VanRein Compliance Podcast

AI + HIPAA: What Actually Matters (And What Doesn’t)

Rob & Dawn Van Buskirk


AI is already inside your healthcare workflows, your vendors, your phones, and your inbox. The hard part is not getting access to the tools. The hard part is using AI without quietly leaking PHI and waking up to a HIPAA breach you never saw coming.

We break down the question most teams ask the wrong way: “Is AI HIPAA compliant?” HIPAA wasn’t written for large language models, but the law still applies, and the responsibility still lands on you. We walk through how AI fits into the HIPAA Privacy Rule (who can access PHI), the HIPAA Security Rule (encryption, access controls, audit logs, and evidence), and the HIPAA Breach Notification Rule (what you must do when something goes wrong). We also talk about why “HIPAA-ready” marketing claims mean nothing without a signed Business Associate Agreement (BAA) and a real vendor risk conversation.

Then we get practical: shadow AI, staff copying PHI into chat tools, data leakage through model training defaults, and the basic governance moves that prevent all of it. You’ll hear our recommended AI acceptable use policy structure, how to build an AI inventory and risk register, what an AI risk assessment should evaluate, and why penetration testing and vulnerability scanning matter even more as regulations tighten.

If you want to move fast without losing control, subscribe, share this with a teammate who’s rolling out AI, and leave a review. What AI tool is your organization using today, and do you have a BAA for it?

Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance
You can Book a 15min Call with a Guide
Follow us on LinkedIn
Follow us on X
Follow us on Facebook


Why AI Raises HIPAA Questions

Rob

Welcome to the VanRein Compliance Podcast with Rob and Dawn. We help growing teams reduce risks, build trust, and stay audit ready without the overwhelm. This week on the VanRein Compliance Podcast, we're going to focus on AI and the HIPAA compliance laws. We've talked a lot about AI on the podcast, and obviously AI is everywhere, right? But how does that align with the current laws? And also, how do you tie in penetration testing and vulnerability scanning, like we talked about last week, and make sure you are compliant with the regulation? Well, we know AI is everywhere now, right? It's on your phone, it's on your computer, it is everywhere that you want it to be, and in a lot of places you probably don't. But every vendor now is AI powered, right? Every team is experimenting with it. Here at VanRein, we're looking at multiple large language models to see what is best for auditing, what is best for customer experience, and what is best for the team right now. But here's the real question that no one has really answered clearly. Is AI HIPAA compliant? Is this platform, this new AI that's going to ingest this information, actually going to be compliant? Do we have a signed business associate agreement? Right? Do we have all of these pieces in place? But more importantly, are you exposing your organization, without realizing it, to a HIPAA fine, to a breach, to an incident? These are the things that you really need to focus on and really think about. So today I'm going to cut through the noise and just give you true signal, right? No fluff, no fear tactics, just what actually matters when AI meets HIPAA. So, first of all, let's start here. Let's do a little reality check. Let's make sure we know what we're talking about, right? Let's make sure that we are dialed in. So when HIPAA was created 30 plus years ago, AI wasn't around, right? We all know this. And I have clients that say, hey, I was here before HIPAA.
So why do I need HIPAA? But AI was not around when HIPAA was written into law. It was written in the late 90s, before cloud, before APIs, before machine learning. So when people ask, is AI HIPAA compliant? Well, that's the wrong question, and the answer you usually get is, well, I think so, right? What you really need to ask is, does your use of AI protect PHI the way HIPAA requires? Let's remember something. The regulation is a regulation. No matter what industry comes up, whether it's AI, cloud compute, GPUs, CPUs, all of it, right? It doesn't matter. The law is the law. And at the end, you are going to be legally responsible as a compliance officer or business owner to ensure that you are compliant with that law and that you are doing the right thing. That's the game. So this means making sure that you review your vendors, right? Make sure they're not just a vendor. Make sure they're a true partner so that you both can work together and ensure you're securing the data. Do we have those business associate agreements signed? Have they been reviewed? Do we have everything where we need to be? So where AI and HIPAA align right now is this. First of all, the privacy rule. Who can access PHI? That matters. So the access control list. Is it just my team? Is it some outside partners? Is it my client? Who has access? How are they authenticating to get access to the data? Are they using SSO? Are they using Microsoft 365? Are we using Google? Are we using some other type of authentication? Are we using just simple two-factor, right? What does that really look like? So that's the first thing you need to ask yourself. The second piece is the security rule. How is the PHI protected? And this is actually going to be a big change coming in May when the new regulations come out, the new laws come out in May. The security rule is: have we actually secured the data, right? Have we actually made sure that the data was encrypted point to point, in transit and at rest?
Do we have our two-factor, our multi-factor? More importantly, can we show evidence? Can we show that we actually have the evidence in hand that states that yes, we are compliant and yes, we protected that data? The third piece is the breach notification rule. Nothing's changed. And I think there are more breaches or incidents now, as we're trying new AI, than there have been before. I still look at the HIPAA wall of shame. It still grows, it's still big. It's a thing. It really is. And it is going to grow. So what happens when things go wrong now applies to AI. If your AI tool touches PHI, if it stores PHI, if it processes that health information, then guess what? It's in scope. It is there. It is definitely within scope. And the HIPAA law requires you to secure that data and to ensure that you have a breach notification process put together. So, what does the breach notification rule look like? It states that if you had an incident and/or breach, you must do a few things. First of all, you need to review. You need to dive into that incident and determine: was it an incident or was it an actual breach? You need to identify that piece, document it, and write that report. Even if it's just quick notes on a napkin or however that looks, just get it down, put it in a Google Sheet, put it in a Word doc, get it out of your brain and put it down, making sure that we know what's going on. Next piece: if it's 500 or more records, then you must notify not only the local authorities, but also the government, the OCR, and the local media. Yep, there are three pieces. And that's where your information will be put on the HIPAA wall of shame, and that gets put up on the internet for all to see. It is a thing. So there are no excuses just because of AI, just because it's a new thing, right? Think back to cloud computing. Oh my gosh, how is this going to handle health information?
Oh, we're just going to give it to Amazon or the Googles or co-locate it and get it out of my door. I won't need to deal with it. Well, that's wrong. You are still legally responsible to deal with it. And you need to make sure that you have everything in place. Those are the key pieces with that. Next up, the next segment is really diving into the biggest risks, right? In this piece I really want to unpack the areas that are real risks that we're seeing right now with our clients. Well, the first one is shadow AI. Employees are pasting PHI into GPT or Copilot, Microsoft's Copilot, Gemini, right? Or Claude or any of the other ones out there. And there are no approvals, no controls, no tracking. That's not innovation. That's a breach waiting to happen. You've got to teach your teams how and when to use PHI appropriately, when to use their AI appropriately, so you can ensure that, A, you don't have a breach, but B, you're following your company guidelines. That's a big key piece. Because the breaches are just sitting there, they're just waiting to happen. We are now offering free, I like free, right? Free AI security training. So you can take a condensed course of our training, which is free, if I mentioned free. And in this training, you can actually get a good foundation for your team on how they can choose what to use and the proper authority and approvals to go through to ensure that they are using the proper and correct AI for your business. And the key piece is you must teach your team what to use. Give them the right guardrails, right? If you're going to build off Claude or GPT or Gemini or any of those, make sure that they understand that. The other thing, too, is your platforms, your partners, your vendors, if you want to call them that: you need to ask them what they're using. And does it fit within your stack? Does it fit within your regulations and your security internally?
Business associate agreements are key. It doesn't matter. No BAA, no business. That's how it is. It is a law. It is also a contractual obligation between two entities to make sure that, you know what, you have the right people engaged, right? You and your partner, your vendor, are working together and have the right level of security, the right level of interest and focus, to make sure that you're both protecting health information, because you both have responsibility in there, right? So make sure you're both compliant and make sure that you're dialed in together. Because if not, it's a full stop. And most AI tools today don't offer HIPAA-ready compliant frameworks for their environments. They're probably going to say it's HIPAA ready, it's HIPAA-like, it's HIPAA-ready, let's go. But you need to say, all right, send me your business associate agreement and let's have a conversation. Because once you have a legal contract to review with a vendor, which I really like to refer to as a partner, that's really where the rubber meets the road. You have to have that business associate agreement, which is key. The other piece to look at is data leakage and model training, right? This is a big problem. Where is the health information stored? Is it in the US? Is it offshore? Is it in some other data center that we don't know about? Where is the data? Is it being used to train their models? Is it accessible to others? It's kind of like how we went from on-premise to off-prem to colo to cloud compute: making sure all the departments, everything, is compartmentalized, right? Is everything separated? Is everybody secure? That's the key thing. Making sure that your data and your company are separated, making sure it's not accessible to anybody else, making sure it's all properly, you know, segregated so that your information is not shared. That is a key piece.
Because if you don't know your controls and your environment, then you've already lost the data. You've got to know where the data is. So make sure you don't just go ahead and give your data to a large language model and accept their defaults. Make sure to go in and check their security, right? Make sure to go in there today and check your Gemini and your Anthropic and your GPTs and even Perplexity, and make sure that you untick the box that says you can use my language and my information and my searches for your large language model. We don't want that. So, what you should be doing, these are the actionable items you need to be doing within your business. First up, you need to create an AI acceptable use policy. We have those, we create them for clients, we include that in the AI governance programs we put together. And it really spells out what tools are approved, what data can be used, what is strictly prohibited, and there's no guessing. That is a key piece. You need to put together the acceptable use policy, so your team, your developers, and even your clients know exactly how you're going to use AI. And please make sure to communicate it to your team. Communication, communication, communication. Your team can't read your mind. You need to tell them exactly what is expected in your environment. Next up, inventory. I like to call this the AI risk register, to pull from the ISO world, right? You can't secure what you don't know exists. There is AI everywhere. It is just plugged in, it is sucking in the data, it is taking the information. You're getting sold on it every day. So for AI and HIPAA, and even for penetration testing and vulnerability scanning, make sure you list it out. It could be as simple as a spreadsheet.
It could be as simple as platforms like VRC, where we list out all of our items, all of our tools, making sure we list out the chatbots, the automation tools, the SaaS platforms with AI embedded, making sure that those are set and dialed in, because you need to know where the data is. You need to know where the data goes. You need to make sure you have that inventory. And then you're going to look at the risk. Like, what type of data goes here? Well, I'm going to use, you know, Gemini internally to do some work within our Google Docs. Okay, great. Well, GPT we've been using for marketing. So we'll let that go. Great. Well, Claude, I'm going to use that for some data modeling. Oh, okay. Now, what type of data are we sending? Are we sending regulated data like PHI or financials? Or is it other types of data? Make sure that you know exactly what that data looks like before you give that data, before you give the key to your data, to someone else. Next, we really want to perform this AI risk assessment. I like to call it an AI risk audit. You really need to know what's going on in your environment, who has access to what. You need to evaluate the data flows, evaluate the access controls, the vendor risk, and the outputs, and make sure that you treat AI like a new workforce member. That's what we're doing here, right? We're looking at, like, how are we updating our policies? How are we making sure here at VanRein that we have the latest up-to-date information on data privacy policies globally and here in the States? What does this look like? How is it tied into the AI policies? And we know each state is creating its own AI policies. Those are things the bots do well. Go gather the data, bring it here to our team at VanRein, right? Or bring it to your team, and then your team acts as that human in the middle. And with the human in the middle, boom, you can make sure. I said boom, that's fun. That's why Dawn's here. I said boom.
Anyway, you can make sure that the data flow is correct, right? You can make sure that you're reducing the risk as you need. And also you need to make sure you lock down the PHI. Make sure everything is locked down. If AI is involved, there's data encryption point to point, end to end. Your access controls and your audit logs are there. They are secure. You have everything locked down, and everything is held to the same rules, no shortcuts. It doesn't matter if it's AI, it doesn't matter if it's just a web page, it doesn't matter if it's an application, it doesn't matter if it's your phone service, it doesn't matter what it is. The same rules apply and there are no shortcuts. Now, this one is big, because this is something that's near and dear to my heart: training. Train, train, train. This is huge. Your business's biggest risk is not AI itself, it's your people using AI incorrectly. Let me say that one more time. It's your people using AI incorrectly. You've got to make sure your team knows what to use and how to use it. Make sure you communicate clearly on what tools you're going to use, for what roles, for what data, and then go ahead and make sure that that workflow is created and that the team knows what to do. So here's where this is all going. Regulation is catching up, right? We're sitting here, as we record this podcast, a month away from May, when we're going to have a new set of regulations. There's going to be a little bit of light HIPAA, light AI in there, but what we're really going to see is a focus on penetration testing, a focus on vulnerability scanning, but then also a focus on your risk register and how the data is going to be given or provided to large language models. You're going to see more enforcement, more guidance, more expectations around AI governance. Organizations that get ahead now are going to win.
You need to stay ahead, you need to push ahead, and you're definitely going to win. It's not just compliance; it builds trust, speed, and scalability for your organization. So here's the bottom line: AI is not the risk. Uncontrolled AI is the risk. If you don't have it controlled, if you don't know where the data is going, that is the biggest risk to your environment and to your business. HIPAA is not going anywhere. It's actually going to get strengthened in May, a month from now, is what we're going to see. AI is not going to slow down. It's going to continue. So you're going to continue to see all of those bits and pieces of new AI that plug into your environment. So your job is simple: build a bridge between the two. At VanRein, this is exactly why we're building the AI governance program, which we already have. We've already built free AI governance training and security training, which you can download and get going for your team today, with certificates. And we do that in everything we do, because compliance isn't merely enough anymore. You have to be proactive and make sure that you protect that signal. Forget about the noise. There's a lot of noise out there. Forget about all the noise and what people can fix and what things can do. Remember, there's still the regulation. Remember, there's still the compliance law that you are required to adhere to. All right. Thank you so much for joining us this week on the VanRein Compliance Podcast. Until next week, have a good one.