AI in Digital Health: the Legal Labyrinth of Transparency and Communication

The integration of artificial intelligence (AI) into digital health, particularly through chatbots and automated patient communication, is accelerating. While these technologies offer immense potential to enhance patient engagement and streamline care, they also introduce a complex and rapidly evolving landscape of legal and ethical obligations. This article analyzes critical regulatory frameworks, including emerging state-level AI disclosure laws and the federal Telephone Consumer Protection Act (TCPA), in the context of healthcare. It examines the nuanced interplay with the Health Insurance Portability and Accountability Act (HIPAA) and provides actionable insights for digital health companies, health systems, and providers to ensure responsible innovation. Key considerations include the necessity of transparent AI disclosure, the legal distinctions of automated communication post-Facebook v. Duguid, and the often-overlooked liabilities associated with a "human-in-the-loop" approach.

The discourse surrounding the future of healthcare is inextricably linked with the transformative potential of artificial intelligence. From AI-powered chatbots offering mental health support to automated text messages for medication adherence, digital health companies are pioneering AI integration to improve patient engagement, optimize workflows, and enhance care delivery. However, this wave of innovation carries a complex undertow of legal and ethical challenges. Stakeholders across the healthcare ecosystem—from agile startups to established health systems and individual providers—must navigate this new terrain with foresight and precision. This article delves into two critical domains of legal risk: the imperative for transparency in human-AI interactions and the shifting sands of automated communication regulations, offering insights that are frequently overlooked in the rush to adopt new technology.

The Transparency Imperative: User Awareness in the Age of AI Chatbots

A foundational principle for the ethical deployment of AI in healthcare is ensuring patients know when they are interacting with an artificial entity. As conversational AI becomes more sophisticated, the distinction between human and machine can blur, creating significant legal and ethical risks. Recognizing this, state legislatures are beginning to act. Laws in states like Texas and Utah now mandate that entities using AI for communication must provide clear and conspicuous disclosure to users, informing them that they are not interacting with a human (Enochs et al., 2024).

These regulations are not merely procedural hurdles; they are essential for establishing patient trust. A patient confiding sensitive health information to what they perceive as a human clinician does so with an expectation of empathy, professional judgment, and accountability. Discovering that the recipient was an algorithm can erode trust not only in the specific digital tool but in the provider or health system that deployed it. For digital health firms, this underscores that the "move fast and break things" ethos is fundamentally incompatible with the duties of care in medicine. Proactive, clear, and continuous disclosure is paramount to empower patients and foster the trust necessary for a functional digital therapeutic relationship.

The Evolving Landscape of Automated Communication: TCPA and its Progeny

While AI chatbots present challenges regarding the nature of communication, the method of initiating contact via automated texts or calls is governed by a separate and equally complex set of rules. The Telephone Consumer Protection Act (TCPA) has been a primary source of class-action litigation, and its application to healthcare communication remains a critical compliance area.

The Supreme Court's decision in Facebook, Inc. v. Duguid (2021) narrowed the definition of an "automatic telephone dialing system" (ATDS), seemingly providing some regulatory relief. The Court ruled that to be an ATDS, a device must have the capacity to either store or produce a telephone number using a random or sequential number generator. While this was a favorable outcome for companies using curated call lists, it is not a comprehensive shield. The ruling did not address the TCPA's separate prohibitions on using an "artificial or prerecorded voice," a clause under which AI-driven conversational agents could still fall. The legal interpretation of whether a sophisticated, AI-generated voice or text response constitutes an "artificial voice" is an evolving frontier that poses a significant, and often underestimated, risk (O'Brien & Schmid, 2021). Digital health companies must therefore not assume the Duguid decision grants them immunity, especially as state-level "mini-TCPA" laws may impose stricter or broader requirements.

The Critical Nexus: HIPAA, TCPA, and Shared Responsibility

A prevalent and costly oversight is the failure to appreciate the distinct, yet overlapping, obligations of the TCPA and the Health Insurance Portability and Accountability Act (HIPAA). Compliance with one does not satisfy the requirements of the other. The TCPA governs the consent to be contacted, while HIPAA governs the privacy and security of the information within that contact.

Consider a digital health platform that obtains valid HIPAA authorization from a patient to manage their care. The platform then sends an automated, unencrypted text message containing Protected Health Information (PHI)—for instance, "This is a reminder for your appointment regarding your recent diabetes diagnosis." While the platform had permission to use the PHI under HIPAA, it may have violated the TCPA by sending an automated text without the correct type of consent. Furthermore, sending PHI in an insecure format violates the HIPAA Security Rule.

This creates a chain of liability. Health systems and providers who contract with digital health vendors must conduct rigorous due diligence. It is essential to verify that vendor protocols are compliant with both HIPAA and the TCPA and that vendor contracts include clear indemnification clauses for regulatory violations. Without this, a health system could find itself liable for the compliance failures of its technology partner.

References

Enochs, J., Hricik, S., & Hudalla, M. (2024, February 7). Do users know your health AI chatbot is AI? Reed Smith. https://www.reedsmith.com/en/perspectives/2024/02/do-users-know-your-health-ai-chatbot-is-ai

Facebook, Inc. v. Duguid, 592 U.S. ___ (2021).

O'Brien, J. M., & Schmid, E. (2021, April 8). AI-powered text messaging by digital health companies: Supreme Court raises the stakes. Foley & Lardner LLP. https://www.foley.com/en/insights/publications/2021/04/ai-powered-text-messaging-digital-health-supreme