We are exploring the use of generative AI models to summarize patient notes, but HIPAA compliance is a massive hurdle. Is it safe to use cloud-based AI, or is the risk of data leakage too high? How are other organizations handling the anonymization process before sending data to the model?
3 answers
The gold standard for healthcare right now is using "Zero Data Retention" (ZDR) agreements with providers of generative AI models. This ensures that your data is never used for training or logged permanently. However, even with ZDR, you should always run a local de-identification script first. Use a tool like Presidio to scrub Names, DOBs, and SSNs before the text ever leaves your secure environment. Many hospitals are also moving toward "On-Prem" private clouds where they can run models in an air-gapped environment, ensuring total control over the patient data lifecycle.
Do you think a hybrid approach—where a small local model handles the PII and sends only "clean" data to larger generative AI models—is feasible for your team?
Synthetic data generation is another way to train generative AI models without ever exposing real patient records to the cloud, maintaining strict privacy.
Patrick makes a great point. Synthetic data has been a lifesaver for our research department when they need to test model efficacy without legal risks.
That is a very interesting idea. It would allow us to keep the sensitive logic local while still benefiting from the superior summarization skills of the larger cloud models.