and provide their service in compliance with the law and legally use the data at hand for purposes that are going to make their product better.”
The direction of HIPAA regulation
According to Maguregui, if the US cannot get on board with a single piece of federal privacy legislation, then HIPAA should be expanded to cover the other entities that interact with health information.
“We have a desegregated regime in the US where the Federal Trade Commission (FTC) tries to regulate when HIPAA does not regulate, and that leads to more confusion and results in uncertainty for vendors and HCPs alike in understanding what their roles and obligations are,” Maguregui said.
“My wish for HIPAA would be to expand and update it, to understand where technology has gone, where compute has gone, and to improve the ability for innovation, the ability for vendors to have better access to data that will help them create better products, and to ultimately improve the patient and provider experience, and healthcare overall.”
