
How Well Do You Know Your AI? – Compliance and Enforcement Risks in the Healthcare Industry

By: Annalise Lekas Surnow

12/18/25

The healthcare industry continues to face greater and greater constraints, including increased patient demand, chronic disease and lack of resources. Artificial intelligence (AI) and machine learning (ML) tools are becoming more accessible and can help alleviate those constraints.

AI can be a useful tool for providers by allowing them to shift their energy from administrative tasks to direct patient care. It can assist with coding and billing or transcribing visit notes into patients’ medical records. AI may even be used to assist with diagnosis, drug discovery and personalized care.

At the same time, using AI in a healthcare practice has inherent risks. AI technology may create algorithmic bias, data privacy compliance concerns, or safety and transparency issues. AI uses algorithms to find complex non-linear correlations in a massive data set, but AI does not illustrate how it arrives at its results. AI may also have algorithmic errors, as it may continue to generate work product based on prior data that is no longer accurate or complete.

In the healthcare industry, AI errors pose risks to the safety and health of patients and raise the question of who to hold accountable for any sort of damage done. As such, regulators are going to expect a level of human intervention with AI technology to limit these risks. Therefore, healthcare organizations need to have sound AI policies and procedures in place.

Compliance Practices

It is important for healthcare organizations to establish proper AI compliance practices. First, as you begin the procurement process, do your homework. What AI tool are you implementing and how do you intend to use it? Is it safe, accountable, valid, and reliable? Does the AI technology meet all necessary privacy and security requirements? What is the scope of the data utilized by the AI system? You will also want to ensure that you have carefully reviewed and negotiated the contractual license agreement for the AI system.

Second, once you have selected an AI system for your organization, you need to have a post-implementation monitoring process. Ongoing monitoring is necessary to ensure that the AI system does not diverge from its intended purpose. You should also implement regular updates to the system to ensure that it functions properly. In most cases, you will need a provider making the final clinical decision. You will want to have a written AI compliance plan in place and, depending on the size of your organization, you may also want to create an AI governance committee. You should train your employees who are engaging with the AI technology and may want to conduct periodic audits or risk assessments as a form of monitoring the technology.

Third, there can be certain state law notification and consent requirements. You will want to ensure that you have policies in place to notify patients regarding the use of AI technology and obtain their prior consent for the use of the technology, as necessary. You should also educate your patients about the limitations of AI and the potential for errors so that patients can make voluntary and informed decisions about their care.

Enforcement Risks

Healthcare organizations need to consider the applicable regulations that may impact the use of AI in their practice or organization, such as HIPAA rules, FDA regulations, the False Claims Act, and state-level legislation.

If the AI technology does not meet the privacy and security requirements of HIPAA, healthcare organizations may face enforcement by the HHS Office of Civil Rights.

The Food and Drug Administration can also play a role in regulating and approving AI/ML medical devices. Healthcare organizations will want to ensure that they are utilizing approved devices and that the AI/ML devices do not exceed the bounds of their approved services. Penalties can be assessed against healthcare organizations that market unapproved services.

At the state level, the state attorney general may step in if providers are using AI tools in ways that misrepresent their services, impact personal privacy, or enable discrimination in the delivery of patient care.

The improper use of AI may also result in False Claims Act enforcement measures. For example, the Department of Justice conducted recent investigations into pharmaceutical companies and digital health companies regarding their use of AI in electronic medical record systems to determine whether the AI tool resulted in excessive or medically unnecessary care.

What’s Ahead?

Healthcare organizations will need to continue to monitor the ever-evolving AI regulatory landscape. We have seen certain states enact AI legislation, such as Utah, Texas, California, and Virginia. Most recently, on December 11, 2025, President Trump signed Executive Order 14365 titled “Ensuring a National Policy Framework for Artificial Intelligence,” aimed at reducing state-level regulation and instead establishing a unified federal approach to AI regulations. Members of Bodman’s Health Care Practice Group are monitoring these developments and will issue periodic updates as warranted.

Bodman PLC can provide guidance on this matter and other practical advice to meet your needs. To discuss these or any other legal issues affecting your organization, please contact Brandon Dalziel at (313) 393-7507 or bdalziel@bodmanlaw.com, Annalise Lekas Surnow at (313) 392-1059 or alekas@bodmanlaw.com, or Grace Connolly at (313)-393-7563 or gconnolly@bodmanlaw.com. Bodman cannot respond to your questions or receive information from you without first clearing potential conflicts with other clients. Thank you for your patience and understanding.
