A GP finishes a consultation and asks ChatGPT to write a short journal note:<\/p>\n
\u201cSummarize this: 54-year-old man, chest pain last 3 days, using atorvastatin, previous MI.\u201d<\/p>\n
In a matter of seconds, the doctor receives a tidy journal note back.<\/p>\n
It seems effective - but what many people don't consider is that the patient data may have been sent to an external AI service. without a data processing agreement<\/strong>.<\/p>\n In many cases, this may be in violation of the privacy policy.<\/p>\n Many people are surprised by this - because AI itself is not illegal in healthcare. More and more doctors and therapists are testing AI tools to write journal entries, dictate referrals or summarize consultations.<\/p>\n Tools like ChatGPT do this impressively well.<\/p>\n But here an important question arises:<\/p>\n Is it legal to use AI on patient data?<\/strong><\/p>\n Short answer: The problem is that many general AI services is not designed for health data<\/strong>, and can therefore violate the privacy policy if used directly for record keeping.<\/p>\n This guide explains:<\/p>\n what the GDPR actually requires<\/p>\n<\/li>\n why general AI tools can be problematic<\/p>\n<\/li>\n what an AI system must have to be safe in clinical use<\/p>\n<\/li>\n<\/ul>\n The General Data Protection Regulation classifies health data as special categories of personal data<\/strong>.<\/p>\n This means that they have Stricter protection than regular personal data<\/strong>.<\/p>\n Examples of health information:<\/p>\n diagnoses and treatment history<\/p>\n<\/li>\n symptoms and clinical observations<\/p>\n<\/li>\n drug use<\/p>\n<\/li>\n test results<\/p>\n<\/li>\n discharge summaries and journal notes<\/p>\n<\/li>\n information about mental health<\/p>\n<\/li>\n genetic and biometric data<\/p>\n<\/li>\n<\/ul>\n The regulations can be found in GDPR article 9<\/strong>, which regulates the processing of sensitive personal data.<\/p>\n Source: Many doctors and therapists have tested this.<\/p>\n But in practice, it can create more privacy issues.<\/p>\n Rule of thumb:<\/strong> When you enter patient information into an AI tool, you are sending data to an external service.<\/p>\n In GDPR this is called data processing<\/strong>.<\/p>\n To make this legal, there must be a data processing agreement between the clinic and the provider<\/strong>.<\/p>\n If this does not exist, the processing may be in violation of the GDPR.<\/p>\n Source: Several AI services store data in the US or other third countries.<\/p>\n The transfer of health data outside the EEA requires special legal mechanisms, such as:<\/p>\n EU Standard Contractual Clauses<\/p>\n<\/li>\n Binding Corporate Rules<\/p>\n<\/li>\n Adequacy decisions<\/p>\n<\/li>\n<\/ul>\n This makes the use of general AI services legally more complex in the healthcare sector.<\/p>\n When patient data is sent to an external AI service, you need to know:<\/p>\n where data is stored<\/p>\n<\/li>\n how long they are stored<\/p>\n<\/li>\n who has access<\/p>\n<\/li>\n<\/ul>\n If this is not clearly regulated, it may violate information security requirements.<\/p>\n Breaches of data protection rules in the healthcare sector can lead to:<\/p>\n Supervision from the Danish Data Protection Agency<\/p>\n<\/li>\n fines of up to 20 million euros or 4 % of global turnover for businesses<\/strong><\/p>\n<\/li>\n compensation claims from patients<\/p>\n<\/li>\n in serious cases, supervisory proceedings against healthcare professionals<\/p>\n<\/li>\n<\/ul>\n This does not mean that AI is dangerous - but that The tool must be developed for handling health data.<\/strong><\/p>\n AI is not illegal in healthcare<\/strong>.<\/p>\n But the processing must have a valid processing basis.<\/p>\n The most common are:<\/p>\n Healthcare professionals can process health information if it is necessary for:<\/p>\n diagnostics<\/p>\n<\/li>\n treatment<\/p>\n<\/li>\n record keeping<\/p>\n<\/li>\n<\/ul>\n This is regulated by GDPR article 9 (2)(h)<\/strong>.<\/p>\n In Norway, healthcare professionals have statutory duty to keep records<\/strong>.<\/p>\n This follows from Health Personnel Act \u00a739<\/strong>.<\/p>\n If AI is used as a tool to fulfill this obligation, it may be legal - provided that privacy is safeguarded.<\/p>\n Source: To be used safely in clinical work, an AI system must normally have:<\/p>\n Regulates how patient data is processed.<\/p>\n To avoid complicated third country transfers.<\/p>\n Data must be encrypted both:<\/p>\n during transfer<\/p>\n<\/li>\n during storage<\/p>\n<\/li>\n<\/ul>\n Only authorized personnel should have access.<\/p>\n All accesses to patient data must be logged.<\/p>\n These are requirements that follow from GDPR article 32 on information security<\/strong>.<\/p>\n Source: AI in health requires solutions that are designed for clinical use.<\/p>\n Developed specifically for healthcare professionals, Medivox is designed to meet the legal and technical requirements that apply to the processing of patient data in the healthcare sector.<\/p>\n Among the measures are:<\/p>\n data processing agreement with all customers<\/p>\n<\/li>\n Storage of data in Norway<\/p>\n<\/li>\n encrypted transmission and storage<\/p>\n<\/li>\n access control and logging<\/p>\n<\/li>\n clear routines for deleting data<\/p>\n<\/li>\n<\/ul>\n We're also hosting a webinar where we'll demonstrate how AI can be used for record keeping, letters and documentation in clinical work.<\/p>\n You can see more about the webinar here:<\/p>\n Streamlining medical notes - how AI can free up doctors' time Go through these questions:<\/p>\n - Is there a data processing agreement? If you can't answer yes to these questions, you should consider the solution further before applying it to patient data.<\/p>\n Not necessarily.<\/p>\n If AI is used as a tool for diagnostics, treatment or record keeping, the treatment basis may be necessary health care<\/strong>.<\/p>\n But patients should be informed about how their data is processed.<\/p>\n It depends on the system.<\/p>\n Access may be necessary in certain cases, for example when troubleshooting. Yes.<\/p>\n AI can be used as a tool for writing journal notes, as long as healthcare professionals remain professionally responsible for the content of the journal.<\/p>\n The journal must still meet the requirements of the Health Personnel Act.<\/p>\n Not necessarily.<\/p>\n Even without a name, information such as age, diagnosis, symptoms or rare conditions can make a patient identifiable.<\/p>\n This means that also Partially anonymized information can be personal data under GDPR<\/strong>.<\/p>\n No, you don't.<\/p>\n But they normally need to be stored within the EU\/EEA<\/strong> if they contain personal data.<\/p>\n Only if this is explicitly regulated in the data processing agreement.<\/p>\n In many cases, this will require pseudonymization or anonymization of data<\/strong>.<\/p>\n Patients have the right to erasure in many situations.<\/p>\n But in the health service journal retention obligation<\/strong>, which often takes precedence over the right to erasure.<\/p>\n In a busy clinical environment, it's easy to test new tools to save time. It's understandable - the need for better tools in clinical documentation is great.<\/p>\n However, when patient data is sent to general AI services without a data processing agreement or control over where the data is stored, it can also create legal and privacy challenges.<\/p>\n AI can be a powerful tool for healthcare professionals.<\/p>\n But when patient data is involved, the solution must meet strict requirements:<\/p>\n privacy<\/p>\n<\/li>\n data security<\/p>\n<\/li>\n legal responsibility<\/p>\n<\/li>\n<\/ul>\n The most important question is therefore not if you use AI<\/strong>, but whether the tool is designed for handling patient data<\/strong>.<\/p>\n<\/blockquote>\n GDPR - General Data Protection Regulation Norwegian Data Protection Authority - Artificial intelligence and privacy Norwegian Data Protection Authority - Privacy and artificial intelligence (recommendations)
The challenge is what happens to the patient data after it is sent to an AI tool.<\/strong><\/p>\n
Yes - but only if certain requirements are met.<\/strong><\/p>\n\n
\nWhy health data is extra protected<\/h1>\n
\n
GDPR art. 9
https:\/\/gdpr-info.eu\/art-9-gdpr\/<\/a><\/p>\n
\nCan doctors use ChatGPT for record keeping?<\/h2>\n
If you have not signed a data processing agreement with your provider, you should not send patient data to the system.<\/p>\n1. Lack of data processing agreement<\/h3>\n
GDPR art. 28
https:\/\/gdpr-info.eu\/art-28-gdpr\/<\/a><\/p>\n
\n2. Data can be stored outside the EEA<\/h3>\n
\n
\n3. Limited control over storage and deletion<\/h3>\n
\n
\nWhat happens if patient data ends up in the wrong system?<\/h2>\n
\n
\nWhen can AI be legally used in healthcare?<\/h2>\n
1. Necessary for health care<\/h3>\n
\n
\n2. Fulfillment of duty of care<\/h3>\n
Health Personnel Act \u00a739
https:\/\/lovdata.no\/lov\/1999-07-02-64\/\u00a739<\/a><\/p>\n
\nWhat requirements must an AI tool meet in healthcare?<\/h2>\n
1. Data processing agreement<\/h3>\n
2. Storage within the EEA<\/h3>\n
3. Encryption<\/h3>\n
\n
4. Access control<\/h3>\n
5. Logging<\/h3>\n
https:\/\/gdpr-info.eu\/art-32-gdpr\/<\/a><\/p>\n
\nHow MediVox handles privacy<\/h2>\n
\n
\nWant to see how it works in practice?<\/h2>\n
https:\/\/events.medivox.ai\/<\/a><\/p>\n
\nChecklist: Is the AI tool you use GDPR compliant?<\/h2>\n
- Do you know where your data is stored?
- Is data stored within the EEA?
- Is data encrypted during transmission and storage?
- Is there access control and logging?
- Are patients informed about the use of AI?<\/p>\n
\nFAQ - frequently asked questions<\/h2>\n
Do I need patient consent to use AI?<\/h3>\n
\nCan the AI provider see patient data?<\/h3>\n
Then the access should be restricted and logged<\/strong>.<\/p>\n
\nAre AI journals legal in Norway?<\/h3>\n
\nCan I use ChatGPT if I remove names?<\/h3>\n
\nDoes data have to be stored in Norway?<\/h3>\n
\nCan AI tools use patient data for model training?<\/h3>\n
\nWhat happens if a patient requests deletion?<\/h3>\n
\nA situation many doctors recognize themselves in<\/h2>\n
As a result, many doctors have tried pasting a journal entry or epicrisis into an AI tool to help improve the wording or create a summary.<\/p>\n
\nConclusion<\/h2>\n
\n
\n
\nSources<\/h1>\n
https:\/\/gdpr-info.eu<\/a><\/p>\n
https:\/\/www.datatilsynet.no\/regelverk-og-verktoy\/rapporter-og-utredninger\/kunstig-intelligens\/<\/a><\/p>\n
https:\/\/www.datatilsynet.no\/regelverk-og-verktoy\/rapporter-og-utredninger\/kunstig-intelligens\/anbefalinger\/<\/a><\/p>\n