Navigating AI Compliance: Insights from California's Latest Advisories
Healthcare policy and regulation attorney John Vaughan was interviewed at length for a Medtech Insight article analyzing two legal advisories from California Attorney General Rob Bonta concerning the use of artificial intelligence (AI) in the healthcare industry. The advisories aim to clarify how California law applies to AI in healthcare settings. Mr. Vaughan commented that he expects Bonta to vigorously enforce the legal limits of AI use and offered insights into how the gap between state and federal regulations may create "traps for the unwary." For example, the California Genetic Privacy Information Act sets stricter standards for consent for the use of patient data than the federal Health Insurance Portability and Accountability Act (HIPAA), meaning that, to remain in compliance with state regulations, manufacturers should take care to determine whether they own the data they receive and whether they have appropriate consent to use it. Mr. Vaughan advised companies to consider the "consent flow," or ways in which patients may consent to one use of their data — such as diagnosing a condition — without consenting to another — such as training AI models.
"Make sure that from the time a patient gives consent for her data to be used until the product is finished that there is a way to trace that consent, because that is a really effective way for manufacturers to limit their legal risk," he said.
He also spoke about the state's corporate practice of medicine laws, which require medical decisions to be made by physicians instead of by a business. In practice, he explained, this means Bonta and state regulators could view the use of AI to reduce healthcare spending as illegal. In addition, he noted small and mid-size companies, particularly startups, will likely have the hardest time complying with California laws, and he cautioned businesses to consider carefully whether their operations implicate data privacy and other regulations.
"Folks really need to be careful about not making the category error that they're working in technology when the conduct involves healthcare," he said. "Because if the conduct involves healthcare, if it involves helping patients, if you're using healthcare data sets, you're in the healthcare business, and the healthcare laws apply to you. You're no longer just a tech firm."
Mr. Vaughan also co-authored a recent Holland & Knight alert on this topic.