Medical reports: how to protect privacy from AI risks

The starting point of the argument is that the practice of uploading clinical analyses, X-rays and other medical reports onto generative artificial intelligence platforms asking for interpretations and diagnoses is becoming increasingly widespread. It is for this reason that the Garante della Privacy in recent hours has emphasised that this is an alarming phenomenon, both because of the risk of loss of control over health data of extraordinary importance for individuals, and because of the risk that artificial intelligence solutions not specifically designed for the purpose of providing the required indications and not made available to the public as medical devices downstream of the necessary tests and checks provided for by the sectoral discipline will provide incorrect indications.

Hence, the Garante's advice: those who use AI platforms should carefully assess the appropriateness of sharing health-related data with providers of generative artificial intelligence services and of relying on the answers automatically generated by such services, answers that should always be verified with a medical professional.

What to do? What to do? Under the first profile, in particular, the Garante draws attention to the advisability of reading the privacy notices that platform operators are obliged to publish in order to verify whether the health data contained in clinical examinations uploaded online for the purposes of the request for interpretation and/or diagnosis are destined to be deleted following the request itself, at a later stage, or to be retained by the service operator for the purposes of training its algorithms. Many of the best-known generative artificial intelligence services, in fact, allow users to decide the fate of data and documents uploaded online in the context of using the service.

The Authority therefore draws attention to the importance, recognised by both the European AI Regulation and the Consiglio Superiore di Sanità, of always guaranteeing qualified human intermediation in the processing of health data through AI systems. Human intervention, is the reasoning, is essential to prevent risks that could directly affect a person's health. Lqualified human supervision, among other things, must be ensured at all stages of the life cycle of the AI system: from development to training, testing and validation, before it is placed on the market or in use.

The subject had already been anticipated by the Authority in the Decalogue for the implementation of national health services through AI systems adopted in October 2023 (web doc. no. 9938038), in the context of which further personal data protection aspects had also been highlighted, which must also be ensured in the implementation of such systems to support the understanding of diagnostic reports: such as the presence of a suitable lawfulness prerequisite; the necessary and prior impact assessment; transparency and security obligations.