Bailee Brown of Amundsen Davis LLC writes:
… In January 2025, the Department of Health and Human Services (HHS) published a proposed rule to revise HIPAA’s Security Rule requirements to protect against breaches and cyberattacks.
The rule would establish that electronic protected health information (ePHI) used in AI training data, prediction models, and algorithm data that is maintained by a regulated entity for covered functions is protected by HIPAA. It will require heightened risk analysis and risk management activities, including a written inventory of a covered entity’s technology assets that includes AI software that creates, receives, maintains, transmits, or interacts with ePHI, and regular monitoring of authoritative sources for known vulnerabilities and prompt remediation in accordance with patch management programs.
The rule will also apply to AI use by business associates.
Read more at JDSupra.