StateReg.Reference
Best path to compliance for AI in healthcare

The fastest, lowest-risk route to legal compliance for AI in healthcare — what to do, in what order, and where most teams stall.

By Steven Cooper · Founder & Editor
Verified May 14, 2026
AI-drafted, human-reviewed

How we build these guides

Sourcing

Adapters pull primary data from the FAA, IRS, OpenStates, DSIRE, NORML, PubMed, Census/BLS/FRED, Google Civic, and Data.gov.

Generation pipeline

Multi-stage AI pipeline: structural outline → long-form draft → cross-family fact-check editor → readability polish → FAQ enrichment. Each stage uses a different model family so factual drift is caught before publish.

Quality gates

Soft gates on word count, citation count, and banned-phrase screening; hard blocks if required sections are missing.

Verification cadence

Pages are re-verified quarterly. verified_at updates on every pass.

Not legal advice. Consult an attorney or CPA for binding guidance.

The Core Compliance Checklist (Do These in Order)

  1. Classify your tool under FDA's SaMD framework. Determine whether your AI product meets the definition of Software as a Medical Device. If it does, identify its risk class (Class I, II, or III). This single decision shapes everything downstream — timeline, cost, and which clinical evidence you need. A 510(k) clearance typically takes 6–12 months and costs $15,000–$100,000+ in preparation fees depending on complexity. If your tool is exempt or falls under clinical decision support exclusions, document that conclusion in writing before proceeding.

  2. Execute a HIPAA risk analysis and Business Associate Agreements. Any AI tool that touches protected health information (PHI) requires a formal security risk analysis under 45 CFR Parts 160 and 164. Every vendor in the data chain needs a signed BAA. Budget 2–6 weeks for a thorough risk analysis; a qualified consultant runs $3,000–$15,000. DIY is possible for small deployments but creates audit exposure if documentation is thin.

  3. Map your state-law obligations. Identify every state where you deploy or where patients are located. Each state adds requirements on top of federal law. California requires CMIA compliance and may require disclosure when patient-facing communications are AI-generated; it also restricts AI-only utilization management denials. Arkansas, Alabama, Alaska, and Arizona currently have no dedicated AI healthcare statutes, but their medical practice acts, data breach notification laws, and professional licensing rules still apply. Document which state frameworks govern your deployment.

  4. Check scope-of-practice and licensing constraints. If your AI tool produces clinical recommendations, confirm with the relevant state medical board whether that output crosses into the practice of medicine. Alabama's Board of Medical Examiners, for example, sets scope-of-practice rules that apply to AI-assisted clinical tools. This step is non-negotiable for diagnostic, prescribing, or treatment-recommendation tools.

  5. Address Section 1557 / algorithmic bias obligations. HHS Office for Civil Rights guidance under Section 1557 of the ACA explicitly covers algorithmic discrimination. If your tool is used in clinical decision-making, document how it was validated across demographic subgroups. This is not theoretical — OCR has signaled enforcement interest.

  6. Build your documentation package. Assemble: FDA classification memo (or clearance), BAAs, security risk analysis, state-law compliance matrix, scope-of-practice review, bias validation records, and any required patient disclosures. California's CPRA and CMIA require specific handling of health data; document your data flows accordingly.

  7. Set a monitoring cadence. Alaska's HCR 3 task force could produce binding legislation in the 2026–2027 session. Arkansas's withdrawn 2025 bills (HB 1816, HB 1297) are likely to return. Arizona and Alabama are both watching federal rulemaking. Schedule a quarterly review of state legislative activity in every jurisdiction where you operate.


How to Pick Your Jurisdiction Lane

Your compliance burden scales directly with where you deploy and what your tool does.

Situation | Primary obligations | Estimated setup time
AI tool, no PHI, no clinical decisions | FTC Act (deceptive claims), state consumer protection | 4–8 weeks
Clinical decision support, PHI, single state (non-CA) | HIPAA, FDA SaMD review, state medical practice act | 3–6 months
Clinical decision support, PHI, California | HIPAA, FDA SaMD, CMIA, CPRA, DMHC utilization rules, disclosure requirements | 6–12 months
Utilization management / prior auth AI, multi-state | HIPAA, FDA, state insurance codes (e.g., Ark. Code Ann. § 23-76), Section 1557 | 9–18 months

California is the hardest single-state lane. The CMIA, CPRA, DMHC guardrails on utilization management, and patient-communication disclosure requirements stack on top of federal law. If you're building for California first, budget for it explicitly — both in legal fees ($10,000–$50,000+ for a full compliance build) and in engineering time to implement disclosure and opt-out workflows.

States like Alabama, Alaska, Arizona, and Arkansas are currently lighter on AI-specific requirements, but that does not mean low-risk. Their existing medical practice and data breach laws still apply, and legislative change in Alaska and Arkansas is likely within 12–24 months.


When to Bring in a Pro vs. DIY

DIY is defensible when:

  • Your tool is clearly excluded from FDA device classification and you can document why
  • You're a single-state provider with no PHI and no clinical output
  • You're updating an existing HIPAA compliance program to add a new vendor BAA

Bring in a regulatory attorney or consultant when:

  • You're pursuing 510(k) clearance or De Novo classification — the submission alone warrants specialized help
  • You're deploying in California and need to navigate CMIA, CPRA, and DMHC rules simultaneously
  • Your tool makes or influences utilization management decisions (insurance coverage, prior auth)
  • You're a vendor selling to health systems in multiple states — your customers' compliance officers will ask for documentation you need to have ready

Regulatory consultants for FDA SaMD submissions typically charge $15,000–$75,000 depending on device class and clinical evidence requirements. Healthcare privacy counsel for a multi-state HIPAA and state-law review runs $5,000–$25,000. These are not optional line items for clinical AI — they're cheaper than a single OCR investigation.


Realistic Timelines

Milestone | Typical range
FDA SaMD classification determination | 2–6 weeks
510(k) clearance (if required) | 6–12 months
HIPAA risk analysis + BAA execution | 3–8 weeks
California CMIA/CPRA compliance build | 2–4 months
Multi-state legal review (4–10 states) | 6–10 weeks
Full compliance package, clinical AI, multi-state | 9–18 months

The 9–18 month range for full multi-state clinical AI compliance is not a worst case — it's the median for teams that start organized. Teams that start with the wrong assumption ("we're just software, not a device") routinely add 6–12 months when they have to restart after the tool is reclassified as a device.


Where Most Teams Stall

1. Misclassifying the tool as non-device. The FDA's SaMD framework has specific exclusions for clinical decision support, but they're narrower than most developers assume. If your tool analyzes patient-specific data to support a clinical decision, get the classification question answered in writing before you build your compliance plan around an exemption.

2. Treating HIPAA as a checkbox. A signed BAA is not a risk analysis. OCR expects documented evidence that you identified risks, implemented safeguards, and reviewed them. Thin documentation is the most common finding in HIPAA audits.

3. Ignoring state medical board scope-of-practice rules. Alabama, Alaska, Arizona, and Arkansas all have medical practice acts that apply to AI-assisted clinical tools. Deploying a diagnostic AI without confirming it doesn't constitute unlicensed practice of medicine in the deployment state is a real exposure — not a theoretical one.

4. Waiting for a comprehensive AI law. No state in this group has enacted a standalone AI healthcare statute. Arkansas's 2025 bills were withdrawn; Alaska's task force hasn't reported. Waiting for clarity that isn't coming means operating under existing law without having documented compliance with it. Existing law applies now.

5. Skipping the bias documentation step. Section 1557 algorithmic discrimination guidance is active federal policy. If you can't produce demographic validation data for a clinical AI tool, you're exposed in any OCR inquiry — regardless of which state you're in.
