healthcare-ai-privacy
Installation
SKILL.md
Healthcare AI Privacy — HIPAA and AI Act Intersection
Overview
Artificial intelligence in healthcare introduces privacy challenges that sit at the intersection of established health privacy law (HIPAA, HITECH) and emerging AI regulation (EU AI Act, FDA regulatory framework, proposed state AI laws). Clinical decision support (CDS) systems, diagnostic AI, and predictive analytics operate on protected health information, creating obligations under HIPAA while simultaneously falling within the scope of AI-specific regulation when deployed in high-risk clinical contexts. This skill addresses the complete privacy lifecycle of healthcare AI — from training data acquisition through model deployment and patient interaction — ensuring compliance with both health privacy and AI governance frameworks.
Regulatory Landscape
Overlapping Regulatory Frameworks
| Framework | Applicability to Healthcare AI | Key Requirements |
|---|---|---|
| HIPAA Privacy Rule (45 CFR §164) | AI systems processing PHI at covered entities or BAs | Authorization or TPO exception for PHI use; minimum necessary; individual rights |
| HIPAA Security Rule (45 CFR §164.312) | ePHI used in AI training, inference, and storage | Access controls, audit trails, encryption, integrity controls |
| EU AI Act (Regulation 2024/1689) | AI systems deployed in EU healthcare or processing EU patient data | High-risk classification for medical devices; conformity assessment; transparency |
| FDA Regulatory Framework | AI/ML-based Software as a Medical Device (SaMD) | 510(k), De Novo, or PMA pathway; GMLP (Good Machine Learning Practice); total product lifecycle approach |
| FTC Act §5 | AI making health-related decisions affecting consumers | Unfair or deceptive practices; Health Breach Notification Rule for non-HIPAA entities |
| State AI Laws | Emerging state legislation (Colorado AI Act SB24-205, Illinois AI Video Interview Act) | Algorithmic impact assessments; notice and opt-out for automated decisions |