ChatGPT and HIPAA Compliance

In the United States, where healthcare providers are subject to the HIPAA Privacy Rule, the use of ChatGPT with protected health information could lead to stiff penalties.

ChatGPT has garnered a great deal of attention in recent months. Briefly stated, ChatGPT is an artificial intelligence technology capable of composing natural language text, successfully passing college-level exams, or even writing computer code.

Developed by OpenAI and unveiled in November 2022, ChatGPT quickly emerged as a newsworthy technology. College students are using it to generate term papers, for example, challenging education leaders to seek alternate technologies that can detect whether a term paper appears to have been generated by AI.

ChatGPT has many legitimate uses as well that leverage its ability to programmatically make sense of natural language text. The technology could theoretically be used, for example, in conjunction with OCR software to decipher handwritten text, such as doctor’s notes in a patient’s medical records.

For now, though, that’s only a theoretical possibility. In the United States, where healthcare providers are subject to HIPAA’s Privacy Rule, the use of ChatGPT with protected health information could lead to stiff penalties. In fact, the creators of ChatGPT clearly warn against feeding their AI model with confidential information.

OpenAI’s terms of use state that the organization “may automatically collect information about your use of the Services, such as the types of content that you view or engage with, the features you use, and the actions you take...” The ChatGPT FAQ page states that “we review conversations to improve our systems and to ensure the content complies with our policies and safety requirements.” It further indicates that “Your conversations may be reviewed by our AI trainers to improve our systems.”

In other words, there is currently no way to use ChatGPT with protected health information (PHI) while still remaining HIPAA compliant. Healthcare providers and other covered entities cannot currently use the technology in any way that could potentially touch upon PHI.

In order for OpenAI to serve the healthcare industry, the company will need to change its terms of use and privacy practices, incorporate safeguards at its data centers, and encrypt data both in transit and at rest. Currently there is no evidence that OpenAI engages in any of these practices as standard operating procedure. As with any service provider, it would also need to provide covered entities with a signed business associate agreement (BAA).

Covered entities that are subject to HIPAA must always be mindful that the technology companies they work with should be fully prepared to take responsibility for safeguarding PHI. At WestFax, we understand HIPAA-compliant fax inside and out. Our HIPAA-compliant Healthcare Fax complies with the highest standards the industry has to offer.

Your fax platform provides a critically important communication link between your organization, the other organizations you interact with, and the patients you serve. At WestFax, privacy and security are central to everything that we do, including our business practices, policies, procedures and personnel training. With multiple options to integrate fax into your processes and applications, we offer maximum interoperability for organizations that manage patient information on a day-to-day basis.

Sign up today for a WestFax HIPAA Basic plan, or visit our Healthcare Fax page to learn more about our other plans. Contact us today at 800-473-6208 to discuss your needs; we can help you understand how our HIPAA-compliant cloud fax can work for you.
