AI can be concerning to large organizations managing their risk, and often for good reason. As the adoption and integration of AI tools moves forward, there is a simple control on the technology that is relatively easy to apply—imposing oversight and limitations on the technology in vendor contracts. That makes a lot of sense, particularly while more fine-tuned technical and policy controls are developed.
However, “version 1” of these emerging AI contract provisions is often broad and blunt, hammering down uses of information and tools well beyond AI models. Over time I expect that the approaches will become more refined and targeted. But for now, some work and attention is required during contract negotiation to make sure that the AI clauses don’t inhibit the deployment and improvement of technology and services, and that they don’t create unexpected liability exposure. Below is a sample of these provisions and some possible responses.
The Provisions: Prohibitions against using any customer data—which can include de-identified information and customer user data—to train, fine-tune, or iterate on the vendor’s proprietary algorithms or AI tools. These provisions can be very broad and prevent the use of de-identified information and user data for purposes that have nothing to do with AI.
Possible Response: Define pathways in which de-identified data and user data can be used to enhance and improve technology and services while protecting customer confidentiality, and which also preserve other less controversial uses of such data. There is usually a way to do this, but it means refining contract provisions that start out being very broad and prohibitive.
The Provisions: Clauses requiring advance written notice and affirmative approval before any AI tool or capability is introduced into the platform. AI is typically defined very broadly to encompass not just LLMs but virtually any algorithm or machine learning functionality within the software.
Possible Response: Narrow the definition of AI so that it doesn’t reach all software functionality. Add pre-approval for the technology that is specified in an order form or statement of work, as well as updates to the features and functionality of that technology. This way, the approval for future tools can be the same procedure as a change order or adding new technology to the contract.
The Provision: In addition to other audit rights in the contract, an additional provision permitting audit of AI technology, which is often redundant.
Possible Response: There is already an audit or report/record inspection provision in the contract. There do not have to be two, possibly conflicting, provisions. Just use one report or record inspection provision, available if there are concerns about non-compliance, that also covers the AI risks.
Industry groups, such as the American Health Law Association or the National Venture Capital Association, are actively working to release standardized AI contracting templates specifically tailored to health care. Bespoke negotiation over basic AI definitions will likely diminish over time, and it is likely that contract negotiations will normalize around standardized risk tiers (e.g., Tier 1 for low-risk administrative tools, Tier 3 for high-risk autonomous clinical tools). But for the time being, some negotiation will be needed to make sure you can provide your technology and services as freely as possible and without excessive risk.