HIPAA-compliance, Trust and Access must come before the Adoption of GPT-3 in Healthcare

GPT-3 needs to work in compliance with the Health Insurance Portability and Accountability Act (HIPAA), earn trust from healthcare providers, and improve access to the tool. None of these can be achieved overnight.

Written by Dr. Emre Sezgin and Dr. Simon Lin Linwood

In their recent publication in npj Digital Medicine, Korngiebel and Mooney discussed one of the latest artificial intelligence methods of natural language processing, Generative Pre-trained Transformer 3 (GPT-3), assessing realistic, unrealistic, challenging or feasible applications in healthcare delivery.1 However, three major elements of the adoption of GPT-3 in healthcare should be considered during this assessment as major drivers of potential applications: (1) GPT-3 needs to work in compliance with the Health Insurance Portability and Accountability Act (HIPAA), (2) technology providers need to earn trust from healthcare providers, and (3) technology providers should improve access to the tool. None of these can be achieved overnight.

As with GPT-3, there was huge enthusiasm in healthcare delivery when the Amazon Alexa virtual assistant was released in 2014. However, the grand plans of healthcare providers fell through as developers realized that Alexa was not yet legally able to store or transmit private health information. It took Amazon five years to become HIPAA compliant and able to sign Business Associate Agreements with healthcare providers.2 Yet there is still a long waiting list for Alexa “skills” to become HIPAA compliant. Therefore, the corresponding efforts for GPT-3 should begin as early as possible. Without HIPAA compliance, the adoption of GPT-3 in healthcare can be a false start.3

In addition to legal requirements, trust must be established among patients, healthcare providers and technology companies before GPT-3 can be adopted.4 It is not uncommon for technology companies to claim the right to use their customers’ data to further improve the service or to extract additional commercial value. For instance, Google’s search engine regularly ingests customers’ queries, removes sensitive information, and aggregates them into data sets to generate revenue through AdWords. What GPT-3 will and will not do with a customer’s data needs to be explicitly discussed. The data governance committees of healthcare providers need to be aware of these terms and comfortable with them when they sign the service agreement with GPT-3.

Lastly, access needs to be ensured. Building large language models like GPT-3 can be very expensive, so GPT-3 is innovating the business model of access. Currently, GPT-3 is privately controlled by OpenAI, and healthcare providers can run the program remotely and pay for usage per token (approximately 4 characters or 0.75 words).5 However, this business model also limits open-access research and development and, eventually, improvements such as advances in translation mechanisms and all-inclusive, equity-driven approaches to conversational agent development. A smaller open-source alternative, GPT-J,6 is starting to emerge. GPT-J may enable healthcare developers to navigate HIPAA compliance, to optimize the payment model, and to satisfy the FDA’s requirements for Software as a Medical Device (SaMD) faster.7


  1. Korngiebel, D. M. & Mooney, S. D. Considering the possibilities and pitfalls of Generative Pre-trained Transformer 3 (GPT-3) in healthcare delivery. npj Digital Medicine 4, 1–3 (2021).
  2. Rachel Jiang. Introducing New Alexa Healthcare Skills. Amazon (2019). Available at: https://developer.amazon.com/blogs/alexa/post/ff33dbc7-6cf5-4db8-b203-99144a251a21/introducing-new-alexa-healthcare-skills. 
  3. McGraw, D. & Mandl, K. D. Privacy protections to encourage use of health-relevant digital data in a learning health system. npj Digital Medicine 4, 1–11 (2021).
  4. Patient trust must come at the top of researchers’ priority list. Nature Medicine 26, 301 (2020).
  5. OpenAI API. OpenAI (2020). Available at: https://openai.com/blog/openai-api/. 
  6. Romero, A. Can’t Access GPT-3? Here’s GPT-J — Its Open-Source Cousin. Medium (2021). Available at: https://towardsdatascience.com/cant-access-gpt-3-here-s-gpt-j-its-open-source-cousin-8af86a638b11.
  7. Artificial Intelligence and Machine Learning in Software as a Medical Device | FDA. Available at: https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device.

Emre Sezgin

Digital Health Scientist, Nationwide Children's Hospital