Clingantry

The Ongoing Report of ClingantryThe Report

healthcare ai & robotics — regulatory & breach intelligence, sourced only from primary government record


Tagged “federal” · 4 entries

The White House wants to override state AI laws — the state rules you follow may be challenged

A December 2025 executive order (EO 14365) directs the federal government to push back on state AI laws it considers burdensome — including a Justice Department task force to challenge them in court, and reviews by Commerce and the FTC identifying which state laws conflict with federal policy. What this means for you: the state AI rules covered in this feed (Texas, Colorado, Indiana, Alabama, and others) are valid law today and you should keep complying — but some may end up challenged in court over the next year or two. Don't un-build your compliance program based on headlines; do expect uncertainty about which state rules survive.

If you buy AI-powered medical devices: the FDA's big rulebook for them is still in draft

The FDA has authorized over a thousand AI-enabled medical devices, but its first comprehensive rulebook for how these devices should be designed, validated, and monitored over their whole life — published as a draft in January 2025 — has still not been finalized. Why a hospital should care: once final, it will shape what documentation and ongoing performance monitoring you can demand from device vendors, especially for AI tools whose behavior changes with updates. Reasonable ask of vendors today: whether they're already building to the draft guidance rather than waiting.

A federal cloud-security update is already in effect — check your vendor contracts

The federal government's rulebook for approving cloud software (FedRAMP) got a major overhaul, and it's already active as of July 4, 2026 — not something coming later this year. The old "Low/Moderate/High" security tiers are gone, replaced by new tiers called Classes A through D. If any of your software vendors handle government-adjacent data or claim FedRAMP approval, it's worth asking them directly whether they've moved to the new system, since some requirements become mandatory before January 1, 2027.

Primary source: fedramp.gov/2026

No, HIPAA does not yet require encryption everywhere — that's still just a proposal

You may have heard that HIPAA now requires encrypting all patient data. It doesn't — not yet. Federal regulators proposed making encryption mandatory (it's currently just "recommended"), but that proposal has not been finalized into law as of this writing. There's no deadline to comply with yet. Once it is finalized, organizations would get 60 days before it takes effect and 240 days after that to actually comply — so there will be advance warning. Worth watching, not worth panicking about yet.

← Back to The Report