Healthcare AI governance debate
- Posts highlighted governance gaps for healthcare coding agents and proposed an "Autonomy Passport" registration idea.
- A security firm, Force Shield LLC, promoted HIPAA, ISO 27001, FedRAMP and CMMC services for healthcare and fintech.
- Together the posts underscore rising demand for formal AI operator registration and vendor compliance services in regulated sectors.
Healthcare groups are debating how to govern AI coding agents as vendors push software that can assign billing codes with little or no human review. (hfma.org) Medical coding turns a patient visit into diagnosis and procedure codes that drive claims and payment, and several vendors now market "autonomous" coding for that work. HFMA reported in October 2023 that 60% of healthcare organizations surveyed said they either used autonomous coding or planned to, while 52% of finance professionals said they still did not know what the term meant. (hfma.org)

The labor squeeze is part of the backdrop. A Solventum guide citing a November 2023 American Health Information Management Association survey said 66% of health information professionals reported persistent staffing shortages over the prior two years, and 83% reported increased or persistent unfilled positions in the past year. (solventum.com) That has pushed governance questions closer to the front of the buying process. Solventum said autonomous coding needs to hit the 95% accuracy level expected of human coders, and it listed privacy, security, transparency, and basic understanding of AI limits among the main reasons some health systems hesitate. (solventum.com)

The compliance stack around those tools is familiar even when the product is new. The Health Insurance Portability and Accountability Act Security Rule requires covered entities and business associates to use administrative, physical, and technical safeguards for electronic protected health information. (hhs.gov) Federal cloud rules add another layer for vendors selling into government-linked work. The General Services Administration says FedRAMP is the governmentwide program for standardized security assessment of cloud products and services, while the Defense Department's Cybersecurity Maturity Model Certification program verifies that contractors protect federal contract information and controlled unclassified information. (gsa.gov, federalregister.gov)

That overlap helps explain why smaller compliance firms are pitching bundled services across healthcare, fintech, and public-sector work. Force Shield LLC says it offers ISO 27001 consulting and certification support, and markets itself as a cybersecurity and compliance adviser for small and medium-sized businesses. (forceshield.io, iso.org)

The registration idea circulating in the debate goes beyond ordinary vendor paperwork. NIST's Artificial Intelligence Risk Management Framework organizes AI oversight around "govern, map, measure, manage," and proposals for an "Autonomy Passport" would move that logic into a more formal registry for who built, tested, approved, and operates an AI agent. (nist.gov) Health systems already have a legal reason to ask those questions before signing a contract. HHS says a cloud service provider that creates, receives, maintains, or transmits electronic protected health information on behalf of a covered entity or business associate must sign a HIPAA-compliant business associate agreement. (hhs.gov)

For now, the market is moving faster than any single rulebook. Buyers are being asked to evaluate not just whether an AI agent can code a chart, but which controls, contracts, and audit trails stand behind the result. (hfma.org, nist.gov, hhs.gov)