Health‑AI governance tightening
A fresh overview maps a converging governance landscape for health AI, saying oversight now includes FDA scrutiny for diagnostic tools, HIPAA for data handling, state AI laws and frameworks such as the EU AI Act and that controls should cover data provenance, privacy, bias, auditability and human oversight. A separate analysis argues organisations face a build‑or‑buy choice for AI and warns that outsourcing core judgement or safety layers can create long‑term operational risk. (healthai.com) (pharmexec.com)
Health systems are moving from AI pilots to rulebooks as regulators, privacy enforcers and hospital boards tighten oversight around clinical software and patient data. (fda.gov)

In the United States, the Food and Drug Administration said in guidance dated January 29, 2026 that some clinical decision support software for health professionals falls under device oversight, while other functions do not. The agency separately said on January 6, 2025 that developers of artificial intelligence-enabled device software should document lifecycle management and marketing submissions for safety and effectiveness. (fda.gov 1) (fda.gov 2)

At the same time, the Department of Health and Human Services said the Health Insurance Portability and Accountability Act Security Rule still governs electronic protected health information, and on December 27, 2024 proposed its first major Security Rule update since 2013. The proposal would tighten cybersecurity requirements for health plans, clearinghouses and many providers that handle patient data used in AI systems. (hhs.gov 1) (hhs.gov 2)

Outside federal health law, artificial intelligence rules are spreading into broader state and international regimes. Colorado’s artificial intelligence law covers “high-risk” systems used in consequential decisions and, after a 2025 delay, is set to take effect on June 30, 2026, while the European Union’s AI Act is being phased in through August 2, 2027. (aicompliancedocuments.com) (europa.eu)

The practical effect is that one hospital tool can sit under several layers of control at once: device review for diagnostic claims, privacy and security rules for patient records, and artificial intelligence governance for bias, transparency and human oversight. A 2025 review in *npj Digital Medicine* said many administrative healthcare AI tools still fall outside formal regulation and depend on internal governance by developers and users. (fda.gov) (nature.com)

That is pushing boards and compliance teams to ask basic questions about where training data came from, whether outputs can be audited, how models drift after deployment and who can override a recommendation before it affects care. A 2024 governance framework article in the National Library of Medicine said oversight should cover bias, equity, transparency, explainability, data handling and safety. (pmc.ncbi.nlm.nih.gov)

The procurement fight is shifting too, because buying an outside model does not buy away accountability. In a February 2026 analysis for *Pharmaceutical Executive*, Komodo Health executive Rathi Suresh said life sciences companies choosing between building and buying must weigh speed against control, talent needs and long-term risk. (pharmexec.com)

Vendors can deliver faster deployment, but core judgment and safety controls are becoming harder to outsource as regulators ask who validated the model, who monitors it and who is responsible when it fails. The Food and Drug Administration’s recent device guidance and the European Commission’s AI Act rollout both point toward more documentation, traceability and post-market oversight rather than one-time approval. (fda.gov) (europa.eu)

The result is a narrower lane for health AI: faster adoption is still possible, but only with evidence trails, privacy controls and named humans in the loop. For hospitals, insurers and drugmakers, governance is becoming part of the product rather than paperwork after launch. (hhs.gov) (europa.eu)