AI in healthcare:
the rules, in plain English.

Requires A PCCP lets a manufacturer pre-specify and get FDA authorization for future model changes as part of the original submission — so pre-approved updates don't each need a new submission. A PCCP must describe three things: the planned modifications, the methodology to develop/validate/implement them safely, and an impact assessment of benefits and risks.

Proposes The FDA's first comprehensive, total-product-lifecycle recommendations for AI devices — design, development, validation, transparency, and postmarket performance monitoring. It recommends manufacturers maintain a monitoring plan to catch performance drift after deployment. Still a draft as of June 2026 (comment period closed April 7, 2025).

Status Proposed sweeping certification and interoperability changes (new patient/provider/payer FHIR APIs, public-health data exchange, updated standards). A small TEFCA-related slice was finalized in late 2024; the bulk was formally withdrawn December 29, 2025, citing deregulation and "emerging AI technologies."

Proposes The live ONC AI rulemaking — and it runs the opposite direction. It would remove the HTI-1 AI source-attribute / "model card" and risk-management requirements from the Predictive DSI criterion, arguing there's no published evidence they improved care. Broadly deregulatory (proposes removing 34 of 60 certification criteria). Not finalized as of June 2026.

Proposes A major cybersecurity update that would require a technology asset inventory and network map explicitly listing AI software that handles ePHI, and would require the risk analysis to assess — before deploying an AI tool — what ePHI it accesses and where outputs go. Confirms ePHI in AI training data and models is within scope. Not finalized as of June 2026; outcome uncertain amid industry pushback.

Prohibits Unsubstantiated or deceptive AI capability claims ("AI washing"). The September 2024 sweep brought five actions (DoNotPay, Rytr, and others) against companies overhyping or misusing AI. Health-tech AI marketing — diagnostic accuracy, "AI clinician," compliance-automation efficacy — is squarely within this standard.

Prohibits Sharing sensitive health data with advertisers/third parties without consent. The FTC penalized GoodRx ($1.5M, its first Health Breach Notification Rule action), BetterHelp ($7.8M), and Cerebral for leaking medication, mental-health, and telehealth data via tracking tools. Its 2024 HBNR amendments expressly cover health apps not governed by HIPAA, and treat tracker/pixel leaks as reportable breaches.

Was The most sweeping federal AI action to date — directed an HHS AI Task Force, a health-AI assurance strategy, and an AI safety program for clinical errors. Rescinded on Jan 20, 2025; the HHS deliverables it ordered are now superseded.

Directs A national policy to remove barriers to AI leadership; ordered a review/unwinding of EO 14110 actions and mandated the AI Action Plan. The Plan's three pillars — innovation/deregulation, infrastructure, and global influence — promote rapid AI adoption in healthcare and call for regulatory "sandboxes," including for health.

Directs A "OneHHS" approach across CMS, FDA, NIH, CDC — deploy AI aggressively while applying OMB's "high-impact AI" risk-management controls (bias mitigation, monitoring, human oversight), with implementation milestones in 2026.

Requires Prohibits developing/deploying AI with intent to unlawfully discriminate, to manipulate people toward self-harm or crime, for government social scoring, or for unlawful biometric capture. Enforced by the AG (no private lawsuits), with a 60-day cure period and a regulatory sandbox. Healthcare-specific: TRAIGA's disclosure duty is broad (AI used "in relation to a health care service or treatment"); the specific requirement that a provider disclose to patients when AI is used in diagnosis or treatment comes from a separate Texas law, SB 1188 (see below).

Requires One of the first provider-facing AI disclosure laws. People in a regulated occupation (including healthcare providers) must disclose generative-AI use to consumers. A 2025 amendment (SB 226) narrowed proactive disclosure to "high-risk" interactions — which still generally captures use of health data for personalized advice. Created Utah's Office of AI Policy and AI "learning lab."

Prohibits AI systems from using terms or titles (e.g., "doctor," "nurse," "psychologist") in a way that implies care is being provided by a licensed human. Each prohibited use is a separate violation, enforced by the relevant licensing board.

Prohibits Offering — or claiming — that an AI system can provide professional mental/behavioral health care, and bars providers from using AI to deliver care directly to patients (support uses with provider review allowed). Also restricts AI for these services in public schools. Penalty up to $15,000 per violation.

Requires AI "mental health chatbots" must clearly disclose they are AI (before use, after 7 days of non-use, and on request); in-chat advertising must be labeled; and suppliers may not sell or share users' identifiable health information or inputs (limited exceptions).

Requires Licensed practitioners may use AI for diagnosis/treatment only within their scope and only if they review all AI-generated records per Texas Medical Board standards; also prohibits offshoring electronic medical records.

Requires After scaling back its broad AI act, Colorado passed two targeted health laws in mid-2026. HB 26-1139 requires AI coverage decisions to use the patient's individual history, requires a licensed clinician to review medical-necessity denials, mandates disclosure of AI use to regulators, and bars payer reimbursement for AI-delivered psychotherapy. HB 26-1195 restricts AI from conducting therapeutic communication except during live sessions with the provider present, and requires consent for AI session recording.

Requires Insurers (including health insurers) maintain a written AI governance program covering risk management, bias/data-quality controls, consumer notice, vendor oversight, and documentation available to regulators. As of early-to-mid 2026, roughly half the states (~24–25) had adopted it via bulletin. It's guidance, not a binding denial-of-care ban.

Context In 2025, legislators in 36 states introduced 168 AI-and-health bills, part of a record year for AI legislation generally. There is no single clean count of states with enacted healthcare-AI statutes — the honest summary is "dozens of states are legislating; a smaller subset have enacted binding health-AI or insurer-AI laws," and the pace is accelerating.