
AI – “Everybody at the bar gettin’ tipsy”


Recent legislative and regulatory actions tied to generative artificial intelligence.


If you’re familiar with Shaboozey’s hit song, you’re likely also familiar with the lyrics – “[o]ne, here comes the two to the three to the four.” Let’s consider generative artificial intelligence (AI) and what’s evolving in health care.

One, HL7 FHIR (Fast Healthcare Interoperability Resources) is a standard predicated on internet standards used by other industries, which “defines how healthcare information can be exchanged between different computer systems regardless of how it is stored in those systems.” Utilized for exchanging electronic health records (EHRs) between different systems, it is an application program interface (API) that enables the sharing of healthcare data to occur. Notably,

The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) builds on CMS' previous rule by outlining requirements for additional information that certain payers must provide via the Patient Access API and new requirements for certain payers to implement three additional APIs: Provider Access API, Payer-to-Payer API, and Prior Authorization API. The APIs finalized in CMS-9115-F and CMS-0057-F must meet certain technical standards to drive interoperability and increase provider and patient access to health information.

The take-away is that covered entities should be keeping pace with CMS instructions because API and FHIR compliance tie into HIPAA compliance.

Now, recent proposed and actual legislation. Here comes the:

Two, proposed legislation (HR 238 – “Healthy Technology Act of 2025”), introduced in Congress by Congressman Schweikert, would amend the Federal Food, Drug, and Cosmetic Act to establish that AI and machine learning technologies would qualify as a practitioner eligible to prescribe drugs if authorized by the state involved and “approved, cleared, or authorized under 510(k), 513, 515, or 564.” Given the infancy of AI, as well as the number of hallucinations and concerns for HIPAA violations, this legislation is unlikely to pass.

To the three, on Jan. 22 the New York Assembly passed the New York Health Information Privacy Act (New York HIPA), which was sent to the Governor for her signature. New York HIPA seeks to impose strict requirements on entities that handle health or wellness-related consumer data. It is substantially akin to Washington State’s My Health My Data Act (MHMDA). Significantly, while New York HIPA exempts HIPAA-covered entities, the exemption applies only to the extent that covered entities are processing HIPAA PHI. Stated another way, while patient medical records may be excluded from New York HIPA’s application, other personal information that medical providers and their business associates collect, and that has historically not been treated as PHI, is likely to be subject to the provisions.

To the four, California’s Governor issued the Legal Advisory on the Application of Existing California Law to Artificial Intelligence in Healthcare (HC Advisory). In addition, the California Attorney General has the authority to take enforcement action against creators, marketers and users of AI systems if those AI systems result in a violation of California law. Violations under the Unfair Competition Law may include: (a) falsely advertising the accuracy or utility of AI systems, or (b) creating, marketing or disseminating an AI system that does not comply with federal or state laws, including civil rights and privacy laws. Notably, the corporate practice of medicine law can also be triggered.

In closing, “someone pour me a double shot of whiskey” because appreciating where state and federal laws overlap can reduce compliance anxiety; understanding what other laws may be implicated can be daunting but is also required; and treating any sensitive personally identifiable information (PII), including individually identifiable health information (IIHI), with the same care that HIPAA requires can mitigate not only the risk of an attack but also the risk of a government enforcement action – whether from a state or a federal government agency.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

© 2025 MJH Life Sciences

All rights reserved.