Lawmakers raise questions about security of health data shared with AI tools

Sen. Bill Cassidy, R-La., speaks during a Senate Health, Education, Labor and Pensions Committee hearing in Dirksen building on Wednesday, February 25, 2026. Tom Williams/CQ-Roll Call, Inc via Getty Images

“I do think there's some consumer safeguards that should be implemented,” Sen. Bill Cassidy, R-La., said about the way AI firms may apply users’ healthcare data. 

Several lawmakers raised questions on Thursday about whether federal guardrails are needed to protect Americans’ healthcare data that is voluntarily uploaded into artificial intelligence-powered tools, including how best to address related privacy considerations.

While medical devices and tools using AI capabilities are covered by HIPAA in healthcare settings, other third-party technologies — such as wearable devices or apps that users can download — do not have to abide by the same standards. 

During a Senate Health, Education, Labor and Pensions Committee hearing, members of the panel from both parties said the lack of security around these types of AI-powered tools raises broader concerns about the integration of this type of data into Americans’ medical records, and whether or not additional regulatory measures are necessary.

Sen. Bill Cassidy, R-La., the committee’s chairman, said “it seems as if the future promise of these records would include AI giving clinical support,” but questioned “how can we take this information, upload it and allow it to be worked with by AI?”

“Who's liable?” he added. “Who gets to use the data that flows from it that might be for financial gain? What are the privacy issues? Have you all thought about these issues? Because ultimately, the promise of AI is that it's able to make us healthier, at least in health care and using medical records.”

Thomas Keane — assistant secretary for technology policy and national coordinator for health information technology at the Department of Health and Human Services — noted that HHS issued a request for information in December seeking public input “on how AI can be safely and effectively deployed in the healthcare system so that it is aligned with current standards.”

He said feedback solicited through the RFI would play a major role in informing any future regulatory measures. 

“We have so far received hundreds of responses and submissions that will help guide not only our policy and how AI can be deployed, but also the policies of our sister agencies, and we're happy to share that information with Congress as well, so that we can deploy this effectively and responsibly,” Keane added. 

Within the Trusted Exchange Framework and Common Agreement — or TEFCA — network, which was created by HHS and works to promote interoperability in the exchange of electronic health information, there are guardrails around what providers can do with patients’ data. These include restrictions on reselling information or sharing it with marketers. But Keane said “once a patient gets control of their information, they have freedom to do with it what they want.”

Cassidy said he didn’t think Americans fully understand the risks posed by sharing information with these third-party AI technologies, warning in a hypothetical scenario that uploaded genetic data could then be used to redline a person’s relatives for healthcare coverage. 

“Even though we have a law against it, somehow they can work around [it] because they now have access to my genetic data,” he said. “So, I do think there's some consumer safeguards that should be implemented, like a box that pops up, ‘Your data uploaded will be boom-boom-boom, now accessible for marketing,’ unless you say not.”

When pressed by Cassidy about whether HHS could use its current authorities — or needs additional congressionally-mandated authorities — to address privacy risks associated with inputting personally identifiable information into AI tools, Keane said “I don't think that we are able to regulate data that the patients have consented to be released.”

“What I can say is that the standards that we promulgate create a clean surface on which any future regulation or legislation can actually act effectively,” he added.

Sen. Angela Alsobrooks, D-Md., also questioned whether additional protections are needed to “ensure these technologies are safe, transparent and trustworthy for clinicians and patients,” including if “the current authorities across HHS are sufficiently growing the use of AI in clinical settings, or are these gaps in the federal framework that Congress should be paying attention to?”

Keane said he believes “that our RFI will surface that,” but that “we have sufficient authorities to certify health IT and to manage the nationwide network that we oversee to make sure that the AI that's deployed is safe and effective.”