Clingantry

The Ongoing Report of ClingantryThe Report

healthcare ai & robotics — regulatory & breach intelligence, sourced only from primary government record


7 entries · continuous feed, newest first · RSS · Atom · browse by tag

Colorado pushed back its AI law deadline again — here's the date that matters now

Colorado's AI law (requirements around AI systems not discriminating against patients) now takes effect June 30, 2026 — pushed back from its original February date. A companion healthcare-specific rule adds a plain but important protection: your staff can't let an AI system be the sole reason a patient's coverage or care is denied. A human still has to be involved in that decision.

A federal cloud-security update is already in effect — check your vendor contracts

The federal government's rulebook for approving cloud software (FedRAMP) got a major overhaul, and it's already active as of July 4, 2026 — not something coming later this year. The old "Low/Moderate/High" security tiers are gone, replaced by new tiers called Classes A through D. If any of your software vendors handle government-adjacent data or claim FedRAMP approval, it's worth asking them directly whether they've moved to the new system, since some requirements become mandatory before January 1, 2027.

Primary source: fedramp.gov/2026

No, HIPAA does not yet require encryption everywhere — that's still just a proposal

You may have heard that HIPAA now requires encrypting all patient data. It doesn't — not yet. Federal regulators proposed making encryption mandatory (it's currently just "recommended"), but that proposal has not been finalized into law as of this writing. There's no deadline to comply with yet. Once it is finalized, organizations would get 60 days before it takes effect and 240 days after that to actually comply — so there will be advance warning. Worth watching, not worth panicking about yet.

Texas actually has two AI laws, not one — and it's easy to miss the second

If you operate in Texas, there are two separate AI laws to know about, not one. The first, HB 149, is the broad rulebook for how AI systems can be used — it's been in effect since January 1, 2026. The second, SB 1188, is narrower but easy to overlook: it requires your staff to tell patients when AI was used in their diagnosis or treatment. That one has actually been in effect longer, since September 1, 2025. If your compliance team only checked the first law, you may already be missing a disclosure requirement that's been live for almost a year.

Reminder: paper records still count as a reportable breach, not just hacking

The most recent breach filed with federal regulators, on July 1, 2026, affected 8,157 people at the Wisconsin Department of Health Services — and it wasn't a computer hack at all. It involved paper and film records. Easy to forget when most breach news is about hackers: mishandled physical records are still a reportable breach, and still something your front-desk and records-handling procedures need to guard against.

Primary source: HHS OCR Breach Portal

Even small specialty clinics are being hacked — not just big hospital systems

Minnesota Epilepsy Group, a single-specialty outpatient practice, reported a hacking incident affecting 80,061 patients on June 5, 2026. The takeaway for any smaller or specialty practice: attackers aren't only targeting big hospital networks or national insurers. If your organization is smaller, that is not protection — you're still a target, and this-size breach is common.

Primary source: HHS OCR Breach Portal

A major AI vendor used for hospital coverage decisions was hacked — 1.4 million patients affected

Xsolis — a company whose AI software helps hospitals and health plans decide whether a patient's stay or treatment gets approved — reported a hacking incident affecting 1,396,519 people on June 5, 2026. Why this one matters beyond the number: this isn't just a generic IT vendor, it's a vendor making decisions about patient care. If your hospital uses Xsolis or a similar utilization-review AI tool, this is worth a direct conversation with that vendor about what happened and whether your patients' data was involved.

Primary source: HHS OCR Breach Portal