Volume 1 · Issue No. 001

The Docket

healthcare ai & robotics — regulatory bulletin, sourced only from primary government record


Published July 3, 2026 7 primary sources cited

This week's split you need to know about: Texas now has two separate AI laws touching healthcare — most trackers report only one. Below is what actually changed, each item traced to the government document itself, not a summary of a summary.

This Issue

Texas splits AI governance from AI disclosure — most compliance checklists miss the second law

In effect

Texas didn't pass one AI law — it passed two, on different tracks, with different effective dates. HB 149 (TRAIGA), the broad AI-governance statute, took effect January 1, 2026. Separately, SB 1188 — the law that actually requires practitioners to disclose AI use in diagnosis or treatment to patients — took effect earlier, on September 1, 2025. A healthcare AI vendor selling into Texas who only checked TRAIGA has already missed a live disclosure obligation.

FedRAMP's Consolidated Rules for 2026 are live, not upcoming

In effect

The Low/Moderate/High baseline system is retired. FedRAMP CR26 replaces it with Certification Classes A through D, and took effect July 4, 2026 — already binding on cloud offerings seeking or maintaining certification, with early-adoption items mandatory before January 1, 2027. Compliance evidence is now machine-readable OSCAL, not a static PDF System Security Plan.

HIPAA's mandatory-encryption rule is still a proposal, not law

NPRM — not final

Widely cited as a "2026 encryption mandate," HHS OCR's Security Rule update — which would move ePHI encryption from addressable to required, at rest and in transit — remains an unfinalized Notice of Proposed Rulemaking published January 6, 2025. No final rule, no effective date. Once finalized, it carries a 60-day effective window and 240 days to comply.

Primary source: Federal Register, 90 FR 800

Colorado's AI Act deadline moved — again

Deadline shift

SB24-205's algorithmic-discrimination requirements for high-risk AI systems now take effect June 30, 2026, extended from the original February 1 date. HB26-1139, the healthcare-specific companion bill, adds a human-review requirement: AI cannot be the sole basis for a medical-necessity coverage denial.

Breaches & Incidents

Pulled from HHS OCR's reportable-breach filings (500+ records). Any healthcare breach qualifies for this section, not just AI-related incidents — compliance teams need the whole threat picture.

Utilization-management AI vendor Xsolis discloses breach affecting 1.4M individuals

Hacking/IT incident

Xsolis, a Tennessee-based AI vendor whose software drives prior-authorization and utilization-review decisions for health plans and hospitals, reported a network-server hacking incident affecting 1,396,519 individuals to HHS OCR on June 5, 2026. Notable for this beat specifically: it's a breach at a company whose core product is clinical-decision AI, not just a generic IT vendor — the same trust chain regulators are scrutinizing for algorithmic coverage denials is also a live cybersecurity target.

Primary source: HHS OCR Breach Portal

Minnesota Epilepsy Group hack shows mid-size specialty practices remain exposed

Hacking/IT incident

A network-server hacking incident at Minnesota Epilepsy Group, P.A. affected 80,061 individuals, reported June 5, 2026 — a reminder that OCR's largest recent filings aren't limited to hospital systems or national payers; single- specialty outpatient practices are equally reportable and equally targeted.

Primary source: HHS OCR Breach Portal

Wisconsin Dept. of Health Services: this cycle's most recent filing wasn't a hack

Unauthorized disclosure — paper/films

The most recently filed breach on record, submitted July 1, 2026, affected 8,157 individuals and involved paper/film records, not a network intrusion — a useful counterweight to a beat that otherwise skews toward "hacking/IT incident." Physical records handling is still a live reportable-breach category.

Primary source: HHS OCR Breach Portal
Subscribe

Priced to actually get subscribers first — not the eventual enterprise number. Every tier traces every claim back to the .gov document it came from.

Free $0 Monthly headline digest — what changed, no detail, no citations.
Team $79/mo Multi-state tracking, Slack/email alerts on same-day changes, shared seats for up to 5.

Get the next issue

One email a week. Cancel from the footer of any issue, no account needed.

// replace mailto target with Buttondown/ConvertKit endpoint before sharing