Virginia AI Healthcare Rules (2026): Compliance & Privacy
Navigate AI healthcare regulations in Virginia. Understand state data privacy laws, federal FDA oversight, and ethical guidelines for AI deployment in VA healthcare.
AI-drafted, human-reviewed
How we build these guides
Sourcing
Adapters pull primary data from the FAA, IRS, OpenStates, DSIRE, NORML, PubMed, Census/BLS/FRED, Google Civic, and Data.gov.
Generation pipeline
Multi-stage AI pipeline: structural outline → long-form draft → cross-family fact-check editor → readability polish → FAQ enrichment. Each stage uses a different model family so factual drift is caught before publish.
Quality gates
Soft gates on word count, citation count, and banned-phrase screening; hard blocks if required sections are missing.
Verification cadence
Pages are re-verified quarterly. verified_at updates on every pass.
Not legal advice. Consult an attorney or CPA for binding guidance.
Virginia lacks a dedicated AI healthcare statute. AI in clinical settings is governed by a patchwork of federal FDA oversight for AI as a medical device, the Virginia Consumer Data Protection Act for health data outside HIPAA's reach, and the Virginia Medical Practice Act for physician accountability.
Quick Answer: Current State of AI Healthcare Regulation in Virginia
Virginia lacks a comprehensive, standalone law regulating artificial intelligence in healthcare. Regulation occurs through a layered framework of existing statutes.
At the federal level, the FDA treats AI and machine learning tools that meet the definition of a medical device as Software as a Medical Device (SaMD). These tools are subject to premarket review, post-market surveillance, and quality system requirements. A 2026 analysis by Litt H et al. in the Journal of Cancer Policy documented the clinical evidence landscape for FDA-authorized oncology AI/ML devices. A 2025 study by Bracken A et al. in Clinical Orthopaedics and Related Research found that few FDA-approved AI/ML orthopaedic devices have EU MDR equivalents or peer-reviewed validation.
At the state level, Virginia's existing statutes fill specific gaps:
- The Virginia Consumer Data Protection Act (Va. Code § 59.1-571 et seq.) covers health-related personal data that falls outside HIPAA's scope.
- The Virginia Medical Practice Act (Va. Code § 54.1-2900 et seq.) holds licensed practitioners accountable for clinical decisions, regardless of whether an algorithm informed them.
- General consumer protection law under the Virginia Consumer Protection Act (Va. Code § 59.1-196 et seq.) can address deceptive or unfair AI product claims.
Virginia providers and AI developers must satisfy federal device law, state privacy law, and professional licensing standards simultaneously. No single Virginia agency coordinates all three.
Federal vs. State Oversight: Delineating Regulatory Authority for AI in Healthcare
FDA Authority Over AI as a Medical Device
The FDA's jurisdiction applies when an AI tool meets the statutory definition of a device under 21 U.S.C. § 321(h) or qualifies as SaMD. The agency's approach to AI/ML-based SaMD is based on its 2019 discussion paper and subsequent action plan. The FDA's 2021 "Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device Action Plan" and its 2023 draft guidance on marketing submission recommendations for AI/ML-enabled devices outline the agency's current expectations. These expectations include premarket submissions, predetermined change control plans, and transparency obligations.
Litt H et al. (Journal of Cancer Policy, 2026) analyzed FDA-authorized oncology AI/ML devices. They found significant variability in the clinical evidence supporting authorization. Bracken A et al. (Clinical Orthopaedics and Related Research, 2025) documented that many FDA-cleared orthopaedic AI/ML devices lack EU MDR equivalents or independent peer-reviewed validation.
For Virginia-based developers or hospitals deploying AI tools that meet the device definition, FDA clearance or approval is a prerequisite. Consult the FDA's Digital Health Center of Excellence for current guidance on whether a specific tool requires a marketing submission.
Virginia's Jurisdictional Lane
Virginia regulates what happens after a device reaches the clinic. The Commonwealth's authority covers:
- Medical licensure and practice standards. The Virginia Board of Medicine (established under Va. Code § 54.1-2900 et seq.) licenses physicians, nurse practitioners, and other practitioners. It sets the standard of care and can discipline practitioners whose use of AI tools falls below that standard.
- Facility oversight. The Virginia Department of Health (VDH) licenses hospitals and other healthcare facilities under Va. Code § 32.1-102.1 et seq. It can incorporate AI governance expectations into facility standards. Consult VDH directly for current regulatory positions.
- Data privacy. The VCDPA governs personal data processing by covered entities operating in Virginia. This includes health data that HIPAA does not cover.
- Consumer protection. The Virginia Attorney General enforces the Virginia Consumer Protection Act against deceptive practices. This can include misleading claims about AI diagnostic accuracy.
Where Federal and State Rules Overlap
A hospital deploying an FDA-cleared AI radiology tool must simultaneously satisfy FDA post-market requirements, HIPAA security and privacy rules, VCDPA obligations for any data outside HIPAA's scope, and the Board of Medicine's standard-of-care expectations for the radiologist who acts on the AI's output. These frameworks generally do not conflict but require separate compliance tracks.
Key Virginia Statutes Impacting AI in Healthcare Operations
Virginia Consumer Data Protection Act (Va
Sources & Verification (8)
- HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) — federal baseline for AI systems handling PHI.
- FDA AI/ML-Based Software as a Medical Device (SaMD) Action Plan (January 2021) and Predetermined Change Control Plan guidance (April 2025).
- CMS Conditions of Participation (42 CFR §482 hospitals; 42 CFR §483 SNFs) — AI-assisted clinical decisions remain provider-accountable.
- FTC Section 5 enforcement of deceptive AI healthcare claims (FTC Act, 15 U.S.C. §45).
- Mental health service providers; definitions, use of artificial intelligence system, civil penalty.
- Use of artificial intelligence-based tools; covered artificial intelligence, disclosure of use.
- Mental health service providers; use of artificial intelligence system, civil penalty.
- Artificial intelligence; framework for person/entity acting as an independent verification org.
Last verified: June 7, 2026