Ranking Member Cassidy’s first RFI was part of a white paper entitled, “Exploring Congress’ Framework for the Future of AI,” (“AI White Paper”) which outlines the potential benefits and risks of AI, including in health care settings, and requests stakeholder feedback on potential AI legislation and regulation. Comments on the AI White Paper are due on September 22.
Ranking Member Cassidy also issued on September 7 a letter (“Health Data Privacy Letter”) requesting feedback from stakeholders on ways to improve privacy protections of health data, including possibly updating the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and through other legislative solutions. Comments on the Health Data Privacy Letter are due on September 28.
- Organizations should seriously consider submitting feedback to the Senate HELP Committee. This is a unique opportunity to have direct input into the policymaking process in Congress. It also offers a good opportunity to strengthen relationships with members of the powerful Senate HELP Committee and their staff. Specific instructions for providing responses on the AI White Paper and Health Data Privacy Letter requests for comment are included on the Committee’s website.
- Congress is paying close attention to what federal agencies are doing to regulate AI in the health care sector. But requests for information like these suggest that Congress is not going to cede its policymaking role to the agencies. Congress is looking to act and organizations that could be affected by laws and regulations on AI in the health care space would be wise to share their views.
AI Policy Developments and Exploring Congress’ Framework for the Future of AI
Ranking Member Cassidy’s AI White Paper acknowledges that AI in health care has a number of potential benefits, including helping to create new cures and treatments, improve patient care, help to ease administrative burdens, and reduce overall health care spending. But while there are numerous benefits, the AI White Paper also states that widespread use of AI tools carries significant risks, including a number specific to the health care context that may require legislation to manage.
The AI White Paper states that there are some areas, like drug development, that are particularly well-suited to incorporate AI. It commends the U.S. Food and Drug Administration (“FDA”) for encouraging use of AI in drug development and manufacturing, and states that Congress should likewise find ways to foster the use of AI for research and development.
Other areas clearly require updated laws and regulation. For example, the AI White Paper singles out the FDA’s framework for regulating medical devices, which was not designed with AI in mind. The AI White Paper concludes that Congress may need to weigh in to provide predictability and flexibility for AI-powered devices while also making sure that these devices are safe and effective. The AI White Paper also raises significant concerns about transparency, privacy, and security issues, especially when patient data is being used to develop AI systems and technologies.
The AI White Paper requests stakeholder feedback on potential AI legislation and regulation, including on the following topics:
- Supporting medical innovation (e.g., How can FDA support the use of AI to design and develop new drugs and biologics and in medical devices? What updates to the regulatory frameworks for drugs and biologics should Congress consider to facilitate innovation in AI applications?)
- Enhance detection and treatment of current and emerging diseases (e.g., What updates to the regulatory frameworks for medical devices should Congress consider to facilitate innovation in AI applications while also ensuring that products are safe and effective for patients?)
- Preventing bias and ensuring safety (e.g., What practices are in place to mitigate bias in AI decision-making? Who should be responsible for determining safe and appropriate applications of AI algorithms?)
- Relive workload of health care providers (e.g., What existing standards are in place to demonstrate clinical validity when leveraging AI?)
- Secure American’s health data privacy (e.g., Is the current HIPAA framework equipped to safeguard patient privacy with regards to AI in clinical settings? If not, how not or how to better equip the framework?
The AI White Paper is part of a wider Senate effort to develop legislation on AI. Earlier this year, Senate Majority Leader Chuck Schumer (D-NY) announced that the Senate would start discussing a high-level framework that outlines a new regulatory regime for AI and to engage leading AI experts to help inform future policies. In June 2023, Majority Leader Schumer released the SAFE Innovation Framework to outline policy objectives for committees to follow when developing bipartisan legislation. The Senate also recently announced that starting in September it will convene a number of private sector, civil rights, defense, research, labor and arts parties to provide insight on AI.
The Administration has also taken a number of actions in recent years to increase regulatory oversight of health AI systems and technologies. The White House released a Blueprint for an AI Bill of Rights last year as well as an executive order directing officials overseeing top government agencies to root out bias in AI tools. In addition, the FDA has issued frameworks, guidance, and other publications regarding the role of AI and machine learning (“ML”) in the development of drugs and biological products, Software as a Medical Device, and certain clinical decision support (“CDS”) tools. The Office of the National Coordinator for Health Information Technology also recently issued a proposed rule addressing tools that encompass AI/ML by proposing additional CDS/predictive decision support intervention certification criterion for developers of certified health IT.
In addition to the AI White Paper, Ranking Member Cassidy also released the Health Data Privacy Letter, which highlights the rapid development and widespread consumer use of technologies such as wearable devices, smart devices, and health and wellness apps. Specifically, the Health Data Privacy Letter expresses concern about the creation and collection of health data by these technologies, which may not be protected under HIPAA. It also notes that building trust in our health care system is essential and while HIPAA has effectively safeguarded privacy for decades, new technologies have raised new issues about privacy that were not contemplated when HIPAA was passed.
The Health Data Privacy Letter request stakeholder feedback on the following topics:
- General Privacy Questions (e.g., Which entities outside of HIPAA should be accountable for the handling of health data? Should different types of entities have different obligations and privileges?)
- Health Information under HIPAA (e.g., Should Congress expand the scope of HIPAA? What specific information should be included in the HIPAA framework?)
- Collection of Health Data (e.g., How should consumer/patient consent to an entity to collect information be structured to minimize unnecessary data gathering? When should consent be required and where should it be implied?)
- Sensitive health data, including biometric data and genetic information (e.g., How should genetic information collected by commercial services be safeguarded? What obligations and allowances should entities have when collecting, maintaining or disclosing biometric data?)
- Health adjacent data, including location data and financial information (e.g., How should location data that is being collected at a health care facility or website or other digital presence maintained by a health care entity be treated? What types of financial data should or should not be considered health data?)
- Sharing of health data (e.g., What, if any, framework should be imposed on third parties who use third-party data sources to supplement HIPAA data to uncover an individual’s health condition?)
- AI (e.g., What privacy challenges and benefits does the use of AI pose for entities that collect, maintain, or disclose health care data, whether within the HIPAA framework or without?)
- State and international privacy frameworks (e.g., How should the federal government proceed, considering the existing state patchwork of data and privacy laws)?
- Enforcement (e.g., To what extent should OCR and the FTC have a role in the safeguarding of health data? What duplication or conflict currently exists between how different agencies enforce violations of health laws?)
Congress and the Administration are working to keep pace with rapidly developing innovation in AI and in health care. We expect additional hearings, publications, regulations, and even potential legislation from Congress in the coming months. Organizations that may be impacted by new laws and regulations would be wise to work to be part of the policy conversation now.
Crowell is available to assist clients in drafting responses to these RFIs and helping clients to follow up and engage directly with policymakers on these issues. For more information, please contact the professionals listed below, or your regular Crowell contact.