AI is Coming to Healthcare Providers; Are You Ready?
By David H. Glusman, CPA/CFF, FABFA, CFS, Cr. FA, Partner, Advisory Services
Healthcare is anticipated to be one of the top industries for artificial intelligence (AI) systems. The Massachusetts Institute of Technology (MIT) says AI has the capability to transform healthcare in many different ways:
- Patient risk stratification and disease diagnosis
- Augmenting clinical workflows and patient monitoring
- Natural language processing and data analytics
- Machine learning applications
- Interoperability in machine learning
Regardless of usage, healthcare AI applications need high-quality data sources and rigorous standards. This will be particularly critical as AI tools emerge in the electronic medical records (EMR) space. Providers must consider the steps needed to ensure that their EMR system, providers, and contractors are hyper-focused on the safeguards and procedures required to protect their patient data.
Considering the rapid pace at which AI is finding its way into healthcare, here are a few basic steps to prepare and protect your organization:
1. Establish data sharing agreements
Create a formal agreement with the EMR system provider that clearly outlines the permitted use of patient data in AI systems. Specify that the data should only be used for purposes directly related to improving healthcare quality, research, or enhancing the EMR system’s functionalities. Ensure the policy aligns with relevant privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
2. Conduct due diligence
Before selecting an EMR system provider, thoroughly research their reputation, track record, and security practices. Look for EMR systems that prioritize data privacy and have a strong commitment to safeguarding patient information. HIPAA provides one level of safeguards for patient data, but due diligence should include the following additional items:
- Formal board of directors oversight of AI, including independent supervision
- Leading AI expertise among employees
- Formal standards for validity, transparency, security, privacy, and accountability in AI applications
3. Request transparency
Ask the EMR system provider to be transparent regarding how patient data is used in their AI systems. Inquire about their data anonymization and de-identification processes to ensure the vendor protects patient identities from AI misuse. The vendor must also be transparent about the standards, algorithms, and methods used to develop the AI application.
4. Implement data access controls
Healthcare providers should have strict access controls to limit who can access patient data within the EMR system. Ensure the EMR system provider has robust security measures, such as encryption, user authentication, and audit logs, to prevent unauthorized access.
5. Monitor data usage
Regularly monitor and audit the EMR system provider’s use of patient data in AI systems. Request periodic reports on how the vendor utilizes the data and confirm that it aligns with the agreed-upon terms.
6. Stay informed about updates
Maintain open communication with the EMR system provider and stay updated on any changes or updates to their AI systems. Ensure that they promptly address any concerns or questions regarding patient data usage.
7. Train staff on data privacy and the acceptable use of AI
Educate healthcare providers and staff on data privacy best practices, including the importance of protecting patient information, the risks of data misuse, and how AI functions, or may function, in a healthcare environment. Implement policies and procedures that promote a culture of privacy and security within the organization.
8. Regularly review contracts
Regularly review the contract with the EMR system provider. Conduct this review with the help of healthcare legal experts familiar with the latest developments in AI legal protections and issues. This review ensures the contract is updated and includes all necessary amendments and additional safeguards related to patient data privacy.
9. Report any concerns
If there are any suspicions or concerns about the EMR system provider’s misuse of patient data via an AI application, discuss them with legal counsel and determine if you should report the issue to the appropriate regulatory authorities or governing bodies. This will help determine if the healthcare provider should initiate an investigation and ensure proper remediation actions are taken by management or the board.
By following these steps, healthcare providers can take proactive measures to protect patient data and minimize the risk of misuse in AI systems by their EMR system provider.
AI is here, and it isn’t going away. Healthcare providers must take proactive measures to prepare for both anticipated and unanticipated uses of healthcare data. By preparing for the inevitable, healthcare providers can offer patients better experiences while reducing risk for themselves.