
Health care AI regulations: What’s changing and what to do now
The U.S. is taking a two-track approach to regulating artificial intelligence in health care.
At the federal level, agencies such as the U.S. Food and Drug Administration, Centers for Medicare & Medicaid Services, and federal health IT regulators have issued guidance and requirements that address AI-powered devices, prior authorization, algorithm transparency and information sharing—but Congress has not passed a comprehensive national AI law for health care. As a result, the federal framework remains a partial solution built mostly through agency action rather than a single, unified statute.
That limited federal activity has left much of the policy responsibility to state legislatures. According to the American Medical Association, 250 health AI-related bills have been introduced this year across 34 states, covering topics that range from disclosures, consumer protections, and payer use of algorithms to the role of human review in clinical and coverage decisions.
States are also increasingly focused on whether AI can be used to support decision-making without meaningful oversight, especially in areas such as prior authorization, mental health chatbots and clinical decision support.
Utah has emerged as one of the most interesting state models because it chose experimentation over prohibition. Under its Artificial Intelligence Policy Act, Utah created an Office of Artificial Intelligence Policy and authorized a regulatory sandbox that allows companies to test certain AI systems under government supervision and with temporary relief from some state rules.
In health care, that approach has been used to examine applications such as prescription renewals, giving regulators a real-world view of whether AI tools improve access, reduce delays and protect patients.
Other states are taking a less experimental, but still active, approach:
- California has enacted transparency and safety rules for chatbots.
- Colorado has enacted oversight of automated decision-making technology.
- Massachusetts and Georgia have explored restrictions and disclosure requirements for AI used in mental health care and insurance coverage decisions.
- New York and Texas have advanced broader AI governance frameworks that could affect health care use cases, especially where patient safety or automated decisions are involved.
What can providers do?
Providers face a fragmented and fast-evolving AI regulatory landscape that demands proactive action, not passive monitoring. To prepare, organizations should focus on building adaptable governance, embedding oversight into decisions, and extending accountability across their ecosystem. Considerations include:
- Operationalize enterprise AI governance that can flex across state-by-state requirements and reduce compliance fragmentation.
- Embed human oversight, transparency and auditability into clinical and administrative workflows to meet rising regulatory scrutiny.
- Strengthen third-party risk management to ensure AI embedded in vendor solutions remains compliant and accountable.
