July 30, 2023

HIPAA Prevents State LEOs from Grazing for PHI -- Doesn't It?

h/t to Samantha Holvey's concise and timely weekly Whealth Care newsletter for addressing a question that is probably on every HIPAA-savvy reader's mind of late: "Can State Attorneys General just randomly scan out of state health records to see whether one of their residents may have committed a health care 'crime'?" This might apply to potentially pregnant patients seeking reproductive diagnosis and treatment, or parents of transgender minors seeking gender-affirming care not available at home.

Having been engaged with HIPAA since its earliest days, I was prepared to repeat my customary, reassuring, "HIPAA is better privacy protection than we had before" speech, but I quickly realized that this time, I was not so sure. See, when we were implementing the three pillars of HIPAA (Privacy | Security | Transactions and Code Sets), back in the aughts, people were most concerned about organizations within the industry misusing the data, or letting it leak out for commercial exploitation.

Very few were worried about a malevolent government. The pre-HIPAA government guardrails that had been erected were still in place, and HIPAA itself was relatively neutral on the matter. Or at least, we implementers were relatively complacent. We thought that, occasional abuse aside, law enforcement organizations would go through existing legal channels to obtain patient records in pursuit of fraud, theft, controlled substance misappropriation, or malpractice.

Now, state after state is passing laws that not only criminalize healthcare procedures that have been common practice for decades, they extend that criminality to procedures performed in states whose own laws preserve their legality. Private citizens can earn bounties by revealing someone has crossed a state line to pursue such treatment. Or even helped fund such an excursion.

And while CMS has published regulatory guidance that explains what sorts of inquiries are already unacceptable under HIPAA, they have also released a Notice of Proposed Rulemaking (NPRM) to tighten the federal regulations against potential state governmental fishing expeditions. The comment period on the NPRM has closed. Can federal regulations be far behind? HIPAA history says not to be too confident. Some NPRMs were allowed to languish for years. Other draft regulations were never formalized into a Final Rule.

July 28, 2023

Transitioning from AI Gee-Whiz to B2B Results

We at CarePrecise are as fascinated as anyone about the miraculous capabilities -- and astounding failures -- of the new Large Language Model Artificial Intelligence tools now battling it out in cyberspace. But we've been around too long not to reserve some skepticism about the hype cycle. The other day I was chatting with an LLM about a new medical device. It initially pointed me to the manufacturer's site and some related promo material, but when I told it I'd rather read content from actual users of the equipment, it suggested some sites I generally prefer not to use. When I asked instead for Facebook Groups, it gave me a list of suggestions with very specific Group names.

None of which turned out to exist.

So, when pressed for different information than it had been providing, my chatty AI tool employed a very human tactic: MSU.

This suggests to us that perhaps the best way to effectively use AI will be to point it to data you know is good -- specifically, your own data about your customers and prospects.

This approach is already taking root in pharmaceutical marketing. Directing AI tools toward rich, highly accurate reference data will, we think, become a key component in making the new technology produce credible, and actionable, results.