Privacy concerns
Using the OpenAI API
By default, the OpenAI API is not suitable for processing workloads that are subject to the Health Insurance Portability and Accountability Act (HIPAA). In order to make the OpenAI API suitable for processing data subject to HIPAA, you must:
- Inquire with the OpenAI sales team to obtain an Enterprise Agreement
- Request that OpenAI sign a Business Associate Agreement (BAA)
More information on this can be found in OpenAI's API data usage policies.
Do not use ChatGPT or DALL-E-2
At this time, we strongly advise customers not to use other OpenAI products for processing data subject to HIPAA, including but not limited to ChatGPT and DALL-E-2.
The use of these OpenAI products poses serious privacy concerns, especially when processing PII or PHI. Furthermore, OpenAI does not support signing a BAA for use of any product other than their API.
The OpenAI privacy policies can be reviewed here: https://openai.com/policies/privacy-policy
OpenAI API
OpenAI, while providing incredibly powerful tools, explicitly prompts users not to share sensitive data in their ChatGPT product. For that matter, any cloud-based ML inference and training should be done in an isolated environment where either:
- You own and control the flow and processing of data, or
- You have a BAA established with the service provider.
Before considering the use of OpenAI products in digital health applications, you must understand the privacy implications of using their service, sign an Enterprise Agreement with OpenAI, and obtain a signed BAA with OpenAI.
Azure OpenAI
If you're using Azure OpenAI, a human is in the loop who can review payloads for:
- Abuse monitoring, and
- Content filtering
In the regulated healthcare industry, this human-in-the-loop review can be an explicit data privacy violation.
Azure offers a way to opt out of these human review processes by requesting "limited access" to Azure OpenAI, but it is still not recommended for processing sensitive workloads, particularly PHI.
As quoted from the Azure OpenAI documentation:
"Customers who meet Microsoft’s Limited Access eligibility criteria and have a low-risk use case can apply for the ability to opt-out of both data logging and human review process."
Furthermore, you will still need to sign an Enterprise Agreement and obtain a signed BAA with OpenAI before Azure OpenAI can be considered for appropriate use.
Read more about data, privacy, and security for Azure OpenAI Service here.