Healthcare AI Compliance Briefing

2025–2026 Regulatory Timeline

Healthcare AI faces a compressed compliance window. Here’s what’s coming and when:

The Consent Litigation Wave

Ambient AI scribes have become one of healthcare’s most widely-adopted AI categories. They also became a significant liability exposure in 2025.

Sharp HealthCare: The Template Case

Filed November 2025, Saucedo v. Sharp HealthCare alleges that since Abridge’s deployment in April 2025, over 100,000 patient encounters may have been recorded without adequate consent. The complaint includes several allegations that create templates for future litigation:

• Auto-inserted consent statements — The AI allegedly inserted false attestations into medical records claiming patients had been "advised of and consented to" recording when they had not
• CIPA violations — California’s Invasion of Privacy Act allows $5,000 per violation (or three times actual damages) for wiretapping
• CMIA violations — Confidentiality of Medical Information Act claims for unauthorized disclosure
• Negligence claims — Failure to implement adequate consent procedures

The "Capability Test" Expansion

Perhaps more concerning is the emerging "capability test" from Ambriz v. Google LLC (2025). The court held that an AI vendor can be liable as a third-party eavesdropper if it merely possesses the technical capability to use intercepted data for its own purposes—regardless of whether it actually exercises that capability.

Most AI vendors’ terms of service reserve rights to use customer data for model training. Under the capability test, this reservation alone may create CIPA liability even if training never occurs.

HIPAA’s AI Blind Spots

HIPAA was written for fax machines and filing cabinets. While its principles apply to AI, significant gaps exist:

BAA Coverage Gaps

The Audit Trail Problem

HIPAA’s Security Rule requires audit controls for PHI access. For AI systems, this means logging not just who accessed data, but what the AI did with it:

• What PHI was sent to the model
• What the model output was
• What version of the model was used
• What safety controls executed
• Whether output was modified before display

Most AI platforms provide application-level access logs. They don’t provide inference-level audit trails. This creates a compliance gap that governance committees are increasingly identifying.

What Governance Committees Are Asking

Health system AI governance committees have evolved rapidly. In 2023, they asked if you had policies. In 2024, they asked about your certifications. In 2025, they’re asking for evidence.

The New Questions

Based on conversations with health system CISOs, CMIOs, and compliance officers, here are the questions that now regularly appear in procurement reviews:

From Attestation to Evidence

The fundamental shift is from trust to verify. Policy documents and attestation letters no longer satisfy sophisticated governance committees. They want:

• Cryptographic proof that controls executed on specific interactions
• Audit trails that can be independently verified
• Real-time dashboards showing compliance status, not annual reports
• Incident evidence that can be produced within hours, not weeks

This is the "evidence gap" that’s stalling healthcare AI procurement. Vendors can describe their controls but can’t prove they ran.

Ambient AI Scribe: The 2025 Flashpoint

Ambient AI clinical documentation is healthcare’s killer app—and its biggest compliance headache. Every major health system is either deploying, piloting, or evaluating ambient scribes. Most are underestimating the liability exposure.

The Consent Challenge

In California and other "all-party consent" states, recording a conversation without all parties’ consent is illegal. Doctor-patient conversations have heightened protection as "confidential communications."

Yet many ambient AI deployments rely on:

• Implicit consent — "The patient didn’t object when I mentioned we use AI"
• General consent forms — Buried in admission paperwork signed weeks earlier
• Verbal mention — Not documented, hard to prove in litigation

The Sharp lawsuit shows where this leads. Explicit, documented, per-encounter consent is becoming the standard.

Best Practice Framework

Recommendations for 2026

For Healthcare AI Vendors

1. Upgrade your BAA — Standard cloud BAAs don’t cover AI-specific risks. Work with counsel to add model training prohibitions, inference logging requirements, and AI incident definitions.
2. Build evidence infrastructure — Governance committees want proof controls ran. Implement inference-level logging with cryptographic verification.
3. Prepare for state AI laws — Map your products against Colorado’s new ADMT transparency framework (SB 26-189) and other emerging state regimes. Identify where your technology could materially influence a consequential decision, and stand up the notice, disclosure, and human-review workflows those laws expect.
4. Document consent workflows — For ambient AI, create auditable consent capture that can withstand litigation discovery.

For Health Systems

1. Audit existing AI deployments — Particularly ambient scribes. Verify consent procedures meet CIPA/CMIA requirements.
2. Strengthen vendor diligence — Add AI-specific questions to security questionnaires. Require evidence, not just attestations.
3. Establish AI governance — If you don’t have a formal AI governance committee, create one. If you do, update its charter for 2026 requirements.
4. Plan for state law compliance — Colorado’s new ADMT law (SB 26-189) reaches technology used to materially influence consequential decisions, including health-care services. Map your exposure ahead of the January 1, 2027 compliance date.

Related Resources