
Is Google's Bard HIPAA compliant?


When it comes to healthcare, privacy and security are paramount. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Companies that handle protected health information (PHI) must ensure that all required physical, network, and process security measures are in place and followed. But is Google's AI, Bard, HIPAA compliant? Let's delve into the details.


What is Google's AI, Bard?

Bard is an artificial intelligence system designed to engage in natural, human-like conversations. It's a powerful tool that can be used in various applications, from personal assistance to business operations. However, its use in healthcare settings raises questions about its compliance with HIPAA regulations.


Is Bard covered under Google's business associate agreement?

The primary question is whether Google's ability to provide HIPAA compliant services extends to its AI tool, Bard.

First, let's start with a quick recap of the terms. HIPAA is a federal law that protects the privacy of an individual's personal health information, otherwise known as protected health information (PHI).

As we've previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Bard, the service would certainly fall into the category of business associate if it serves customers that would store, process, or transmit PHI on its platform.

Google does sign a BAA for certain services, as outlined in its support documentation. However, Bard is not one of these services. As part of Early Access Apps, Bard is not included under Google's HIPAA Business Associate Addendum.


This means that Google does not sign a BAA for Bard, a critical component of HIPAA compliance.


Is Bard covered under Google's HIPAA functionality?

Google's HIPAA functionality covers a range of services, primarily within Google Workspace and Google Cloud Platform (GCP). Unfortunately, Bard is not included in this list. This means that while Google does offer HIPAA compliant services, Bard is not one of them.


How does Bard handle inputted conversations?

According to Bard's FAQ, conversations are used for training the AI system. They state, "We take your privacy seriously and we do not sell your personal information to anyone. To help Bard improve while protecting your privacy, we select a subset of conversations and use automated tools to help remove personally identifiable information. These sample conversations are reviewable by trained reviewers and kept for up to three years, separately from your Google Account."

While this indicates a commitment to privacy, it does not necessarily equate to HIPAA compliance. Without a BAA in place and specific assurances about the handling of PHI, healthcare organizations should exercise caution.

The Bard FAQ states, "Please do not include information that can be used to identify you or others in your Bard conversations."


Medical training and Bard

Bard also claims not to be trained on medical data, saying when asked, "I am not designed to be used in a HIPAA compliant manner. I do not have the security and privacy features that are required to protect patient health information. Additionally, I am not trained on medical terminology, so I may not be able to provide accurate or helpful information about medical conditions or treatments."


Conclusion

While Google's AI Bard is a powerful tool with potential applications in healthcare, it may not currently be HIPAA compliant. Without a BAA in place, and given its exclusion from Google's HIPAA functionality, Bard should not be used in situations where it may come into contact with PHI.
