State Privacy Laws Impacting AI and Machine Learning in Healthcare
In a recent discussion at the HIMSS 2025 conference in Las Vegas, regulatory attorney Adam Greene from the law firm Davis Wright Tremaine highlighted the implications of state privacy regulations for the use of consumer data in artificial intelligence (AI) and machine learning (ML) applications. Greene pointed out that laws like Washington State’s My Health My Data (MHMD) Act pose significant challenges for organizations seeking to leverage health data for AI development.
Greene emphasized the need for strict adherence to these state laws, particularly when handling consumer health data that is not covered under HIPAA. He noted that the MHMD Act prohibits the use of non-health data to derive health conclusions without explicit consent from individuals. This is particularly relevant for AI projects, which often require extensive datasets to generate new health insights. Without prior authorization, organizations could find their AI initiatives impractical or even untenable.
During his interview with Information Security Media Group, Greene elaborated on the broader context of data privacy in AI and ML applications. He observed a notable absence of federal guidance on how organizations should handle HIPAA-protected health information when employing AI technologies, leaving many regulated entities in a state of uncertainty. This lack of clarity extends to other federal regulations that govern patient data, including 42 CFR Part 2, which concerns records related to substance use disorders.
In addition to compliance hurdles, Greene addressed the potential for privacy lapses in utilizing health information for AI purposes. He cautioned that organizations must navigate complex legal landscapes to avoid missteps that could lead to regulatory repercussions. The balancing act between innovation in AI and adherence to privacy laws is critical, as the federal government’s stance on numerous health data privacy and security issues remains ambiguous.
Greene’s expertise focuses on health information privacy and security, particularly the application of these laws to emerging technologies like AI and ML. His background includes serving as a senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a crucial role in enforcing HIPAA regulations.
For business owners, the conversation around state privacy laws and AI is an urgent reminder of the evolving cybersecurity landscape. As organizations pursue technological advancements, understanding and complying with the legal frameworks in place will be essential to mitigate potential risks and safeguard patient information. The implications of these regulatory challenges underscore the necessity for businesses to stay informed and proactive in their data management strategies, particularly in light of the increasing sophistication of cyber threats.
With the rapid advancement of AI technologies, the intersection of innovation, data privacy, and compliance requires constant vigilance. Organizations must be prepared to adapt to changing regulations while also ensuring that their AI initiatives do not inadvertently cross legal boundaries. This careful navigation is vital for maintaining trust and safeguarding the sensitive data that underpins the healthcare sector.