# Health Insurance Portability and Accountability Act Liability in the Age of Generative Artificial Intelligence

**Authors:** Dave Schoolcraft, Andrew C. Meltzer, Rohit Sangal, Aisha T. Terry, Katherine Robertson, Daniel Buckland, Sakib Motalib, Nicholas Genes, Rade Vukmir, Tayab Waseem

PMC · DOI: 10.1016/j.acepjo.2025.100317 · 2026-01-22

## TL;DR

This paper examines legal risks for healthcare providers using AI tools in emergency departments, focusing on HIPAA compliance and data privacy.

## Contribution

The paper provides practical legal guidance for clinicians using AI tools without proper agreements, highlighting HIPAA compliance risks.

## Key findings

- Emergency physicians risk HIPAA violations when using AI tools such as ChatGPT without a Business Associate Agreement in place.
- Post-breach mitigation steps are outlined for different types of protected health information disclosures.
- AI models can reidentify or reproduce protected health information, increasing privacy risks.

## Abstract

As artificial intelligence tools become increasingly integrated into emergency department workflows, healthcare providers face a growing risk of legal liability stemming from improper use, particularly with respect to data privacy and Health Insurance Portability and Accountability Act (HIPAA) compliance. This article explores a realistic clinical scenario in which an emergency physician inadvertently violates HIPAA using a publicly available AI tool, such as ChatGPT, Gemini, Llama, and Grok, without a valid Business Associate Agreement in place.

We review the legal framework of the HIPAA Privacy, Security, and Breach Notification Rules and delineate the respective liabilities of healthcare institutions and individual clinicians. Key distinctions are made between incidental, accidental, and unauthorized disclosures of protected health information, and we provide clear guidance on post-breach mitigation steps. The article also discusses the statistical likelihood of protected health information reidentification or reproduction by AI models and outlines risks associated with state-level data protection laws.

Ultimately, we offer practical recommendations for physicians seeking to leverage AI responsibly in clinical care, including verifying institutional Business Associate Agreements, understanding platform-specific privacy policies, and consulting with privacy officers before entering any patient data. As AI rapidly evolves, clinicians must remain vigilant in safeguarding patient information to avoid legal exposure and uphold ethical standards of care.

---
Source: https://tomesphere.com/paper/PMC12859502