HIPAA compliant AI Assistants with Rasa Stack

TL;DR: Rasa Stack provides a way to develop your HIPAA compliant conversational AI Assistants. It gives you the full functionality and flexibility to build scalable contextual assistants and chatbots while being in control of your data.

Why we talk about HIPAA

The Health Insurance and Portability and Accountability Act (HIPAA) was introduced in 1996 to set the standards for handling and storing sensitive patient data. The act outlines rules about managing and transferring protected health information (PHI). Under PHI we understand all medical records that can be used to identify an individual and data that was created, used or disclosed in the course of providing a health care service. All parties with access to PHI or that perform a function on it at any given point in time are impacted and need to show HIPAA compliance.

Requirements for companies to be HIPAA compliant

To be HIPAA compliant, a company needs to fulfil requirements in three main areas:

  • Administrative safeguards: concerned with the workforce of the company in relation to the protection of PHI like assigning a privacy officer
  • Physical safeguards: requirements of the access of PHI
  • Technical safeguards: concerned with rules around the handling of PHI including access control or security in transmission or storage

Implications for building contextual AI Assistants and bots

For teams building AI Assistants there are important consequences. Next to administrative and physical safeguards, companies are required to incorporate their assistants and bots in a HIPAA compliant infrastructure. The storage of conversation data, saved entities or personal details need to be in a safe, encrypted environment. Further, it requires companies to ensure an encrypted transition of data between services like NLU engine, dialogue management and databases.

Since 2013 these consequences do not only apply to providers of healthcare services but also their business associates. As a result, companies that have access or perform a function on PHI over their server at a particular point need to show HIPAA compliance. Starting with the channel that is used for the communication over the natural language understanding for intent recognition and entity extraction as well as the management of the dialogue and the storage of the data, every provider is affected. If a function is not carried out by your organization, this company with access to PHI is required to sign a BBA — an amendment for business associates showing HIPAA compliance of their services.

Developing HIPAA compliant AI Assistants with open source Rasa Stack

You can build HIPAA compliant AI Assistants using Rasa Stack. It is entirely open source, runs under the Apache 2.0 license and consists of Rasa NLU and Core. Rasa NLU performs intent recognition and entity extraction on the user message. As an example, it can detect the user intent find_doctor from a message like “I need a GP in 94301”. The message also includes two entities, namely the doctor type: GP and the postcode: 94301. Rasa Core, the ML-based dialogue manager, predicts the next action the AI assistant should perform taking user message, context and the current state of the conversation into consideration.

Since Rasa Stack is completely open source, it can perform the entire process from handling the user message over integrating with a database to sending a bot utterance completely on-premise. As a result, Rasa does not have access to the PHI at any point in time and is not counted as a business associate.

Rasa Stack is available in Docker containers making it easy to integrate into your current HIPAA compliant infrastructure. You can test how it works here.

Things to keep in mind

  • It is possible to build HIPAA compliant contextual AI Assistants with Rasa, but not all Rasa assistants are all automatically HIPAA compliant.
  • Performing natural language understanding and dialogue management is a significant part for your AI Assistant but not the only process involving PHI.
  • The communication channel to the patient, the transmission of data to or from a database as well as it’s storing and the hosting of Rasa Stack need to be HIPAA compliant.
  • Next to technical requirements, there are administrative and physical requirements which need to be fulfilled by a company offering a conversational service to its patients.

Open source is key to your development

We at Rasa believe that open source software is the way forward. It can be deployed and installed wherever you want — on-premise deployment or in a private HIPAA compliant cloud.

Additionally, open source brings the necessary transparency to deal with personal data, with the ability to trace where patient data is stored and how it is processed.

  • You can test our open source Rasa Stack here.

Compliance with HIPAA, GDPR and other upcoming data privacy laws like CCPA are crucial business operations. Want to talk about HIPAA and data privacy? Get in touch via hi@rasa.com if you’d like to chat.

*Disclaimer: This is not legal advice. HIPAA is an important regulation and has many legal ramifications. Professional guidance is always recommended.


Originally published at blog.rasa.com on February 27, 2019.