HIPAA is a federal law that sets national standards for protecting the privacy and security of patients’ health-related information, among other things.6 Physicians must follow HIPAA regulations to avoid potential legal consequences.7 While HIPAA provides a minimum standard for health information privacy, states can enact more stringent rules to better protect their citizens.8 Make sure to learn the patient privacy and security rules in your state prior to using LLMs to aid in patient care.
One of HIPAA’s primary functions is to ensure patients have control over their health-related information.9 This includes, but is not limited to, any information related to a patient’s physical or mental health, the medical care they received or the cost of their medical care.10 If a patient refuses consent, their health-related information cannot be shared with an LLM.11 If a physician violates HIPAA by sharing protected health information without consent, they may face civil or criminal penalties.12 However, only the Secretary of the U.S. Department of Health and Human Services can enforce these penalties, not the individual affected by the violation.13 In other words, a patient cannot sue a physician because the physician violated the security and privacy requirements of HIPAA.
Integrating an LLM into an existing electronic health record, such as Epic, may help ensure that all patient information is stored and shared through a secure system. However, physicians should exercise caution when using LLMs and ensure they fully comply with HIPAA regulations.
While physicians need to be mindful of the legal implications of using LLMs to share patient information, physicians can also benefit from these powerful tools in ways that don’t require a patient’s consent. If a physician uses an LLM to generate general health information without including any identifiable patient data, they would likely be safe from HIPAA violations. For example, a physician could use an LLM to summarize current research on rheumatoid arthritis, provide general tips for symptom management or offer common medication side effect information. In these cases, the physician would not share any health-related information that could identify a specific patient.
Conclusion
LLMs offer significant benefits in the field of medicine. They have the potential to assist physicians in generating patient handouts, responding to patient messages and even suggesting diagnostic and treatment options in the future. However, LLMs cannot replace the expertise of physicians in providing humanistic care to patients. Instead, they can help physicians manage an ever-increasing workload and improve communication between patients and clinicians.