Updated 6/9/24 at 5:12 p.m.
Let's say you receive a large stack of medical records in a personal injury case. You're short on time, and you want a quick summary. AI may not be the answer, because it raises HIPAA problems.
I tested OpenAI GPT-4o on May 14, 2024, and asked whether it complies with the Health Insurance Portability and Accountability Act for handling protected health information (PHI). The answer: "GPT-4o does not inherently encrypt or protect data specifically according to HIPAA standards during interactions." "Conversations with AI models like GPT-4o are not private or confidential in the way required for handling PHI." "There is no built-in mechanism to log access or control data handling in a manner compliant with HIPAA."
OpenAI does provide some tips to safeguard data when using PHI, including "de-identify data before processing it with AI models to reduce risk of exposure, and work with vendors and AI service providers who explicitly offer HIPAA-compliant solutions."
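To make the "de-identify data before processing" tip concrete, here is an added example of a redaction pass that a record would go through before any of it is sent to a model. This is illustration code written for this post, not code from OpenAI or any of the vendors discussed. The patient record is constructed and fictional, and the rules cover only a handful of common direct identifiers (name, dates, medical record number, phone, email, SSN, address and ZIP), not the full list HIPAA's de-identification standard enumerates; the field labels (`Patient:`, `MRN:`, `Address:`) are assumed for the sample format.

```python
"""Redact direct identifiers from a medical record before it reaches an AI model.

Added example, not code from the post or from any AI vendor. The record text and
the identifier patterns below are constructed for illustration; the rules are a
subset of the identifiers HIPAA's de-identification standard names.
"""
import re

# Constructed sample record: fictional patient, fictional identifiers.
SAMPLE_RECORDS = """\
Patient: Jane Q. Sample   DOB: 03/14/1971   MRN: 00-123456
Phone: (555) 010-2233   Email: jane.sample@example.com   SSN: 123-45-6789
Visit 05/02/2024: Lumbar strain following rear-end collision on 04/28/2024.
Address: 742 Evergreen Terrace, Springfield, IL 62704
Plan: Physical therapy 2x/week for 6 weeks; follow-up 06/13/2024.
"""


def labeled(label: str, value: str) -> re.Pattern:
    """Pattern for a 'Label: value' field: keep the label, redact only the value.
    The negative lookahead stops an already inserted [TOKEN] from matching again,
    which lets the same rules double as a post-redaction check."""
    return re.compile(rf"(?P<label>{label}\s*)(?!\[){value}")


# Most specific rules first, so a looser rule never eats part of a longer identifier
# (e.g. the SSN rule runs before the phone and ZIP rules).
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN",   labeled("MRN:", r"[\w-]+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b")),
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),   # dates tied to the individual
    ("ZIP",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
    ("NAME",  labeled("Patient:", r"\S[^\n]*?(?=\s{2,}|\n|$)")),  # value ends at 2+ spaces or EOL
    ("ADDR",  labeled("Address:", r"\S[^\n]*")),
]


def deidentify(text: str) -> tuple[str, dict[str, int]]:
    """Replace each identifier with a bracketed token. Returns (redacted text, hits per rule)."""
    counts: dict[str, int] = {}
    for token, pattern in PATTERNS:
        def repl(m: re.Match, token: str = token) -> str:
            label = m.groupdict().get("label") or ""   # unlabeled rules have no 'label' group
            return f"{label}[{token}]"
        text, n = pattern.subn(repl, text)
        counts[token] = n
    return text, counts


def remaining_hits(text: str) -> list[str]:
    """Post-check: names of rules that still match the output. Should be empty."""
    return [token for token, pattern in PATTERNS if pattern.search(text)]


def prepare_for_model(text: str) -> str:
    """Gate that only releases text which passes the post-check; raises otherwise."""
    cleaned, _ = deidentify(text)
    leftovers = remaining_hits(cleaned)
    if leftovers:
        raise ValueError(f"identifiers still present after redaction: {leftovers}")
    return cleaned


if __name__ == "__main__":
    redacted, hits = deidentify(SAMPLE_RECORDS)
    print(redacted)
    print(hits)
```

The clinical content ("Lumbar strain following rear-end collision") survives, which is what a summary needs, while every direct identifier becomes a token. The `prepare_for_model` gate refuses to release text that still matches any rule, so a record in an unexpected layout fails closed rather than leaking. A pattern list like this is only as good as the formats it has been tested on; it reduces exposure, it does not by itself make a consumer AI service a HIPAA-compliant place to put records.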
Also tested was Claude 3 Opus, the high-end AI large language model from Anthropic. When asked, "Is Claude HIPAA compliant," the answer was: "No, I am not HIPAA compliant. As an AI language model, I do not have the necessary safeguards and certifications in place to handle protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA)." The service added, "I cannot directly access, store, or transmit medical records or any other sensitive patient data. My purpose is to provide general information and assistance, but for any tasks involving PHI, it is crucial to use HIPAA-compliant services and tools that are specifically designed to ensure the privacy and security of sensitive medical information. If you require assistance with medical records or health-related queries, I recommend consulting with a healthcare professional or using a platform that is certified as HIPAA compliant."
Moving on to the Gemini service (once known as "Bard"), the following responses were received:
"HIPAA compliant: Gemini for Google Workspace can be HIPAA compliant if your organization has a qualifying Google Workspace edition and signs a Business Associate Agreement (BAA) with Google. This BAA ensures Google meets HIPAA requirements for protecting covered health information.
Not HIPAA compliant: Accessing Gemini through gemini.google.com or mobile apps is currently not HIPAA compliant. This is because these versions lack the necessary security and privacy protocols for handling protected health information."
Interestingly, the Microsoft Copilot program offered the following response:
"Yes, Copilot is committed to ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) for users subscribed to their Advanced plan. They offer a Business Associate Agreement (BAA) to facilitate this."
"To request a BAA, you need to be subscribed to the Advanced plan and then you can email them at support@copilot.com with the legal name you wish to have on the agreement.
Please note that while Copilot itself meets HIPAA compliance standards, third-party tools may not. So, exercise caution when integrating external products with your workspace."
"Copilot’s comprehensive HIPAA audit was carried out by Insight Assurance LLC, a licensed accounting firm registered with the American Institute of Certified Public Accountants (AICPA). This compliance confirms Copilot’s commitment to data security and privacy and empowers their healthcare customers to protect their patients’ health information completely."
Bottom line for now: When using any AI service (and there are many available at the consumer and business levels), be very careful. You may inadvertently be exposing HIPAA-protected health information.
-Mitch Chester