Carolyn Metnick is a partner in the Corporate Practice Group in the firm's Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams.

As artificial intelligence (AI) continues to transform the healthcare industry, hospitals, health systems, and provider organizations are increasingly recognizing the need for effective AI governance. But what exactly is AI governance, and why is it so crucial for healthcare organizations?
Continue Reading Building a Robust AI Governance Program in Healthcare

With technology rapidly evolving and jurisdictions appearing blurred, it is increasingly important to be mindful of data flow and use. This is particularly true where patient data is being accessed by offshore subcontractors.
Continue Reading Do You Catch Our Drift? Navigating the Waters of Offshoring and Patient Data

On May 17, 2024, the Colorado Governor signed into law Senate Bill 24-205, the Colorado Artificial Intelligence (AI) Act (the “Act”). The law will take effect on February 1, 2026, and the Colorado Attorney General will have exclusive enforcement authority. As previewed in our prior blog post, the Act focuses on consumer protection issues when companies develop AI tools and imposes obligations on developers (i.e., creators) and deployers (i.e., users) of “high risk” AI systems. “High-Risk” AI systems (“HRAIS”) are defined as any AI system that “makes, or is a substantial factor in making, a consequential decision.” A substantial factor means one that (1) “assists in making a consequential decision”; (2) “is capable of altering the outcome of a consequential decision”; and (3) “is generated by an artificial intelligence system.” A consequential decision is a decision that has a material legal or similarly significant effect on matters related to education, employment, financial lending services, an essential government service, healthcare services, housing, insurance, or legal services. This article specifically reviews the impact the Act has on healthcare services.
Continue Reading Colorado’s Artificial Intelligence Act Impact on Healthcare Decisions

At last week’s America’s Physician Group Spring conference in San Diego, California, our team heard firsthand how physicians are leading efforts to integrate Artificial Intelligence (AI) applications in ambulatory and inpatient settings in major healthcare systems across the nation. Physician and IT leaders described in detail their organizations’ efforts to identify safe, cost-effective, desirable ways to leverage AI to enhance the efficiency and quality of patient care and reduce physicians’ administrative workload. Here, we highlight key approaches that have generated early success for various health systems and physician groups, as well as key pitfalls that participants looking to adopt these technologies need to account for in their planning.
Continue Reading How Physicians are Pioneering Use of AI Applications in Ambulatory and Inpatient Care

If your organization has not updated its policies to comply with Utah’s Artificial Intelligence Policy Act (the “Act”), now is the time. As we noted in a prior blog post, this law took effect on May 1st. While it imposes certain AI-related disclosure obligations on businesses and individuals as a whole, the obligations for regulated occupations (which include those licensed by the Utah Division of Professional Licensing, such as clinical services provided by a licensed healthcare provider, including a physician or nurse) are stricter.
Continue Reading Utah Providers – Are You Complying with the AI Policy Act?

This is the second post in a two-part series on PrivacyCon’s key takeaways for healthcare organizations. The first post focused on healthcare privacy issues.[1] This post focuses on insights and considerations relating to the use of Artificial Intelligence (“AI”) in healthcare. In the AI segment of the event, the Federal Trade Commission (“FTC”) covered: (1) privacy themes; (2) considerations for Large Language Models (“LLMs”); and (3) AI functionality.
Continue Reading Artificial Intelligence Highlights from FTC’s 2024 PrivacyCon

Last month, the Federal Trade Commission (“FTC”) hosted its annual PrivacyCon event, featuring an array of experts discussing the latest in privacy and data security research. This post, covering healthcare privacy issues, is the first in a two-part series on PrivacyCon’s key takeaways for healthcare organizations. The second post will cover topics on artificial intelligence in healthcare.
Continue Reading Healthcare Highlights from FTC’s 2024 PrivacyCon

On November 2, 2023, the American Hospital Association and Texas Hospital Association, in conjunction with the Texas Health Resources and United Regional Health Care System, filed suit against the Secretary of the Department of Health and Human Services (“HHS”) and the Director of the HHS Office for Civil Rights (“OCR”) regarding OCR’s guidance on the use of online tracking technologies by HIPAA entities.[i] This action and its results will impact how healthcare entities must protect and may use certain information collected on their digital sites.
Continue Reading Caught in the Web: Hospital Associations Sue OCR on Third-Party Web Tracking Guidance

California is taking steps through Assembly Bill 254 (the “Bill”), approved by the State’s Governor on September 27, 2023, to ensure that patient information collected through reproductive or sexual health applications enjoys protections under the Confidentiality of Medical Information Act (the “CMIA”).[1] In addition to applying to providers and plans, the CMIA applies to businesses that offer software or hardware to consumers, such as mobile applications, which maintain medical information for the purpose of enabling management of such medical information or to otherwise support diagnosis, treatment, or management of a medical condition.[2] As a result, software and application developers may need to consider the CMIA with respect to their obligations relating to this particular data. In addition to certain confidentiality requirements, the CMIA also prohibits certain marketing uses and disclosures and requires breach notification in certain qualifying instances.
Continue Reading California Moves to Protect Medical Information Collected Through Reproductive and Sexual Health Applications

On June 16, 2023, nearly half of the State Attorneys General[1] penned a letter (the “Letter”) to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) advocating for broader privacy protections surrounding reproductive health care information. Specifically, the Letter targeted the Notice of Proposed Rulemaking (the “Proposed Rule”) published by OCR in April of 2023, which proposed a number of revisions to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[2]
Continue Reading State Attorneys General Pen Letter to OCR Advocating for Greater Privacy Protection of Reproductive Health Care Information