HIO-301 basics - Certified HIPAA Security Updated: 2023

Regulatory Outlook

HIPAA

HIPAA, which was enacted in 1996, had many different goals, including making insurance transferable upon leaving employment, enabling electronic billing for medical costs, and, the most famous result, the authorization of federal privacy rules for health information. The Department of Health and Human Services (HHS) then made two regulations: the HIPAA privacy rule, which regulates private health information, and the HIPAA security rule, which regulates the manner in which healthcare providers control and protect health information.

Covered Entities

The organizations controlled by the HIPAA privacy regulation are called covered entities. A covered entity is any healthcare provider that electronically bills for its services. This covers almost all healthcare professionals. It also means that most medical device companies are not covered entities. However, some medical device firms that sell to patients and bill Medicare may qualify as covered entities and be bound by HIPAA. For example, a company that sells insulin pumps to patients and bills Medicare would be a covered entity. Some companies may have a subsidiary that is a covered entity while the rest of the company is not covered; such companies are called hybrids. The company can wall off the subsidiary, which is a covered entity, so that only that part of the company is bound by HIPAA.

Covered Information

HIPAA defines the covered information as PHI, which is any health-related information that may identify a patient. HIPAA takes an expansive view of what may identify a person. There is a list of 18 identifiers. Besides the traditional identifiers such as name, address, phone number, social security number, etc., there are some device-related identifiers, such as serial number or date of service when the device was used, that have proven quite to difficult to deidentify.

Almost any information from a patient file has to be carefully scrutinized to be sure it is not PHI. The definition is wider in the United States than it is in the European Union (EU), where more-traditional identifiers are used. Member nations of the EU are governed by the EU Directive on Data Privacy.

Disclosure of PHI

Authorization is the term used for a patient to allow some disclosure or use of PHI. HIPAA determines authorized uses of PHI by covered entities and what disclosures of PHI may be made. The HIPAA privacy regulation outlines when a covered entity must obtain authorization from the patient or approval from an institutional review board (IRB) or privacy board.

Note that the EU uses the term consent for this document while HIPAA uses authorization. For device companies, there may be an informed consent document created to comply with FDA clinical rules or the HHS Common Rule. This consent document may have a HIPAA authorization built into it, but the HIPAA authorization is not called a consent.

With several exceptions, a covered entity may use PHI within its organization without restriction by HIPAA. However, when it discloses information outside its boundaries, the covered entity must comply with the HIPAA privacy regulation's limitations and authorization requirements. The covered entity may disclose to third parties without authorization for three HIPAA-specified activities: treatment, payment, or healthcare operations (TPO).

Treatment. Treatment refers to communication of PHI needed to treat the patient, such as information flow between the covered entity and another healthcare provider, e.g., another doctor who is treating the patient. A general practitioner and a specialist may discuss their joint patient for the purpose of treatment without activating any authorization requirements under HIPAA. This treatment exception could involve a medical device company. For example, if a technical representative from a medical device company takes part in a surgery to help use or train surgeons on the company's equipment, that participation is part of treatment and does not require an authorization. Although it is wise to notify the patient before exposing his or her data or personal information to a company representative, there is no specific HIPAA requirement to do so under these circumstances.

Payment. Payment refers to the process of obtaining payment from payers such as insurance carriers. Although covered entities routinely ask for consent to disclose information to payers, and there may be consent requirements at the state level, there is no need for a HIPAA authorization for billing.

Healthcare Operations. The term healthcare operations refers to the internal mechanics of running the covered entity. PHI may be transmitted as part of normal business operations. For example, the covered entity may use PHI for internal quality assurance improvement practice.

Business Associates

Sometimes a covered entity receives assistance in performing activities that involve the use or disclosure of PHI under HIPAA. The person or entity providing the help is called a business associate. A covered entity may enter a business associate agreement (BAA) with another person or company that is providing services to the covered entity with regard to TPO. For example, the covered entity might outsource its billing department to a third party. In such a case, the covered entity would engage that biller with a BAA.

It is very unusual for a medical device company to need a BAA with any covered entity. In the early days of HIPAA, covered entities were wholesale shipping BAAs to everyone they purchased from. Since then, HHS has made it clear that the normal relationship between a medical device provider and a covered entity does not require a BAA.

It is only when a medical device company is acting on behalf of a covered entity that it needs a BAA. One narrow example is when a covered entity is prescreening patient records in preparation for research. It can do that without an authorization. However, if the covered entity allows a third party, such as a device company, onto its property to do such preliminary searching on the covered entity's behalf, it may then need a BAA to protect the PHI that the device company will access.

Access to PHI

There are a number of access points to PHI for a device company. Some information is necessary for the device company to have and some is thrust upon it. Common ways to be exposed to PHI include the following.

Treatment. As a device company, you have a role in treatment. For example, as previously discussed, a device company representative may attend the actual use of a device. Or, a doctor may call the OEM's technical services staff with questions about how a particular patient's anatomy or medical symptoms could affect the use of the company's device. Even though no name is given, the medical data may include HIPAA identifiers. Such treatment interactions between the medical device company and the covered entity are part of the treatment exception to HIPAA and therefore require no special authorization.

Accidental Exposure. A device company field representative may accidentally be exposed to PHI while at the site of a covered entity. For example, the representative might inadvertently see a patient chart while in a doctor's office. HIPAA calls this incidental disclosure. HIPAA allows such action without any repercussions under the regulation. Remember that PHI is still private and the company representative should not disclose what is accidentally seen to anyone else.

Clinical Trial or Other Research Information. There are three main routes for obtaining PHI from a covered entity for research: authorization, partial waiver from an IRB, or deidentification.

The most common way to obtain research data is through patient authorization. An authorization is built into the informed consent document in most medical device clinical trials. Once a company is in the process of having a patient sign a consent form, it is not much extra work to include the additional elements required for a HIPAA-compliant authorization. This method makes it possible to obtain wider access to use of the data. Most device companies want to harness the data to Improve future generations of devices and not just the immediate use. Such usage can be accounted for in a signed authorization.

A partial waiver means asking an IRB to allow PHI of a limited nature to be disclosed without a patient's authorization. For example, the site could strip out all directly identifiable information such as names, addresses, etc. The remaining identifiers might technically identify the patient, but the IRB may determine that the risk is low and allow disclosure without patient authorization. However, this process has proven difficult in practice simply due to the bureaucracy that has to be managed; companies have found the IRB interface to be too slow and laborious to use often.

Deidentification requires removing all 18 identifiers from the PHI, which can be difficult for device research. For example, because device serial numbers are often needed to correlate to other records, they are a hard identifier to do without. Similarly, dates of visits are often needed to correlate to device performance over time. However, deidentification is still a viable option for some research.

Compliance with FDA Regulations. A specific section of the HIPAA privacy regulation allows a covered entity to disclose information to a device manufacturer in order for the manufacturer to report to a public health agency, such as FDA. This exception is crucial because it allows a covered entity to communicate with a manufacturer to follow up on a complaint, provide data for a medical device report, track devices, or use information needed for quality system regulation compliance.

PHI after Disclosure

Once outside a covered entity, HIPAA rules no longer apply to this information. In fact, this must be stated in every HIPAA authorization. However, there are myriad state laws that control PHI in different forms, and if the PHI is obtained under a BAA, there are contractual obligations as well. Therefore, a device company should only take PHI when needed and must safeguard it, i.e., only those who truly need access to PHI should be allowed to see it. Device companies must also establish procedures to prevent accidental disclosure.

Conclusion

HIPAA has definitely made research more difficult for device companies. Each time that a company considers accessing PHI, it needs a thorough HIPAA analysis. Initially, device companies feared that the public health exemption was not broad enough and that covered entities would resist releasing the necessary PHI. However, over time, covered entities have cooperated and have generally allowed access to PHI that device companies need for compliance with FDA regulations. Therefore, life is more difficult with HIPAA, but certainly not impossible.

Copyright ©2009 Medical Device & Diagnostic Industry

Obtaining a CPC, CCA, or CBCS certification implies that an individual has met competencies in the field of medical billing and coding. Certification is invaluable to the student's career goals. Students have an opportunity to make confident, informed decisions about the national certification they prefer.

The Certified Professional Coder (CPC) test is offered by the American Academy of Professional Coders (AAPC). It is the gold standard entry-level coding certification for physician, or professional fee, coders.

The Certified Coding Associate (CCA) is offered by the American Health Information Management Association (AHIMA). It is an entry-level medical coding certification across all settings--physician practices and inpatient hospital.

The Certified Billing and Coding Specialist (CBCS) is offered by the National Healthcareer Association (NHA) and is currently an entry-level medical billing certification for physician practices. In the summer of 2021, the test will transition to an entry-level billing and coding certification, with the inclusion of ICD-10-CM, CPT, and HCPCS Level II testing.

Obtaining a CPC, CCA, or CBCS certification implies that an individual has met competencies in the field of medical billing and coding. Certification is invaluable to the student's career goals. Students have an opportunity to make confident, informed decisions about the national certification they prefer.

The Certified Professional Coder (CPC) test is offered by the American Academy of Professional Coders (AAPC). It is the gold standard entry-level coding certification for physician, or professional fee, coders.

The Certified Coding Associate (CCA) is offered by the American Health Information Management Association (AHIMA). It is an entry-level medical coding certification across all settings--physician practices and inpatient hospital.

The Certified Billing and Coding Specialist (CBCS) is offered by the National Healthcareer Association (NHA) and is currently an entry-level medical billing certification for physician practices. In the summer of 2021, the test will transition to an entry-level billing and coding certification, with the inclusion of ICD-10-CM, CPT, and HCPCS Level II testing.

The Army is expanding its pre-basic training course this month so that soldiers who fall below the service's physical fitness and academic standards can try to clear both hurdles at once -- rather than choosing one or the other track -- before entering boot camp.

And a new Army pilot program that is part of the so-called Future Soldier Preparatory Course, or FSPC, will also provide the pre-boot camp help to a small number of candidates whose entrance test scores fall below even the substandard scores required of others in the course.

The pre-basic course is designed to help recruits who are physically out of shape or have trouble taking tests -- and to get new soldiers into the Army as the service struggles with a historic recruiting slump. Until now, recruits could attend fitness or academic pre-basic training programs.

Read Next: 2023 Ain't 2022: More Americans Signing Up with Army Guard, Internal Docs Show

After several months of experience with the pilot program, and a success rate well over 90%, leadership is tweaking it to get more out of the pre-training by offering the two combined programs to prospective recruits. That means help getting into shape and scoring well on the Armed Services Vocational Aptitude Battery, or ASVAB.

"The graduation rate for both tracks is greater than 95%," Lt. Col. Randy Ready, a spokesperson for the U.S. Army Center for Initial Military Training, said in an email statement to Military.com. "From August 2022 to early May 2023, more than 8,500 students have attended or are currently attending the course, of which 6,188 students have already graduated and shipped to basic combat training."

Meanwhile, an adjustment to the academic portion of the FSPC has expanded eligibility to nearly all prospective recruits.

When the pre-basic training course was established in August, it was open to recruits with an ASVAB score between 21 and 30. An expansion to Fort Moore, Georgia, in January opened it to recruits with scores between 31 and 49. Now, a small pilot program that is capped at 100 has been started for recruits with ASVAB scores between 16 and 20.

Story continues

"The recruits in the limited pilot are not eligible for Dual Enrollment," an Army official with the Office of the Assistant Secretary of the Army, Manpower and Reserve Affairs, wrote in an email to Military.com. "They will only participate in the Academic Track of the FSPC."

It's an urgent problem encountered by military recruiters: trainees who have trouble meeting body fat standards, and those scoring low on the Army's job placement test.

The pool of civilians available for recruiting has shrunk to the lowest levels in years. The lack of qualified civilians has hurt recruiting, and Army leaders worry that it will affect readiness at a dangerous and chaotic moment in history.

Recruitment is "a critical readiness priority for us right now. We are challenged by the fact that a small number of young Americans, 23%, are qualified to serve," Gen. Randy George, vice chief of staff of the Army, said during testimony at a House Armed Services subcommittee meeting in April.

The FSPC was designed to alleviate two big stumbling blocks to joining the military: body fat requirements and low scores on the ASVAB, a test that gauges recruits' suitability for various jobs. By expanding the pool of people who could become pre-recruits and locking them into a training pipeline, the Army hopes to put more than 10,000 potential people per year in uniform.

Furthermore, it hopes to do so in a way that allows recruiters flexibility in matching recruits with interesting employment.

Recruits who have trouble with weight can focus on developing their fitness level. They have a discrete amount of time to reduce their body fat percent to within 2% of the required standard, after which they are sent to basic training.

Recruits who have trouble achieving a satisfactory score on the ASVAB go into a program focused on the basic academic skills needed to perform adequately on the test. Those who test lower than they would like are also offered an opportunity to go through the course. Upon finishing, they are offered an opportunity to renegotiate their contract, having qualified for other jobs.

While the FSPC promises substantial improvements to the recruiting pipeline and force generation, it doesn't solve a bigger dilemma facing the Army: how to grapple with cultural shifts.

The number of eligible prospective soldiers has been falling for more than a decade. About 71% of Americans were assessed as ineligible for service in 2017, and a Pentagon study in September found that 77% of young people would not qualify for military service without a waiver due to being overweight.

The decrease from already troubling numbers between 2017 and 2022 has been attributed partly to the pandemic -- when many young adults were not able to play team sports. Also, the end of the war in Afghanistan in 2021 played a role, reducing the perception among eligible young civilians that there was any urgent need to join, as there wouldn't be any fighting.

Experts have described this situation as a threat to the all-volunteer military.

Leaders hope that optimizing FSPC will help the Army achieve its recruiting goals, though time will tell whether it can produce enough soldiers to offset the problem of finding fit recruits.

"The secretary of the Army and the chief of staff of the Army have been clear that we are not going to trade quality for quantity," Ready said. "The basic standards for becoming a new soldier have not changed; rather, this program helps [provide] those young men and women who are struggling to meet the Army accession standard the help they need to overcome their personal challenge."

-- Steve Beynon contributed reporting.

-- Adrian Bonenberger, an Army veteran and graduate of the Columbia University Graduate School of Journalism, reports for Military.com. He can be reached at adrian.bonenberger@monster.com.

Related: Army Expanding Pre-Boot Camp Course for Overweight and Low-Scoring Applicants

This hands-on training emphasizes practical machine shop skills. At the end of the training, participants will have acquired basic machining theory, and will be able to accomplish basic machining tasks and other machine shop practices.

This training program also serves as a prerequisite for a higher level training program where students learn professional level skills in machining and fabrication. A firm prerequisite of this training program is passing the SFU safety course (or equivalent).

Scott Thompson has been writing professionally since 1990, beginning with the "Pequawket Valley News." He is the author of nine published books on syllabus such as history, martial arts, poetry and fantasy fiction. His work has also appeared in "Talebones" magazine and the "Strange Pleasures" anthology.

Articles, blog posts, and discussions about ChatGPT have flooded exact legal news. ChatGPT is a dialogue-based AI technology that provides textual responses to users’ natural language queries through an online chatbot interface. Although the technology is not new and varying degrees of AI have been present in our existing technologies for decades, AI research firm OpenAI made ChatGPT freely available for public use in late 2022 (and in March 2023 released a paid version powered by the improved algorithm GPT-4), showing the world the vast potential of state-of-the-art AI.

ChatGPT does not actually understand human conversation. Rather, it is powered by a large language model (LLM). LLMs are trained on enormous quantities of text (many trillions of words), spanning a variety of sources, to assign probabilities to word sequences, enabling the technology to predict text. After the model is equipped with this ability, humans pose questions to the model and rank its responses to teach the model the difference between accurate and acceptable responses and inaccurate and improper responses (such as hate speech).

LLMs are only as good as the data and training they receive. While the publicly accessible version of ChatGPT is impressive, its responses are often incorrect and unreliable, particularly when it comes to answering legal questions. However, the model continues to learn. Open AI has other, more powerful commercial offerings, and many competitive products are in development and rapidly emerging. In fact, AI-generated content is not limited to text. Other AI-generative technologies on the market are capable of creating images, music, and even video.

The public release of ChatGPT has sparked an inflection point for AI technology, prompting companies and their officers to ask many different legal questions concerning the technology’s use. Unfortunately, the answers are few and far between, because courts are only now being asked to apply existing law to these new technologies.

Practical Law asked a panel of leading practitioners to share their insights on key legal issues that ChatGPT and similar generative AI technologies present in the areas of:

(For more on key litigation issues in the context of generative AI, including the potential uses in litigation and risks and ethical issues for litigators, see ChatGPT, Generative AI, and LLMs for Litigators in the May 2023 issue of Practical Law The Journal.)

Q&A with Jeffrey Neuburger at Proskauer

The ChatGPT terms of use address rights in the questions posed by users (Input) and the content that ChatGPT provides in response to those inquiries (Output) by stating, “As between the parties and to the extent permitted by applicable law, you own all Input, and subject to your compliance with these Terms, OpenAI hereby assigns to you all its right, title and interest in and to Output.” While this license is a broad grant of OpenAI’s rights in the Output, it is not clear that the company has any IP rights in the Output to grant.

This point is reiterated in official Copyright Office policy, as currently stated in the Compendium of U.S. Copyright Office Practices (3d ed. 2021). There, the Copyright Office states that it “will not register works produced by a machine or mere mechanical process that operates randomly or automatically without any creative input or intervention from a human author” (see also In re Trade-Mark Cases, 100 U.S. 82, 94 (1879) (stating that copyright law only protects “the fruits of intellectual labor” that “are founded in the creative powers of the mind” and for a particular work to be classified “under the head of writings of authors … originality is required”); Burrow-Giles Lithographic Co. v. Sarony, 111 U.S. 53, 58-60 (1884) (describing copyright as being limited to “original intellectual conceptions of the author” and stressing the importance of requiring an author who accuses another of infringement to prove “the existence of those facts of originality, of intellectual production, of thought, and conception”)).

This exclusion of AI-created works from copyright protection does not necessarily extend to human-created works that only incorporate some AI-created elements. For example, the Copyright Office granted a copyright registration (orig. Reg. VAu001480196, canceled and reregistered as Reg. TXu001480196) for a comic book, Zarya of the Dawn, that contains AI-produced images. The registration covers the text and the author’s selection, coordination, and arrangement of the work’s written and visual elements but not the images themselves. Similar reasoning may apply to allow copyright protection for human-authored software that incorporates instances of AI-created commands or programs (though each registration would be a case-by-case inquiry).

Notably, the Zarya of the Dawn author argued that the images should also be protected because they created the text prompts that guided the AI, made various decisions about each AI-generated image, and revised selected images to suit their needs. The Copyright Office analyzed the AI application at issue and concluded that, unlike a tool that an author controls and guides to create a desired image, the AI application generated images in a way that was unpredictable and out of the user’s control. While it is possible that other AI offerings may require a greater degree of human control or authorship, in this case, the user’s contribution to the images was held to be insufficient original authorship to qualify for copyright protection.

These principles are discussed at length in a exact guidance released by the Copyright Office, Copyright Registration Guidance: Works Containing Material Generated by Artificial Intelligence (Guidance) (88 Fed. Reg. 16,190 (Mar. 16, 2023)). The Guidance sets out the Copyright Office’s view that copyright can protect only material that is the product of human creativity and that protectability of works including AI-generated content will be evaluated on a case-by-case basis. (For a summary of the Guidance, see Copyright Office Issues Registration Guidance on AI-Generated Content on Practical Law.)

One practical takeaway is that creators wanting to own copyright rights in their works (either to financially benefit from them or to be able to prevent others from copying the works) should consider whether to limit or avoid use of AI to generate content.

Similar to copyright ownership, the US Patent and Trademark Office (USPTO) has denied patent applications covering an AI-created beverage holder and light beacon because they were not human inventions. The Federal Circuit affirmed the USPTO’s decision (Thaler v. Vidal, 43 F.4th 1207 (Fed. Cir. 2022)). However, the USPTO has indicated that it is open to the possibility of AI-assisted inventorship and requested public comments on the subject (88 Fed. Reg. 9492 (Feb. 14, 2023); for more information, see USPTO Seeks Comments on Artificial Intelligence and Inventorship on Practical Law).

(For more on patenting AI inventions, see Artificial Intelligence: Patentability Considerations and Patenting Artificial Intelligence Inventions on Practical Law.)

The risk that OpenAI’s ChatGPT Output is infringing on others’ IP rights is an open million-dollar question and at the heart of several ongoing lawsuits against the company. For example, OpenAI is a defendant in litigation involving:

OpenAI makes no assurance that ChatGPT’s Output does not violate the rights of others, so this too is an open question. This issue may be reminiscent of the days of Napster, where rightsholders brought suit against the file-sharing service and its users who uploaded or trafficked in infringing copies of copyright works (although it should be noted that ChatGPT users were not involved in the original training and fine-tuning of the AI model and now have the option to disallow ChatGPT from using their inputs for future training purposes).

Fair use is a case-by-case analysis that turns on the nature of the challenged use and, among other things, the four fair use factors (for more information, see Copyright Fair Use on Practical Law).

Given that fair use is highly fact sensitive, one would need a deeper understanding of how each generative AI program trains and accesses works, how an output is displayed, how similar the output is to original works, and whether the user’s prompts evinced an intent to create an unauthorized derivative work. One could also imagine defendants citing older fair-use software cases that involved accessing source code without authorization and where disassembly of the code is the only way to gain access to the functional ideas within for interoperability purposes (for example, Sega Enters. Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992)).

Unlike copyright and patent, trademarks need not be created by a human author to be protectable. The language of the Lanham Act describes the universe of marks in the broadest of terms. ChatGPT might therefore be a useful resource for businesses that want to conjure possible ideas for marks that are available and not previously registered with the USPTO.

(For more on AI and its relevant IP considerations, see Artificial Intelligence: Key Legal Issues in the January 2023 issue of Practical Law The Journal.)

Q&A with Karla Grossenbacher at Seyfarth

ChatGPT could be a meaningful replacement for certain low-level tasks that require written work product in instances in which inaccuracy of the content would not give rise to legal or ethical issues. For example, ChatGPT may be leveraged to create content for cover letters, thank you letters, job descriptions, FAQs, and basic memos and PowerPoints on well-defined, discrete, and uncomplicated issues. However, it is not advisable to use ChatGPT for creating content that:

Setting aside what aspects of an employee’s job duties could be replaced by ChatGPT, employers have important decisions to make about the extent to which they want employees to use ChatGPT. Although it has the ability to perform certain tasks and free up employees’ time, ChatGPT should not be used for these purposes because employees may then:

There are two primary risks:

As discussed above, ChatGPT should not be used to provide legal advice or create documents that require the use of professional legal judgment. This can create a risk of malpractice claims if the information is inaccurate or otherwise flawed.

Using ChatGPT to create an employment policy is less problematic. In practice, HR professionals often search for and obtain draft policies from the internet and then revise them and have them reviewed by counsel before implementing them. Conceivably, an employment law attorney could do the same. The real issue is making sure that before the attorney presents a draft policy to a client, they have reviewed it and made any necessary changes based on their professional legal judgment.

Q&A with Avi Gesser and Megan Bannigan at Debevoise & Plimpton

Sharing confidential or sensitive company or client information with ChatGPT or other generative AI tools can pose many of the same risks that are associated with sharing that kind of information with any third party, such as that:

Before a company allows its employees to use generative AI tools, it should understand who at the AI developer can view data that the company inputs in the tool, the circumstances under which the data can be viewed, and whether the data is shared with anyone else, is used to train the model, and could be accessed by other users of the model. This information may be found in the Terms of Use and related documents (for example, the content policy, usage policy, sharing policy, and publication policy), which may provide a means by which users can opt out of having inputs added to training data for the model.

It is possible that limitations that the AI developer places on who can access input data and how it can be used will reduce or eliminate some of these risks.

Generative AI tools can be extremely useful for certain tasks, but they also can make mistakes or omit important information from certain responses. Getting commercial value from generative AI tools requires understanding what tasks they are good at, how to use them properly for those tasks, and what human review or approval is appropriate for ensuring quality control and risk mitigation for the tasks.

If a vendor is using a generative AI tool for work that it is doing for a company, the company should understand:

Some of these controls may be handled informally with the vendor, and some may need to be memorialized in contractual terms (for example, a requirement that the vendor disclose all proposed uses of generative AI for company work before actually using them, and a prohibition on inputting sensitive data about the company, its employees, or its clients into a generative AI tool).

The FTC recently published a blog post on its intention to pursue claims regarding false advertising for AI tools, entitled Keep Your AI Claims in Check, that identifies certain practices in marketing AI that may result in regulatory scrutiny, including:

Q&A with Robert Newman at Reed Smith

Generative AI tools are built on large quantities of data, often pulled from disparate sources, including across the open internet. Given this scale, it is likely that personal information will be included in certain data sets. Depending on the source and type of data involved, a patchwork of privacy laws and regulations may apply to both the development and use of generative AI tools, including:

Key privacy considerations include matters relating to consent, the scope of what constitutes personal information, data security, lawful grounds for collection and processing, data minimization, fairness, transparency, bias, individual choice, profiling, and automated decision-making.

Omnibus State Privacy Laws

In the US, omnibus state privacy laws continue to proliferate, with new or updated laws becoming effective in 2023 in at least California, Colorado, Connecticut, Utah, and Virginia. Consumers have a variety of rights under these laws, and these rights can be implicated in the context of generative AI. For example, consumers have the right to make requests to access, delete, and correct their personal information, and both developers and providers of generative AI tools will need to consider how to operationalize those requests in applicable jurisdictions.

State laws such as the CCPA require the provision of a notice at the point of collection of personal information, which can pose challenges to the development of generative AI tools. However, a recently expanded definition of publicly available information as an exception to the definition of personal information in the CCPA may be helpful in the context of certain data. (For more information, see California Privacy Toolkit (CCPA and CPRA) on Practical Law.)

Notably, the privacy policies for some generative AI tools specifically provide that material that is input into the tool through prompts may be used to Improve the tool. Accordingly, including personal information in those prompts can give rise to obligations under omnibus state privacy laws. Assessing the applicable generative AI platform terms and policies can help organizations determine how data input into open text prompts may be regulated or classified under the various laws. Additionally, the datasets used in generative AI models may include sensitive personal information for which opt-in consent could be required under laws such as the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Virginia Consumer Data Privacy Act (VCPDA).

Certain uses of generative AI can also implicate laws specifically regulating the use of automated decision-making technologies and profiling. For example, most of the omnibus state privacy laws in the US give consumers the right to opt out of profiling that aids decisions that produce legal or similarly significant effects concerning a consumer. The extent to which these laws apply to the use of generative AI tools depends on the use case, but they will require companies to be thoughtful in how and when generative AI tools are used.

These laws may also require an increased level of transparency about the inner workings of the underlying systems and algorithms. The California Privacy Protection Agency is currently working on a second set of regulations, which will focus in part on automated decision-making. As this technology increases in popularity, regulators are likely to enact additional laws specifically relating to AI and automated decision-making, such as the recently enacted New York City Automated Employment Decision Tool law (N.Y.C. Local Law No. 2021/144), which regulates the use of AI tools in connection with employee hiring.

(For a collection of resources to assist counsel in advising clients about US state-specific privacy, data protection, and cybersecurity laws, see State Data Privacy Laws Toolkit on Practical Law.)

Unfair and Deceptive Acts and Practices Laws

State unfair and deceptive acts and practices laws and Section 5 of the Federal Trade Commission Act (FTC Act) will also play a role in privacy and security enforcement in connection with generative AI, particularly with respect to disclosures relating to the use of such technologies. Additionally, developers and users of generative AI should be mindful that sector-specific US privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), and industry-specific rules may apply in a given context.

GDPR

From a GDPR perspective, developers of generative AI tools should consider the lawful basis for the processing of personal information needed to train their underlying models. Certain generative AI developers have identified legitimate interests to justify both model training and improvement of services. However, this lawful basis is not necessarily clear-cut and additional conditions need to be met if special category data is involved.

Recently, Italy’s Data Protection Authority (the Garante) suspended the use of ChatGPT. The regulator found that OpenAI lacked any legal basis to utilize certain publicly available information used to train its underlying model. The Garante highlighted several additional matters, including insufficient notice, data inaccuracies, and the lack of age verification to protect children.

Companies must also consider data subject rights obligations under the GDPR, with challenges presented by the large quantities of disparately sourced data that may be used to train the tools. As with the US omnibus privacy laws, individual rights to access, delete, and correct data also pose challenges under the GDPR. From a practical perspective, because information may be collected in significant quantities from across the web, identifying whether an individual’s data was collected and used may be challenging. (For more on the GDPR, its lawfulness of processing requirement, and data subjects’ rights, see Overview of EU General Data Protection Regulation on Practical Law.)

The EU Artificial Intelligence Act is currently pending, which will bring more formal regulation directly to the use of AI, including generative AI.

AI hallucination is generally viewed as a confident response from an AI engine that does not have a clear basis in its training data. In other words, it is a wrong response that nevertheless appears to be convincing. Because these responses may appear to be accurate and are provided with a sense of authority, users may erroneously rely on this output.

Mistaken reliance can have significant impacts in a wide variety of contexts, including health, employment, education, and law enforcement. This reliance, especially without a full understanding of the underlying model or seeing the sources of the output, can result in the proliferation of misinformation. Regulators contemplated these issues even before the exact rise in AI popularity, highlighting extra precautions companies should take when using automated decision-making in situations involving potential risk of harm to individuals.

Because much of generative AI is built using data sources pulled from the open internet, bias that may exist in this content could result in bias flowing through to the output. Businesses may be able to gain more control when leveraging smaller or more specialized generative AI platforms and have visibility into the content that is used to train the models. Some existing generative AI providers use human-level reinforcement in connection with training and work to optimize models based on human interaction and corrections.

Industry groups and some governments have proposed their own safeguards or implementation guidance aimed at identifying and managing bias. For example, the US government published the AI Bill of Rights in 2022, which outlines a framework that could be leveraged in connection with developing AI.

Companies using publicly available generative AI tools will likely want to:

Can companies distinguish themselves on data privacy, security, anti-discrimination, or other bases when using generative AI?

The explosive popularity of generative AI tools ostensibly makes these tools targets for attacks and exploitation. Given the centralized nature of data storage and the very large databases used in connection with generative AI tool development, these databases may be of increased value for malicious actors. Users may also learn to ask questions of generative AI tools that will elicit responses that include personal information or even sensitive personal information.

While this is a rapidly evolving area, there are several steps companies can take to help distinguish themselves in connection with generative AI. For example, users of generative AI can:

(For a collection of resources to assist counsel with the legal issues raised by AI, see Artificial Intelligence Toolkit on Practical Law.)

Company Further Expands Virtual Training, eLearning, and High-Consequence Meetings to Healthcare and Regulated Industries

WASHINGTON, May 31, 2023--(BUSINESS WIRE)--Class Technologies, Inc., the global leader in synchronous virtual classrooms, announced today that its flagship product is now HIPAA (Health Insurance Portability and Accountability Act) compliant. This achievement was made possible with the company’s recently acquired CoSo Secure Private Cloud, which has been granted the HIPAA Seal of Compliance by The Compliancy Group.

HIPAA Certification will allow Class to:

• Further expand support for virtual training and eLearning across healthcare providers and other regulated industries
  

• Provide organizations that must work with HIPAA-compliant vendors the ability to add virtual classroom and learning tools to their virtual meetings safely and confidently
  

• Support distributed workforces and healthcare professionals, with added security, privacy, and compliance protection

"Class now offers healthcare customers and those in highly regulated industries the assurance of HIPAA compliance and security to protect their highly sensitive information," said Michael Chasen, CEO of Class. "Achieving and maintaining HIPAA compliance demonstrates our continued commitment to expanding Class offerings into markets where customers demand, and are required to comply with, the most stringent regulatory and security requirements."

The Compliancy Group’s Seal of Compliance is the recognized third-party HIPAA compliance verification standard for healthcare institutions, vendors, and IT professionals across the healthcare industry. The Seal of Compliance verifies and validates technologies that satisfy rigorous HIPAA regulations. Organizations licensing the Class platform operating within CoSo’s Secure Private Cloud will have the necessary regulated precautions in place to protect sensitive information including PII, healthcare records, and HIPAA-specific data.

Story continues

"Through the integration of Class into the CoSo Secure Private Cloud, healthcare and pharmaceutical organizations engaged in virtual training are able to secure private, sensitive, and personal information such as medical history, and customer data to dynamically conduct highly sensitive activities," said Glen D. Vondrick, former CEO and now GM of CoSo Cloud, a Class company. "With rigorous safeguards and security measures, the Class platform hosted by CoSo Cloud is now fully compliant with HIPAA regulations to ensure customers’ confidential information is fully protected."

About Class Technologies, Inc.

Class is software developed by Class Technologies Inc., a company founded by edtech pioneer Michael Chasen. Class enables the secure and active learning of 10M+ users from 1,500+ institutions worldwide and is the largest provider of virtual classroom software for education. Class is headquartered in Washington, DC, with staff around the world. Schedule a demo at class.com and follow us on Instagram, Twitter, and TikTok at @WeAreClassTech.

About CoSo Cloud

CoSo Cloud LLC, a wholly owned subsidiary of Class Technologies, provides secure private-cloud managed services, custom software applications, and expert professional services for high-consequence virtual training and eLearning. Global enterprises and government agency customers rely on CoSo to complete their Adobe Connect, Captivate Prime, and Class.com solutions when security, compliance, and reliability requirements demand more from virtual meetings and learning management systems. CoSo Cloud is an Adobe, Class Technologies, SAP, and Zoom partner.

View source version on businesswire.com: https://www.businesswire.com/news/home/20230531005435/en/

Contacts

Jordan Slade
MSR Communications
Jordan@msrcommunications.com

© 2023 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.