Top 5 Common Mistakes AI in Healthcare Applicants Make
The five errors that most often cost AI in healthcare applicants time, money, or rejection, and how to avoid each.
AI-drafted, human-reviewed
How we build these guides
Sourcing
Adapters pull primary data from the FAA, IRS, OpenStates, DSIRE, NORML, PubMed, Census/BLS/FRED, Google Civic, and Data.gov.
Generation pipeline
Multi-stage AI pipeline: structural outline → long-form draft → cross-family fact-check editor → readability polish → FAQ enrichment. Each stage uses a different model family so factual drift is caught before publish.
Quality gates
Soft gates on word count, citation count, and banned-phrase screening; hard blocks if required sections are missing.
Verification cadence
Pages are re-verified quarterly. verified_at updates on every pass.
Not legal advice. Consult an attorney or CPA for binding guidance.
Mistake 1: Assuming "No AI Law" Means No Compliance Obligations
What people do wrong: A vendor or provider checks whether their state has a dedicated AI healthcare statute, finds nothing, and concludes they can deploy freely. Alabama, Alaska, Arizona, and Arkansas all have zero standalone AI healthcare laws as of mid-2025. Applicants in those states routinely skip structured compliance reviews as a result.
Why it costs you: Every one of those states has existing medical practice acts, data breach notification statutes, and professional licensing rules that apply to AI tools by extension — even though the word "AI" never appears in the text. In Alabama, the Medical Practice Act (Ala. Code Title 34) and the Alabama Board of Medical Examiners scope-of-practice rules govern whether an AI recommendation constitutes the unlicensed practice of medicine. In Arkansas, the Medical Records Act (Ark. Code Ann. § 20-9-301 et seq.) means AI-generated chart entries carry the same accuracy and retention obligations as human-authored ones. Discovering this after deployment means retrofitting documentation, renegotiating vendor contracts, and potentially suspending the tool — a process that typically runs 3–6 months and $50,000–$250,000 in remediation costs for a mid-size provider.
The fix:
- Map your AI tool against the three-layer framework that applies in every state, dedicated AI law or not: (a) state medical practice, telehealth, and medical records acts, (b) federal FDA SaMD rules and HIPAA, (c) federal civil rights rules under ACA Section 1557.
- Pull the relevant state board's scope-of-practice guidance before go-live, not after.
- Document that mapping. If a regulator asks, you need to show the analysis existed before deployment.
Mistake 2: Skipping or Mis-Scoping the Business Associate Agreement
What people do wrong: Applicants either skip the Business Associate Agreement (BAA) entirely or execute a template BAA that doesn't specifically address how the AI tool processes, stores, or transmits protected health information (PHI). This is endemic across all five states reviewed — HIPAA (45 CFR Parts 160 and 164) applies uniformly regardless of whether the state has its own AI rule.
Why it costs you: An AI diagnostic or administrative tool that touches PHI without a compliant BAA is itself a HIPAA violation, and every disclosure of PHI to that vendor is potentially a separately counted impermissible disclosure. HHS Office for Civil Rights civil penalties are tiered by culpability, historically from $100 to $50,000 per violation with annual caps of up to roughly $1.9 million per violation category; the amounts are adjusted for inflation, so check the current OCR schedule rather than relying on these figures. Beyond fines, a corrective action plan typically requires 1–3 years of monitored compliance, during which your AI deployment may be frozen. In California, you face a second layer: the Confidentiality of Medical Information Act (CMIA, California Civil Code §§ 56–56.37) reaches providers, health plans, their contractors, and businesses that offer software or hardware to maintain medical information, so it can apply to an AI system that processes or infers health data, with its own civil penalties and a private right of action on top of federal sanctions.
The fix:
- Treat every AI vendor that touches PHI as a business associate. Do not rely on a "de-identified" label unless you have a documented de-identification under 45 CFR § 164.514(b), either Safe Harbor (all 18 enumerated identifiers removed) or Expert Determination; free-text notes and images fed to a model rarely meet Safe Harbor without explicit scrubbing.
- Require the BAA to specifically enumerate the AI tool's data flows: what PHI it ingests, whether any PHI is retained to train or fine-tune the model, where prompts, logs, and model outputs are stored and for how long, who has access, and which subcontractors (cloud hosts, model API providers) receive PHI. Each of those subcontractors needs its own downstream BAA under 45 CFR § 164.502(e), and the business associate's breach-notification deadline under 45 CFR § 164.410 (no later than 60 days) should be tightened contractually so it fits inside your own 60-day clock for notifying individuals.
- In California, run a parallel CMIA review. The exemptions are narrow; assume the statute applies until your counsel confirms otherwise.
Mistake 3: Ignoring FDA Software as a Medical Device Classification
What people do wrong: Health tech vendors and hospital IT teams assume FDA oversight is only for hardware. They deploy AI clinical decision-support tools — imaging analysis, sepsis prediction, diagnostic triage — without checking whether the tool meets the FDA's Software as a Medical Device (SaMD) definition, which would require premarket clearance or approval.
Why it costs you: The FDA's SaMD framework and its January 2021 AI/ML-Based Software as a Medical Device Action Plan apply in every state, including Alabama, Alaska, Arizona, Arkansas, and California. Deploying an uncleared device exposes the vendor to FDA warning letters, mandatory recalls, and injunctions. For a hospital, using an uncleared device in patient care creates liability exposure and potential exclusion from Medicare/Medicaid programs. The premarket process itself, a 510(k) submission for most moderate-risk AI tools (De Novo or PMA where no predicate device exists or the risk is higher), typically takes 6–12 months and costs $30,000–$200,000 in preparation and filing fees, depending on tool complexity. Starting that process after a warning letter adds enforcement response costs of $100,000+ on top.
The fix:
- Use the FDA's published decision framework to classify your tool before development is complete, not at launch.
- If your AI tool only "informs" clinical decisions rather than driving them autonomously, it may qualify as non-device Clinical Decision Support under section 3060 of the 21st Century Cures Act (21 U.S.C. § 360j(o)(1)(E)). The exemption has four cumulative criteria: the software must not acquire, process, or analyze medical images or signals from an in vitro diagnostic or signal acquisition system; must display, analyze, or print medical information; must support or provide recommendations to a clinician rather than replace the clinician's judgment; and must let the clinician independently review the basis for the recommendation. FDA's September 2022 CDS guidance reads these narrowly: imaging analysis fails the first criterion outright, and time-critical alerts such as sepsis prediction generally fail the third or fourth. That determination requires a documented criterion-by-criterion analysis, not an assumption.
- Build FDA classification review into your product roadmap at the design stage. Retrofitting regulatory strategy is always more expensive than building it in.
Mistake 4: Missing State-Specific Utilization Management and Disclosure Rules
What people do wrong: Applicants focus entirely on data privacy and device regulation, overlooking state-level rules that govern how AI can be used in specific clinical workflows — particularly utilization management (prior authorization) and patient-facing communications.
Why it costs you: California is the clearest example. Two 2024 bills, both effective January 1, 2025, address these areas: SB 1120 requires that a licensed physician or other qualified professional, not an algorithm alone, make medical-necessity determinations in utilization review, so AI may inform but cannot be the sole basis for a denial; and AB 3030 requires patient-facing clinical communications generated by AI to carry a disclosure and instructions for reaching a human provider unless a licensed provider reviews them first. The Department of Managed Health Care (DMHC) has enforcement authority over health plans, and violations can trigger plan-level sanctions. A health plan that automates prior authorization denials through AI without licensed clinician review is exposed to DMHC enforcement action and potential class litigation, costs that can reach seven figures before settlement. Arkansas's withdrawn HB 1816 (pulled April 2025) would have imposed similar human-oversight requirements; its sponsors can reintroduce it, and the legislative intent is already on record.
The fix:
- For California health plans: contact the DMHC directly for current utilization management AI guidance before deploying any automated denial workflow.
- For patient-facing AI tools in California: build disclosure language and a human escalation pathway into the product architecture now — retrofitting UI is cheaper than an enforcement response.
- For Arkansas, Alaska, and other states with pending or withdrawn bills: monitor the next legislative session actively. Withdrawn bills (like Arkansas HB 1816 and HB 1297) frequently return in revised form. Subscribe to OpenStates alerts for your target states.
Mistake 5: Treating Compliance as a One-Time Filing Instead of a Monitoring Program
What people do wrong: Applicants complete their initial compliance review, execute their BAA, confirm FDA classification, and then move on. They treat regulatory compliance as a project with an end date rather than an ongoing operational function.
Why it costs you: The AI healthcare regulatory environment is changing faster than almost any other sector. Alaska's HCR 3 (34th Legislature) proposes a Joint Legislative Task Force on Artificial Intelligence whose findings could produce binding legislation in the 2026–2027 session. Arizona's regulatory landscape is described as likely to change within 12–24 months. Arkansas's 2026 legislative session could revive the withdrawn 2025 bills. California's automated decision-making technology rules under the CPRA are still being refined. An organization that locked in its compliance posture in early 2025 and hasn't reviewed it since will be out of compliance before the year is out, with no documented evidence that it tried to keep pace. Enforcement agencies treat documented good-faith monitoring as a mitigating factor: since the 2021 HITECH amendment (Pub. L. 116-321), HHS OCR must consider whether a regulated entity had recognized security practices in place for the preceding 12 months when setting HIPAA penalties. Silence is treated as indifference.
The fix:
| Action | Frequency | Owner |
|---|---|---|
| State legislative monitoring (OpenStates + state agency feeds) | Monthly | Compliance or legal |
| HIPAA security risk analysis review | Annual minimum | Privacy officer |
| FDA SaMD classification re-check after feature changes | At each material update | Product + regulatory |
| BAA and vendor contract review | Annual | Legal |
| Audit-log and access review for PHI the AI tool handles (45 CFR § 164.312(b)) | Quarterly | Security officer |
| California DMHC / CDPH guidance check | Quarterly | Compliance |
Assign a named owner to each item. A compliance calendar with no owner is not a compliance program — it's a document that will be ignored until something goes wrong.