Recently, things may have sped up a little in your doctor’s office. The notes for your recent visit may have been organized and filed a little more quickly. You might have received assistance sooner than expected with a physician letter to your carrier concerning a claim. You also may have received copies of those medical records you have been waiting for, earlier than usual. Greasing the skids in these areas could be due to the use of generative AI technologies, such as ChatGPT, being leveraged in a myriad of ways across all industries, not just healthcare. But, as pointed out in this recent ScienceBlog post, some caution may be in order.

Healthcare providers and business associates subject to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA) have some steps to consider before sharing protected health information (PHI) with a third party. One that should come as no surprise is determining whether the third party is a business associate. According to OCR guidance:

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity… The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

If the third party is a business associate, sharing PHI with the third party must be preceded by entering into a business associate agreement. As a best practice, it also would be prudent to assess the cybersecurity policies and procedures of the third party as well. If the third party is not a business associate, in general, the authorization of the patient would be needed in order to share the information, unless there is a basis under HIPAA to make the disclosure without an authorization.

With ChatGPT or a similar service (offered by a third party to any physician’s office or health system), any doctor, nurse, office manager, administrator, or other staff member in a physician’s office or health system could set up an account (free or paid) and begin leveraging the large language model-based chatbot’s services. Those services might include help with various administrative tasks, such as those described above. The same might be true for workers employed by business associates providing services to physician office customers, for example.

Naturally, the question is whether ChatGPT or any similar service is a business associate under HIPAA. It may be, and it may be prepared to enter into a business associate agreement. Whether the service is HIPAA compliant would need to be an issue to assess when considering the applicable use cases that will be permitted. These are important determinations that any HIPAA covered entity or business associate needs to make before permitting the sharing of PHI on the chatbot’s platform, or that of any similar service. Of course, an alternative is to limit the use of these tools by policy and certainly provide some training. Employees at all levels of a healthcare organization simply may not appreciate flow of data, particularly considering the ease at which they could generate a quick patient letter or referral to a colleague.

For completeness, I asked ChatGPT: I am a healthcare provider, should I share patient data on ChatGPT. The chatbot responded:

As a healthcare provider, it is essential to prioritize patient privacy and adhere to data security regulations. Sharing patient data on this platform is not recommended, as it could compromise patient confidentiality. Instead, consider using secure and HIPAA-compliant communication channels for discussing sensitive patient information. If you have any medical or healthcare-related question, feel free to ask, and I’ll provide general information without requiring specific patient details.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.