The pace of change in the field of artificial intelligence (AI) is accelerating so quickly that regulators and legislators are having a hard time keeping up. And that’s especially true in the healthcare industry, where rapid new advances in AI technology are already starting to make healthcare professionals re-think the efficacy of the landmark 1996 Healthcare Insurance Portability and Accountability Act (HIPAA) and consider possible new protections for health data privacy.
How HIPAA established the modern foundations of health data privacy
One major result of HIPAA was the creation of the Privacy Rule, which establishes national standards to protect individuals’ medical records and other personal health information. According to HIPAA, covered entities include health plans, health care clearinghouses, and health care providers who electronically transmit any health information. Under the terms of this federal law, individually identifiable health information was known as protected health information (PHI). Healthcare providers needed to guarantee the security of this PHI, and then take timely measures to alert individuals if any identifying information had been compromised, such as through a data breach. The goal was simple: to protect health data privacy at all costs in the digital era.
At the time, HIPAA was considered a real breakthrough for health data privacy, since it forced health organizations to think in terms of protecting digital records, not just written records. But that was back in 1996, before the rise of the Internet boom, before the social media era, and certainly before the current era of artificial intelligence. In short, a lot has changed since then and the stakes are higher than ever before for health data privacy.
To underscore that fact, researchers at the University of California-Berkeley recently published a new study in the journal JAMA Network OPEN, describing just how easy it is for modern AI systems to sift through thousands of medical records, connect that information with other readily accessible health data, and then generate the identity of specific individuals. The lead researcher, Anil Aswani, noted that the study used two years’ worth of data from 15,000 Americans.
In the case of the Berkeley study, the health data being used by AI systems was step data – the sort of innocuous data that a FitBit activity tracker might collect during a workout or on a walk around town. The AI is able to identify individuals by learning daily patterns in step data, and then correlating that data with large repositories of demographic data. In short, as hard as healthcare institutions work to protect healthcare data, AI systems appear robust enough to “crack the code” and determine the identity of a person. As one researcher noted, the AI system is essentially “putting it all back together,” no matter the efforts made to pull out identifying health information.
The AI arms race
The Berkeley study is worrisome, of course, and points to the development of an unofficial AI arms race in the healthcare industry. On one side will be the AI systems attempting to break into healthcare data records and link names and identities to underlying health information, and on the other side will be AI systems trying to stop them. Now that more people than ever before are using fitness trackers and smartphones for health and wellness, the risks to health data privacy appear to be escalating.