

February 07, 2024

Three keys to enterprise-wide gen AI adoption in healthcare

By focusing on the three Rs—retrieval, roles and regulation—the industry can take the next step in leveraging the technology.


Healthcare organizations are eager to leverage generative AI for advanced use cases, such as claims management and prior authorization. However, the timeline for those applications depends on a company’s ability to safely and securely incorporate personally identifiable information (PII) or protected health information (PHI) within large language models (LLMs).

Since existing data protection and privacy restrictions prohibit direct sharing of this sensitive information with a public AI model—and building a private LLM can be a monumentally complex and time-consuming task—most healthcare companies are not yet pursuing such use cases.

But that doesn’t necessarily mean they can’t—just that they must adapt existing security and privacy protocols and apply them to generative AI-enabled workflows. We’ve become acutely aware of this at Cognizant TriZetto Healthcare Products, as we’ve been working diligently to integrate generative AI into our own products and develop, launch and scale more advanced use cases.

Here we’ll explore three key areas in which our organization is making strides—retrieval-augmented generation, role-based access and regulation—and how these efforts will ultimately help businesses leverage this technology at the enterprise level.

The three Rs of gen AI in healthcare

1. Retrieval-augmented generation

To satisfy many generative AI use cases at the enterprise level, LLMs will need to reason based on enterprise data sets, including members’ healthcare data. Fine-tuning existing models with PII/PHI presents challenges in keeping data synchronized and in ensuring that appropriate HIPAA security and privacy controls are implemented.

This creates a gap in knowledge in that the generative AI model cannot produce insights based on information it doesn’t yet know.


This underscores the need for healthcare companies to integrate enterprise data with the reasoning engine (a process known as grounding) so the model has access to protected data without compromising security or privacy. Our design calls for relevant non-structured, non-protected data, such as help guides, desk-level procedures and tech support bulletins, to be indexed and stored in a specialized database. Parts of that data set could then be included within the prompt itself.

Figure 1

Healthcare organizations that employ an advanced retrieval-augmentation system, such as the one we are developing, can utilize few-shot prompts and/or embedding techniques. This allows our customers to generate outputs dependent on PII or PHI without widely exposing the data set or conventionally training the model.

2. Role-based access

Healthcare organizations are no strangers to the concept of role-based access. Just as they need to apply and enforce certain rules when accessing member data for traditional activities, they also need to do so with respect to generative AI applications. This means they must have the ability within their software systems to control very specifically who is authorized to interact with different types of information both internally and externally.

This raises the question: Do organizations need to recreate hierarchical role-based access controls (RBAC) that span all manner of data sets, use cases and access channels (including web, API, streaming, etc.) when implementing advanced generative AI applications?


Not necessarily—if the software or solution provider, and that provider’s API ecosystem, have the ability to incorporate and manage existing access controls within generative AI-related workflows. With this approach, instead of recreating elaborate access controls from scratch, we reused existing APIs to access these data sets and apply all relevant access rules. This ensures that all data access activities are validated and appropriate for the “human-in-the-loop” initiating the request.
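The grounding and access-control pattern from sections 1 and 2, sketched as an added example that is not TriZetto's code: non-protected guides are retrieved from an index, while protected records reach the prompt only through an existing API that enforces the requesting user's role. All names (`get_claim`, `ROLE_FIELDS`, `build_prompt`), the keyword ranking and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: non-protected guidance that is safe to index.
GUIDES = {
    "prior-auth": "Prior authorization requests need a diagnosis code and provider NPI.",
    "claims-appeal": "Appeals on denied claims must be filed within the plan's appeal window.",
    "password": "Reset portal passwords from the self-service page.",
}
# Constructed PHI record, reachable only through the access-checked API below.
CLAIMS = {"C-1001": {"member": "M-77", "plan": "gold", "status": "denied", "dx": "E11.9"}}
# Hypothetical existing RBAC rules: role -> claim fields that role may read.
ROLE_FIELDS = {"claims_examiner": {"member", "status", "dx"}, "support_agent": {"status"}}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    plans: frozenset  # plans this user is assigned to

def get_claim(user, claim_id):
    """Stand-in for the existing member-data API; it enforces the rules itself."""
    claim = CLAIMS[claim_id]
    fields = ROLE_FIELDS.get(user.role, set())
    if not fields or claim["plan"] not in user.plans:
        raise PermissionError(f"{user.name} may not read {claim_id}")
    return {k: v for k, v in claim.items() if k in fields}

def retrieve_guides(question, k=1):
    """Keyword-overlap ranking, a simple stand-in for an embedding search."""
    words = set(question.lower().split())
    ranked = sorted(GUIDES.values(), key=lambda t: -len(words & set(t.lower().split())))
    return ranked[:k]

def build_prompt(user, question, claim_id):
    """Ground the prompt; protected data enters only via the caller's own access."""
    audit, context = [], retrieve_guides(question)
    try:
        context.append(f"Claim {claim_id}: {get_claim(user, claim_id)}")
        audit.append(("allow", user.name, claim_id))
    except PermissionError:
        audit.append(("deny", user.name, claim_id))  # record is left out of the prompt
    prompt = "Context:\n" + "\n".join(context) + f"\n\nQuestion: {question}"
    return prompt, audit
```

The audit list gives one allow or deny entry per protected lookup, so every record that reached a prompt can be traced to the human who initiated the request.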

3. Regulation

Regulatory compliance has always been and will always be a critical issue for healthcare organizations. The advent of generative AI adds a new dimension to this issue, especially since the industry fully expects new region- or country-specific regulations will be introduced to address generative AI tools and solutions.

For the time being, though generative AI is a relatively new technology to many healthcare companies, regulatory compliance hinges on their ability to adhere to existing rules and regulations regarding patient data protection and privacy. Their ability to do so is contingent largely on their ability to securely retrieve data and manage role-based access, as discussed above.

For this reason, working with a trusted partner that is keenly aware of data regulations specific to the healthcare industry and has deep expertise in software development specific to this sector is imperative. Ideally, that partner would also be able to support other areas of the generative AI program, such as the overarching data strategy (including data integration beyond PII and PHI), platform implementation and operation, and ethical use.

Navigating the gen AI compliance landscape with speed and confidence

Out-of-the-box generative AI is truly remarkable and evolving at a rapid clip. However, in order to shift from consumer applications and the novelty of it all to enterprise deployment, companies will need to tackle the compliance issue.

Since most of today’s generative AI models have been trained wide and deep, further contextualizing the LLM to manage PII and PHI is of critical importance. This capability is essential for enabling more advanced use cases that will meet the needs of the healthcare industry, ultimately helping companies achieve better outcomes for all stakeholders.

Do you have questions about how your organization can pursue advanced use cases that require sensitive data? To learn more about how TriZetto’s platform can help your organization advance and mature your gen AI strategy while maintaining regulatory compliance, set up a consultation.
 



Scott Johnson

Chief Technology Officer, TriZetto
