ONC, FTC, and AI: What Non-HIPAA Rules Still Apply

Not all health data is protected by HIPAA — but it is still protected. Here’s what you need to know. 

🏛️ Key Non-HIPAA Rules to Watch:

🛡️ FTC Health Breach Notification Rule (HBNR) 

If an AI tool is not covered by HIPAA, but collects identifiable health info (e.g. symptoms, diagnoses, conditions, medications), the FTC may treat a data leak as a reportable breach. 

🔎 Applies to: 

  • Health apps 

  • Non-HIPAA AI tools 

  • Consumer wellness platforms 

🖥️ ONC’s Information Blocking Rule 

If an AI tool integrates with your EHR or touches patient records, you must not block legitimate patient access — even if the tool is AI-driven. 

⚠️ AI-generated summaries or data shouldn’t delay or deny patients timely access. 

🧪 FDA Oversight for AI in Diagnostics 

AI tools used for diagnosis, risk scoring, or clinical recommendations may be subject to medical device regulation — especially if used without human review. 

✅ What to Do:

  • Determine whether your AI tool is covered by HIPAA or FTC rules 

  • Map whether it touches the Designated Record Set (DRS) 

  • Log disclosures, breaches, or errors — no matter the tool's status 

  • Use HIPAA-conscious AI policies even with “non-HIPAA” tools 
