Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 608. AI Isn’t the Problem, Lack of Governance Is – A PSA for Group Practice Leadership.
Liath Dalton
This is a really important and vital PSA. And what prompted this discussion today is that we have been seeing a surge in panicked calls and emails from group practice leaders who have discovered, through one means or another, that one or more clinicians on their team have been utilizing ChatGPT or similar AI tools to assist in writing or polishing progress notes.
Evan Dumas
Yep.
Liath Dalton
And so when that’s happening, there are a number of HIPAA and ethics issues and practice leadership issues that are occurring and that need to be addressed. Because essentially, when we’re talking about these AI tools like ChatGPT in particular, there’s no HIPAA Business Associate Agreement. It is not an appropriate place for any client information to be entered or exist. It hasn’t been something that’s been vetted by the practice’s security officer.
Evan Dumas
Mhm.
Liath Dalton
Typically, when this is occurring, it’s because there’s no internal AI specific policy,
Evan Dumas
No, yeah.
Liath Dalton
and there hasn’t been any structured training around this.
Evan Dumas
Yeah.
Liath Dalton
So the big issue is that these are not theoretical risks. This is not abstract. It’s happening right now. And so unfortunately, ignorance is not bliss, right?
Evan Dumas
No.
Liath Dalton
It is a liability. So instead of getting into the scary parts about it, we thought we would talk about the concrete, simple steps that you as a practice leader can take now to address what is kind of immediately pressing about AI use within your practice.
Evan Dumas
Mhm.
Liath Dalton
There are other components that sort of build on this foundational block that we’re going to be talking about today. But like everything with compliance and a good security and risk management program in your practice, things should be implemented incrementally, in order of priority, and in a way that is supportive of the practice’s holistic strength and fortification, not disruptive.
Liath Dalton
So what we’re talking about today isn’t this massive policy and procedure update and new risk analysis and extensive formal, lengthy training, because that’s not necessary to address the highest priority items. Those pieces come next, right? So we’re going to take things in sequence.
Liath Dalton
All right, let’s contextualize this a little bit as well, because it’s really important to know that AI itself is not the villain. It is not inherently unethical, it is not inherently prohibited. The primary issue is governance, because everything needs to be within the framework of what is HIPAA compliance compatible, what meets ethical responsibilities and what aligns with the practice’s policies and procedures for safeguarding client info. So really, the problems that arise with AI are, in this context, primarily a governance issue. What do we mean by a governance issue, Evan?
Evan Dumas
Yeah, it’s one where you don’t talk about it, and if you don’t talk about it, people are going to come up with their own ways of doing things. They’re not going to know how to do it. They’re going to get a fuzzy idea of what PHI is, to just sort of tell you what we’re going to talk about in a second. And so people are making it up their own way. You don’t have a structure for folks. You haven’t talked about it, and so you have, there hasn’t been any governance. It’s like a lack of governance on how these tools are used and when they’re used. And that can, that can be fixed.
Liath Dalton
Absolutely, totally fixable. Basically, the challenge is that if you haven’t addressed AI use explicitly in your practice, you have unmanaged risk. And the reality that we’re seeing is that if you have a strong policy that has a prohibition on use of personal services with client info, that in practice is not alone sufficient for addressing this issue. And the main reason for that is that folks often do not have a fully fleshed out or accurate definition of what counts as Protected Health Information. And so even though your practice might have a policy that prohibits use of personal services for handling client info, clinicians are thinking that they are sufficiently removing identifiers from the information that they’re inputting into AI tools, into personal AI tools. So that in their assessment, it isn’t PHI that they’re putting in, so therefore they’re not violating practice policies and it’s okay. This is really where things can be going awry: even if you have good policies that, in theory, should be preventing this, it can break down in the practical application. So that’s why it’s so essential to have this explicit conversation and process that we’re going to outline.
Liath Dalton
So let’s dig in a little bit to the whole PHI, and what actually counts as PHI, discussion, because this is where it’s kind of the origin source for a lot of the issues that we’re seeing currently from those distressed practice leaders that we’ve been talking to. So PHI is not just name, date of birth, insurance ID, address, those really clear identifiers.
Liath Dalton
Remember that under HIPAA there are 18 identifiers which, if any part or derivative of those identifiers is included, then it is not de-identified. It is protected health information, meaning it’s subject to HIPAA, and all of the HIPAA standards apply to how that information must be safeguarded.
Liath Dalton
So, the often overlooked item on the list of 18 identifiers is about any unique or individually identifiable information particular to a client or a patient, that is not contained in the other 17 identifiers, and that really includes clinical narrative, trauma history, particular family dynamics, unique life circumstances, it can also include relational patterns, certainly diagnostic impressions, any information that relates to a particular individual.
Liath Dalton
And here is really a standard that we use at PCT that is super helpful, because it gets away from looking purely at the 18 identifiers and really contextualizing it, which is: if a client would recognize themselves in what you, or your clinician, wrote, it is identifiable.
Liath Dalton
So if the prompt that a clinician is putting into ChatGPT has their summary of the main points of discussion within a session, and issues addressed, interventions utilized or suggested, even if it’s not including name, date of birth, any other identifiers that is still PHI, right?
Evan Dumas
Mhm.
Liath Dalton
And that’s something a client is going to recognize.
Evan Dumas
Oh definitely.
Liath Dalton
They don’t need their name or date of birth, but if they’re reading a summary of the session and things that they said and things you or the clinician said to them during the session, they’ll recognize that, right?
Evan Dumas
Mhm.
Evan Dumas
Yeah, definitely.
Liath Dalton
So this is another instance, to quote something that our favorite therapist-attorney Eric Strom often says, which is that HIPAA is the floor, not the ceiling, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
So even if those particulars are removed, even if some details are changed, even if they think it’s pretty general or generic, that is not de-identified under HIPAA. As we said, de-identification under HIPAA has really specific legal standards. Evan, do you think there are any instances in which narrative, clinical information can really be de-identified, and where a client wouldn’t be able to recognize themselves in it?
Evan Dumas
Geez, not easily. No, like you’d have to cut it down to such a small snippet of a narrative as to make it so generalizable that I don’t think an AI model would even help you understand it. So, no, the narrative is unique to the client. That’s why they come to therapists for their work. And so in that case, no.
Liath Dalton
Exactly.
Liath Dalton
So that can be a really useful standard to impart to your team and use as kind of the baseline. It’s really important that we correctly identify what constitutes PHI. It’s very broad. And in the context of AI, a lot of information system security experts, leaders in the field, are concerned that even information that has been fully de-identified according to HIPAA’s de-identification standards, which are really specific and include either the Safe Harbor method, which is removal of any and all of the 18 identifiers, or the expert determination method, that even if information is fully de-identified according to those, in the context of AI re-identification is very possible, not just plausible, but probable, right?
Liath Dalton
So this really is not a gray area. We don’t want it to be a gray area either, because it being clear and black and white makes it much easier to then govern what is and isn’t acceptable.
Liath Dalton
So basically, the issue is that when PHI is entered into a non-vetted AI system, without a HIPAA Business Associate Agreement in place between the practice and the service provider for that AI tool or system, and without policy governance, that is a HIPAA disclosure.
Evan Dumas
Mhm.
Liath Dalton
And a HIPAA breach is when an unauthorized or unpermitted use or disclosure of Protected Health Information occurs. So technically speaking, this sort of usage of client information with a non-vetted, approved, and governed AI tool is a HIPAA breach.
Evan Dumas
Yeah.
Liath Dalton
And this isn’t even getting into the ethics pieces, where we have enough clarity now from each of the primary ethics codes from the American Mental Health Counseling Association, the NASW, the APA, and I think we also explicitly have some from the AMFT now too, that if client information is being used with AI for any clinical purposes, then client informed consent is mandatory.
Evan Dumas
Yeah.
Liath Dalton
That’s not negotiable, not a “well, the client isn’t interacting with the AI themselves, so informed consent isn’t necessary.” If client information is being used to have AI assist in generating clinical documentation, that’s a clinical use of AI. Because the client’s record, the progress notes, and everything that is in the designated record set is part of clinical care. So the informed consent piece is also essential. And in a group practice context, the informed consents are something that are being managed on a practice wide basis, right?
Evan Dumas
Mhm.
Liath Dalton
So it’s very unlikely that a clinician has, aside from the HIPAA issues, also gotten informed consent that meets the standard of sufficient informed consent for clinical use of AI, right?
Evan Dumas
Mhm.
Liath Dalton
Because part of the informed consent standard is that the clinician be able to explain how their information is used and risks and benefits. And if this isn’t a tool that they have deep knowledge of and that has been fully vetted by practice leadership and the security officer, that they’re going to have the knowledge that would allow them to actually meet that standard for what needs to be disclosed and shared and addressed in order to get informed consent, right?
Evan Dumas
Mhm.
Liath Dalton
So we’re going to get very shortly into exactly what to do now, but just wanting to extend a bit of grace and understanding as well to the clinicians that are going this route and why this is happening. Because it really is not coming from malicious intent, or that they think they’re doing something wrong and are just going to get away with it, right?
Liath Dalton
From each of the instances that we have seen and been helping practices navigate, the clinician did not think they were doing anything wrong.
Evan Dumas
No.
Liath Dalton
They thought that they had removed enough identifying information, that it wasn’t PHI, that it wasn’t a violation of practice policies, and that it was so generic that the informed consent piece wasn’t required. So in the clinicians’ minds, they were just trying to use a tool to support their work, but weren’t doing so in a way that was problematic to their understanding.
Liath Dalton
And of course, this is all happening in the context of a lot of clinicians feeling overwhelmed, and documentation being sort of one of the most challenging and often least joy-giving aspects of being a clinician, right?
Evan Dumas
Yeah.
Liath Dalton
And, when they see that AI tools can be efficient and supportive, they can think, if they’re removing identifiers, that it’s harmless. The issue here, of course, is that the lack of malicious intent and the lack of correct definitions of what constitutes PHI do not remove compliance responsibility. And in a group practice setting, the practice as the HIPAA covered entity is the HIPAA responsible party. So under HIPAA, workforce actions are the practice’s responsibility. Another way that we say that is if a team member violates HIPAA, they are violating HIPAA basically on behalf of the practice, in terms of responsibility and liability scope. It’s not just their individual actions that are somehow separate from the practice as the entity, because the practice as the HIPAA covered entity has the responsibility to govern.
Liath Dalton
Alright, before we move on to the what to do right now, Evan, what is the last sort of takeaway on this section?
Evan Dumas
Yeah, it’s the if you don’t know what they’re doing, that doesn’t remove your liability. In fact, that is a liability. Not knowing is definitely a liability.
Liath Dalton
Yes.
Liath Dalton
So we want you to know, but even before sort of trying to go backwards and find out what’s been happening and how to correct and mitigate, we want to stop all of this in its tracks and prevent it from occurring, going forward from here on out.
Liath Dalton
So like we said, we’ll talk about what to do if you discover past unauthorized and inappropriate use in an upcoming episode, but right now, this is what needs to happen.
Evan Dumas
Yeah.
Liath Dalton
Number one: issue clear, and this can be really succinct, written guidance immediately. This is not a full policy document.
Evan Dumas
No.
Liath Dalton
This is just a written prohibition on the use of any non-vetted AI tools.
Evan Dumas
Mhm.
Liath Dalton
Which are going to be any AI tools that are not practice provided and controlled for any client related information.
Evan Dumas
Yeah.
Liath Dalton
We want this to be explicit too. So this prohibition needs to be encompassing progress notes, treatment plans, emails about clients, case consultation, summaries, any content containing Protected Health Information, any content relating to an individual client.
Evan Dumas
Yep, yeah.
Liath Dalton
That’s as extensive as it needs to be. And this absolutely should be addressed in writing, so that there is no sort of gray area or leaving it up to people remembering what was said in a conversation correctly. We want them to, anytime they have a question about, can I use this AI tool or not? They don’t have to recall a conversation or speak to practice leadership. They can just look at this short sort of memorandum that you provide to everyone.
Liath Dalton
Can this also and should it also be paired with a conversation or brought up in a team meeting? Yes, absolutely. But if it’s going to be a minute before your next team meeting, you still want to be issuing this written guidance and requirement in the immediate term, right?
Liath Dalton
So the next piece is that we really want, as part of your addressing this with your team, to clarify what constitutes Protected Health Information.
Evan Dumas
Mhm.
Liath Dalton
Don’t assume that your clinicians understand this.
Evan Dumas
Oh, no.
Liath Dalton
Evan, how frequently do we see HIPAA covered entities, HIPAA Business Associates not having a correct understanding of what constitutes PHI and sort of perpetuating a general misunderstanding of those?
Evan Dumas
Oh, all the time. Same with the clinicians I work with. I feel like either our education has failed us or it didn’t get in detailed enough. I know I was even told initials are just fine when they are totally identifying. So I really think the concept of what PHI is, is not a common sense concept to most folks.
Liath Dalton
Right.
Liath Dalton
And I think part of the issue in terms of the training that folks get is that when you’re talking about protecting client confidentiality and privacy in your grad school program, that’s under the more broad ethics umbrella, not specifically HIPAA, right? And so talking about using initials in a calendar, for example, as opposed to a full client name, can still be supportive of preventing identification of the individual, if someone happens to see it; it’s less identifying than a full name. And I think that sort of discussion and training about how to limit identifiers has gotten conflated with what is de-identified under HIPAA, right? So there are a lot of points of failure in this, honestly, and then it becomes something that gets perpetuated when they’re doing supervision or practicum agency work, like these inaccurate definitions just sort of get established and then propagated and continue on. And unfortunately, the reverberation is pretty strong.
Liath Dalton
So if there is one fundamental thing that, if your whole team understands it, is going to be most supportive of effective compliance and risk management and meeting ethical needs as well, it’s going to be correctly understanding what actually constitutes PHI. So provide your team a clear definition of it, an explanation of the narrative and context based identification piece, and add this as one of the practice’s main mantras and standards, that if a client would recognize themselves, it’s not de-identified, it is PHI. Spell it out, make it concrete.
Liath Dalton
Please do check out the show notes for resources to support you in this, because we have a number of articles about what constitutes PHI, including the “if the client would recognize themselves” standard, and how de-identification works and doesn’t under HIPAA and in the context of AI. So those are supportive free articles that we’re going to link in the show notes, and you can include those if helpful when making this communication to your team. There is also a one hour on demand CE training all about how to define PHI, and so we’ll include that too. I don’t think that it is necessary to assign a specific CE training, but it’s an option there, and maybe it would be something that a clinical director or other leadership team member might find helpful for having a really nuanced and fleshed out definition and practical application examples of PHI, in terms of being able to then address this with team members.
Liath Dalton
The next piece is training your team. And this is not just a quick chat message, right?
Evan Dumas
No.
Liath Dalton
So it’s really important that they get documented training, that they have space for questions, that they understand the clear expectations and clear consequences of not following this. Actually, this would constitute an interim policy directive and clarification.
Liath Dalton
So in terms of training the team, I think we don’t just want to be, and this is actually so important, we don’t just want to be saying you can’t do this, right? We want to be also saying we understand you weren’t doing this thing that was problematic out of any malice, but because you were trying to meet needs, and so here are alternative compliance compatible, ethically sound ways to meet that same need, to like, solve for the problem that you were trying to address. Or here are additional resource supports around efficient and effective documentation, right? If documentation is one of the main pain points that AI is being turned to to help address, then we don’t want to just say, don’t use the thing that is helpful. We want to say, here are other tools and resources to help you manage this need that you’ve identified, right?
Liath Dalton
We want to be presenting solutions and support, not just a list of what can’t be done. That’s a really important culture setting piece as well, that can be super pivotal to having an effective compliance and risk management program within a practice. So the last piece, and this isn’t explicitly or specifically for the immediate short term, because immediate short term, again, is just addressing the written guidance need and the explicit contents of that, as well as clarifying what constitutes PHI and some initial supportive training.
Liath Dalton
The last piece, that isn’t in the immediate term, is that if your practice is going to use AI tools that will interface with client information in any way, it needs to follow a thorough vetting process. So the vetting should be done by the practice security officer. We’ll get into all the details and nuances of what this entails, but the super high level version is that any AI tool that’s used with client info has to be practice provided and controlled, formally vetted, evaluated for data retention and data use, and have the necessary HIPAA Business Associate Agreement in place. Have very clear usage policies and procedures as well. So it’s not a sort of thing where you can just say, use it, use it carefully. It’s got to be a very structured process for evaluation and approval, and then once something has been evaluated and approved, then there needs to be very specific usage guidance in the form of policy and procedure.
Liath Dalton
So if you are thinking, oh, before we put a prohibition on AI use, we need to be able to provide an alternative AI tool that is practice provided and sanctioned. I’m going to say that’s not something that can happen as rapidly as you need to be making this prohibition really clear and explicit,
Evan Dumas
Mhm, yeah.
Liath Dalton
Right? Okay, so just to reiterate the immediate steps of issuing that brief but very clear and specific written guidance, clarifying what constitutes PHI as well, some supportive training, and then on a leadership level, if you want to start considering practice provided AI and tools that meet the HIPAA and ethics needs, that’s a more extensive vetting process, and we’ve got support for you on that. So really, this is just another example of how quickly AI is evolving,
Evan Dumas
Oh yeah.
Liath Dalton
and how its use is filtering into so much and that this needs to be something that is intentionally addressed, frequently addressed, and explicitly addressed, right? So while AI is moving really fast, your governance needs to move faster.
Liath Dalton
And it’s something that, like we just said in those three steps to take now, it can be addressed quickly and concretely, but it has to be addressed. If you haven’t addressed this yet, now is the time. And so we’ll have an upcoming series of two episodes devoted to what to do if you have had unauthorized AI use occurring, and then the bigger, full policy and procedure and risk analysis framework for complete AI governance. But right now, just take a deep breath.
Evan Dumas
Yeah.
Liath Dalton
And this is all about what is actionable and addressable, not in too disruptive of a way. It doesn’t require, like, that the full kitchen sink be thrown at this, either. So this doesn’t have to be too time consuming or burdensome, but it is really essential. So take those few concrete steps right now and that will dramatically reduce risk and set the stage for being able to tackle the remaining components, and we, of course, will be providing resources and guidance and support for tackling those remaining pieces. But like with all things HIPAA, let’s take it one step at a time.
Evan Dumas
Mhm, exactly.
Liath Dalton
All right, folks, thanks for listening, and we hope you have found this helpful, and we’ll look forward to chatting with you next week. Take care, everyone.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we share a PSA for group practice owners to address unauthorized AI use within your practice.
We discuss:
- What we mean by governance
- What counts as Protected Health Information (PHI)
- The standard we use at PCT to determine if something is PHI
- Why AI tools like ChatGPT are inappropriate for PHI
- De-identification standards under HIPAA
- Ethical standards and informed consent for clinical use of AI
- Concrete next steps to take as a practice leader to address AI use in your practice
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- Article + 18 Identifier List: De-Identified or Not? The Truth About HIPAA, AI, and Client Data
- In this article, Person Centered Tech breaks down one of the most misunderstood concepts in HIPAA compliance: de-identification. It clarifies the difference between simply “removing identifiers” and meeting HIPAA’s strict legal standards for de-identification (Safe Harbor or Expert Determination). The piece explains why narrative clinical information is often inherently identifying, why a session transcript cannot realistically be considered de-identified, and how AI systems introduce heightened risks of re-identification. It reinforces a critical takeaway for practice leaders: HIPAA sets the floor—not the ceiling—for protecting client information, and governance must keep pace with emerging technologies.
- PCT CE Course: Law & Ethics of the Clinical Use of Artificial Intelligence: Implications in Clinical Practice
- If you’re wanting a deeper, structured framework for evaluating AI in clinical practice, this 3-credit legal-ethical on-demand training with Eric Ström, JD, PhD, LMHC, walks through the evolving legal standards, HIPAA considerations, and ethics code guidance that apply to AI use in behavioral health. You’ll gain practical strategies for assessing new technologies, understanding emerging standards of care, and implementing AI tools in a way that is legally defensible and ethically sound.
- PCT CE Course: Modern Progress Notes: Considerations for Teletherapy, Insurance Audits, and Artificial Intelligence (AI)
- If your clinicians are feeling the pull to use AI for documentation, this 1.5-credit legal-ethical training with Dr. Maelisa McCaffrey (Hall) provides a grounded, practical framework for evaluating that decision. The course addresses how AI is currently being used in progress notes and introduces a clear thought rubric for determining the ethical risks, compliance implications, and appropriateness of integrating AI into documentation workflows. It also reinforces core documentation principles—like medical necessity and audit risk reduction—so that efficiency never comes at the expense of defensibility. A strong next step for practice leaders who want to move from reactive prohibition to thoughtful, structured governance. (Useful for all clinicians)
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more