WASHINGTON, D.C. — The Department of Health and Human Services' Office for Civil Rights (HHS OCR) has published a Notice of Proposed Rulemaking (NPRM) to significantly update the HIPAA Privacy Rule, specifically addressing the challenges posed by artificial intelligence-driven health analytics and the proliferation of pharmacogenomic data. The proposed rule, released on June 19, 2026, seeks to modernize the definition of "de-identified" health information and establish new guardrails for the use of protected health information (PHI) in machine learning models [Source: HHS OCR Proposed Rule].

The De-identification Challenge in the Era of AI

Under the current HIPAA framework, covered entities can share health data with third parties, including AI developers, if the data is "de-identified" using either the Safe Harbor method (removing 18 specific identifiers) or the Expert Determination method. However, the explosion of large language models (LLMs) and predictive analytics has rendered the Safe Harbor method obsolete. Modern AI can easily re-identify patients by cross-referencing remaining data points, such as rare disease codes, zip codes, and admission dates, with vast public datasets.

The proposed rule mandates a shift toward a stricter, AI-specific "Expert Determination" standard. It requires that any entity using PHI to train a machine learning model must conduct a "Re-identification Risk Assessment" that specifically tests the model's ability to memorize and regurgitate individual patient data. If an AI model can be prompted to output the PHI of a specific individual, the underlying dataset is deemed not de-identified, and the entity would be in violation of the Privacy Rule. This "model inversion" test represents a novel regulatory approach to data privacy in the algorithmic age.

Pharmacogenomics and the Genetic Information Nondiscrimination Act (GINA)

The NPRM also addresses the rapid integration of pharmacogenomic testing into routine clinical care. As EHRs increasingly include genetic markers that dictate drug metabolism (e.g., CYP450 enzyme variants), this data becomes a permanent part of the patient's medical record. The proposed rule explicitly classifies pharmacogenomic data as PHI, subject to the strictest levels of protection. Furthermore, OCR is coordinating with the Department of Labor and the EEOC to ensure that the use of this data by employer-sponsored health plans does not violate the Genetic Information Nondiscrimination Act (GINA).

The rule proposes a "Purpose Limitation" addendum for genetic data. Even if a patient consents to their pharmacogenomic data being used for clinical treatment, that same data cannot be used by the covered entity for secondary purposes, such as AI-driven risk modeling for life insurance underwriting or population health management, without a separate, specific authorization. This bifurcation of consent is designed to prevent the "mission creep" of genetic data in the era of integrated digital health platforms.

Business Associate Agreements (BAAs) and Cloud AI Infrastructure

The proposed rule clarifies the regulatory status of cloud providers and AI SaaS platforms that process PHI. Historically, if a cloud provider only stored encrypted data and did not retain the encryption key, they were considered a "conduit" and not a Business Associate (BA). The NPRM eliminates the conduit exception for any entity that provides AI analytics, natural language processing, or predictive modeling on PHI. Any vendor that touches the data to run an algorithm, even for a fraction of a second, must execute a comprehensive BAA, accepting full liability for HIPAA compliance, breach notification, and subcontractor oversight.

Algorithmic Transparency and the Right to Explanation

In a groundbreaking move, the proposed rule introduces a "Right to Explanation" for individuals whose health outcomes are determined by an AI algorithm. If a health plan uses an AI tool to deny a prior authorization, or if a hospital uses an algorithm to prioritize patients for a scarce resource, the individual has the right to request a plain-language explanation of the logic, the data inputs, and the error rates of that specific model. This provision aligns with emerging global standards for algorithmic transparency and aims to mitigate the risk of "automation bias" and embedded racial or socioeconomic biases in clinical decision support tools.

Conclusion: Balancing Innovation with Fundamental Privacy

The HHS OCR's proposed updates to the HIPAA Privacy Rule represent a necessary and complex recalibration of privacy law for the AI era. By addressing the vulnerabilities of de-identification, the sensitivities of pharmacogenomic data, and the opacity of algorithmic decision-making, the rule seeks to protect individual autonomy without stifling the innovation that promises to revolutionize clinical care. The 60-day comment period will undoubtedly be fiercely contested by the tech and healthcare industries, but the core premise is clear: in the age of artificial intelligence, the right to medical privacy must be as sophisticated as the technology that threatens it.

mahnoor
mahnoorStaff Writer

Comments (0)

No comments yet. Be the first to share your thoughts!