CHARGE
/
Insights
/
Navigating HIPAA's New Proposed AI Rule: Key Implications for Health Systems
Governance
January 13, 2025

Navigating HIPAA's New Proposed AI Rule: Key Implications for Health Systems

Sam Khan explores the newly proposed HIPAA AI rule and its impact on healthcare AI compliance.

The Department of Health and Human Services (HHS) has proposed critical updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, marking its first major revision since 2013. These updates aim to fortify cybersecurity protections for electronic protected health information (ePHI) in response to evolving healthcare technologies and increasing cyber threats. Notably, this is the first time HIPAA explicitly addresses the regulation of artificial intelligence (AI). While the proposed rule covers a wide range of cybersecurity improvements, this article specifically focuses on the implications of these updates for AI systems in healthcare.

Why the Update?

Healthcare systems face increasing cyberattacks driven by significant technological advancements and growing reliance on digital applications. HHS has identified inconsistent compliance with the existing Security Rule and aims to establish clearer, more robust regulations to ensure all entities maintain strong cybersecurity defenses. These updates are designed to:

AI in the Spotlight: New Compliance Mandates

AI technologies are reshaping healthcare, offering significant benefits, such as in diagnostic imaging, personalized treatments, and operational efficiencies. However, these advancements also introduce new vulnerabilities that require stronger oversight. Recognizing these emerging risks, the proposed HIPAA updates include specific measures designed to mitigate AI-related threats and safeguard ePHI throughout the entire lifecycle of AI systems.

Addressing AI-Specific Risks

The safety and security of AI regarding ePHI entail risk mitigation efforts across multiple areas, including cybersecurity, data privacy, and critical infrastructure. AI systems are particularly vulnerable to:

Key AI Compliance Requirements

Adoption of AI Governance Frameworks

Although the proposed rule does not explicitly mention it, an effective AI governance structure is crucial for conducting comprehensive risk analyses and complying with new AI requirements. Health systems would benefit from establishing an oversight committee—potentially led by a Chief AI Officer—along with implementing organizational policies, procedures, and technical and physical safeguards. Training workforce members based on their AI-related responsibilities and enforcing appropriate access controls are essential. The proposed rule does highlight the NIST AI Risk Management Framework as a valuable resource to help regulated entities understand, measure, and manage AI-related risks, impacts, and harms.

Timeline for Compliance

If finalized, the new rule would take effect 60 days after publication, with most regulated entities required to comply within 180 days. Additional transition time may be granted, such as for updating business associate agreements.

Request for Comment

HHS requests comment on the earlier discussion regarding the Security Rule's protection of ePHI in emerging technologies, including any advantages, disadvantages, or unforeseen effects. Additionally, HHS seeks input on the following specific considerations:

Shaping the Future of AI in Healthcare

HHS's proposed updates represent a significant step forward in securing AI systems within healthcare. While the rule broadly addresses numerous cybersecurity aspects, its focus on AI-specific safeguards highlights the growing importance of responsible AI integration. By adopting these best practices, healthcare organizations can safeguard sensitive data while harnessing the transformative potential of AI. As the healthcare industry moves toward this new regulatory landscape, stakeholders must prioritize AI compliance and actively participate in shaping responsible AI integration. The future of healthcare depends on it.

Want to learn more?

Explore more of our research and insights on health AI safety.

https://www.chargeai.org/blog/4c54576e-7cb2-417b-889c-1605c0a36562
The author
CHARGE editorial
Source

Originally published on the CHARGE blog. Republished here as part of the archive.