Blog|Articles|March 19, 2026

HHS OCR’s continued enforcement under its Risk Analysis Initiative and ChatGPT Health considerations

Fact checked by: Keith A. Reynolds

OCR’s latest HIPAA settlement spotlights risk analysis failures and how ChatGPT, AI scribes, consent laws and evidence deletion reshape compliance.

March roared in like a lion for the U.S. Department of Health and Human Services – Office for Civil Rights (HHS-OCR), which notched its twelfth settlement under its HIPAA Risk Analysis Initiative. On March 5, HHS-OCR announced a settlement with MMG Fusion, LLC (MMG), a software company that receives protected health information (PHI) from HIPAA covered entities and also communicates directly with those entities' patients.

Four items stood out as notable:

  1. A December 2020 incident in which an unauthorized actor infiltrated MMG's information system, resulting in a breach affecting 15 million individuals whose PHI was posted to the dark web.
  2. A failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to PHI and to correct any gaps.
  3. A settlement amount of only $10,000, because MMG's financial condition was taken into account.
  4. A corrective action plan and three (3) years of monitoring by HHS-OCR.

As HHS-OCR Director Paula N. Stannard stated, “As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”

This brings us to the annual HIPAA risk analysis requirement and the need to include generative artificial intelligence (GenAI), including ChatGPT and ChatGPT Health, in that evaluation. There are two ChatGPT applications to consider: a provider-based one that is linked to the medical record, and a consumer-based one. Both allow the user to delete their inquiries and their medical chat histories. Judge Rakoff's Memorandum in United States v. Heppner, 25 Cr. 503 (SDNY), held that AI-generated materials were subject to disclosure because any privilege was waived when Mr. Heppner shared information with a public-facing AI platform. In light of that ruling, what are the ramifications when people delete this information, both for meeting HIPAA requirements and for spoliation of evidence?

AI medical scribe notes raise a further concern because they are predicated on audio recordings of patient-physician conversations. This creates a built-in potential for breaches of patient privacy, as well as for inaccurate transcription. Moreover, the PHI becomes vulnerable to a cybersecurity incident or reportable breach arising from the inappropriate storage or transmission of PHI, or from the sharing of PHI with, or the marketing or sale of PHI to, third-party AI vendors.

Regardless of the AI application, providers need to be mindful of state laws, such as Texas SB 1188, which requires notice to patients when AI or GenAI is used in documentation or treatment. This ties directly into informed consent, a sine qua non of the provider-patient treatment relationship.

In sum, HHS-OCR is not slowing down its HIPAA enforcement actions, including the HIPAA Risk Analysis Initiative. The rapid adoption of AI, together with hallucinations, informed consent considerations, and patient privacy and security requirements, should not be overlooked as part of an organization's annual risk analysis.

Rachel V. Rose, J.D., MBA, advises clients on compliance, transactions, government administrative actions and litigation involving health care, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rose can be reached through her website, www.rvrose.com.