
> we can easily imagine a scenario where patient consent is obtained and the extra computational analysis provides life-saving insight

In the US, the HIPAA Privacy Rule operates independently from the HIPAA Security Rule, for good reason. On their own, patients can do anything they want with their own data. But in the context of medical care, patients can't consent to having their personal health data processed in insecure systems. It is the same ethical reason that employees can't waive their rights to OSHA safety rules or why you can't consent to sell yourself as a slave. If you could waive security rules, then every doctor would include a waiver in their intake forms, and it's a race to the bottom. So unless OpenAI has a HIPAA-compliant data security infrastructure, it's illegal and unethical.


