HIPAA / FERPA Privacy Issues
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) and FERPA (Family Educational Rights and Privacy Act) are pivotal regulations governing the use of AI by university staff. In the realm of healthcare services provided by the university, adherence to HIPAA regulations is imperative to uphold patient health information confidentiality and security. AI systems employed in healthcare settings must comply with HIPAA guidelines to safeguard sensitive data and prevent unauthorized access or disclosure. Similarly, FERPA regulates students' privacy rights and educational records. Staff handling student data within AI applications must adhere to FERPA to protect students' personally identifiable information (PII) and maintain confidentiality. The integration of AI into university operations necessitates a meticulous approach to ensure compliance with HIPAA and FERPA, thereby upholding the privacy and security standards essential for the university's ethical and legal obligations.
- The Michigan Public Health Code (Act 368 of 1978) contains provisions related to maintaining the confidentiality of medical records and health information. Michigan law mandates health facilities, insurance companies, the Department of Public Health, and nursing homes to maintain the confidentiality of patient medical records, with limited exceptions. Specific confidentiality requirements exist for mental health records, HIV/AIDS records, abortion reports, prescription drug records, and various health registries like the cancer registry. AI systems may inadvertently access or process more protected health information (PHI) than necessary, violating HIPAA minimum necessary standards. Furthermore, responsibility for HIPAA compliance when using AI tools that learn and evolve over time remains unclear, posing risks of re-identification of de-identified PHI data used to train AI models.
FERPA
FERPA is a federal law safeguarding the privacy of student education records in all schools receiving federal funding from the U.S. Department of Education.
- The Revised School Code in Michigan (Act 451 of 1976) aligns with FERPA regarding parental access to student records and consent for disclosure. Student journalists at schools generally operate outside FERPA's scope when publishing stories, provided they obtain information legally and consensually from students, without improperly accessing protected educational records held by the school. Personally Identifiable Information (PII), encompassing data like full names, social security numbers, and biometrics, requires appropriate safeguards to protect individual privacy. AI models trained on student data must be carefully managed to avoid disclosing personally identifiable information and to ensure compliance with FERPA. Transparency of AI systems remains critical for maintaining FERPA compliance, with regular monitoring of AI outputs essential to prevent the inadvertent disclosure of personal information.
For more information on FERPA, see these links: General FERPA Information and Family Educational Rights and Privacy Act (FERPA) Policy.
Key Aspects of FERPA Compliance In Relation to AI:
- AI and FERPA: AI models trained on student data must be carefully managed to avoid disclosing PII and ensure compliance. Transparency in AI systems is critical, with regular monitoring of AI outputs necessary to prevent inadvertent disclosure.
- AI platforms store prompt information, so it is essential to be careful about what information is entered.
- Any information related to students must be completely anonymized before being entered into an AI platform such as ChatGPT. Even information that has been anonymized must not be entered in such a way that it could be traced back to students.
- If unsure, do not enter the student data into an AI platform.
Need a refresher on HIPAA / FERPA?
These courses provide a certificate through NMU. Check out the NMU training links below; they can be reached by logging into the NMU Vector Solutions Training Platform.
FERPA Overview (16 min)
FERPA In-Depth (40 min)
HIPAA Overview (16 min)
HIPAA In-Depth (80 min)
Examples of good and bad prompts related to HIPAA and FERPA may be seen below.
HIPAA
| Prompt Type | Prompt | Explanation |
| --- | --- | --- |
| Good Example | "I need assistance generating a patient reminder system for our medical practice that complies with HIPAA regulations. The system should securely send appointment reminders to patients without disclosing any sensitive health information. Can you help me draft a message template for these reminders?" | This prompt clearly outlines the task while emphasizing the importance of complying with HIPAA regulations. It specifies the requirement to avoid disclosing sensitive health information in patient reminders, aligning with HIPAA's privacy and security standards. |
| Bad Example | "I want to create a database using patient health records to analyze trends in our clinic's patient population. Can you help me extract and analyze this data using AI?" | This prompt raises red flags as it suggests accessing patient health records without considering HIPAA regulations. It lacks awareness of patient privacy rights and fails to address the need for proper authorization and data security measures required by HIPAA. Requesting access to patient health records without appropriate safeguards could lead to HIPAA violations and legal consequences. |
FERPA
| Prompt Type | Prompt | Explanation |
| --- | --- | --- |
| Good Example | "We're developing a student performance tracking system for our university, and ensuring compliance with FERPA regulations is our top priority. Can you assist in creating algorithms that analyze academic data while maintaining student privacy and confidentiality?" | This prompt demonstrates awareness of FERPA regulations and emphasizes the importance of protecting student privacy. It seeks assistance in developing algorithms that analyze academic data without compromising student confidentiality, aligning with FERPA's requirements. |
| Bad Example | "I want to analyze student grades and attendance data to identify patterns using AI. Can you help me access this data and create predictive models?" | This prompt raises concerns as it suggests accessing student academic data without considering FERPA regulations. It lacks acknowledgment of the need to protect student privacy rights and fails to address the requirement for proper authorization and data security measures mandated by FERPA. Requesting access to student academic data without adhering to FERPA guidelines could lead to violations and legal repercussions. |