Image Inputs Covered by HIPAA

We are working on a system to help us extract information from medical bills of our members. However, the BAA (Business Associate Agreement) signed by OpenAI that protects this sensitive information excludes Image Inputs from the zero retention policy, which is a requirement to protect medical information under HIPAA.

Is there a roadmap to include Image Inputs in the zero retention policy?

In the meanwhile, we will need to use an open-source tool like Pytesseract to first extract information from our bills and then pass that information to the GPT-4 Text model, while if Image Inputs were included in the zero retention policy, we would feed the model directly with the images and obtain better accuracy.

1 Like

One of the workarounds for this I have implemented for this is to section out only the elements of the page that need to be OCR’d that are not one of the 18 HIPAA personal identifiable data elements (name, dob, address etc) and then pass those to the model to be read and transcribed. That way you have no issue with compliance.

There are also some offline methods for image scanning, but those are not OpenAI products.

1 Like

That’s a good and creative idea. In our case, however, we receive medical bills in thousands of different formats depending on the medical provider, so there is not a one-size-fits-all way to section out the HIPAA elements from all these bill formats.

We tested some other tools, but by far, GPT-4 gave us the best results, even if we feed unstructured data extracted via tesseract. Being able to use the vision API for medical bills would improve our accuracy even more!

Indeed, I’m pulling in patient data from a PDF generated by a scanner, I use my offline vision model to read the name, address etc, and then pass GPT-4V the graphical machine output and the associated text in a number of predefined blocks that get processed and retuned, so far I’ve hit 100% accuracy on around 10k tests… I expect the true value to be in the high 9X.X range, it’s looking like 99.somthing so far, which is very impressive.

1 Like

Question then, you say that the BAA says that the image model is not part of the zero retention policy, does it also say that it is not covered by the BAA and HIPAA?

Reason I ask is that HIPAA does not explicitly say that zero retention is a requirement, just that data is appropriately protected if stored with breach protocols in place and a breach register, etc.

Only endpoints that are eligible for zero retention are covered by the BAA:

and /v1/chat/completions is eligible for zero retention except for image inputs

that forces us to not use the gpt-4-vision model, since we are not able to remove the personal identifiable data from our medical bills.

1 Like