Health systems should prepare now for increasing enforcement around AI use

As artificial intelligence tools become more integrated and routine in care delivery, new enforcements could focus on governance, documentation and oversight, one healthcare attorney says. He offers thoughts on defense strategies in healthcare AI cases.
By Bill Siwicki, Managing Editor

Regulatory enforcement around artificial intelligence in healthcare is in its early stages – but expect it to increase in the years ahead, says Jeff Wurzburg, healthcare partner at Norton Rose Fulbright, a global law firm.

Wurzburg says he expects that enforcement to mature through existing payment and oversight frameworks, rather than through a new AI‑specific regulator. But either way, healthcare organizations should be prepared for increasing oversight of their use of AI.

"As AI increasingly becomes embedded in everyday functions like utilization management, coding, clinical decision support and reimbursement determinations, regulators will focus less on the novelty of the technology and more on how it affects coverage determinations, medical necessity and claims accuracy," he explained.

"The core question will remain the same: Who is accountable for decisions that drive payment, and can those decisions be defended under Medicare, Medicaid and commercial payer rules when they are made, informed or accelerated by algorithms?" he continued.

Fraud and abuse laws

Looking ahead, the most significant enforcement risk will continue to come from oversight by CMS, the HHS Office of Inspector General, and the Department of Justice applying longstanding fraud and abuse laws, he added.

"Where automation replaces or compresses human judgment, I anticipate regulators are likely to closely examine whether AI tools embed improper financial incentives, produce systemic upcoding or denials, or obscure clinical responsibility," he predicted. "It is worth noting that state regulators and attorneys general are likely to play a role.

"Providers face a rapidly expanding patchwork of state laws that create compliance challenges for multi‑state operations and raise thorny preemption and harmonization issues when state requirements diverge from, or directly conflict with, existing federal regulatory frameworks," he continued. "As AI tools become more integrated and routine, I anticipate enforcement focusing on governance, documentation and oversight."

This raises the importance of internal governance and oversight for healthcare stakeholders that are using AI, he added.

The board's liability

For health system boards, potential liability arising from poor AI oversight will be judged through traditional nonprofit and corporate governance principles, Wurzburg advised.

"As AI tools become embedded in clinical decision support, revenue cycle, scheduling, staffing and utilization management, boards are expected to exercise active, informed oversight over risks that directly affect patient safety, quality of care, regulatory compliance and public funding," he said.

"While directors are likely not expected to understand the technical mechanics of AI, they are expected to understand where these tools influence clinical judgment, care pathways, or Medicare and Medicaid reimbursement, and to ensure there are clear accountability structures between management, clinical leadership and the board.

"My belief is the real exposure for health system boards will likely stem from process and governance failures, not isolated adverse events," he continued. "Regulators, accrediting bodies and plaintiffs' counsel are likely to ask whether the board received meaningful reporting on AI‑enabled systems being utilized, whether high‑risk uses were escalated appropriately, and whether the system maintained human clinical oversight consistent with Medicare Conditions of Participation and medical staff obligations."

Thus, with increasing use of AI, both known and unknown, boards that lack defined governance frameworks – for instance, designated committees, documented risk assessments, or regular quality and compliance reporting tied to AI use – may face heightened scrutiny and have greater risk, he added.

"In that environment, AI oversight becomes inseparable from core board responsibilities for quality, compliance and mission stewardship," he explained. "Board lapses are increasingly likely to be viewed as oversight failures rather than technology missteps."

The key risks in healthcare AI

From a regulatory and reimbursement perspective, the most immediate risk from AI in healthcare is fraud and payment integrity, Wurzburg said.

"With AI increasingly integrated into regulated healthcare decision-making, organizations that limit their review to standalone AI policies risk missing the larger exposure," he explained. "As AI tools are increasingly being deployed in coding, risk adjustment, utilization management and clinical decision support, enforcement agencies are likely to focus on AI driving reimbursement results that cannot be supported under existing coverage, documentation and medical necessity standards.

"The use of AI does not shift liability away from providers or health plans submitting claims to federal healthcare programs," he continued. "To the contrary, large‑scale automation raises the risk of systemic errors, such as embedded upcoding, inappropriate denials or algorithmic bias toward revenue optimization – all of which are fertile ground for False Claims Act scrutiny by DOJ and oversight by CMS and the HHS‑OIG."

As AI becomes embedded in clinical and operational workflows, health systems face heightened HIPAA risk from opaque data use, unauthorized Protected Health Information (PHI) disclosure, and misalignment between AI vendor practices and longstanding privacy and security obligations, he added.

The risk of discrimination

Another risk is discrimination, particularly where AI tools influence coverage determinations or clinical decisions, Wurzburg noted.

"One area that has been appropriately highlighted is algorithms trained on historical data that may replicate inequities across race, disability, age or other protected classes – creating exposure under civil rights laws, Medicare Conditions of Participation, and state insurance and consumer protection statutes," he explained.

"Health systems need to be acutely aware arising from AI systems developed and managed by third parties, and vendor use of AI," he continued. "Providers and plans remain accountable for regulatory compliance, data integrity and patient impact, even when decisions are the result of vendor technology."

It remains critical for entities to have aggressive due diligence with their vendors, ensure meaningful audit and indemnification rights are in place, and integrate oversight of AI into compliance and quality programs, he added.

Defense strategies

From a healthcare regulatory and reimbursement standpoint, defending investigations and cases with an AI component will focus less on the technology itself and more on whether the organization can demonstrate good‑faith compliance within existing regulatory frameworks, Wurzburg said.

"The underlying elements of these investigations and cases will remain focused on familiar underlying disputes such as payer and provider disputes, the False Claims Act, Medicare payment and coverage rules, and state insurance regulations," he continued. "Credible defenses will therefore emphasize that AI functioned as a decision support tool and was not a substitute for clinical judgment or compliance oversight.

"It will be important to demonstrate that use of AI was anchored to documented laws, regulations, policies and standards along with a human review process," he added. "Because AI systems are adaptive, probabilistic and often developed by a vendor, organizations are likely to take the position that disputed outcomes reflect emerging technology rather than knowing or reckless conduct."

Critical to such a defense will be demonstrating diligence, validation against conditions of participation and payment, payer rules, ongoing monitoring, and attentive corrective action when issues emerge, he said.

Meaningful oversight

"Finally, allocation of responsibility will play an important role," he noted. "Providers and plans will defend against liability by showing they did not blindly defer to AI outputs and retained meaningful oversight," he continued. "It is important that vendor arrangements preserve transparency and accountability.

"At the same time, regulatory ambiguity and uncertainty must be taken into account," he concluded. "Administrative law principles, such as whether guidance and requirements were provided via sub‑regulatory guidance instead of notice and comment rulemaking, should also be considered. Ultimately, healthcare organizations must continue to be nimble and willing to change with ever-evolving industry standards."

Healthcare IT News is a HIMSS Media publication.