DPA explains: AI use in healthcare poses data protection risks
AI use in healthcare is becoming increasingly common, but raises critical questions about patient data security. Maire Iro, advisor at the Data Protection Authority, explains what healthcare workers must consider when using AI solutions.
Artificial intelligence has made medical documentation faster and more efficient – it can listen, transcribe, and help doctors and nurses work more smoothly. But this technological leap raises a question many healthcare workers may not have asked themselves: where do patient data go when they are entered into the system?
Maire Iro, public relations advisor at the Data Protection Authority, warns that every piece of patient data may travel a far longer and more complex path than the user imagines. AI applications often process data through external servers, which may be located in a different country or even outside the European Union – and this comes with strict data protection requirements.
What you need to know before using it
The EU General Data Protection Regulation (GDPR) sets particularly high requirements for healthcare data, as these are considered special categories of personal data. This means that healthcare institutions must clarify before implementing an AI application who the actual data processor is, where the data are stored, and under what conditions they are transmitted.
Using AI solutions in healthcare is not prohibited, but it requires careful preparation. A healthcare worker should not simply download some free application and start entering patient names, diagnoses, and treatment information without having examined the application's privacy policy and data processing terms.
Responsibility lies with the institution
It is important to remember that responsibility does not rest solely with the individual worker – the entire healthcare institution is accountable. The institution must ensure that the tools used comply with data protection requirements and must conclude necessary contracts with data processors. Therefore, it is advisable that decisions on adopting AI applications are made through collaboration between the institution's management, IT department, and data protection officer, rather than at the initiative of a single worker.