healthcare ai & robotics — regulatory bulletin, sourced only from primary government record
Published July 3, 20267 primary sources cited
This week's split you need to know about: Texas now has two separate AI
laws touching healthcare — most trackers report only one. Below is what actually changed,
each item traced to the government document itself, not a summary of a summary.
This Issue
Texas splits AI governance from AI disclosure — most compliance checklists miss the second law
In effect
Texas didn't pass one AI law — it passed two, on different tracks, with different effective
dates. HB 149 (TRAIGA), the broad AI-governance statute, took effect
January 1, 2026. Separately, SB 1188 — the law that actually
requires practitioners to disclose AI use in diagnosis or treatment to patients — took effect
earlier, on September 1, 2025. A healthcare AI vendor selling into Texas who
only checked TRAIGA has already missed a live disclosure obligation.
FedRAMP's Consolidated Rules for 2026 are live, not upcoming
In effect
The Low/Moderate/High baseline system is retired. FedRAMP CR26 replaces it with
Certification Classes A through D, and took effect July 4, 2026 —
already binding on cloud offerings seeking or maintaining certification, with early-adoption
items mandatory before January 1, 2027. Compliance evidence is now machine-readable OSCAL,
not a static PDF System Security Plan.
HIPAA's mandatory-encryption rule is still a proposal, not law
NPRM — not final
Widely cited as a "2026 encryption mandate," HHS OCR's Security Rule update — which would
move ePHI encryption from addressable to required, at rest and in transit — remains an
unfinalized Notice of Proposed Rulemaking published January 6, 2025. No
final rule, no effective date. Once finalized, it carries a 60-day effective window and
240 days to comply.
SB24-205's algorithmic-discrimination requirements for high-risk AI systems now take effect
June 30, 2026, extended from the original February 1 date. HB26-1139, the
healthcare-specific companion bill, adds a human-review requirement: AI cannot be the sole
basis for a medical-necessity coverage denial.
Pulled from HHS OCR's reportable-breach filings (500+ records). Any healthcare breach
qualifies for this section, not just AI-related incidents — compliance teams need the whole
threat picture.
Utilization-management AI vendor Xsolis discloses breach affecting 1.4M individuals
Hacking/IT incident
Xsolis, a Tennessee-based AI vendor whose software drives prior-authorization and
utilization-review decisions for health plans and hospitals, reported a network-server
hacking incident affecting 1,396,519 individuals to HHS OCR on
June 5, 2026. Notable for this beat specifically: it's a breach at a
company whose core product is clinical-decision AI, not just a generic IT vendor —
the same trust chain regulators are scrutinizing for algorithmic coverage denials is
also a live cybersecurity target.
Minnesota Epilepsy Group hack shows mid-size specialty practices remain exposed
Hacking/IT incident
A network-server hacking incident at Minnesota Epilepsy Group, P.A. affected
80,061 individuals, reported June 5, 2026 — a reminder that OCR's
largest recent filings aren't limited to hospital systems or national payers; single-
specialty outpatient practices are equally reportable and equally targeted.
Wisconsin Dept. of Health Services: this cycle's most recent filing wasn't a hack
Unauthorized disclosure — paper/films
The most recently filed breach on record, submitted July 1, 2026, affected
8,157 individuals and involved paper/film records, not a network intrusion —
a useful counterweight to a beat that otherwise skews toward "hacking/IT incident." Physical
records handling is still a live reportable-breach category.