AI-ming for Better Healthcare: Legal Issues in Healthcare AI Usage
Artificial intelligence (AI) is the simulation of human intelligence processes by machines. It has revolutionized the healthcare space by improving patient outcomes in a variety of ways, and it has begun to have a positive impact on health systems and hospitals as healthcare worker burnout continues to rise. However, significant legal challenges accompany its groundbreaking nature. Hospitals and health systems have a duty to mitigate these legal challenges and to understand that AI should be used as a supplement to, not a replacement for, human intelligence.
The FTC’s Enforcement Action: GoodRx’s Failure to Protect Its Customers’ Personal Health Information
On February 1, 2023, the Federal Trade Commission (FTC) brought an enforcement action against GoodRx, a provider of telehealth and prescription drug services at discounted rates. In a first-of-its-kind action, the FTC alleged that GoodRx violated the Health Breach Notification Rule (HBNR) by sharing its consumers’ confidential health information with several advertising companies. While GoodRx already faces a $1.5 million penalty for the violation, the FTC has also proposed an order that would require GoodRx to remedy the situation and make several changes to protect confidential health information in the future.
The Quiet Corporate Health Cybersecurity Struggle Playing Out in Plain Sight
Cyberattacks on the healthcare industry have reached a fever pitch. In 2020 alone, there was a drastic increase in healthcare organization cybersecurity breaches. In 2021, the average cost of a healthcare data breach increased by over $2 million to $9.23 million. Healthcare providers continue to be the most targeted industry for cybersecurity breaches, with over ninety-three percent of healthcare organizations experiencing a data breach over the past three years. A total of 306 breaches of unsecured protected health information (“PHI”) impacting 500 or more individuals were reported to the U.S. Department of Health and Human Services (“HHS”) in 2020. Yet healthcare organizations continue to be ill-equipped to handle this growing problem.
Security Awareness — Not Just an IT and Compliance Responsibility
Since the start of 2021, cyber-attacks have dominated headlines across every industry. From governments and government organizations, healthcare companies, and banks to gaming companies and oil pipelines, ransomware has impacted organizations of all types and sizes. The scale and scope of these attacks have continued to grow and have far-reaching consequences. Despite current agency attempts to strengthen cybersecurity through regulation, individual users continue to pose a serious threat because of insufficient security education.
Stemming the Tide of Medical Information Data Breaches
Protected Health Information is seeing a surge of cybersecurity breaches due to contractor error. These breaches also affect more consumers than other kinds of data breach and, in some cases, have the power to cause chaos in national infrastructure. Advances in technology and compliance measures can stem the tide and protect the most valuable information in consumers’ lives.
What Happens When The Police Demand PHI
It happens in every emergency department: a law enforcement officer comes into the ER at two o’clock in the morning and demands to test the blood alcohol level of a patient brought in after an auto accident. The officer pulls an exhausted nurse to the side in the hope that the nurse will forget his or her training, or become anxious enough to give up the information for fear of being arrested. Yet no matter the specific facts, the question remains: can a hospital give law enforcement officers a patient’s PHI without authorization from the patient? In some situations, is it even required?
A provision of the HIPAA Privacy Rule allows, and in some cases requires, entities to disclose a patient’s PHI to law enforcement without the patient’s authorization. However, state law can complicate this picture with more restrictive regulations and guidance.
Handling a Data Breach: Equifax v Google
Google answered Amazon’s Echo Dot by recently launching its own pint-sized smart speaker, the Google Home Mini. Shortly afterward, Google was forced to disable one of the features on the Home Mini after it was discovered that a technical glitch led to nearly 24/7 audio recording. Google responded quickly and appropriately, investigating the cause and promptly releasing an update to disable the hardware responsible for the glitch. The Equifax hack – a breach of personal data including social security numbers, driver’s license information, and other credit details – exposed nearly half the country, yet Equifax waited months to respond. Upcoming European legislation that can significantly impact American companies with European Union clients may be part of the reason for their drastically different responses.
Averting Disaster: Building Regulations in the Wake of Hurricane Irma
After Hurricane Irma’s dissipation on September 15, 2017, the residents of Florida can now begin to assess the damage caused by the strongest hurricane to make landfall since Katrina in 2005. According to early estimates, Irma has caused over 62 billion dollars in damage. However, amongst the destruction there is a silver lining: the damage was significantly limited by building regulations that went into effect in 2002. Homes and buildings that would otherwise have been destroyed by Hurricane Irma were able to survive, suffering only minor damage.
Data Breaches: How Do We Keep Our Data Safe?
In the last month, multiple large-scale data breaches were reported by various entities, with 3 breaches reported in the past week alone. Unfortunately, even the most well-known entities do not stand a chance against the increasing technological abilities of bad actors. Since the Equifax breach in early September, Whole Foods, Sonic, Deloitte and the Securities and Exchange Commission, among others, have suffered similar large-scale breaches affecting consumers across the country.
Personal Information Protection Act (“PIPA”): Redefining Cyber-Security & Consumer Protection
Illinois’ Personal Information Protection Act (“PIPA”) became effective on January 1, 2017. Illinois is just one of many states that have recently strengthened their data breach notification systems and created data security laws to enhance the protection of personal information. Like other states, Illinois created stronger safeguards for personal information transmitted electronically: the act requires that all personal information provided electronically be encrypted or redacted. The amendments to PIPA (1) broadened the statute’s definition of personal information; (2) clarified the safe harbor for encryption; (3) addressed required notification to residents after a breach; and (4) established limited exemptions.