We are trying to build and train a GPT that involves usage of HL7 messages as the main data source, along with a few others. While not explicitly mentioned, it is still a grey area for us whether we can submit HL7 messages to the GPT-4 model in Production. The goal is to track the activities of the patient within a healthcare setting. Are we allowed to do so? Otherwise, we are just wasting our time.
This should be possible, but you might need some compliance statements and other paperwork.
I’ll ding @Foxabilo, as he knows more about this stuff than I do.
If you’re wondering what HL7 is:
Health Level Seven (HL7) is a set of international standards used to provide guidance with transferring and sharing data between various healthcare providers.
HL7 should be fine so long as you have obtained a BAA with OpenAI to ensure your position in the chain is compliant.
As part of the BAA process you will need to outline your business proposition and give a detailed description of your use case. So long as you are not asking the AI to make direct clinical diagnoses (any output from the AI should only be used as additional information for a qualified clinician to take into account), I do not see an issue. The main thing to avoid is any situation where the output from the AI would be relied upon in a situation that could cause harm.
This BAA needs to be signed between us, as in between me and OpenAI, or for any customer we get, between them and OpenAI?
We are trying to build an auditing system using OpenAI as the main message analysis backend service. We are not going to provide clinical diagnosis of the patient.
What worried us was this statement by ChatGPT - “Yes, even when using the API, you should not send personally identifiable information (PII) or sensitive healthcare data to ChatGPT or any AI model. OpenAI’s policies and ethical guidelines prohibit the use of their models to process or handle sensitive and private information, including PII, medical records, or any other confidential data.”
Between you and OpenAI and also between you and any suppliers of services that may handle PHI along the chain.
Please don’t take what ChatGPT says about BAAs as ground truth. Email firstname.lastname@example.org to let them know you wish to get the agreement signed, and they will contact you with the information they require, which will include a detailed explanation of the use case. The BAA is an agreement that any PHI data will be kept confidential and handled correctly; the API does not retain any data for anything but a minimum legal period and so complies with HIPAA regulations.
Thanks for the guidance. I will write to email@example.com and take it from there.