THE OKLAHOMA BAR JOURNAL 30 | MARCH 2026

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.

entities, also impose contractual restrictions on the use and processing of PHI. Before undertaking de-identification, the covered entity, business associate or subcontractor should confirm that its contract does not contain a prohibition on de-identification and, likewise, does not restrict processing of de-identified information with AI.

The use of AI to process health information can potentially result in a reportable breach.26 By way of example, a somewhat analogous scenario exists with regard to the use of protected attorney-client or work product information, with any protection being forfeited when used in conjunction with large language model AI.27 Before using AI to process PHI in connection with a permissible use, an evaluation of the AI tool is necessary to confirm that it is HIPAA compliant.

The use of AI to process either PHI or de-identified health information may also trigger other obligations under HIPAA, such as patient authorization and consent issues28 or amendment of privacy practice notice documents,29 which are outside the scope of this discussion. It may be necessary to establish a specialized compliance function within an entity to address these issues.

Authors’ Note: The authors acknowledge the assistance of Mallory Duncan, a 2026 J.D. candidate at the OU College of Law, whose research contributed to this article.

ABOUT THE AUTHORS

Jason T. Seay is a certified information privacy professional (CIPP/US). He is of counsel with the law firm of GableGotwals, where he maintains a regulatory and transactional practice focused on health care law as well as data privacy, security and governance.

Philip D. Hixon is a shareholder with the law firm of GableGotwals, where he focuses on health care law and civil litigation. Mr. Hixon served as editor-in-chief of the third edition of Oklahoma Civil Procedure Forms and Practice (3d ed. 2024, Matthew Bender). He also represents District 6 on the OBA Board of Governors.

Richard M. Cella is a former federal prosecutor and shareholder at the law firm of GableGotwals, where he represents businesses, including health care companies, in complex commercial litigation, regulatory enforcement matters and internal investigations.

ENDNOTES

1. See, e.g., Blake Murdoch, “Privacy and Artificial Intelligence: Challenges for Protecting Health Information in a New Era,” BMC Medical Ethics 22, No. 122 (2021), available at https://bit.ly/4rApnZB.
2. Lauren Quinn, “Are Your Secrets Safe?: Imposing a Fiduciary Duty on Healthcare AI Developers Dealing with Sensitive Health Information,” 94 Fordham L. Rev. 383, 400 (2025), available at https://bit.ly/3ZI0wac (noting that “a[s] certain types of healthcare AI aim to identify patterns of predict predispositions, they may generate new health information that individuals do not want disclosed.”); see also W. Nicholson Price II, “Problematic Interactions Between AI and Health Privacy,” 2021 Utah L. Rev. 925, 928 (2021) (noting that “by enabling accurate and sophisticated inferences about health information from large sets of data that are not obviously tied to health, AI reduces the efficacy of trying to protect (or even identify what counts as) ‘health data.’”).
3. See, e.g., Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), Pub. L. 111-5, Tit. XIII, §§13001-13424 (Feb. 17, 2009) (enhancing HIPAA’s privacy, security and breach-notification requirements); see also Cal. Civ. Code §56.05 et seq. (Confidentiality of Medical Information Act); N.Y. Pub. Health Law §18 (patient access to records); Tex. Health & Safety Code §181.101 et seq. (Texas Medical Records Privacy).
4. 45 C.F.R. §160.103, “Individually Identifiable Health Information.”
5. 45 C.F.R. §160.103, “Protected Health Information.”
6. 45 C.F.R. §160.103, “Covered entity.”
7. 45 C.F.R. §160.103, “Business associate.”
8. 45 C.F.R. §164.506(a), (c).
9. 45 C.F.R. §164.501, “Treatment.”
10. 45 C.F.R. §164.501, “Payment.”
11. 45 C.F.R. §164.501, “Health care operations.”
12. 45 C.F.R. §164.506(c).
13. For health care entities with large patient populations, with historical data sets extending back years, or where multiple consent documents have been used over time, it can be difficult to collate what specific subsets of PHI are subject to which patient consent documents. Restricting AI processing activities to treatment, payment or health care operations can help alleviate the need to rely on patient consent for processing PHI.
14. “Data analytics” generally means the process of examining data to produce actionable insights. For example, using statistics, querying and computation to describe large trends or patterns identified in data. This is often referred to as “insights data.”
15. See OCR “Privacy Brief, Summary of the HIPAA Privacy Rule,” https://bit.ly/3ZPfJWT, last revised 05/03, page 4, De-Identified Health Information; see also 45 C.F.R. §§164.502(d)(2), 164.514(a) and (b).
16. 45 C.F.R. §164.514(b).
17. 45 C.F.R. §164.514(b)(1)(i)-(ii).
18. “Guidance on De-identification of Protected Health Information,” Nov. 26, 2012, https://bit.ly/4qYgIjw, page 10.
19. Id. at 13-14.
20. Id. at 15.
21. Id. at 18.
22. See identifiers listed in the sidebar on page 29. 45 C.F.R. §164.514(b)(2)(i)(A)-(R). Examples of things that may fall under the “any other unique” category include clinical trial numbers, barcodes from medical records or electronic prescribing systems and occupations or characteristics that set an individual apart. See Guidance on De-identification of Protected Health Information, Nov. 26, 2012, https://bit.ly/4kBKqc1, page 26.
23. 45 C.F.R. §164.514(b)(2)(i)-(ii).
24. Id. at 27.
25. See id. at 6.
26. See 45 C.F.R. §164.400 et seq. (Breach Notification Rule).
27. See Wesley Weeks, Nick Peterson and Rachel Tuteur, “Careless Generative AI Use Puts Attorney-Client Privilege at Risk,” Bloomberg Law News (Jan. 21, 2025), available at https://bit.ly/45NcFOH (visited Oct. 13, 2025); Ismail Amin, “Client Beware: The Utilization of Artificial Intelligence Platforms and the Potential Waiver of Attorney-Client Privilege,” JDSupra (Aug. 22, 2025), available at https://bit.ly/4qmlma6 (visited Oct. 13, 2025).
28. See 45 C.F.R. §§164.506(b), 164.508(a).
29. See 45 C.F.R. §164.520.