Artificial Intelligence in Healthcare and Patient Data Protection: Challenges and Regulatory Responses in Sri Lanka

Abstract

Artificial Intelligence (AI) is increasingly integrated into healthcare systems, transforming medical diagnosis, treatment, and healthcare administration through data-driven decision-making. While the use of AI in healthcare offers significant potential for efficiency and improved health outcomes, it simultaneously raises serious concerns regarding the protection of patient data, particularly in jurisdictions with developing legal frameworks such as Sri Lanka, where healthcare information is highly sensitive in nature. The rapid adoption of AI-enabled healthcare systems presents substantial challenges for patient data protection in Sri Lanka. These challenges include issues relating to informed consent, data minimisation, accountability, transparency, and the regulation of automated decision-making in healthcare. This paper critically examines whether the existing Sri Lankan legal framework including the Personal Data Protection Act, adequately addresses the unique risks posed by the use of AI in healthcare settings. Employing a doctrinal legal methodology, the study incorporates limited comparative insights drawn from international data protection regimes, notably the European Union’s General Data Protection Regulation (GDPR), to identify regulatory gaps and best practices relevant to the Sri Lankan context. The analysis finds that while Sri Lanka has taken an important step towards establishing a comprehensive data protection regime, the current framework lacks explicit AI-specific safeguards necessary to ensure patient autonomy, meaningful consent, and accountability in AI-driven healthcare decision-making. The paper argues that Sri Lanka must rethink its approach to healthcare data protection by adopting AIsensitive regulatory responses. It recommends the introduction of sectorspecific guidelines for AI in healthcare, enhanced safeguards for automated decision-making, stronger consent and transparency requirements, and clearer accountability mechanisms for AI developers and healthcare institutions. Such reforms are essential to strengthening public trust in digital healthcare systems and ensuring the ethical and lawful use of AI in protecting patient data in Sri Lanka.