While AI Evolves, Regulatory Rules Still Apply

Even if you have a new car with the latest technology, you still must follow the established “rules of the road.”

That was the message from US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director Melanie Fontes Rainer for healthcare organizations utilizing artificial intelligence (AI) in clinical and non-clinical operations.

Director Fontes Rainer spoke on March 11 at the AHIMA Advocacy Summit in Washington, DC, where representatives from 44 US states and Puerto Rico gathered to meet with policymakers to address pressing issues related to health data and information.

“The laws [governing health data] haven’t changed,” Director Fontes Rainer said. “HIPAA [the Health Insurance Portability and Accountability Act of 1996], Section 1557 [of the Affordable Care Act], non-discrimination in healthcare have not changed, no matter what sort of emerging technology or platform you are using. The law is still the law.”

What needs to change, she added, is how healthcare organizations are informing covered entities (payers, providers, clearinghouses, etc.) and those working with covered entities of the fact that they continue to follow these “rules of the road” as technology emerges. To keep up with technical changes, Director Fontes Rainer noted the HHS AI Task Force convened earlier this year and is led by National Coordinator for Health Information Technology Micky Tripathi.

Director Fontes Rainer said that through the task force, HHS will have a strategic plan for how it thinks about AI, and that work will be part of driving regulations. “But we also want to make sure we aren’t stifling AI,” she noted. “I want people to know that I’m not opposed to it or just want to ban it.”

US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director Melanie Fontes Rainer discusses the regulatory environment around artificial intelligence with AHIMA CEO Kevin Klauer at the AHIMA Advocacy Summit on March 11, 2024. Photo courtesy: AHIMA

In December 2023, HHS finalized its “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Rule.” The HTI-1 rule established transparency requirements for AI and other predictive algorithms as part of certified health technology used by a majority of US hospitals and office-based physicians. The rule empowers clinicians with a consistent set of information about the algorithms they use to support decision making, including details about the algorithms’ fairness, appropriateness, validity, effectiveness, and safety.

Noting that AI could play an important role in clinical trials, for example, helping to populate a database to match patients with opportunities, Director Fontes Rainer said such advancements come with the need to protect health information as well. Add to that the need to make sure the data is good and non-biased, which is where OCR comes in.

“Institutional bias should not be baked into these systems, so we really have to be on the ball and thinking about this, monitoring this, and constantly changing how we think about it,” Director Fontes Rainer said. “…If it is a machine, we have comfort that it doesn’t have bias. But it has to be instructed what to do based on the algorithms that are written and those algorithms are written by people. And people have biases. It doesn’t make us bad people …we all have unconscious or subconscious bias, but we have to make sure we interrupt that process.”

New Challenges Protecting Health Data

With recent legislation on abortion, gender-affirming care, and other health issues, OCR is seeing cases where medical records are being misused to try to track people who received certain types of healthcare and the healthcare professionals who provided it. In addition, the office is reacting to increased threats to health data via malicious cyberattacks.

In this changing data privacy climate, Director Fontes Rainer said her office, HHS, and the White House are making health data protection a priority for all citizens.  

“The HIPAA Security Rule - Love it or hate it, it’s an old law, but it was written to be adaptable, scalable, and technology neutral,” she said. “We are likely to update it because of what we are seeing in the healthcare space with cybersecurity, for example, to make it a bit tighter … but the rule continues to be enforced.”

And at the end of the day, Director Fontes Rainer added, the role of OCR is not to dole out punishment, but to provide guidance.

“Our job, my job, is not to go after you with civil monetary penalties,” she said. “I will if someone breaks the law and continues to break the law. But we really try to drive voluntary compliance. We want to work in [healthcare] spaces around the country to be sure we are informing people as best we can about how to follow the law.”