AI governance in US healthcare.
FDA Software as a Medical Device clearance, HIPAA Business Associate Agreements for AI tools, CMS guidance on AI in Medicare Advantage prior authorisation, and ONC algorithm transparency requirements for certified health IT.
Regulatory obligations at a glance
Key frameworks applying to AI in US healthcare. Map your AI systems against each.
FDA Software as a Medical Device (SaMD) clearance. Risk: High
AI that diagnoses, recommends treatment, or monitors patients is generally regulated by FDA as Software as a Medical Device and needs 510(k) clearance, De Novo authorisation, or premarket approval before clinical deployment. The statutory exemption for clinical decision support that lets the clinician independently review the basis of a recommendation does not extend to software that analyses medical images or physiological signals. Deploying uncleared AI in clinical care creates significant legal exposure.

HIPAA Business Associate Agreements (BAAs). Risk: High
Any AI tool that receives protected health information (PHI) is a business associate and must be covered by a BAA before PHI is sent to it. General-purpose AI tools (ChatGPT, standard Microsoft Copilot) are not HIPAA compliant by default; they need both a vendor BAA and a configuration that keeps PHI out of model training and vendor logging. Disclosing PHI to a tool without a BAA is an impermissible disclosure under the Privacy Rule regardless of the tool's own security controls.

CMS guidance on AI in Medicare Advantage prior authorisation. Risk: High
CMS guidance issued in 2024 requires Medicare Advantage plans to base each AI-assisted prior authorisation or coverage decision on the individual patient's circumstances, not on population-level statistical predictions; an algorithm's output alone cannot be the basis for a denial. Plans showing patterns of systematic AI-driven denials face enforcement scrutiny.

ONC algorithm transparency for certified health IT. Risk: High
Under ONC's HTI-1 rule, certified health IT that uses predictive decision support interventions must make source information available to clinicians, including which data the algorithm uses, the evidence base behind it, and its intended use and cautions, so users can judge whether a recommendation applies to the patient in front of them.

State insurance and utilisation review laws. Risk: High
California SB 1120 requires licensed clinician review of AI-assisted coverage determinations. Colorado SB 24-169 requires insurers to disclose their use of AI in utilisation review. Similar laws are in force or pending in several other states, so multi-state payers and vendors need a state-by-state map of review and disclosure duties.

ADA and accessibility. Risk: Medium
AI health tools must be accessible to people with disabilities. A diagnostic tool with materially lower accuracy for certain populations, including people with disabilities, may violate the ADA, which means subgroup performance has to be measured and documented before deployment, not assumed from aggregate accuracy.