Last year, the American Hospital Association (AHA) sued the U.S. Department of Health and Human Services (HHS) in the U.S. District Court of the Northern District of Texas, requesting that HHS be barred from enforcing a new rule adopted by the Office for Civil Rights entitled “Use of Online Tracking Technologies by HIPAA Covered Entities
CISA Issues Advisory on Black Basta Ransomware
On May 10, 2024, CISA, along with the FBI, HHS, and MS-ISAC, issued a joint Cybersecurity Advisory relating to Black Basta ransomware affiliates “that have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.”
The Black Basta Advisory provides information on how the threat actors gain…
OCR Issues Final Rule for Reproductive Privacy
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued its Final Rule to modify HIPAA “to support reproductive health care privacy.” The Final Rule is in response to Executive Order 14076, where President Biden directed HHS to take actions to protect reproductive health information following Dobbs v.
Forecasting the Integration of AI into Health Care Compliance Programs
*This post was co-authored by Josh Yoo, legal intern at Robinson+Cole. Josh is not admitted to practice law.
Health care entities maintain compliance programs in order to comply with the myriad, changing laws and regulations that apply to the health care industry. Although laws and regulations specific to the use of artificial intelligence (AI) are limited at this time and in the early stages of development, current law and pending legislation offer a forecast of standards that may become applicable to AI. Health care entities may want to begin to monitor the evolving guidance applicable to AI and start to integrate AI standards into their compliance programs in order to manage and minimize this emerging area of legal risk.
Executive Branch: Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
Following Executive Order 13960 and the Blueprint for an AI Bill of Rights, Executive Order No. 14110 (EO) amplifies the current key principles and directives that will guide federal agency oversight of AI. While still largely aspirational, these principles have already begun to reshape regulatory obligations for health care entities. For example, the Department of Health and Human Services (HHS) has established an AI Task Force to regulate AI in accordance with the EO’s principles by 2025. Health care entities would be well-served to monitor federal priorities and begin to formally integrate AI standards into their corporate compliance plans.
- Confidentiality and Security: Federal scrutiny of the privacy and security of entrusted information extends to AI’s interactions with data as a core obligation. This general principle also manifests in more specific directives throughout the EO. The EO also orders the HHS AI Task Force to incorporate “measures to address AI-enhanced cybersecurity threats in the health and human services sector.”
- Transparency: The principle of transparency refers to an AI user’s ability to understand the technology’s uses, processes, and risks. Health care entities will likely be expected to understand how their AI tools collect, process, and predict data. The EO envisions labelling requirements that will flag AI-generated content for consumers as well.
- Governance: Governance applies to an organization’s control over deployed AI tools. Internal mechanical controls, such as evaluations, policies, and institutions, may ensure continuous control throughout the AI’s life cycle. The EO also emphasizes the importance of human oversight. Responsibility for AI implementation, review, and maintenance can be clearly identified and assigned to appropriate employees and specialists.
- Non-Discrimination: AI must also abide by standards that protect against unlawful discrimination. For example, the HHS AI Task force will be responsible for ensuring that health care entities continuously monitor and mitigate algorithmic processes that could contribute to discriminatory outcomes. It will be important to permit internal and external stakeholders to have access to equitable participation in the development and use of AI.
National Institute of Standards and Technology: Risk Management Framework
The National Institute of Standards and Technology (NIST) published a Risk Management Framework for AI (RMF) in 2023. Similar to the EO, the RMF outlines broad goals (i.e., Govern, Map, Measure, and Manage) to help organizations address and manage the risks of AI tools and systems. A supplementary NIST “Playbook” provides actionable recommendations that implement EO principles to assist organizations to proactively mitigate legal risk under future laws and regulations. For example, a health care organization may uphold AI governance and non-discrimination by deploying a diverse, AI-trained compliance team.Continue Reading Forecasting the Integration of AI into Health Care Compliance Programs
HHS Updates Guidance on Use of Tracking Technologies with Websites and Mobile Apps
On March 18, the Office for Civil Rights of the U.S. Department of Health and Human Services issued a Bulletin updating its guidance to HIPAA-covered entities and business associates on the use of tracking technology on websites and mobile apps.
The Bulletin supplements the original guidance published by OCR in December 2022.
According to the…
HHS Addresses the Growing Influence of Artificial Intelligence in Health Care
Artificial Intelligence (AI) has emerged as a major player in the realm of health care, promising to completely transform its delivery. With AI’s remarkable ability to analyze data, learn, solve problems, and make decisions, it has the potential to enhance patient care, improve outcomes, and foster innovation in the health care industry. In this blog…
FTC and HHS Warn Hospitals and Telehealth Providers About Use of Tracking Technologies
On July 20, 2023, the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) issued letters to hospitals and telehealth providers “about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health…
HHS Seeks to Strengthen Protections of Reproductive Health Information with Proposed Changes to HIPAA
On April 12, 2023, the U.S. Department of Health & Human Services (HHS) released a Notice of Proposed Rulemaking (Proposed Rule) that seeks to enhance safeguards of reproductive health care information through changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposal is intended to align with President Biden’s Executive Order…
HHS Proposes Rule to Align Part 2 Records and HIPAA
On November 28, 2022, the Department of Health and Human Services (HHS) issued a proposed rule to modify the confidentiality protections of Substance Use Disorder (SUD) patient treatment records under 42 CFR Part 2 (Part 2) to implement statutory amendments passed under Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (42…
HHS Warns Hospitals to Fix Security Vulnerability in PACs
In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging,…