Regulations and considerations needed to legally use patient data for artificial intelligence (AI) and to align with data protection laws in U.S. and internationally

Abstract

Patient data use for AI system training is becoming increasingly integrated into clinical decision-making. Ethical and legal considerations along with compliance are among the challenges and considerations for proper data collection, use, and sharing. Ethical design and development of AI systems must include the transparency of the framework and an-depth informed consent to include the understanding of how the data will be used, who controls it, and how long it will be maintained. National and international guidelines set by the United States and Europe are essential to safely maintain and protect patient information and privacy. AI guidelines need to be clearly established for data ownership and use, therefore, contributing to patient care without compromising ethical obligations. Responsible adoption of AI creates high standards and data security for Protected Health Information (PHI) and patient privacy. Ethically created AI systems promote trust and advancements in dentistry contributing to enhanced patient care.

Keywords: Artificial intelligence, legal issues, ethical issues, data protection, ownership of data Introduction

Using patient data to train artificial intelligence (AI) in dentistry poses significant ethical and legal challenges. Patient privacy and autonomy must be carefully protected. In dentistry and medicine, where clinical decision-making can be highly personalized, training AI models on diverse datasets is therefore critical to being accurate and unbiased. The collection, use, and sharing of this personal information raises questions about consent, privacy, and legal responsibility of the data researcher and data storage entity. As AI relies on extensive amounts of clinical data to learn and improve its predictive abilities, we need to discuss the ethical and legal implications of using patient data in AI training for dentistry with considerations of the U.S. regulations of the Health Insurance Portability and Accountability Act (HIPAA) and of the General Data Protection Regulation in Europe (GDPR).

Key legal issues

HIPAA sets stringent rules and guidelines to protect patient data. AI training must also meet these standards. This includes provisions for anonymity, information and data security, and most importantly patient consent.^31,32

GDPR in Europe requires patients to be informed and give explicit consent to the use of their data. It also offers patients being given a “right to be forgotten”, meaning they can request their data be removed from the AI system or data set and no longer be used.^10,12,19,26

HIPAA Standards include de-identification including removal of names, Social Security numbers, geographic information, and any other key identifiers. If there is such an occurrence of de-identification not being possible, an Informed Consent should be developed in accordance with HIPAA.^31,32

Read related article: The human touch in digital dentistry: Preserving compassion while embracing AI

Data should be encrypted and protected with strict access to ensure privacy and integrity. Safeguard implementation to protect personal identifiable information should be developed in accordance with HIPAA’s Security Rule and the GDPR.^{10,12,19,26,31,32} Security protocols should be continuously monitored and reviewed, ensuring sustainability of protection. The emerging industry of blockchain technology may be one answer for data protection and encryption for security. Ingle, et al discuss the promise of blockchain technology; however, there is a lack of comprehensive literature review in this area.¹⁶ Goldsteen, et al discuss two alternate options for AI privacy tools having been tested in a real-world setting in the health industry. With the potential to infer personal information from trained AI models, Goldsteen feels adhering to strict restrictions is required to prevent a personal data breach.¹⁴ Legal liability, therefore, becomes an issue regarding lack of data protection and regulation adherence.

Determination of legal liability can be challenging when a trained AI system using patient data leads to incorrect clinical decision making, disclosure of patient information, or a data breach. If a data breach is discovered, affected patients and the Department of Health and Human Services are required to be notified.^31,32 Traditional malpractice insurance should consider the coverage of AI-driven errors or adverse outcomes. Cyber-security insurance should consider the coverage for a potential leak or data breach.

Transfer of information from the U.S. to other countries may violate HIPAA and GDPR regulations. An approved systematic control of data usage and transferal complying with both HIPAA and GDPR regulations need to ensure both data privacy and regulation. Continued compliance needs to be monitored and updated according to any local and international regulatory changes.^{10,12,19,26,31,32}

Key ethical issues

Informed Consent: Patients may not fully understand how their information will be used. This is especially true as AI systems evolve and need to be constantly updated with new data. Anonymity must be maintained. Data should be processed in a manner that removes personally identifiable information to protect patient privacy. Development of a system to overcome these privacy issues should be considered. Ownership of the data should be considered and recognition of ownership should be developed when dealing with AI system data.

Initial considerations are the patient, the practitioner or scientist gathering the data, or a third-party company. The process of using patient data should be transparent. Unlimited use of data allows for sharing, storing and mixing of data, possibly creating a very difficult standard for transparency and control. Generally, patients may never know how their data is being used or stored, and the Informed Consents may not cover the general or specific use of data. Data use needs to be controlled and monitored to ensure AI systems do not evolve into a continual development or broadening of poor or incorrect data quality. AI ethics should be defined and adhered to for a consistency in improving decision making and clinical outcomes.^{2,6,7,8,9,11,14,15,20,23,28,29,30,33}

Bonny et al discussed the topic initially brought about by Redman²⁵ regarding poor data sets and the effect on AI systems. “The precision of the annotations and labeling of the training dataset significantly influences the quality of predictions generated by AI systems. Poor outcomes may stem from wrongly tagged data. Clinic-labeled datasets could be of different quality, making the developed AI systems less effective”.⁶ Standardizations of data and data collection is a requirement for proper AI interpretation and problem solving. Due to the vastness of AI, the solution to the difficulty of interpretation may only be in the foreseeable future. However, the data interpretation is a key factor in the resolve of many human issues. Al-Namankany concluded that “Machine learning algorithms can be a promising way to enhance the prediction, detection, and management of ECC (Early childhood caries) by achieving high accuracy, sensitivity, specificity, and AUC values.”¹ This is an example of what AI systems can perform on a scale to change dentistry while protecting children from dental disease at such a young age.

Informed Consent

HIPAA required patients provide consent before their data can be used including for the use of AI training. However, AI systems can use this data for a variety of purposes, such as developing, testing, and validating algorithms. Patients may not fully understand these complications. Some patients may only consider the specific use of their personal data resulting in the limitation of information being gathered.  

Development of a comprehensive Informed Consent form should explain the use of patient data and how it will be used in the development of AI training. The Consent should advise the risks and benefits of sharing personal data. As development of AI technologies evolve, Consent forms should be updated to ensure patients awareness of the changes and continue to provide permission and protection.^{2,4,5,6,7,8,11,27}

Patient data needs to be anonymized using proven methods resulting in steadfast patient privacy. The concern is that anonymized data has the potential to be re-identified. This issue may be of special concern when combining the data with other data sources. Continual auditing of data anonymization processes should be developed to protect patient information and identification. If the process of anonymity cannot be obtained, the patient should be notified, and an additional Informed Consent should be obtained.  

Transparency and trust

Patients should be aware of the use of personal data and how it will be used. Transparency regarding data collection and its use should be explained, providing a complete understanding. The Informed Consent should also discuss the potential for future use of the data and how it may be used. This may require several consents or a general consent covering the infinite use of personal data with the understanding personal identifiable information will be anonymized.^{2,4,11,14,22,29,33} A systematic process needs to be developed to provide the patient, doctor, and scientist the opportunity to discuss the process and use of personal data.  

Ownership and control of data

One of the greatest difficulties will be to determine who owns the data. Clear data-sharing agreements should be developed defining who owns and controls the data. Ownership needs to be clarified, and regulations developed to decide what and how the owner can direct the use of the data. For patients governed under the GDPR, the right to access, update, and request to delete their data must be provided. Indirectly, this may state the patient has ownership of the information versus corporate or practitioner owned.^10,12,19,26 AI-driven healthcare should designate advocates to develop guidelines in accordance with local and international standards.

There should be clear guidelines on data commercialization, ensuring that AI companies cannot claim full ownership over patient data without proper consent and benefit-sharing with the individuals and practices that provide the data.^4,6,7,11 Ownership and Responsibility of data need to be well defined as these terms may fall under the same responsible party. Naik, et al discuss reasons for responsibility of data and the accuracy of non-biased data still being at risk to fail unintentionally. Other concerns may be that “People may accept decision-support system results without questioning their limits” and “When a medical diagnostic and treatment system is mostly accurate, medical practitioners who use it may grow complacent, failing to maintain their skills or take pleasure in their work.”²²  Several factors play a role in the responsibility of data and the practice of AI driven medically based systems.^{6, 22}

According to Naik, et al, Artificial intelligence systems need to have validation and to be evaluated according to the Association for the Advancement of Artificial Intelligence. They state “It is critical to establish, test, measure, and assess the dependability, performance, safety, and ethical compliance” of these systems prior to implementation.²² Using AI systems may also provide a level of reasonable accountability and a foundation for data results. The difficulty being the initial validation of the AI system and validation model.

As AI increasingly influences clinical decision making, safeguarding patient privacy, autonomy, and control over their data becomes essential. To ensure patient data is used ethically for AI systems training in dentistry and medicine, a comprehensive strategy is needed. A strategy that balances technological advancement and legal responsibility with the protection of patient rights. Ethical guidelines should be developed using transparency and informed consent which clearly define data ownership, how it is used and maintained. Collaboration between AI developers and medical professionals is crucial to strictly follow regulations set by HIPAA in the U.S. and international standards such as GDPR. By proactively and aggressively addressing these issues and establishing strong ethical and legal frameworks, the dental and medical communities can utilize AI developments while simultaneously preserving the trust of patients and practitioners. This creates a space where AI-driven systems and communities can evolve without bias and without undermining the ethical standards that are necessary in healthcare.

References

1. Al-Namankany A. Influence of Artificial Intelligence-Driven Diagnostic Tools on Treatment Decision-Making in Early Childhood Caries: A Systematic Review of Accuracy and Clinical Outcomes. Dent J (Basel). 2023 Sep 12;11(9):214. doi: 10.3390/dj11090214. PMID: 37754334; PMCID: PMC10530226.
2. Almoammar KA. Harnessing the Power of Artificial Intelligence in Cleft Lip and Palate: An In-Depth Analysis from Diagnosis to Treatment, a Comprehensive Review. Children (Basel). 2024 Jan 23;11(2):140. doi: 10.3390/children11020140. PMID: 38397252; PMCID: PMC10886996.
3. Anil S, Porwal P, Porwal A. Transforming Dental Caries Diagnosis Through Artificial Intelligence-Based Techniques. Cureus. 2023 Jul 11;15(7):e41694. doi:10.7759/cureus.41694. PMID: 37575741; PMCID: PMC10413921.
4. Ayad N, Schwendicke F, Krois J, van den Bosch S, Bergé S, Bohner L, Hanisch M, Vinayahalingam S. Patients’ perspectives on the use of artificial intelligence in dentistry: a regional survey. Head Face Med. 2023 Jun 22;19(1):23. doi: 10.1186/s13005-02300368-z. PMID: 37349791; PMCID: PMC10288769.
5. Mahesh Batra A, Reche A. A New Era of Dental Care: Harnessing Artificial Intelligence for Better Diagnosis and Treatment. Cureus. 2023 Nov 23;15(11):e49319. doi:10.7759/cureus.49319. PMID: 38143639; PMCID: PMC10748804.
6. Bonny T, Al Nassan W, Obaideen K, Al Mallahi MN, Mohammad Y, El-Damanhoury HM. Contemporary Role and Applications of Artificial Intelligence in Dentistry. F1000Res. 2023 Sep 20;12:1179. doi: 10.12688/f1000research.140204.1. PMID: 37942018; PMCID: PMC10630586.
7. Dhopte A, Bagde H. Smart Smile: Revolutionizing Dentistry With Artificial Intelligence. Cureus. 2023 Jun 30;15(6):e41227. doi: 10.7759/cureus.41227. PMID: 37529520; PMCID: PMC10387377.
8. Duggal I, Tripathi T. Ethical principles in dental healthcare: Relevance in the current technological era of artificial intelligence. J Oral Biol Craniofac Res. 2024 MayJun;14(3):317-321. doi: 10.1016/j.jobcr.2024.04.003. Epub 2024 Apr 13. PMID: 38645705; PMCID: PMC11031811.
9. Elendu C, Amaechi DC, Elendu TC, Jingwa KA, Okoye OK, John Okah M, Ladele JA, Farah AH, Alimi HA. Ethical implications of AI and robotics in healthcare: A review. Medicine (Baltimore). 2023 Dec 15;102(50):e36671. doi:10.1097/MD.0000000000036671. PMID: 38115340; PMCID: PMC10727550.
10. European Union. (2016). General Data Protection Regulation (EU) 2016/679. https://eurlex.europa.eu/eli/reg/2016/679/oj
11. Favaretto M, Shaw D, De Clercq E, Joda T, Elger BS. Big Data and Digitalization in Dentistry: A Systematic Review of the Ethical Issues. Int J Environ Res Public Health. 2020 Apr 6;17(7):2495. doi: 10.3390/ijerph17072495. PMID: 32268509; PMCID: PMC7177351.
12. Forcier MB, Gallois H, Mullan S, Joly Y. Integrating artificial intelligence into health care through data access: can the GDPR act as a beacon for policymakers? J Law Biosci. 2019 Sep 16;6(1):317-335. doi: 10.1093/jlb/lsz013. PMID: 31666972; PMCID: PMC6813940.
13. Giannakopoulos K, Kavadella A, Aaqel Salim A, Stamatopoulos V, Kaklamanos EG. Evaluation of the Performance of Generative AI Large Language Models ChatGPT, Google Bard, and Microsoft Bing Chat in Supporting Evidence-Based Dentistry: Comparative Mixed Methods Study. J Med Internet Res. 2023 Dec 28;25:e51580. doi: 10.2196/51580. PMID: 38009003; PMCID: PMC10784979.
14. Goldsteen A, Farkash A, Moffie M, Shmelkin R. Applying Artificial Intelligence Privacy Technology in the Healthcare Domain. Stud Health Technol Inform. 2022 May 25;294:121-122. doi: 10.3233/SHTI220410. PMID: 35612030.
15. He J, Baxter SL, Xu J, et al. : The practical implementation of artificial intelligence technologies in medicine. Nat. Med. 2019;25(1):30–36. 10.1038/s41591-018-0307-0
16. Ingle NA, Aloraini RA, Aljohany RS, Samater FM, Al Ageil AA, Alshahrani MM. Implementation of Blockchain Technology Across Different Domains of Dentistry: A Systematic Review. Cureus. 2023 Sep 18;15(9):e45512. doi: 10.7759/cureus.45512. PMID: 37868487; PMCID: PMC10585117.
17. Iqbal J, Cortés Jaimes DC, Makineni P, Subramani S, Hemaida S, Thugu TR, Butt AN, Sikto JT, Kaur P, Lak MA, Augustine M, Shahzad R, Arain M. Reimagining Healthcare: Unleashing the Power of Artificial Intelligence in Medicine. Cureus. 2023 Sep 4;15(9):e44658. doi: 10.7759/cureus.44658. PMID: 37799217; PMCID: PMC10549955.
18. Lin GSS, Ng YS, Ghani NRNA, Chua KH. Revolutionising dental technologies: a qualitative study on dental technicians’ perceptions of Artificial intelligence integration. BMC Oral Health. 2023 Sep 25;23(1):690. doi: 10.1186/s12903-023-03389-x. PMID: 37749537; PMCID: PMC10521564.
19. Meszaros J, Minari J, Huys I. The future regulation of artificial intelligence systems in healthcare services and medical research in the European Union. Front Genet. 2022 Oct 4;13:927721. doi: 10.3389/fgene.2022.927721. PMID: 36267404; PMCID: PMC9576843.
20. Miragall MF, Knoedler S, Kauke-Navarro M, Saadoun R, Grabenhorst A, Grill FD, Ritschl LM, Fichter AM, Safi AF, Knoedler L. Face the Future-Artificial Intelligence in Oral and Maxillofacial Surgery. J Clin Med. 2023 Oct 30;12(21):6843. doi: 10.3390/jcm12216843. PMID: 37959310; PMCID: PMC10649053.
21. Morita PP, Abhari S, Kaur J, Lotto M, Miranda PADSES, Oetomo A. Applying ChatGPT in public health: a SWOT and PESTLE analysis. Front Public Health. 2023 Jul 3;11:1225861. doi: 10.3389/fpubh.2023.1225861. PMID: 37465170; PMCID: PMC10350520.
22. Naik N, Hameed BMZ, Shetty DK, Swain D, Shah M, Paul R, Aggarwal K, Ibrahim S, Patil V, Smriti K, Shetty S, Rai BP, Chlosta P, Somani BK. Legal and Ethical Consideration in Artificial Intelligence in Healthcare: Who Takes Responsibility? Front Surg. 2022 Mar 14;9:862322. doi: 10.3389/fsurg.2022.862322. PMID: 35360424; PMCID: PMC8963864.
23. Obermeyer Z, Powers B, Vogeli C, Mullainathan S. Dissecting racial bias in an algorithm used to manage the health of populations. Science. 2019 Oct 25;366(6464):447-453. doi: 10.1126/science.aax2342. PMID: 31649194.
24. Reddy S. Generative AI in healthcare: an implementation science informed translational path on application, integration and governance. Implement Sci. 2024 Mar 15;19(1):27. doi: 10.1186/s13012-024-01357-9. PMID: 38491544; PMCID: PMC10941464.
25. Redman TC: If your data is bad, your machine learning tools are useless. Harv. Bus. Rev. 2018;2.
26. Report on the Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) . Europarleuropaeu. Available online at: https://www.europarl.europa.eu/doceo/document/A-7-2013-0402_EN.html
27. Sallam M, Barakat M, Sallam M. A Preliminary Checklist (METRICS) to Standardize the Design and Reporting of Studies on Generative Artificial Intelligence-Based Models in Health Care Education and Practice: Development Study Involving a Literature Review. Interact J Med Res. 2024 Feb 15;13:e54704. doi: 10.2196/54704. PMID: 38276872; PMCID: PMC10905357.
28. Semerci ZM, Yardımcı S. Empowering Modern Dentistry: The Impact of Artificial Intelligence on Patient Care and Clinical Decision Making. Diagnostics (Basel). 2024 Jun 14;14(12):1260. doi: 10.3390/diagnostics14121260. PMID: 38928675; PMCID: PMC11202919.
29. Stafie CS, Sufaru IG, Ghiciuc CM, Stafie II, Sufaru EC, Solomon SM, Hancianu M. Exploring the Intersection of Artificial Intelligence and Clinical Healthcare: A Multidisciplinary Review. Diagnostics (Basel). 2023 Jun 7;13(12):1995. doi: 10.3390/diagnostics13121995. PMID: 37370890; PMCID: PMC10297646.
30. Umapathy VR, Rajinikanth B S, Samuel Raj RD, Yadav S, Munavarah SA, Anandapandian PA, Mary AV, Padmavathy K, R A. Perspective of Artificial Intelligence in Disease Diagnosis: A Review of Current and Future Endeavours in the Medical Field. Cureus. 2023 Sep 21;15(9):e45684. doi: 10.7759/cureus.45684. PMID: 37868519; PMCID: PMC10590060.
31. U.S. Department of Health and Human Services. (2013). HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. https://www.hhs.gov/sites/default/files/nist-securityhipaa-crosswalk-02-22-2016-final.pdf
32. U.S. Department of Health and Human Services. (2013). HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. https://www.hhs.gov/sites/default/files/nist-securityhipaa-crosswalk-02-22-2016-final.pdf
33. U.S. Department of Health and Human Services. (2020). Summary of the HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
34. Vodanović M, Subašić M, Milošević D, Savić Pavičin I. Artificial Intelligence in Medicine and Dentistry. Acta Stomatol Croat. 2023 Mar;57(1):70-84. doi: 10.15644/asc57/1/8. PMID: 37288152; PMCID: PMC10243707.

---

About the author

Dr. Blankenship is a Board-Certified Orthodontist and currently serves as the Clinical Director at the Georgia School of Orthodontics (GSO). With over 25 years of experience in both General Dentistry and Orthodontics, he has become a respected leader and educator in the field. He lectures nationally on a wide range of topics, including Orthodontics, Cosmetic Dentistry, CAD/CAM Dentistry, and Dental Sleep Medicine/Sleep Apnea. Dr. Blankenship began his career in the U.S. Navy, practicing General Dentistry before transitioning to private practice. He later retired with the rank of Commander in the U.S. Naval Reserves.