Wade’s Healthcare Privacy Advisor for November 6, 2024

Access & Privacy

• A new law took effect Friday, Nov. 1, in Texas, requiring hospitals to ask patients about their immigration status. It’s part of a mandate from the state’s Republican Governor, who wants to know exactly how much Texans are paying to treat undocumented migrants. The new rule is raising concerns about healthcare access and privacy.

AI Governance

• The Chief AI Officer role in healthcare demands a unique blend of skills, including AI policy, business strategy, technology expertise, and domain knowledge. UC Davis Health sought a Chief AI Officer to enhance AI governance, accelerate adoption, and collaborate on AI initiatives. The role involves strategic planning, education, and oversight to ensure responsible AI implementation.
• AI accountability is a critical aspect of responsible AI development and deployment. Privacy professionals play a key role in ensuring AI governance aligns with data protection and privacy practices, addressing concerns about bias, transparency, and ethical responsibility. By collaborating with legal and other stakeholders, privacy teams can help organizations navigate the complexities of AI regulation and mitigate risks associated with AI systems.

AI Risk Management

• An Associated Press investigation revealed that OpenAI’s Whisper transcription tool creates fabricated text in medical and business settings despite warnings against such use. These tools are known to produce fabricated text, or “confabulations,” which can lead to serious consequences in medical settings, such as incorrect diagnoses and treatment plans. Despite OpenAI’s advice against using Whisper in high-risk domains, over 30,000 medical professionals are reportedly using it for transcriptions. The tool’s inaccuracies are attributed to its reliance on predicting likely text rather than ensuring accuracy, often filling gaps with incorrect or biased information.

Corporate Compliance

• The DOJ’s updated ECCP policy document now requires companies to assess AI risks and ensure compliance with criminal laws. Companies must also provide compliance staff with access to relevant data and utilize data analytics tools to enhance compliance efforts.

Cybersecurity

• Healthcare organizations need stronger cybersecurity measures, including identity and access management, patching, phishing training, and robust backup practices, as cyber attacks continue to rise. HIPAA guidance alone is insufficient, and organizations should consider following more rigorous standards like NIST or HITRUST. Assuming a breach will occur and having an incident response plan in place is crucial.

Growth & Innovation

• Texas tech companies are revolutionizing healthcare through telemedicine, wearable devices, biotechnology, and AI. These companies are making healthcare more accessible, affordable, and effective by developing innovative solutions that improve patient care and empower individuals. Texas is poised to remain a leader in health technology, driving advancements and shaping the future of healthcare.
• The OMB has issued guidance to agencies on responsible artificial intelligence acquisitions. The guidance emphasizes the importance of managing AI risks, promoting competition, and improving information sharing. Agencies are advised to identify AI early in the acquisition process, engage relevant equities, and include contractual requirements to manage AI risks effectively.
• CISA is focusing on eliminating risky software-building practices, such as default passwords and memory-unsafe languages, to enhance cybersecurity. The agency has secured over 230 voluntary commitments from software manufacturers to meet cybersecurity goals within a year. CISA is also pushing for software companies to prioritize security features like MFA and make them difficult for customers to remove.
• A recent survey of healthcare security professionals reveals that nearly one-third are unsatisfied with their existing security frameworks, highlighting the industry’s struggle to keep pace with evolving threats. Budget constraints and lack of executive support are significant barriers to implementing new technologies. Despite the challenges, healthcare facilities are increasingly adopting converged security solutions that blend digital identity, physical security, and cybersecurity measures.

Legislation

• The Colorado AI Act requires developers and deployers of AI systems to disclose their use to Colorado residents. Developers of high-risk AI systems must protect against algorithmic discrimination and provide detailed documentation to deployers. Deployers must implement risk management programs and conduct annual impact assessments to mitigate risks of discrimination.