Healthcare privacy regs under pressure from new AI

Studies show how AI can facilitate data breaches at the same time as the costs of data breaches continue to mount for healthcare institutions.
Jeff Rowe

Among other things, the landmark 1996 Health Insurance Portability and Accountability Act (HIPAA) created national standards to protect individuals’ medical records and other personal health information. But the pace of change in the field of artificial intelligence (AI) is accelerating so quickly that many healthcare professionals are re-thinking the framework’s efficacy.

As a recent article at CPO Magazine explains the problem, when HIPAA was passed it “was considered a real breakthrough for health data privacy, since it forced health organizations to think in terms of protecting digital records, not just written records. But that was back in 1996, before the rise of the Internet boom, before the social media era, and certainly before the current era of artificial intelligence. In short, a lot has changed since then and the stakes are higher than ever before for health data privacy.”

For example, as the article notes, researchers at the University of California-Berkeley recently published a new study in the journal JAMA Network Open describing just how easy it is for modern AI systems to sift through thousands of medical records, connect that information with other readily accessible health data, and then determine the identity of specific individuals.

In other words, “as hard as healthcare institutions work to protect healthcare data, AI systems appear robust enough to ‘crack the code’ and determine the identity of a person. As one researcher noted, the AI system is essentially ‘putting it all back together,’ no matter the efforts made to pull out identifying health information.”

As the writer sees it, the Berkeley study “points to the development of an unofficial AI arms race in the healthcare industry. On one side will be the AI systems attempting to break into healthcare data records and link names and identities to underlying health information, and on the other side will be AI systems trying to stop them. Now that more people than ever before are using fitness trackers and smartphones for health and wellness, the risks to health data privacy appear to be escalating.”

The main reason concern over health data privacy is growing, she says, is that data breaches at covered entities are becoming more and more common. “It’s not just that hackers are going after large medical companies known to have thousands of patient records – they are also going after just about any entity with large repositories of healthcare data, including the U.S. Department of Health and Human Services (HHS). In the era of AI, what is important is the raw data. When that data can be correlated and compared against other sets of health data – that is when unique identities can be discovered.”

The bottom line, she says, is that both state laws and federal law will need to be re-thought and re-imagined for the AI era. “For the American medical and healthcare establishment, there will need to be a modern AI version of the HIPAA Privacy Rule that will require covered entities to ensure health data privacy, no matter how intelligent AI systems become.”