The Health Insurance Portability and Accountability Act (HIPAA) is almost 30 years old. When it was enacted, artificial intelligence (AI) was not yet part of routine healthcare functions.
With the increasing use of AI, how are the specifics of HIPAA handled by health information (HI) professionals? Does AI qualify as a business associate if there is no human interaction? What’s the impact on remote patient monitoring?
Let’s examine how HIPAA, specifically the HIPAA Security Rule, can co-exist with AI and explore practical tips for HI professionals to use in navigating this new landscape.
HIPAA, enacted in 1996, and its Privacy Rule prohibit covered entities (healthcare providers, health plans, and healthcare clearinghouses) from using or disclosing protected health information (PHI) without the individual's authorization except where the rule permits it, most commonly disclosure to the individual or “for treatment, payment, or health care operations.” The Security Rule, which applies to PHI in electronic form, establishes administrative, physical, and technical safeguards to protect it.
The technical safeguards cover the information technology (IT) side of PHI: access control, audit controls, integrity, person or entity authentication, and transmission security. The physical safeguards govern facility access controls, workstation use and workstation security, and device and media controls. The administrative safeguards require the policies and procedures that enforce HIPAA security. HI professionals should ensure that their organizations have policies covering all three categories of safeguards.
AI Capacities in Healthcare
AI is used in healthcare in many capacities. AI algorithms can be paired with MRIs, X-rays, CT scans, and other imaging data to improve the accuracy and speed of diagnosis. Algorithms and machine learning can convert patient and provider speech into written medical records, saving providers time and improving accuracy. AI can also be used to analyze large datasets for drug discovery.
Not only can this technology assist with clerical and data analysis tasks, it can also support clinical decision-making. AI is also used for remote patient monitoring with wearable devices such as activity trackers, heart rate monitors, calorie counters, glucose monitoring systems, smart pills, smart patches, and more.
This increasing use presents a conundrum: Does the HIPAA Security Rule apply to AI technologies like these?
AI technologies, such as machine learning, natural language processing, and robotics, are integrated into healthcare systems. HI professionals are divided on the question of trusting AI with patient data, and a 2025 JAMA Network Open article found that 65.8 percent of US adults reported low trust in their health care system to use AI responsibly. A practical tip for HI professionals is to have this conversation in your place of employment to understand views on AI’s use with PHI.
The Security Rule applies to covered entities (providers, health plans, and clearinghouses) and their business associates. To the extent that covered entities or their business associates use AI with PHI, they must follow HIPAA security requirements. But not all health information is created by covered entities or their business associates. Much of the health information amassed by companies like Amazon, Google, and Apple through consumer products is not covered by the HIPAA Security Rule, because in that role those companies are neither covered entities nor business associates. The same company does become a business associate, and is then bound by the rule, when it handles PHI on behalf of a covered entity, for example by hosting an AI service for a hospital under a business associate agreement. Because the rule applies only to covered entities and their business associates, it is essential that HI professionals determine who is and who is not a business associate.
If the organization accessing the PHI is a covered entity or a business associate, it needs access controls governing who and what can reach the information, even when the consumer is an AI system. The other technical safeguards apply as well: unique user identification, emergency access procedures, automatic logoff, encryption and decryption, integrity controls, person or entity authentication, and audit controls.
User identification raises a practical question when the “user” is an AI system: the system should run under its own unique identity (for example, a dedicated service account) rather than under a shared or human credential, so that its access is authenticated, scoped to its intended purpose, and attributable in the audit trail. AI should be held to the same standard for audit controls and integrity controls as human users. Encryption also deserves attention. Quantum computing, not AI itself, is the principal long-term threat to today's public-key algorithms, and NIST has published post-quantum standards to migrate to; AI tooling may accelerate cryptanalysis and attack automation. While there is fear of AI creating situations in which unauthorized people access PHI, AI can also strengthen security in encryption, access controls, and monitoring, detecting anomalies in data access patterns and potential breaches.
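The audit-control point above can be made concrete. The following is an added example written for this article, not code from the authors or from any HIPAA tool. It assumes a simple whitespace-separated access log, a naming convention in which human principals are prefixed `user:` and AI service principals `svc:`, a registry of which PHI classes each AI principal is authorized to read, and an illustrative threshold on the number of distinct patients one principal touches; the log lines are constructed, not real data.

```python
"""Audit-control check over PHI access logs where some principals are AI services.

Added example; not code from the article. The log line format, the
"user:"/"svc:" principal naming convention, the per-model scope table and the
volume threshold are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: str         # ISO-8601 timestamp of the access
    principal: str  # unique identity: "user:<login>" for humans, "svc:<model>" for AI
    patient: str    # patient identifier
    resource: str   # class of PHI touched: imaging, notes, billing, ...


# Constructed sample log (fictional patients and principals).
# "-" in the principal column means the access was recorded without an identity.
SAMPLE_LOG = """\
2025-03-01T08:00:01Z user:jdoe pt-1001 notes
2025-03-01T08:00:05Z svc:radiology-model-v3 pt-1001 imaging
2025-03-01T08:00:06Z svc:radiology-model-v3 pt-1002 imaging
2025-03-01T08:00:07Z svc:radiology-model-v3 pt-1003 billing
2025-03-01T08:01:00Z - pt-1004 notes
2025-03-01T08:01:30Z svc:scribe-beta pt-1001 notes
2025-03-01T08:02:00Z user:jdoe pt-1002 notes
2025-03-01T08:02:10Z user:jdoe pt-1003 notes
2025-03-01T08:02:20Z user:jdoe pt-1004 notes
2025-03-01T08:02:30Z user:jdoe pt-1005 notes
"""

# Registered AI principals and the PHI classes each is authorized to read.
# An AI service absent from this table has no authorization at all (assumed policy).
AI_SCOPES = {"svc:radiology-model-v3": {"imaging"}}


def parse_log(text: str) -> list[Access]:
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed audit record: {line!r}")
        accesses.append(Access(*fields))
    return accesses


def find_violations(accesses, scopes, max_patients_per_principal):
    """Return (kind, principal, detail) findings in detection order."""
    findings = []
    patients_seen = defaultdict(set)
    for a in accesses:
        # Unique user identification: every access must be attributable.
        if a.principal == "-":
            findings.append(("missing-identity", a.principal, a.patient))
            continue
        if a.principal.startswith("svc:"):
            allowed = scopes.get(a.principal)
            if allowed is None:
                findings.append(("unregistered-ai", a.principal, a.resource))
            elif a.resource not in allowed:
                findings.append(("out-of-scope", a.principal, a.resource))
        patients_seen[a.principal].add(a.patient)
    # Information system activity review: unusual breadth of patient access.
    for principal, pts in patients_seen.items():
        if len(pts) > max_patients_per_principal:
            findings.append(("volume-anomaly", principal, len(pts)))
    return findings


def run_audit(text=SAMPLE_LOG, scopes=AI_SCOPES, max_patients_per_principal=4):
    return find_violations(parse_log(text), scopes, max_patients_per_principal)


if __name__ == "__main__":
    for kind, principal, detail in run_audit():
        print(f"{kind:18} {principal:26} {detail}")
```

On the sample log the check surfaces four findings: the radiology model reading billing data it is not scoped for, an access with no identity at all, an AI service that was never registered, and a human account touching more distinct patients than the threshold. In practice the volume threshold should be set per principal, since a batch model legitimately touches far more records than a clinician does; the single threshold here is an illustration only.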
Data stored for AI use falls under the same physical safeguards as PHI held for any other purpose by covered entities and business associates. These safeguards do not apply to organizations, such as consumer technology companies, that are neither covered entities nor business associates.
Other physical safeguards described in the Security Rule include contingency operations, facility security plans, access control and validation procedures, maintenance records, and device and media controls covering disposal, media re-use, accountability for hardware and electronic media containing PHI that is moved, and data backup and storage. Contingency plans should include the possibility of an AI system operating outside its intended use, and technical security and facility access should remain controlled in the event of an AI malfunction. The potential personhood of AI as it advances should be considered with respect to access to facilities containing PHI. And if AI is used for maintenance, that should be documented in the maintenance records.
Legal Definition of Personhood
Legal personhood is not immutable: historically, even in the United States, the legal definition of personhood has changed and been given or taken away from certain humans and groups. For example, corporate personhood evolved throughout the legal history of the United States and became established law.
"Emergent capabilities" are on the horizon. These are capabilities that AI systems develop beyond what humans trained them to do. A well-established legal doctrine, often described as ultra vires ("beyond the powers"), addresses what happens when an employee acts outside the scope of their authorization: the result can be that the company is not held accountable for the wayward employee. Can humans be held accountable for AI systems' emergent capabilities? Or should the AI systems themselves be held accountable if they act outside their intended scope?
There are various regulatory schemes in different industries that establish rules for grievances in similarly nuanced legal environments. The designation of partial AI personhood could prove legally beneficial to humans.
The administrative safeguards must also be taken into consideration. AI systems that hold PHI must be included in the security management processes used by covered entities and business associates. Other administrative requirements include risk analysis, risk management, information system activity review, workforce authorization and supervision (granting access to the appropriate workers and withholding it from others), termination procedures, training programs, responding to and reporting security incidents, data backup and restoration procedures, and business associate contracts. The threat of AI acting in an unintended way must be analyzed and planned for by HI professionals in concert with their IT department.
Not all employees are authorized to access PHI; should every AI algorithm be? What should the process be for certifying an AI system before it is authorized to access PHI? These are questions for HI professionals to consider with their staff and leadership. In addition, organizations working with AI vendors must satisfy themselves that the vendor can securely maintain PHI before signing a business associate agreement (BAA) with them. AI can help train employees on HIPAA and security measures and assist in evaluating the effectiveness of the security measures in place.
De-Identified and Synthetic Data
De-identification offers a path for using PHI with AI, but it carries the risk of re-identification. PHI is “individually identifiable health information.” As defined in 45 CFR 160.103, such information must relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and must identify the individual or give a reasonable basis to believe it can be used to identify them.
AI for diagnosis, clinical decision support, and other healthcare uses must be trained on real health data to produce useful output. Data that has been de-identified under 45 CFR 164.514 is no longer PHI and falls outside the rule; data that has not been de-identified remains PHI, and its use for training must fit a permitted purpose or be authorized by the individual. AI itself complicates de-identification: even after the 18 “safe harbor” identifiers are removed, an intelligent system may find other information, such as combinations of age, sex, ZIP code area, and dates of service, or identifiers left in free-text notes, with which to re-identify the data. For organizations covered by HIPAA, the rule's other method, expert determination that the risk of re-identification is very small, may be necessary.
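To show both halves of that point, safe harbor de-identification and the residual re-identification risk it leaves, here is an added example. It is not the authors' code and not an HHS tool. The record layout, the set of quasi-identifiers checked, the reference date used for ages, and the attacker's assumed background knowledge are illustrative assumptions, and the four patient records are constructed, not real. The restricted three-digit ZIP list is the one given in HHS safe harbor guidance (based on 2000 Census data) and should be verified against current guidance before use.

```python
"""Safe harbor de-identification and a residual re-identification check.

Added example for illustration; it is not the article's code and not an
HHS tool. Record layout, the quasi-identifier set and the reference date are
assumptions; the sample records are constructed, not real patients.
"""
import re
from collections import Counter
from datetime import date

# Constructed sample records (fictional patients).
RECORDS = [
    {"name": "Ann Lee", "mrn": "MRN-0001", "dob": "1950-05-02", "zip": "10001",
     "sex": "F", "diagnosis": "E11", "admit_date": "2024-02-14",
     "note": "Call patient at 212-555-0142 or ann.lee@example.com re A1c."},
    {"name": "Bob Ruiz", "mrn": "MRN-0002", "dob": "1931-11-20", "zip": "10002",
     "sex": "M", "diagnosis": "I10", "admit_date": "2024-03-01", "note": "BP rechecked."},
    {"name": "Cara Diaz", "mrn": "MRN-0003", "dob": "1950-08-15", "zip": "10003",
     "sex": "F", "diagnosis": "J45", "admit_date": "2024-07-09", "note": "Inhaler refilled."},
    {"name": "Dan Okafor", "mrn": "MRN-0004", "dob": "1985-01-30", "zip": "05901",
     "sex": "M", "diagnosis": "E11", "admit_date": "2023-12-24", "note": "Metformin started."},
]

AS_OF = date(2025, 1, 1)  # assumed reference date for computing ages

# Columns that are Safe Harbor identifiers and are dropped outright
# (extend with phone, email, SSN, device IDs, etc. if they exist as columns).
DIRECT_IDENTIFIERS = {"name", "mrn"}

# Three-digit ZIP areas with 20,000 or fewer people per HHS Safe Harbor guidance
# (2000 Census list); these must be replaced with 000. Verify against current guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def _age(dob: str, as_of: date) -> int:
    d = date.fromisoformat(dob)
    return as_of.year - d.year - ((as_of.month, as_of.day) < (d.month, d.day))


def safe_harbor_zip(zip5: str) -> str:
    """Keep the first three digits unless the area is on the restricted list."""
    z3 = zip5[:3]
    return "000" if z3 in RESTRICTED_ZIP3 else z3


def scrub_free_text(text: str) -> str:
    """Remove phone numbers and e-mail addresses embedded in notes."""
    return EMAIL_RE.sub("[EMAIL]", PHONE_RE.sub("[PHONE]", text))


def deidentify(rec: dict, as_of: date) -> dict:
    out = {}
    for k, v in rec.items():
        if k in DIRECT_IDENTIFIERS:
            continue
        if k == "dob":                      # dates: keep only year; ages over 89 -> "90+"
            age = _age(v, as_of)
            out["age"] = "90+" if age >= 90 else str(age)
        elif k == "zip":
            out["zip3"] = safe_harbor_zip(v)
        elif k.endswith("_date"):           # service dates reduced to the year
            out[k[:-5] + "_year"] = v[:4]
        elif k == "note":
            out["note"] = scrub_free_text(v)
        else:
            out[k] = v
    return out


def deidentify_all(records=RECORDS, as_of=AS_OF) -> list[dict]:
    return [deidentify(r, as_of) for r in records]


# Quasi-identifiers: fields that survive Safe Harbor but can still be linked.
QUASI_IDENTIFIERS = ("age", "zip3", "sex", "admit_year")


def min_k(deid: list[dict], qi=QUASI_IDENTIFIERS) -> int:
    """Smallest equivalence class over the quasi-identifiers (k-anonymity)."""
    counts = Counter(tuple(r[q] for q in qi) for r in deid)
    return min(counts.values())


def link_attack(deid: list[dict], known: dict) -> list[int]:
    """Indexes of de-identified records matching an attacker's auxiliary knowledge."""
    return [i for i, r in enumerate(deid) if all(r.get(k) == v for k, v in known.items())]


if __name__ == "__main__":
    deid = deidentify_all()
    print("min k over", QUASI_IDENTIFIERS, "=", min_k(deid))
    # Attacker knows a 39-year-old man from ZIP 05901 was admitted; applies the same transform.
    print("unique match:", link_attack(deid, {"age": "39", "zip3": "000", "sex": "M"}))
```

After the transform, names, record numbers, full dates, full ZIP codes, and the phone and e-mail in the free-text note are gone, which is what safe harbor requires. The k-anonymity check nonetheless reports a minimum class size of 1: an adversary who knows only that a 39-year-old man from the restricted ZIP area was admitted recovers exactly one record and with it the diagnosis code. That gap between formal safe harbor compliance and actual re-identification risk is why the expert determination route, or further generalization of the quasi-identifiers, is often needed when data will feed a system capable of linkage at scale.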
Questions remain about the future of AI and healthcare; thus, HI professionals must be cognizant of the issues and questions so they can take part in the conversation with their IT department. Will patients have to consent to their data being used for AI? Will informed consent be needed for AI diagnosis or treatment? How certain can we be of the reliability of the datasets AI is trained on?
As the adoption of AI is still nascent, these are questions with which regulators, the public, and the industry will have to grapple. With 66.7 percent of surveyed healthcare professionals agreeing, strongly agreeing, or somewhat agreeing that AI will make HIPAA obsolete, more change is coming.
Theodore Higgins, MSHI, is an IT specialist, and Joan M. Kiel, PhD, CHPS, is Chairperson, University Healthcare Compliance & Professor Health Administration, at Duquesne University in Pittsburgh.
By Theodore Higgins, MSHI, and Joan M. Kiel, PhD, CHPS