Coding Corner: Artificial Intelligence and the Need for Security
by Jill M. Young, CPC, CEDC, CIMC
May 2, 2025
Often, I talk about the importance of documentation. For many, the creation of this documentation increasingly relies on artificial intelligence (AI) to generate the patient note. While I am old school and prefer the handwritten note, the use of AI is here to stay. With the increased use of this emerging technology must come consideration of the security risk of exposing a patient's protected health information (PHI).
I recently audited a patient's medical record where, in the physician's narrative, it stated that "the doctor decided" to order an x-ray. At the meeting I had with the physician, I asked him if he often referred to himself in the third person when writing his notes. He stated that he had been using AI software to prepare his notes and that he "usually caught those mistakes." I spoke with a couple of other physicians on the subject, and they really liked AI note-generating software because they could use their cell phones to capture information during a visit with a patient. The program would generate a patient note, which was then integrated into the patient record through the electronic health record (EHR) access the physician had on that same phone.
The flow of information and potential access to patient PHI gave me great pause. Following some research, I reviewed an article about using personal cell phones to access a patient's PHI. The HIPAA Security Rule sets requirements for who may access a patient's PHI and for the encryption of that information in electronic form. As I delved further into the topic, I thought about a physician recording a patient conversation to use AI software to create an office note. I wondered, what if they were using a cell phone in the office? What type of encryption did it have, and did it meet the requirements set forth under HIPAA? How secure was their personal cell phone? Could someone hack into their phone? If so, could the attacker then reach the PHI held by the AI software, or get into the EHR software, through the weak link of the physician's personal phone? What if the physician lost his or her phone, or someone took it from the counter by the nurses' station? What if the physician was doing this task at the end of the day at home? How protected would PHI be if someone really wanted to access it through the personal cell phone of a physician?
My conclusion, and I am still looking for rules from payers, is this: if you are going to be using and accessing the PHI of a patient, do not use your personal device. Use a duly encrypted office-owned device that is kept secure with password-protected access. Keep it on a secure network, and leave the device locked securely in your office at the end of the day.
I may not like that my PHI is given to an AI program, regardless of whether I am told it self-erases my information once the note is generated. It is out there in the cyber world. As a consultant, I advise your office to examine how that information can be accessed from a "weakest link" perspective. The cell phone that you carry around with you everywhere should not be a key to the door of your patients' PHI. Be smarter than the bad actors who seem to be trying to hack into everything electronic. Protect yourself, your patients, and your practice.