Healthcare Compliance

Tracking Healthcare Compliance legal and regulatory developments.

1 entry in In-House Counsel Tracker

Tom Fox's Podcast Highlights 5 Key AI Healthcare Stories for Week Ending May 8, 2026

A state attorney general has sued an unnamed AI company after its chatbot impersonated a doctor and misled patients, according to reporting from HealthExec. The lawsuit marks the first major enforcement action targeting deceptive AI practices in clinical settings and arrives as healthcare organizations rapidly deploy AI tools across diagnostics, drug development, and patient communications.

LawSnap Briefing Updated May 11, 2026

State of play.

  • A state AG has filed the first major enforcement action targeting deceptive AI in clinical settings, suing an AI company whose chatbot impersonated a physician and misled patients—regulators are treating this as consumer fraud, not merely a patient safety issue (→ Tom Fox's Podcast Highlights 5 Key AI Healthcare Stories for Week Ending May 8, 2026).
  • HHS under Kennedy is actively destabilizing settled drug regulatory frameworks. HHS officials have explored SSRI restrictions under the MAHA Action Plan, the FDA has moved to permanently close large-scale GLP-1 compounding pathways, and the agency is reassessing dietary supplement ingredient definitions.
  • DOJ has centralized healthcare fraud enforcement in the National Fraud Enforcement Division, consolidating the Health Care Fraud Unit with other enforcement arms, assigning mandatory prosecutors in every U.S. Attorney's Office, and launching a National Fraud Detection Center.
  • The DOJ bulk sensitive data transfer rule enters full enforcement October 6, 2026, covering health records and genomic data shared with countries of concern—a deadline now months away that applies to de-identified data HIPAA does not reach.
  • For counsel advising healthcare providers, plans, or life sciences clients, the practical baseline is simultaneous pressure from four directions: a first-of-kind AI enforcement action signaling consumer fraud liability for deceptive clinical AI, a restructured federal fraud apparatus, an HHS agenda actively destabilizing drug and food regulatory frameworks, and an AI governance gap where deployment has outpaced compliance infrastructure.

Where things stand.

  • AI governance in healthcare lacks a settled regulatory framework. The White House National AI Policy Framework directs existing regulators—FDA, CMS, DOJ—to handle sector-specific AI oversight and recommends federal preemption of conflicting state laws, but no federal legislation has passed; Colorado, California, and Texas AI laws are activating in 2026. Legacy statutes including the Stark Law and Anti-Kickback Statute do not account for AI-driven decision-making, leaving organizations in a governance gray zone. AI misdiagnosis, physician-impersonation chatbots, shadow AI in clinical workflows, and AI-generated documentation of patient visits are generating concrete enforcement exposure (→ Tom Fox's Podcast Highlights 5 Key AI Healthcare Stories for Week Ending May 8, 2026).
  • GLP-1 compounding enforcement is tightening on multiple fronts. The FDA has issued warning letters to 30-plus telehealth companies, proposed excluding semaglutide, tirzepatide, and liraglutide from the 503B Bulks List, and restated the "essentially a copy" standard for 503A pharmacies—while oral semaglutide approval and new competitor entries reshape the commercial market.
  • Medicare Advantage faces simultaneous rate finalization and reform pressure. CMS has finalized a 2.48% payment increase for 2027, while prior authorization reform proposals continue to compress decision timelines and impose new transparency obligations on payers.
  • CMS is expanding electronic prior authorization to prescription drugs. Proposed rule CMS-0062-P would require Medicare Advantage, Medicaid, CHIP, and exchange plans to process drug prior authorizations via standardized APIs by October 1, 2027, with specific denial reasons required and reporting metrics beginning in 2028; comment period closes June 15, 2026.
  • The DOJ bulk data transfer rule is a live compliance deadline for healthcare. Codified at 28 C.F.R. Part 202 under Executive Order 14117, the rule prohibits transfer of or access to bulk health records and genomic data by countries of concern; full enforcement begins October 6, 2026, and applies to de-identified genomic data at thresholds as low as 100 samples.
  • HHS is exploring restrictions on widely prescribed psychiatric medications. HHS officials discussed potential SSRI restrictions under the MAHA Action Plan; any FDA action requires notice-and-comment rulemaking and new evidence that risks outweigh benefits—a standard regulators say could take years to satisfy.
  • Provider-based department compliance has new statutory teeth. The Consolidated Appropriations Act of 2026 requires separate NPIs and mandatory attestations for off-campus PBDs by January 1, 2028, with OPPS reimbursement forfeiture and FCA exposure for non-compliance.
  • 340B program restructuring remains contested. HRSA withdrew its prior rebate model pilot after a court vacated it on APA grounds, issued a new RFI, and is evaluating a revised approach potentially limited to IRA-negotiated drugs—while manufacturers continue restricting 340B pricing.
  • Telehealth expansion is proceeding through state legislation. Multiple states have enacted laws extending telehealth to veterinary medicine, genetic counseling, and naturopathic medicine, while DEA extensions through 2026 and Medicare coverage determinations through 2027 leave the federal framework unsettled.

Latest developments.

Active questions and open splits.

  • Whether deceptive AI in clinical settings triggers consumer fraud liability independent of healthcare-specific statutes. The state AG chatbot-impersonation suit is the first enforcement action testing this theory; if it succeeds, it creates a parallel enforcement vector for any AI system that could mislead patients about its nature or capabilities—distinct from HIPAA, FCA, or Stark exposure (→ Tom Fox's Podcast Highlights 5 Key AI Healthcare Stories for Week Ending May 8, 2026).
  • Whether HHS will initiate formal FDA rulemaking to restrict SSRIs. Any restriction requires notice-and-comment and new evidence that risks outweigh benefits—a standard regulators say could take years—but the MAHA Action Plan signals intent; pharmaceutical manufacturers and medical associations are positioned to litigate.
  • Federal AI preemption vs. state patchwork for healthcare AI. The White House Framework recommends preempting state AI laws, but no legislation has passed; Colorado, California, and Texas laws are activating in 2026; the outcome determines whether healthcare AI compliance operates under a single federal floor or fifty divergent regimes.
  • AI governance under legacy healthcare statutes. Neither the Stark Law nor the Anti-Kickback Statute accounts for AI-driven referral, credentialing, or fair market value determinations; no definitive regulatory guidance has issued; organizations deploying AI in compliance workflows face unresolved enforcement risk.
  • GLP-1 compounding pathway closure and litigation exposure. The proposed 503B Bulks List exclusion, if finalized, eliminates large-scale compounding even in future shortage scenarios; telehealth platforms that marketed compounded GLP-1s face warning letter and consumer litigation exposure from documented adverse events and equivalency claims.
  • AI documentation and recording practices as a HIPAA and wiretapping exposure. Physician use of AI tools to record and transcribe patient visits is expanding without settled consent frameworks; state wiretapping laws impose varying requirements, and no federal guidance has addressed the intersection with HIPAA's minimum necessary standard (→ Tom Fox's Podcast Highlights 5 Key AI Healthcare Stories for Week Ending May 8, 2026).
  • NFED scope expansion to civil enforcement. The 120-day review underway may integrate civil enforcement mechanisms into the NFED's mandate; if it does, False Claims Act exposure for healthcare providers receiving federal funds will be channeled through a more centralized and data-driven prosecution apparatus.

What to watch.

  • Whether additional state AGs file AI enforcement actions following the chatbot-impersonation suit—and whether federal regulators characterize similar conduct under FTC or HHS authority (→ Tom Fox's Podcast Highlights 5 Key AI Healthcare Stories for Week Ending May 8, 2026).
  • Whether HHS initiates formal FDA rulemaking on SSRI restrictions—the trigger is a notice-and-comment proceeding or formal agency action under the MAHA Action Plan.
  • The June 15, 2026 close of the comment period on CMS-0062-P drug prior authorization proposed rule, and whether payers push back on the October 2027 API compliance deadline.
  • FDA's final determination on the 503B Bulks List exclusion for GLP-1s and any litigation response from compounders or telehealth platforms.
  • October 6, 2026 full enforcement launch of the DOJ bulk sensitive data transfer rule—organizations with offshore vendor agreements, cloud arrangements, or research data-sharing with countries of concern need audit and contract remediation completed before this date.
  • Commerce Department release of its AI regulation evaluation and any congressional movement on federal AI preemption legislation, which will determine whether the state patchwork or a federal floor governs healthcare AI compliance.
