This article discusses HHS’s recent NPRM regarding AI and HIPAA Security Rule compliance, outlining essential risk assessment protocols, vendor management expectations, and the integration of AI considerations into healthcare practices. It emphasizes the need for thorough inventory of tech assets and evolving strategies to maintain the security of electronic protected health information (ePHI).
In the final installment of Bradley’s blog series, we delve into how the U.S. Department of Health and Human Services (HHS) is adapting the HIPAA Security Rule to encompass the advancements of artificial intelligence (AI) and other emerging technologies. The notice of proposed rulemaking (NPRM) highlights that while traditionally the Security Rule has been technology-neutral, it now calls for specific security measures for these innovative tools, guiding the integration of AI into compliance and risk strategies.
HHS proposes that entities must conduct a meticulous inventory of their technology, highlighting AI technologies that interact with electronic protected health information (ePHI). Under the NPRM, the Security Rule now applies to both AI training data and the algorithms utilized by covered entities. Regulated entities are required to weave AI considerations into their risk analyses and update their assessments regularly to accommodate evolving technologies and organizational changes, ensuring they scrutinize how AI engages with ePHI.
Moreover, HHS stresses the importance of identifying and evaluating possible AI-related risks, including those linked to data access and processing. A lifecycle approach is recommended where entities track AI interactions with ePHI to bolster compliance. By actively monitoring vulnerabilities, regulated organizations must have a robust patch management program, ensuring that the security, integrity, and availability of ePHI remain uncompromised as they navigate technological progress.
The NPRM also advocates for the integration of AI developers in the Security Risk Analysis process. Regulated entities must enter into Business Associate Agreements (BAAs) and include BAA risk assessments in their overall security strategy. Collaborating with AI vendors facilitates a comprehensive evaluation of potential threats while also documenting respective security measures and risk management practices.
As clinicians adopt AI into their workflows for health record analysis and patient summaries, the HIMSS cybersecurity survey shows mixed governance across health organizations. Alarmingly, many lack formal approval or monitoring processes for AI utilization, leading to concerns over potential data breaches and AI bias. The NPRM therefore emphasizes a detailed risk analysis, calling for updates in procurement processes to ensure compliance with the Security Rule and alignment with best practices like the NIST AI Risk Management Framework.
Additionally, HHS’s finalized rule under Section 1557 of the Affordable Care Act necessitates that covered healthcare providers address discrimination risks stemming from decision-support tools. Therefore, as regulations become stringent, entities must enhance vendor oversight and address AI-related security vulnerabilities when utilizing software that processes ePHI.
This series on the Security Rule updates concludes here, and we’re ready to assist with any inquiries as you adapt to these changes. Explore more on the HIPAA Security Rule NPRM and the HHS Fact Sheet for valuable resources.
In summary, the proposed changes by HHS underline the significant intersection between AI technology and HIPAA Security Rule compliance. As entities must now integrate AI considerations into their risk assessments, this necessitates revised practices surrounding vendor management, risk analysis, and technology inventory management. With a focus on ensuring the security, integrity, and ethical use of electronic protected health information, the healthcare landscape is poised for a transformative shift in how AI technologies are utilized while adhering to regulatory demands.
Original Source: natlawreview.com
