Update Your Business Associate Agreement for AI

Lisa Ritter, CPA, CFE, CITP, Partner

A Business Associate Agreement (BAA) is a contract between a HIPAA (Health Insurance Portability and Accountability Act) covered entity and a third party that performs services involving Protected Health Information (PHI). The BAA outlines how the third party may use PHI, what safeguards must be in place, and what is required in the event of a breach.

PHI includes the following:

  • Names
  • Addresses
  • Birth dates
  • Social Security numbers
  • Medical records
  • Health insurance information
  • Other data that can be used to identify a patient

PHI must be protected when it is transmitted or maintained in any form.

Failing to have a BAA in place or exposing PHI can lead to penalties. Penalties for exposing PHI are structured into four tiers, based on the level of culpability and whether the violations were corrected in a timely manner. Fines range from a minimum of $141 per violation to a maximum of $2,134,831 per violation.

The current business climate introduces new risks and responsibilities because Artificial Intelligence (AI) has become widely available. Third parties may use AI to deliver services, but the PHI they receive may also be used to train or improve AI models. Your BAA should clearly define what data can be used and for what purpose.

Consider the following when drafting and updating your BAA:

  • Define AI use cases clearly.
  • Prohibit secondary use of PHI for AI training unless explicitly authorized.
  • Mandate security protocols for AI systems, including encryption and access controls.
  • Require subcontractor compliance if the AI vendor uses third-party services.
  • Include transparency clauses for decision making, especially in clinical contexts.

As artificial intelligence reshapes every industry, the responsibility to protect patient data becomes critical. By proactively addressing AI in BAAs, organizations can ensure that the privacy of PHI is maintained.
