Businessolver Blog

AI, Cybersecurity, and HIPAA: Vendor Checklist 

Posted on Thursday, May 9, 2024 by Brooke Salazar

AI and PHI: HIPAA Considerations for Evaluating Vendors 

Picture this: an Executive walks into your office to tell you that they are thinking about incorporating AI into human resources. How are you going to respond? Will your first thought be about HIPAA?  

For HR professionals, there are endless possibilities for AI in recruitment, performance reviews, and compensation models. But what about AI’s true potential as a tool for HR and benefits leaders, especially when it comes to benefits compliance and information security? What should you consider when evaluating vendors? 

Goals of AI implementation 

  • Understand and identify what features may make your job easier. 
  • Eliminate manual processes. 
  • Use AI-driven personalization to increase employee satisfaction.

The following are examples of what AI can deliver without touching protected health information (PHI):

  • Sending requested SBCs to members, which gives the member an immediate response while easing HR's administrative burden.
  • Explaining how to access health ID cards.
  • Explaining the claim resolution process.
  • Providing carrier contact information or websites in real time, rather than making the member wait for an email reply.

What to look for in a potential AI solution 

  • When an employee requests a benefits document, can the AI send the requested benefits information? Does it have an audit capability to prove that the documentation was promptly sent? 
  • Can it notify a human curator when benefits documents are delivered, so that a requested and regulated notice (e.g. the SBC) is never inadvertently left undelivered to the employee?
  • Can the AI take questions about benefit claims?
  • If the AI does not answer benefit claims questions, how does it prevent PHI from being entered into the platform? Does the AI platform make clear that it is not intended to resolve healthcare claims or answer questions about medical procedures, etc.?
  • If the AI is designed to answer explanation of benefits (“EOB”) questions, does the AI platform have HIPAA electronic security safeguards in place? 

What to look for when HIPAA security is a priority

Know what to look for in an AI solution, especially if HIPAA may be involved. Here are some good questions to ask: 

  • If a member enters PHI or other health information into the platform, is that data encrypted both in transit and at rest?
  • If the AI uses PHI, do you have a business associate agreement in place with the AI vendor?
  • Can the AI vendor live up to the requirements of a business associate agreement?
  • Does the AI keep PHI in its conversation logs, and if so, for how long?
  • How does the platform protect against threats or hazards to the security or integrity of PHI?
  • How does the AI protect against uses or disclosures of such information that are not allowed or required under the HIPAA Privacy Rule?
  • How often does the AI vendor review and update its security measures for protecting PHI?
  • Has the AI vendor experienced past security breaches? What happened, and how did the provider respond?
  • Does the AI vendor carry insurance that would cover losses caused by cybersecurity and identity theft breaches?
  • Does the AI vendor obtain an annual third-party audit to determine whether it complies with its information security policies and procedures?
  • How does the AI vendor use and share any information gathered on the AI platform?

AI metrics to ask for; any credible vendor should be able to provide them:

  • Built-in analytics that surface what employees are thinking, from workplace culture to how easy the benefits are to use, so HR can address their needs more productively.
  • User Retention: The number of users who used the AI for a second time or more. 
  • Chat handoff: The percentage of interactions that were transferred to a human service agent. 

Data security should always be a top priority, whether you’re a small business or a large enterprise. For more information on the Security Rule and further HIPAA compliance resources, visit ComplianceDashboard’s blog. 

*ComplianceDashboard is now a part of Businessolver’s solution offerings. https://www.businessolver.com/news/businessolver-announces-key-acquisition-of-the-capstone-group/ 

**The above information is for educational and informational purposes only and should not be considered legal counsel or advice.  Prior to executing any agreement with what may or may not be a business associate, seek qualified counsel to review any agreements.