Healthcare AI Regulations 2025: New Rules, Compliance Requirements, and What Providers Need to Know



Kevin Henry

HIPAA

March 25, 2026

7 minutes read

Federal Regulatory Initiatives

Two federal rulemaking tracks reshaped healthcare AI in 2025: the FDA’s lifecycle approach to AI-enabled medical devices and ONC’s interoperability and algorithm-transparency updates to the Health IT Certification Program. Together, they set expectations for safe iteration, risk management, and usable transparency at the point of care. ([fda.gov](https://www.fda.gov/regulatory-information/search-fda-guidance-documents/marketing-submission-recommendations-predetermined-change-control-plan-artificial-intelligence))

FDA: Predetermined Change Control Plans (PCCPs) and lifecycle oversight

The FDA’s final guidance, issued August 18, 2025, explains how a Predetermined Change Control Plan lets a manufacturer pre‑specify model updates (a description of the planned modifications; a modification protocol covering data management, retraining, performance evaluation, and update procedures; and an impact assessment) so that those post‑market changes can be made without a new submission, provided safety and effectiveness are maintained. Two caveats matter for providers. First, only changes inside the authorized PCCP’s scope are covered; anything outside it still needs a new submission, so a vendor claiming “it’s under our PCCP” should be able to show the modification description. Second, vendor AI tools may legitimately evolve in production, so you should monitor labeling and field performance updates surfaced under the PCCP and feed them into your own local validation. ([fda.gov](https://www.fda.gov/regulatory-information/search-fda-guidance-documents/marketing-submission-recommendations-predetermined-change-control-plan-artificial-intelligence))

Earlier, on January 6, 2025, FDA released draft guidance on lifecycle management and marketing submissions for AI‑enabled device software functions, covering transparency, bias mitigation, and documentation across the total product lifecycle. It is useful context when assessing vendors’ design controls and real‑world performance monitoring programs. ([fda.gov](https://www.fda.gov/news-events/press-announcements/fda-issues-comprehensive-draft-guidance-developers-artificial-intelligence-enabled-medical-devices))

ONC: Health Data Technology Interoperability Rule updates and DSI transparency

ONC’s HTI‑1 Final Rule modernized the Health IT Certification Program and introduced the Decision Support Interventions (DSI) criterion at 45 CFR 170.315(b)(11). The rule took effect February 8, 2024 (its information‑blocking amendments on March 11, 2024), required developers to move from the legacy CDS criterion to DSI by the end of 2024, and, as of January 1, 2025, made DSI part of the Base EHR definition, elevating algorithm transparency in certified EHRs. ONC’s key‑dates fact sheet lays out these timelines alongside related updates to USCDI and C‑CDA. ([healthit.gov](https://healthit.gov/wp-content/uploads/2025/03/Overview-and-Key-Dates-2024_508.pdf))

The DSI Resource Guide details what certified health IT must enable: access to structured “source attributes” (13 for evidence‑based DSIs; 31 for Predictive DSIs, which add items such as a description of the training data, validity and fairness measures, and update and ongoing‑validation practices), plus summary information about the developer’s intervention risk management (IRM) practices covering risk analysis, risk mitigation, and governance. Developers that supply Predictive DSIs must make those IRM summaries publicly accessible, which gives providers a concrete due‑diligence artifact to request before go‑live. ([healthit.gov](https://healthit.gov/wp-content/uploads/2024/05/DSI-Criterion-Resource-Guide_508.pdf))

ONC also exercised enforcement discretion on certain HTI‑1 timelines during the 2025 lapse in appropriations, giving certified developers until March 1, 2026 to update their modules and deliver the updated technology to customers. If your EHR rollout spans 2025-2026, confirm with your vendor which certified version you are running and whether the DSI transparency features are actually live, rather than assuming the original deadline held. ([healthit.gov](https://healthit.gov/certification-health-it/onc-health-it-certification-program-test-method))

ONC’s separate HTI‑2 Final Rule (finalized December 2024, with webpages updated through 2025-2026) focused on TEFCA and information‑blocking amendments that affect how AI‑enabled systems exchange EHI via Qualified Health Information Networks (QHINs), relevant when integrating AI with national networks. ([healthit.gov](https://healthit.gov/news/astp-finalizes-hti-2/))

State-Specific AI Laws

State activity accelerated in 2025. Colorado’s SB 24‑205 (the Colorado Artificial Intelligence Act, commonly called the Anti‑Discrimination in AI law) establishes duties for developers and deployers of “high‑risk” AI to use reasonable care to prevent algorithmic discrimination; it applies across consequential decisions (including health care services and insurance) and, after a 2025 legislative delay, takes effect June 30, 2026, so 2025 is your planning window. ([coag.gov](https://coag.gov/ai/))

Utah’s Artificial Intelligence Policy Act (SB 149, 2024) requires disclosure when consumers interact with generative AI and mandates that licensed professionals clearly disclose when AI is used in delivering regulated services, with direct implications for patient communications, scheduling bots, and virtual triage. ([le.utah.gov](https://le.utah.gov/~2024/bills/sbillint/SB0149.htm))

Texas enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) in June 2025 (effective January 1, 2026). It emphasizes governance, prohibits certain practices, and recognizes affirmative defenses for violations discovered through adversarial testing (red‑teaming) and for programs aligned with recognized AI risk frameworks such as the NIST AI RMF, useful benchmarks for enterprise programs. ([dlapiper.com](https://www.dlapiper.com/insights/publications/2025/06/texas-adopts-the-responsible-ai-governance-act))

California’s Attorney General issued healthcare‑specific legal advisories (January 13, 2025) reminding providers, payers, and vendors that existing consumer protection, civil rights, privacy, and professional licensing laws already apply to AI, and urging transparency about how patient data are used to train AI and how AI influences care decisions. ([oag.ca.gov](https://oag.ca.gov/news/press-releases/attorney-general-bonta-issues-legal-advisories-application-california-law-ai))

Regulators beyond provider oversight also moved: New York’s DFS Insurance Circular Letter No. 7 (2024), issued July 2024, sets expectations for insurers using AI and external consumer data in underwriting and pricing, including governance, testing for unfair discrimination, and transparency. It matters for payer‑provider collaborations and value‑based care arrangements. ([dfs.ny.gov](https://www.dfs.ny.gov/industry-guidance/circular-letters/cl2024-07))

Industry Guidelines and Frameworks

Adopt a Responsible Use of AI Framework anchored in consensus standards. NIST’s AI Risk Management Framework (AI RMF 1.0) provides the GOVERN, MAP, MEASURE, and MANAGE functions, and its Generative AI Profile (NIST AI 600‑1, July 2024) maps those functions to GenAI‑specific risks so you can operationalize them across the AI lifecycle. ([nist.gov](https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-ai-rmf-10))

ISO/IEC 42001:2023 defines requirements for an AI management system (AIMS) and is increasingly referenced by risk, compliance, and audit teams to evidence program maturity. ([iso.org](https://www.iso.org/standard/42001))

The Coalition for Health AI (CHAI) blueprint and draft assurance guidance aim to standardize trustworthy AI evaluation and assurance in healthcare, useful for building model registries, assurance testing, and outcome monitoring. ([chai.org](https://chai.org/wp-content/uploads/2024/05/blueprint-for-trustworthy-ai_V1.0-2.pdf))

WHO’s January 2024 guidance on large multimodal models in health sets out clinical safety, bias, and governance expectations, helpful for clinician‑facing GenAI deployments. ([who.int](https://www.who.int/tokelau/news/detail-global/18-01-2024-who-releases-ai-ethics-and-governance-guidance-for-large-multi-modal-models))

AI Governance for Healthcare Providers

Build the operating model

Stand up an AI ethical oversight function that reports to clinical and enterprise risk leaders. Define charters for model inventory, risk tiering, human oversight, and incident response. Map program controls to NIST AI RMF and (optionally) ISO/IEC 42001 to demonstrate a defensible system of governance. ([nist.gov](https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-ai-rmf-10))

Operationalize transparency and safety

Require vendors to deliver HTI‑1 DSI “source attributes,” IRM summaries, evaluation reports (including subgroup performance), and change notices, then surface this information in clinical workflows. For FDA‑regulated tools, track PCCP‑driven updates via labeling and post‑market signals. ([healthit.gov](https://healthit.gov/wp-content/uploads/2024/05/DSI-Criterion-Resource-Guide_508.pdf))

Integrate with care quality and procurement

Embed pre‑deployment clinical validation, bias testing on local data, and fit‑for‑purpose monitoring into existing quality and safety committees. Update RFP and contracting language to require transparency artifacts, security attestations, and interoperability commitments supporting the Health IT Certification Program. ([healthit.gov](https://www.healthit.gov/topic/certification-ehrs/about-onc-health-it-certification-program))


Data Security and Privacy Requirements

Reinforce HIPAA Privacy and Security Rule compliance while adopting HHS’s healthcare‑sector Cybersecurity Performance Goals (CPGs) and 405(d) practices. Treat “cyber safety as patient safety” across the AI stack: data pipelines, training environments, model artifacts, and inference endpoints all hold or touch PHI and need the same access control, logging, and patching discipline as the EHR. ([asprtracie.hhs.gov](https://asprtracie.hhs.gov/technical-resources/resource/12863/healthcare-and-public-health-sector-specific-cybersecurity-performance-goals))

Address “patient data poisoning” and other adversarial ML threats (NIST’s adversarial ML taxonomy, NIST AI 100‑2, distinguishes poisoning, evasion, privacy, and, for generative systems, abuse attacks) with dataset provenance checks (hash‑based manifests over training and validation data, tied to an approved data source), robust training pipelines that reject out‑of‑range or unexplained records, red‑team exercises, and continuous monitoring for drift and anomalies in both model inputs and outputs. ([nist.gov](https://www.nist.gov/news-events/news/2024/01/nist-identifies-types-cyberattacks-manipulate-behavior-ai-systems))
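The following Python script is an added example of the provenance and drift checks described above; it is not code from the article or from NIST. It builds a hash manifest for a baseline training set, verifies a later copy against it, and gates a new batch on out‑of‑range values and label‑distribution drift. The patient records, feature ranges, and the 0.25 drift threshold are all constructed for illustration.

```python
"""Dataset provenance and drift gate for a clinical ML training pipeline."""
import hashlib
import json
from collections import Counter

# Constructed sample records (synthetic, not real patient data) for a
# hypothetical readmission-risk model. Field names and values are assumed.
BASELINE_RECORDS = [
    {"patient_id": "p001", "age": 67, "hba1c": 8.1, "label": "high_risk"},
    {"patient_id": "p002", "age": 54, "hba1c": 6.2, "label": "low_risk"},
    {"patient_id": "p003", "age": 73, "hba1c": 9.4, "label": "high_risk"},
    {"patient_id": "p004", "age": 41, "hba1c": 5.6, "label": "low_risk"},
    {"patient_id": "p005", "age": 59, "hba1c": 7.0, "label": "low_risk"},
    {"patient_id": "p006", "age": 80, "hba1c": 10.2, "label": "high_risk"},
]
# A later batch with the same label mix: should pass the gate.
CLEAN_BATCH = [
    {"patient_id": "q101", "age": 70, "hba1c": 9.0, "label": "high_risk"},
    {"patient_id": "q102", "age": 48, "hba1c": 5.9, "label": "low_risk"},
    {"patient_id": "q103", "age": 77, "hba1c": 8.8, "label": "high_risk"},
    {"patient_id": "q104", "age": 38, "hba1c": 5.4, "label": "low_risk"},
]
# A tampered batch: every label flipped to low_risk and one impossible value.
POISONED_BATCH = [
    {"patient_id": "q201", "age": 66, "hba1c": 8.0, "label": "low_risk"},
    {"patient_id": "q202", "age": 52, "hba1c": 6.1, "label": "low_risk"},
    {"patient_id": "q203", "age": 71, "hba1c": 99.0, "label": "low_risk"},
    {"patient_id": "q204", "age": 45, "hba1c": 5.7, "label": "low_risk"},
]
# Plausible clinical ranges used as a coarse tripwire (assumed values).
FEATURE_RANGES = {"age": (0, 120), "hba1c": (3.0, 20.0)}


def canonical_hash(records):
    """SHA-256 over a canonical JSON encoding, so the same logical dataset
    hashes identically regardless of key order or whitespace."""
    blob = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def build_manifest(name, records):
    """Provenance record to store (and ideally sign) beside the dataset."""
    return {
        "dataset": name,
        "count": len(records),
        "sha256": canonical_hash(records),
        "label_counts": dict(Counter(r["label"] for r in records)),
    }


def verify_manifest(records, manifest):
    """True only if the records match the manifest's count and hash."""
    return (len(records) == manifest["count"]
            and canonical_hash(records) == manifest["sha256"])


def out_of_range(records, ranges=FEATURE_RANGES):
    """IDs of records with a feature outside its plausible range: a cheap
    check for corrupted or injected rows before they reach training."""
    bad = []
    for rec in records:
        for feat, (lo, hi) in ranges.items():
            value = rec.get(feat)
            if value is None or not lo <= value <= hi:
                bad.append(rec["patient_id"])
                break
    return bad


def label_drift(baseline_counts, new_counts):
    """Total variation distance between two label distributions, in [0, 1]."""
    labels = set(baseline_counts) | set(new_counts)
    n_base = sum(baseline_counts.values()) or 1
    n_new = sum(new_counts.values()) or 1
    return 0.5 * sum(abs(baseline_counts.get(l, 0) / n_base
                         - new_counts.get(l, 0) / n_new) for l in labels)


def gate_batch(manifest, batch, drift_threshold=0.25):
    """Decide whether a new batch may feed retraining. The threshold is an
    assumed policy value; calibrate it on your own historical batches."""
    findings = []
    anomalies = out_of_range(batch)
    if anomalies:
        findings.append("out_of_range:" + ",".join(anomalies))
    drift = label_drift(manifest["label_counts"],
                        Counter(r["label"] for r in batch))
    if drift > drift_threshold:
        findings.append(f"label_drift:{drift:.2f}")
    return {"accept": not findings, "drift": round(drift, 3), "findings": findings}


if __name__ == "__main__":
    manifest = build_manifest("readmit-train-v1", BASELINE_RECORDS)
    print("baseline verified:", verify_manifest(BASELINE_RECORDS, manifest))
    print("clean batch:", gate_batch(manifest, CLEAN_BATCH))
    print("poisoned batch:", gate_batch(manifest, POISONED_BATCH))
```

In production the manifest would be signed by the data steward and the hash checked again at training time, so a substitution between approval and training is caught; the range and drift checks are deliberately simple and catch crude poisoning, not a carefully crafted attack, which is why the article also calls for red‑team exercises.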

Revisit web and mobile analytics: OCR’s tracking‑technologies bulletin (updated after a June 20, 2024 federal court decision vacated part of it) still states that disclosing PHI to third‑party tracking vendors without a valid authorization or a BAA is impermissible. Inventory every third‑party script, pixel, and iframe on patient‑facing pages, especially authenticated portal pages where PHI is most likely to be present, and make sure BAAs and technical controls reflect the current guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html))
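As an added example (not from the article or from OCR), the Python script below performs the static part of that inventory: it parses a page, attributes every script, image, iframe, and stylesheet load to a host, and flags hosts that are neither first‑party nor covered by a BAA. The HTML, the example.* hostnames, and both allowlists are constructed; the two tracker hostnames are real services used only as illustrative sample input.

```python
"""Static inventory of third-party resource loads on a patient-facing page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real site): a patient-portal HTML fragment
# with a first-party script, two common analytics/ad tags, and a BAA-covered
# chat widget. Hostnames in the example.* domains are assumed.
SAMPLE_HTML = """
<html><head>
<script src="/static/portal.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<link rel="stylesheet" href="https://cdn.portal.example.org/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=123&amp;ev=PageView" height="1" width="1">
<iframe src="https://chat.baa-vendor.example.net/widget"></iframe>
<img src="/images/logo.png" alt="logo">
</body></html>
"""

PAGE_HOST = "portal.example.org"
FIRST_PARTY_HOSTS = {"portal.example.org", "cdn.portal.example.org"}
BAA_COVERED_HOSTS = {"chat.baa-vendor.example.net"}  # vendors with a signed BAA

# Tags whose URL attribute makes the browser contact another host, sending at
# least the client IP, the referring page URL and any cookies for that host.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class LoadCollector(HTMLParser):
    """Collects (tag, url) pairs for every resource the page loads."""

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.loads.append((tag, value))


def classify_loads(html, page_host, first_party=FIRST_PARTY_HOSTS,
                   baa_covered=BAA_COVERED_HOSTS):
    """Attribute each load to a host and classify it against the allowlists."""
    parser = LoadCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.loads:
        # A relative URL is served by the page's own origin.
        host = urlparse(url).hostname or page_host
        if host in first_party:
            status = "first_party"
        elif host in baa_covered:
            status = "baa_covered"
        else:
            status = "unapproved_third_party"
        findings.append({"tag": tag, "host": host, "url": url, "status": status})
    return findings


def unapproved_hosts(findings):
    """Distinct hosts receiving page loads with neither BAA nor first-party status."""
    return sorted({f["host"] for f in findings
                   if f["status"] == "unapproved_third_party"})


if __name__ == "__main__":
    results = classify_loads(SAMPLE_HTML, PAGE_HOST)
    for f in results:
        print(f"{f['status']:24} {f['tag']:7} {f['host']}")
    print("needs a BAA or removal:", unapproved_hosts(results))
```

A static scan is a floor, not a ceiling: tag managers and consent scripts inject further loads at runtime, so pair this with a browser‑driven crawl of authenticated pages or with Content‑Security‑Policy report‑only telemetry, and compare the resulting host list against your BAA register rather than against memory.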

Transparency and Disclosure Obligations

By January 1, 2025, certified EHRs transitioning from CDS to DSI must support accessible source attributes and IRM transparency for Predictive DSIs supplied by developers, giving clinicians essential context on data, performance, and risks. Ensure governance processes actually consume and act on these disclosures rather than filing them. ([healthit.gov](https://healthit.gov/wp-content/uploads/2025/03/Overview-and-Key-Dates-2024_508.pdf))

State rules add patient‑facing duties: Utah requires clear disclosure when licensed professionals use AI to deliver regulated services; California’s AG urges providers to be transparent about whether and how AI influences patient care and data use. Align your scripts, consents, and notices accordingly. ([le.utah.gov](https://le.utah.gov/~2024/bills/sbillint/SB0149.htm))

Continuous Education and Training Programs

Equip clinicians, data scientists, and operations staff with role‑based training that covers: HTI‑1 DSI transparency, FDA PCCPs, bias and subgroup performance, documentation standards, safety event escalation, and cybersecurity hygiene for AI systems. Use NIST AI RMF as the backbone for curricula and drills. ([nist.gov](https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-ai-rmf-10))

Conclusion

In 2025, federal rules solidified AI transparency and change‑control expectations while states layered on consumer protections and disclosures. If you implement a Responsible Use of AI Framework, demand DSI/IRM artifacts from vendors, harden privacy and cybersecurity, and train your teams, you’ll meet core requirements and build patient trust as AI scales across care.

FAQs

What are the key federal regulations for healthcare AI in 2025?

FDA’s August 18, 2025 PCCP final guidance enables planned, validated post‑market model updates for AI‑enabled devices. ONC’s HTI‑1 Final Rule made the DSI criterion part of the Base EHR as of January 1, 2025 and requires structured “source attributes” and IRM transparency for Predictive DSIs supplied by developers. TEFCA‑related HTI‑2 updates continue to shape trusted EHI exchange. ([fda.gov](https://www.fda.gov/regulatory-information/search-fda-guidance-documents/marketing-submission-recommendations-predetermined-change-control-plan-artificial-intelligence))

How do state laws impact AI use in healthcare?

Colorado’s ADAI (effective June 30, 2026) compels reasonable care to prevent algorithmic discrimination in high‑risk AI, affecting insurers and adjacent healthcare decisions. Utah requires clear disclosure when licensed professionals use AI during services. Texas’s TRAIGA (effective January 1, 2026) emphasizes governance and recognizes defenses tied to adversarial testing and reputable AI risk frameworks. California’s AG advises healthcare entities to ensure transparency and compliance under existing state laws. ([coag.gov](https://coag.gov/ai/))

What governance structures should providers implement for AI compliance?

Establish AI Ethical Oversight; maintain a model inventory and risk‑tiering; require DSI source attributes and IRM summaries; integrate pre‑deployment validation and ongoing monitoring into quality committees; map controls to NIST AI RMF and, where useful, ISO/IEC 42001; and track FDA PCCP‑driven device updates. ([healthit.gov](https://healthit.gov/wp-content/uploads/2024/05/DSI-Criterion-Resource-Guide_508.pdf))

How can providers ensure transparency when using AI in patient care?

Leverage certified EHR capabilities to present DSI source attributes at the point of care; publish or link to developer IRM summaries; incorporate state‑required notices (e.g., Utah’s disclosure for licensed professionals); and follow California AG guidance to communicate how AI informs decisions and how patient data may train AI systems. ([healthit.gov](https://healthit.gov/wp-content/uploads/2024/05/DSI-Criterion-Resource-Guide_508.pdf))
