Your AI tools are touching PHI. OCR, ONC, and the FDA are watching.
From clinical decision support to patient-facing chatbots, AI in healthcare now triggers HIPAA, HHS HTI-1 transparency obligations, and — for many tools — FDA Software as a Medical Device requirements. Programs are led by Helena Rush and aligned to NIST AI RMF.
Regulations and rules already in force
Each item below is already in force or has a confirmed enforcement date. Sources are named so your compliance team can verify in minutes.
HIPAA Privacy & Security Rules
Any AI tool that creates, receives, maintains, or transmits PHI is subject to HIPAA. Vendors providing AI tools to covered entities are business associates.
Source: 45 CFR Parts 160 & 164
HHS HTI-1 Final Rule (Decision Support Interventions)
Certified Health IT must disclose source attributes for predictive Decision Support Interventions, including AI/ML — driving transparency obligations down the supply chain.
Source: 45 CFR § 170.315(b)(11); HHS HTI-1, effective January 1, 2025
FDA Software as a Medical Device (SaMD)
AI/ML-based software that diagnoses, treats, or manages disease may be a regulated device. The FDA maintains a public list of authorized AI/ML-enabled devices.
Source: FDA AI/ML-Enabled Medical Devices list (updated 2024)
EU AI Act — High-Risk: Medical Devices
AI used as a safety component of, or itself a medical device, is high-risk under Annex III. Obligations apply from August 2, 2026.
Source: EU AI Act, Annex III
These dates are not theoretical
Two enforcement deadlines have already passed. The next major one — EU AI Act high-risk obligations — is live below.
The Regulatory Clock Is Running
Two EU AI Act deadlines have already passed. The next — August 2, 2026 — applies to High-Risk AI across healthcare, finance, HR, education, and insurance. Full enforcement begins that date.
Source: European Commission AI Act Service Desk
Next Enforcement Deadline
2 August 2026 — High-Risk AI Full Compliance
2 February 2025 — Passed
Prohibited AI practices banned + AI Literacy (Article 4) obligations began.
If you have not acted, you are already non-compliant.
2 August 2025 — Passed
GPAI model obligations + governance infrastructure required.
If you have not acted, you are already non-compliant.
2 August 2026 — Next
High-Risk AI systems (Annex III) must be fully compliant. Article 50 Transparency rules apply. Full enforcement begins.
2 August 2027 — Upcoming
High-Risk AI embedded in regulated products (medical devices, aviation).
January 1, 2025
HHS HTI-1 DSI transparency in effect
Certified EHRs must surface predictive DSI source attributes, including AI/ML — patients and clinicians can ask for them.
Source: HHS HTI-1 Final Rule
Ongoing
HHS OCR HIPAA enforcement
Settlements regularly exceed $1M; AI tools that mishandle PHI are squarely in scope.
Source: HHS OCR Enforcement Highlights
August 2, 2026
EU AI Act high-risk medical AI obligations
Medical-device AI must meet documentation, risk-management, and post-market monitoring obligations.
Source: EU AI Act, Article 113
The cost of getting this wrong is no longer theoretical
Real cases. Named parties. Public records. These are the precedents your board, your auditors, and your insurer will reference.
Anthem, Inc.
$16 million HIPAA settlement
Largest HIPAA settlement to date — illustrative of the scale OCR can impose when controls fail. AI tools that touch PHI are subject to the same standard.
Source: HHS OCR Resolution Agreement, October 15, 2018
Premera Blue Cross
$6.85 million HIPAA settlement
Failure to conduct enterprise-wide risk analysis — the same gap most organizations have for their AI tools today.
Source: HHS OCR Resolution Agreement, September 25, 2020
BetterHelp
$7.8 million FTC settlement
Sharing health data with advertisers without consent — the FTC is now applying the same scrutiny to AI tools that share PHI for training.
Source: FTC press release, March 2, 2023
Mapped to the NIST AI Risk Management Framework
Every engagement is structured around the four NIST AI RMF Core functions. Your auditors and clients already recognize this language.
NIST AI RMF — Govern
Integrate AI into HIPAA Security Rule risk-analysis program; designate accountable owner.
NIST AI RMF — Map
Inventory AI tools touching PHI; classify clinical-decision impact; identify SaMD candidates.
NIST AI RMF — Measure
Validate clinical accuracy, equity across demographics, and HTI-1 source-attribute disclosure.
NIST AI RMF — Manage
Business associate agreements, breach response, post-deployment monitoring.
AI Governance & Compliance Studio
Two ways to start. One clear path forward.
Whether you need a fast read on your exposure or a deeper conversation about your governance strategy, NeuralEdge gives you a structured next step — never a sales pitch.
Free AI Readiness Snapshot
A 5-minute interactive self-assessment scored against the NIST AI RMF Core. See your readiness level immediately.
Get Your Free AI Readiness Snapshot
30-Minute Compliance Review
A working session with a NeuralEdge consultant. Bring your questions, leave with a clear action list.
Book a 30-Minute Compliance Review
Frequently asked questions
Is a chatbot using PHI a HIPAA business associate?
If the vendor creates, receives, maintains, or transmits PHI on your behalf, yes. A signed BAA is required, and the vendor's AI tooling is in scope of HIPAA Security Rule controls.
When does an AI tool become an FDA-regulated device?
When it is intended to diagnose, treat, cure, mitigate, or prevent disease, or when it influences clinical decisions in ways the FDA has defined as device functions. We help you triage and document the determination.
Does HTI-1 apply to my practice?
Directly to your certified EHR vendor — but indirectly to you. Patients and clinicians will start asking for the AI source attributes the rule now requires. Your governance must be ready to answer.
How fast can we be HIPAA + HTI-1 + AI-ready?
A defensible baseline (inventory, BAAs, risk analysis update, DSI transparency procedure) typically takes 4–8 weeks for a mid-sized practice or hospital department.
