OpenAI says AI products for healthcare sector to be compliant with US' HIPAA requirements. Here's why this is important

OpenAI announced its products to help healthcare organisations deliver high-quality patient care while ensuring HIPAA compliance. Here's why HIPAA is important and how the ChatGPT-maker aims to comply with US privacy and disclosure laws for its products.

Jocelyn Fernandes
Updated 9 Jan 2026, 03:03 PM IST
OpenAI announced its products to help healthcare organisations deliver high-quality patient care while ensuring HIPAA compliance. (OpenAI)

Artificial intelligence (AI) major and ChatGPT maker OpenAI on 8 January announced its “OpenAI for Healthcare” set of products aimed at helping organisations “deliver more consistent, high-quality care for patients—while supporting their HIPAA compliance requirements”.

The products include two offerings — ChatGPT for Healthcare and OpenAI API. Notably, the company claims that both of its offerings are compliant with the United States' Health Insurance Portability and Accountability Act (HIPAA) of 1996, which ensures privacy and disclosure protections for patients.

“Advances in models have significantly improved AI’s ability to support real-world clinical and administrative work, like helping clinicians personalize care using the latest evidence. OpenAI for Healthcare helps close that gap by giving organizations a secure, enterprise-grade foundation for AI—so teams can use the same tools to deliver better, more reliable care, while supporting HIPAA compliance,” it stated.

OpenAI products include two offerings — ChatGPT for Healthcare and OpenAI API. It claims its products are outperforming other AI models. (OpenAI)

What is OpenAI offering to healthcare providers?

  • The first is ChatGPT for Healthcare which is “built to support the careful, evidence-based reasoning” while reducing administrative burden, the company stated. This has been made available throughout the US and has already been rolled out to institutions such as AdventHealth, Baylor Scott & White Health, Boston Children’s Hospital, Cedars-Sinai Medical Center, HCA Healthcare, Memorial Sloan Kettering Cancer Center, Stanford Medicine Children’s Health, and University of California, San Francisco (UCSF).
  • The second is OpenAI API, which is the software offering that will power healthcare ecosystems. The company said that “thousands of organizations have configured it to support HIPAA-compliant use”, including Abridge, Ambience, and EliseAI.

What is HIPAA? Why is it important?

According to the US Centers for Disease Control and Prevention's (CDC) official website, HIPAA establishes federal standards protecting sensitive health information from disclosure without a patient's consent.

Besides this, the act also covers health insurance coverage for workers, national standards for electronic healthcare transactions, guidelines for pre-tax medical spending accounts, guidelines for group health plans, and oversees company-owned life insurance policies.

The rules — HIPAA Privacy Rule and HIPAA Security Rule — have been issued by the US Department of Health and Human Services (US HHS) to protect patient information as per HIPAA requirements, it added.

HIPAA is significant in US healthcare as:

  • The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by entities (individuals and organisations) subject to the rule.
  • It contains standards for individuals' rights to understand and control how their health information is used.
  • It protects individual health information while allowing necessary access to health information, promoting high-quality healthcare, and protecting the public's health.
  • It permits important uses of information while protecting the privacy of people who seek care and healing.

What are the exceptions to HIPAA compliance?

According to the US CDC, the law permits disclosure without an individual's authorisation in the following situations:

  • To the individual themselves,
  • For treatment, payment, and healthcare operations,
  • For decisions related to the opportunity to agree or object to the disclosure of PHI — wherein the individual can agree, acquiesce, or object to queries.
  • When doing so is incident to an otherwise permitted use and disclosure.
  • When there is a limited dataset for research, public health, or healthcare operations.
  • When doing so is for public interest and benefit activities under 12 national priority purposes: when required by law; public health activities; victims of abuse or neglect or domestic violence; health oversight activities; judicial and administrative proceedings; law enforcement; functions (such as identification) concerning deceased persons; cadaveric organ, eye, or tissue donation; research, under certain conditions; to prevent or lessen a serious threat to health or safety; and essential government functions.

How is OpenAI ensuring compliance of its AI products with HIPAA?

OpenAI in its announcement blogpost said that its products allow clients to access management and governance through a centralized workspace with role-based access controls and organization-wide user management. “This gives healthcare organizations the governance and visibility they need to deploy AI across clinical, administrative, and research teams,” it stated.

Further, in terms of data control and support for HIPAA compliance, the company said that patient data and PHI remain under an organisation’s control, “with options for data residency, audit logs, customer-managed encryption keys, and a Business Associate Agreement (BAA) with OpenAI to support HIPAA-compliant use”.

It added, “Content shared with ChatGPT for Healthcare is not used to train models.”
