Clingantry

The Ongoing Report of ClingantryThe Report

healthcare ai & robotics — regulatory & breach intelligence, sourced only from primary government record


13 entries · organized by urgency, newest first within each · RSS · Atom · browse by tag

Hot — just changed

In force now or within days. Act or verify first.

A federal cloud-security update is already in effect — check your vendor contracts

The federal government's rulebook for approving cloud software (FedRAMP) got a major overhaul, and it's already active as of July 4, 2026 — not something coming later this year. The old "Low/Moderate/High" security tiers are gone, replaced by new tiers called Classes A through D. If any of your software vendors handle government-adjacent data or claim FedRAMP approval, it's worth asking them directly whether they've moved to the new system, since some requirements become mandatory before January 1, 2027.

Primary source: fedramp.gov/2026

Indiana's new AI insurance law just took effect — insurers can't downcode your claims by AI alone

As of July 1, 2026, health insurers in Indiana can no longer use AI as the only basis to downcode a claim (pay it at a lower level than billed) — a human must review the patient's medical record first. Insurers also now have to disclose, in plain view, whenever AI was used to deny a prior authorization or downcode a claim. Two things for your team: your billing office should start watching downcoded claims for the required disclosures, and note the law cuts both ways — providers also can't submit claims generated by AI without a person involved in the claim reviewing them. Appeals get at least 180 days.

Primary source: HB 1271 — iga.in.gov

Reminder: paper records still count as a reportable breach, not just hacking

The most recent breach filed with federal regulators, on July 1, 2026, affected 8,157 people at the Wisconsin Department of Health Services — and it wasn't a computer hack at all. It involved paper and film records. Easy to forget when most breach news is about hackers: mishandled physical records are still a reportable breach, and still something your front-desk and records-handling procedures need to guard against.

Primary source: HHS OCR Breach Portal
Upcoming — dated deadlines

Signed into law with a known future effective date. Calendar these.

Alabama: starting October 1, AI can't be the one denying coverage — a clinician must decide

Alabama's new law (signed April 17, 2026, effective October 1, 2026) says a health insurer can't rely only on AI to decide whether care gets covered — any decision to deny or reduce coverage has to be made by a qualified healthcare professional. Insurers must also tell enrollees that AI is used in coverage decisions, base prior-auth determinations on the individual patient's medical history rather than group data alone, and certify annually to the state that their AI is monitored for accuracy and doesn't discriminate. If you're in Alabama, this is leverage: after October 1, an AI-only denial is something you can push back on by law.

Georgia (from January 2027): AI can help insurers process paperwork, but can't say no to care

Georgia's SB 444, effective January 1, 2027, draws a clean line: insurers may use AI in prior authorization to automate paperwork and reduce administrative burden — but an adverse decision (denying or reducing care) can't be issued until a qualified clinical peer has actually conducted the review and participated in the decision. The AI also can't override that clinician's judgment. If you operate in Georgia, nothing changes today, but this is worth having on your 2027 compliance calendar now.

Primary source: SB 444 — legis.ga.gov
Recent

Changed in the last weeks — worth confirming your teams have absorbed it.

Utah now requires insurers to say when AI reviews your preauthorization requests

Utah's SB 319, in effect since May 6, 2026, requires insurers to publicly post their preauthorization requirements on their website and to disclose whether AI is used when reviewing authorization requests. It also sets a maximum time insurers can take to answer an authorization request, and sets minimum periods an approval stays valid. Practical upshot for your utilization and scheduling teams: approvals should be faster to get and harder to have silently expire — and you can now find out whether a Utah payer is using AI on your requests just by asking.

Colorado pushed back its AI law deadline again — here's the date that matters now

Colorado's AI law (requirements around AI systems not discriminating against patients) now takes effect June 30, 2026 — pushed back from its original February date. A companion healthcare-specific rule adds a plain but important protection: your staff can't let an AI system be the sole reason a patient's coverage or care is denied. A human still has to be involved in that decision.

Texas actually has two AI laws, not one — and it's easy to miss the second

If you operate in Texas, there are two separate AI laws to know about, not one. The first, HB 149, is the broad rulebook for how AI systems can be used — it's been in effect since January 1, 2026. The second, SB 1188, is narrower but easy to overlook: it requires your staff to tell patients when AI was used in their diagnosis or treatment. That one has actually been in effect longer, since September 1, 2025. If your compliance team only checked the first law, you may already be missing a disclosure requirement that's been live for almost a year.

Even small specialty clinics are being hacked — not just big hospital systems

Minnesota Epilepsy Group, a single-specialty outpatient practice, reported a hacking incident affecting 80,061 patients on June 5, 2026. The takeaway for any smaller or specialty practice: attackers aren't only targeting big hospital networks or national insurers. If your organization is smaller, that is not protection — you're still a target, and this-size breach is common.

Primary source: HHS OCR Breach Portal

A major AI vendor used for hospital coverage decisions was hacked — 1.4 million patients affected

Xsolis — a company whose AI software helps hospitals and health plans decide whether a patient's stay or treatment gets approved — reported a hacking incident affecting 1,396,519 people on June 5, 2026. Why this one matters beyond the number: this isn't just a generic IT vendor, it's a vendor making decisions about patient care. If your hospital uses Xsolis or a similar utilization-review AI tool, this is worth a direct conversation with that vendor about what happened and whether your patients' data was involved.

Primary source: HHS OCR Breach Portal
Watching — proposals & pending

Not binding yet: proposals, drafts, and litigation that may change the rules above.

The White House wants to override state AI laws — the state rules you follow may be challenged

A December 2025 executive order (EO 14365) directs the federal government to push back on state AI laws it considers burdensome — including a Justice Department task force to challenge them in court, and reviews by Commerce and the FTC identifying which state laws conflict with federal policy. What this means for you: the state AI rules covered in this feed (Texas, Colorado, Indiana, Alabama, and others) are valid law today and you should keep complying — but some may end up challenged in court over the next year or two. Don't un-build your compliance program based on headlines; do expect uncertainty about which state rules survive.

If you buy AI-powered medical devices: the FDA's big rulebook for them is still in draft

The FDA has authorized over a thousand AI-enabled medical devices, but its first comprehensive rulebook for how these devices should be designed, validated, and monitored over their whole life — published as a draft in January 2025 — has still not been finalized. Why a hospital should care: once final, it will shape what documentation and ongoing performance monitoring you can demand from device vendors, especially for AI tools whose behavior changes with updates. Reasonable ask of vendors today: whether they're already building to the draft guidance rather than waiting.

No, HIPAA does not yet require encryption everywhere — that's still just a proposal

You may have heard that HIPAA now requires encrypting all patient data. It doesn't — not yet. Federal regulators proposed making encryption mandatory (it's currently just "recommended"), but that proposal has not been finalized into law as of this writing. There's no deadline to comply with yet. Once it is finalized, organizations would get 60 days before it takes effect and 240 days after that to actually comply — so there will be advance warning. Worth watching, not worth panicking about yet.