In an era rife with disagreement over practically every facet of the health care system, there appears to be little disagreement that machine learning and artificial intelligence have significant roles to play in the future of the health care industry.
According to a 2017 survey by Healthcare IT News and the HIMSS Analytics Market Indicator, about 5 percent of health care organizations are currently using AI.
In the next five years, however, that number is expected to grow to around 50 percent.
For hospitals wanting to innovate through machine learning or AI, it is critical that they do so in a way that ensures the privacy of patient data.
How Hospitals Use AI
Although the possibilities for incorporating machine learning and AI into hospitals are nearly endless, hospitals are using this technology in two primary ways: streamlining operational issues and improving clinical prediction and diagnosis.
Operationally, hospitals use AI for everything from reducing emergency room wait times to predicting and preventing insurance claim denials to discharging patients faster. IBM found that medical staff might spend around 10 percent of their time assisting patients with non-clinical issues such as adjusting room temperature, turning off lights and answering questions about visiting hours.
Thomas Jefferson University Hospital in Philadelphia is working with Harman Audio and IBM’s Watson to develop a voice-command smart speaker built into a clock radio that ties into the hospital’s facilities management system. Patients will soon be able to ask the speaker to close the blinds rather than ring for a staff member’s assistance.
On the clinical prediction and diagnosis side, AI is being used in hospitals for everything from identifying patients at risk for stroke and sepsis to more accurately diagnosing breast cancer in biopsy tissue to customizing treatment options. El Camino Hospital in California used AI to tackle a ubiquitous hospital problem, patient falls, for which traditional prevention programs have proved unsuccessful. Hundreds of thousands of patients fall in hospitals every year, and each injury increases the cost of a hospital stay by around $14,000. El Camino Hospital partnered with a prescriptive analytics firm to develop technology that reviews large amounts of data and alerts staff when a patient is in imminent danger of falling. Six months after introducing this technology, El Camino Hospital reduced its fall rate by 39 percent.
Because there are no laws that specifically govern privacy in the machine learning or AI context, current privacy laws apply to these new technologies.
When these technologies receive or collect patients’ protected health information, hospitals must be sure to protect the privacy of that information as required by the landmark federal patient privacy law, the Health Insurance Portability and Accountability Act of 1996, or HIPAA.
HIPAA requires that hospitals safeguard patients’ protected information and accord certain rights to patients with regard to their own information; ensure the confidentiality, integrity and availability of protected health information; and protect information from potential threats.
Fortunately, the HIPAA standards were designed to be technology neutral: they do not require hospitals to use any particular technology, so hospitals may implement new and promising technologies as long as the implementation can be done in a HIPAA-compliant way.
HIPAA expressly does not preempt state laws that provide more stringent protections than HIPAA, and some individual states have begun enacting more robust laws to protect the privacy of their residents. For example, the Texas Medical Records Privacy Act requires that patients be notified specifically and in the manner prescribed that their protected health information is subject to electronic disclosure. California’s Confidentiality of Medical Information Act, in addition to providing stronger privacy protections than HIPAA, provides patients with a private right of action for violations of the act.
Additionally, hospitals might soon begin to collect biometric identifiers, such as a scan of a patient’s face geometry for use in facial recognition, to ensure that they have correctly identified the patient and matched the patient to his or her data.
A few states have begun to enact laws to protect the privacy of an individual’s biometric identifiers because, while some of an individual’s data such as a Social Security number or credit card number can be changed, changing the look of a person’s face is considerably more difficult.
Thus, for example, Illinois’s Biometric Information Privacy Act sets forth detailed consent, disclosure and destruction requirements for any private entity that captures or obtains an individual’s biometric identifiers.
How Hospitals Manage Privacy Issues
Hospitals using or developing AI have robust privacy programs, which involve routine training, audits and legal review. When they partner with third parties to conduct analytics or develop a technology, they are entering into HIPAA-compliant business associate agreements to satisfy their regulatory obligations and ensure that the third party adequately protects their patients’ privacy.
Additionally, hospitals are using their vast stores of data in a de-identified fashion to train machines to learn tasks. A computer does not need to know a patient’s name or demographic information to identify patterns indicating the existence of a tumor.
As hospitals increase their use of AI and learn to balance technology development with the privacy laws, the question becomes whether patients’ expectations of privacy will evolve as well.
—Shareholder Erin Eiselein and associate Anna-Liisa Mullis practice health care litigation at Brownstein Hyatt Farber Schreck