Artificial Intelligence & Cybersecurity

Many health and dental care organizations have already begun implementation of various forms of artificial intelligence (AI) technology into their operations (e.g., AI phone menus, AI transcription, etc.). Although the use of AI has its benefits, cybersecurity must be considered, because under HIPAA’s Security Rule, you are required to ensure the security of all PHI that is received, stored, and transmitted.

The National Institute of Standards and Technology (NIST) is an organization that develops best practices and standards for infrastructure, systems, networks and more. NIST has developed guidelines for cybersecurity in the AI era titled “Cybersecurity Framework Profile for Artificial Intelligence.” You can find the guidelines here. These guidelines focus on ways that organizations can secure their AI systems, defend against cyberattacks, and thwart AI threats.

It can be very helpful to share NIST guidance with your IT vendor, who should also be involved in implementation of AI technologies. Your IT vendor can identify areas of risk and help to mitigate them. Some of the NIST guidance may be difficult to understand for those who are not IT experts. However, the guidance may assist you in identifying risks you hadn’t even considered when adopting AI.

Foundationally, you should have a business associate agreement (BAA) with any vendor that provides AI services, and which will access, transmit, store, or work with EPHI. Be sure to obtain the BAA prior to granting any access to EPHI.

In addition, all AI technologies should be evaluated as part of your Security Risk Analysis (SRA) to identify any vulnerabilities and risks associated with the products. Corrective actions may be identified during the SRA to reduce/mitigate risks that are present. Again, your IT vendor will be an important resource in this area.

Hazard Communication Standard Exemptions

Hazard Communication Exemptions

The simplest way to determine whether a product is considered hazardous is to rely on the determination of the manufacturer. Since most hazardous products are obtained from medical, pharmaceutical, and janitorial supply companies, you can request that a current SDS be provided for each product you purchase from them. The Hazard Communication Standard requires that they provide SDSs to purchasers with the first order of their products and upon request.

Hazard Classification

In some cases, you may request a SDS for a product and be informed by the manufacturer that the product does not contain any hazardous chemicals, as defined by OSHA, or that a hazardous chemical comprises less than 1% of the total product or 0.1% for carcinogenic ingredients. In these cases, the product is considered non-hazardous and a safety data sheet is not required. Whether the notification is verbal (by phone) or by letter, you should record the information or maintain the notice provided for future reference. You may retain the letter or SDS in a file that is separate from SDSs for hazardous products.

Many manufacturers will create a safety data sheet even though a product contains no hazardous ingredients or contains less than the amounts specified above (1% or 0.1% of a carcinogen). When a new safety data sheet is received, section 3 of the product’s safety data sheet should be reviewed for information on ingredients. If there are no ingredients listed in this section, or listed ingredients each comprise less than 1% of the product (0.1% if carcinogenic), you may then determine that a safety data sheet need not be maintained for employee review.

Aside from reviewing the chemical composition of a product, from that point the decision whether to include a product in your Hazard Communication Plan can become confusing.

Specific Exemptions

In addition to those products that are considered non-hazardous due to their composition, the Standard exempts certain products (i.e., consumer products, cosmetics, OTC medications, and most sample drugs), due to the way in which the products are used. You are not required to maintain SDSs for these items even though the products may contain hazardous ingredients in amounts above the minimum threshold (1% or 0.1%). Note – while there are exemptions, you always have the option to maintain SDSs for all products (exempt and non-exempt, if available). All exemptions (that pertain to medical/dental settings) are covered in this article.

Consumer Products

OSHA exempts consumer products from Hazard Communication requirements, with the condition that “the employer can show that it is used in the workplace for the purpose intended by the manufacturer or importer of the product, and the use results in a duration and frequency of exposure which is not greater than the range of exposures that could reasonably be experienced by consumers when used for the

purpose intended.”  In other words, if the product is available to regular household consumers and is used in the same manner and with the same frequency/duration that a normal consumer would use it, then it is exempt from Hazard Communication requirements. For example, isopropyl alcohol and bleach may be purchased and used by any member of the general public. However, the frequency of use is probably much greater in a medical/dental practice than in a home. Therefore, the products would not be exempt. On the other hand, window cleaners, furniture polish, kitchen cleansers, etc. are most likely used with the same frequency and duration as with normal consumers and, therefore, would be exempt.

The Hazard Communication Standard also exempts foods, drugs, or cosmetics intended for personal consumption by employees while in the workplace.

OTC Medications and Samples

There are two specific exemptions pertaining to drugs within the Hazard Communication Standard. They are as follows:

  • Drugs that are dispensed by a pharmacy to a healthcare provider for direct administration to a patient.
  • Any drug when it is in solid, final form for direct administration to the patient (i.e., tablets, pills, capsules).

As you can see with both exemptions, there is minimal opportunity for employee exposure to hazardous chemicals. If tablets or capsules are broken open, crushed or otherwise manipulated before administration, they will NOT meet the criteria of this exemption, and will require SDSs.

It is important to note that here is no blanket exemption for injectable or liquid medicines. Many of our customers have been misinformed about this fact. A safety data sheet should be requested for every injectable and liquid, whether it is an immunization, medication or hazardous drug. You may then review section 3 of the SDS to make an individual determination of whether the injectable is hazardous (or contains a hazardous chemical in concentrations of at least 1%, or 0.1% of a carcinogenic chemical). As stated previously, you should maintain any documentation (i.e., the SDS or letter) that demonstrates that a product is non-hazardous and therefore exempt from requirements. If it is determined that a SDS is required for any product, the employer should ensure that the product is properly labeled with hazard information and included on the practice’s chemical inventory.