Tuesday, January 27, 2026

ARTICLE: Preserving Confidentiality When Using AI Platforms

The below article, written by myself and my son, Michael, appeared in the January 22, 2026 edition of the Pennsylvania Law Weekly and is republished here with permission.


Michael is a Computer Science major focusing on Artificial Intelligence studies at Ursinus College outside of Philadelphia, PA. He provided the insight on the computer science aspects of the article and I focused on the legal points included in the article.




Expert Opinion/Legal Ethics and Attorney Discipline



Preserving Confidentiality When Using AI Platforms

By

Daniel E. Cummins & Michael J. Cummins


As the use of artificial intelligence (AI) rises in the practice of law, so does the concern for preserving confidentiality. Whether it be preserving one’s own client’s confidentiality as required by the Pennsylvania Rules of Professional Responsibility, or preserving the confidentiality of records related to an opposing party under the requirements of HIPAA, counsel must be careful.

This is particularly so with the rising trend of automation through the use of AI platforms for completing tasks such as streamlining review and summarization of documents, including medical records, in the practice of law. In this day and age, lawyers can upload documents to an AI platform and have the platform review the records and create a summary of the same. In fact, some insurance carriers are beginning to mandate that their defense counsel do so. This practice raises ethical and confidentiality concerns.


The Requirement of Confidentiality


Under Pennsylvania Rule of Professional Conduct 1.6, attorneys are required to protect the confidentiality of certain information that they are handling. Under Rule 1.6, titled “Confidentiality of Information,” it is provided, in pertinent part, that “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, except for disclosures that are impliedly authorized in order to carry out the representation … .”

The commentary to the rule notes that the rule of confidentiality “contributes to the trust that is the hallmark of the client-lawyer relationship.” With confidentiality, a client is encouraged to communicate fully and frankly with the lawyer on the subject matter of the representation. The rule also emphasizes that the lawyer may not disclose confidential information provided to the lawyer by the client except as authorized or required by the Rules of Professional Conduct or some other pertinent law.

As such, utilizing an AI platform that results in the inadvertent disclosure of a client’s private information could land an attorney in hot water with an unforgiving Disciplinary Board.


HIPAA Violations and Enforcement


In addition to attorneys needing to protect the private information of their own clients, lawyers also have to be careful with the confidential information of opposing parties, such as medical records of an opposing party.

HIPAA requires both physical and digital safeguards for patient data. In addition to mandating that medical files should not be left unattended in public areas, the law also requires that private health information must be stored digitally in a secured fashion that prevents unauthorized viewing.

The requirement of keeping an opposing party’s medical records private is mandated by HIPAA. Under the relevant law, failure to comply with HIPAA can result in civil and criminal penalties.

If a HIPAA complaint describes an action that could be a violation of the criminal provisions of HIPAA, the Office for Civil Rights under the U.S. Department of Health and Human Services may refer the complaint to the Department of Justice for an investigation.

Criminal charges typically only arise where an individual “knowingly” obtains and/or discloses individually identifiable confidential health information. The question of whether such criminal penalties could be extended to lawyers handling medical records in a civil litigation matter is subject to dispute. The HIPAA law appears to limit criminal penalties to certain entities within the health care field. Yet, HIPAA also covers third parties that handle private health information on behalf of covered entities, including law firms assisting with medical-related legal matters.

In terms of any noncompliance that may result in the imposition of civil money penalties, the Secretary of the Health and Human Services Department has the discretion in determining the amount of the penalty based upon the nature and extent of the violation and the nature and the extent of the harm resulting from the violation. Civil penalties can range from $100 to $50,000 per violation, with additional penalties for repeat violations.

Based upon the stiff HIPAA penalties that can result from violating client confidentiality or the privacy of third parties, attorneys must be very careful in the use of artificial intelligence when using such platforms to review and summarize medical records and other private information that may arise in a civil litigation matter.


Local AI versus Third-Party AI


When utilizing an AI chatbot, such as ChatGPT or Google’s Gemini, it may appear that the conversation is entirely personalized and private to you. In reality, when utilizing any form of cloud-based large language model (LLM), there is a high risk that the company that provides the model will save, maintain, and even train future models based upon the data the user inputs.

In other words, if you provide a document for ChatGPT to summarize or prompt it with a question, you are giving permission for OpenAI, the company that developed and owns ChatGPT, to save and use that document or question for future training purposes. In addition to the use of the information or documentation to train the model, this also leaves your documents vulnerable in the case of a data breach of the model provider.

However, this does not mean that this technology is completely useless. If you want to utilize an AI tool without the potential data security risks, you can locally host one within your organization.


How to Create Your Own Safe AI Platform


Using a designated device or server, you can download a model (there are free or pay-to-use options), design an interface for your organization, and run the model locally.

Once the model is running within your network, it will not even require an internet connection, meaning that all data and documents provided to the model will remain safely within your control within your office.
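One way an office could confirm that its AI tool really points at an in-house model before any record is submitted is sketched below. This is an added example, not part of the original article; the function names, URLs and addresses are hypothetical, and it assumes the tool reaches the model through a configurable web address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Return every IP address the host name resolves to (system resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def endpoint_stays_in_office(url, resolver=resolve_host):
    """True only if every address behind `url` is loopback or private."""
    host = urlsplit(url).hostname
    if not host:
        return False                      # no host to check: fail closed
    try:
        addresses = [ipaddress.ip_address(host)]   # URL holds an IP literal
    except ValueError:
        try:
            # Strip any IPv6 zone suffix ("%eth0") before parsing.
            addresses = [ipaddress.ip_address(a.split("%")[0])
                         for a in resolver(host)]
        except (OSError, ValueError):
            return False                  # cannot resolve: fail closed
    # One public address is enough to fail; the document would leave the office.
    return bool(addresses) and all(
        a.is_loopback or a.is_private for a in addresses)


# Constructed sample settings (hypothetical URLs, not from any real firm).
SAMPLE_ENDPOINTS = [
    "http://127.0.0.1:8080/summarize",    # model on the same machine
    "http://10.20.0.5:8080/summarize",    # model on an office server
    "https://8.8.8.8/v1/summarize",       # stand-in for a public cloud service
]


def audit(endpoints, resolver=resolve_host):
    """Map each configured endpoint to whether it keeps data in-house."""
    return {url: endpoint_stays_in_office(url, resolver) for url in endpoints}


if __name__ == "__main__":
    for url, ok in audit(SAMPLE_ENDPOINTS).items():
        print("OK   " if ok else "BLOCK", url)
```

The check covers only where a request is sent; it says nothing about what the model server itself does with the document afterwards.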

In order to take advantage of such a strategy, a law firm would likely need to hire an AI consultant company or professional to set up, design, and secure the system within one’s own office. There are also options to enter enterprise agreements with companies like OpenAI to establish a business relationship which does not allow them to retain the user input and data for training purposes.


Conclusion


While the use of AI platforms to automate certain tasks in a law office, such as the review and summarization of medical records, provides certain challenges, those challenges are not insurmountable.

Certain vendors who subpoena medical records for law firms have begun to provide AI generated summaries of medical records. Steps should be taken by law firms to ensure that these vendors are utilizing closed AI platforms that protect the confidentiality of the documents.

For those law firms that wish to begin to utilize AI platforms in-house, IT professionals can be retained to assist those firms in creating AI programs that prevent the information being handled from being disclosed outside of the office.


Daniel E. Cummins is the managing attorney at Cummins Law where he focuses his practice on motor vehicle and trucking liability cases, products liability matters, and premises liability cases. He also serves as a mediator for the Federal Middle District Court and for Cummins Mediation. He is additionally the sole creator and writer of the Tort Talk Blog at www.TortTalk.com. 

Michael Cummins, Daniel's son, is a computer science and philosophy major at Ursinus College with a focus on researching artificial intelligence.




Reprinted with permission from the January 22, 2026 edition of The Pennsylvania Law Weekly © 2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.
