Advancements in Healthcare Privacy at the National HIPAA Summit

From April 7-10, industry leaders and government representatives convened at the 43rd National HIPAA Summit to discuss advancements in healthcare privacy, cybersecurity, and regulatory practices. Morgan Lewis attorneys Michael J. Madderra and Sydney Reed Swanson addressed the complexities that arise when artificial intelligence (AI) is integrated into compliance frameworks under the Health Insurance Portability and Accountability Act (HIPAA). The discussion highlighted AI's impact on privacy and security obligations, which significantly affects data management and contractual agreements.

The keynote speech by the director of the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), examined shifts in regulatory and enforcement dynamics under HIPAA and the Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2). With AI increasingly integrated into operational workflows, new compliance and ethical challenges are emerging for industry stakeholders.

OCR Director Paula M. Stannard outlined enhanced enforcement priorities and upcoming modifications to HIPAA Privacy and Security Rules. The OCR forecasts increased enforcement of February 2026 Part 2 requirements and emphasizes comprehensive risk management plans. A significant focus remains on access rights to health records, particularly regarding parental rights over minors.

Proposed changes to the HIPAA Privacy Rule, aimed at strengthening individual information access, are under evaluation. Adjustments to HIPAA’s minimum necessary standard could impact privacy notices for covered entities. Proposed updates to the HIPAA Security Rule consider public feedback, aligning with broader national cybersecurity strategies.

Healthcare organizations are exploring AI capabilities to boost efficiency, such as real-time transcription of clinical encounters. While these technologies improve workflows, they raise concerns about patient notification, data integrity, and retention. The AI governance discussion highlighted the necessity for AI technologies to comply with the HIPAA Security Rule, addressing risks such as data leakage and exposure of protected health information (PHI).

In the context of evolving requirements, best practices include robust data governance, expanded risk assessments, and regulation-compliant internal policies. Cross-border data handling remains a concern, requiring careful attention to national security and privacy regulations.

AI deployment also necessitates refining contractual terms, especially in business associate agreements (BAAs), to mitigate AI-associated risks. Ethical considerations around patient data use underpin regulatory actions, addressing public expectations for confidentiality and transparency. As AI integration in healthcare advances, maintaining compliance and engaging in ethical data practices remain critical for industry professionals, who must stay alert to regulatory developments and AI application challenges.