"AI in medicine" covers an enormous range of products — from ambient documentation tools that transcribe clinical notes to algorithms that flag intracranial hemorrhage on CT scans. These are not regulated the same way, and understanding which regulatory bucket a given tool falls into is the first thing any evaluator needs to establish.
The U.S. framework is built around one central question: does the software meet the definition of a medical device under the Federal Food, Drug, and Cosmetic Act? If yes, it falls under FDA oversight. If no — and many AI tools in healthcare do not — it may still face requirements from ONC, CMS, or state-level rules, but it is not subject to FDA premarket review.
The Device / Non-Device Line
The 21st Century Cures Act (2016) carved out several software categories from the medical device definition. Administrative tools, general wellness apps, and software that only helps clinicians retrieve or display information are explicitly excluded. What remains inside the device boundary is software that is intended to diagnose, treat, mitigate, cure, or prevent a disease or condition — or that analyzes patient-specific data to inform a clinical decision.
In practice, the line is not always obvious. An AI tool that flags sepsis risk in an ICU workflow is almost certainly a Software as a Medical Device (SaMD). A large language model that drafts discharge summaries is almost certainly not — unless it is making clinical recommendations rather than generating text for physician review. The FDA's 2019 discussion paper on AI/ML-based SaMD and subsequent guidance documents have tried to clarify this, but edge cases remain contested.
FDA Clearance Pathways for AI Medical Devices
Three pathways exist for AI-enabled devices to reach the U.S. market under FDA oversight. Which pathway applies depends on the device's risk classification and whether a predicate device exists.
| Pathway | Risk Class | Predicate Required | Typical Review Time | Common AI Applications |
|---|---|---|---|---|
| 510(k) | Class II | Yes | 3–12 months | Radiology triage, ECG analysis, retinal screening |
| De Novo | Class II (novel) | No | 12–24 months | First-of-type AI diagnostics, novel SaMD categories |
| PMA | Class III | No | 1–3 years | High-risk autonomous diagnostic AI, implant-adjacent software |
The overwhelming majority of AI devices cleared to date have gone through 510(k). As of early 2026, the FDA's publicly maintained list of AI/ML-enabled devices includes over 950 authorized products, with radiology accounting for the largest share by specialty. De Novo has been used for genuinely novel AI categories — including some of the early autonomous diabetic retinopathy screening tools — and creates a new regulatory classification that later 510(k) submissions can use as a predicate.
The Predetermined Change Control Plan
One of the most practically significant regulatory developments for AI in medicine is the Predetermined Change Control Plan (PCCP). Traditional medical device regulation assumes a fixed product — you clear a device, and any modification that could affect safety or effectiveness requires a new submission. That model does not fit adaptive AI systems that retrain on new data or update their algorithms over time.
The FDA finalized guidance on PCCPs in December 2024. A PCCP allows a manufacturer to describe, at the time of initial submission, the types of modifications they anticipate making and the performance testing protocol they will follow before implementing each change. If the PCCP is approved as part of the original authorization, the manufacturer can make those pre-specified modifications without filing a new 510(k) — as long as they follow the approved protocol.
ONC and the Information Blocking Rule
The Office of the National Coordinator for Health Information Technology (ONC) does not regulate AI devices directly, but its rules shape the data infrastructure that AI systems depend on. The Information Blocking Rule, which became enforceable in April 2021, prohibits practices that interfere with the access, exchange, or use of electronic health information — with exceptions for privacy, security, and certain operational constraints.
For AI deployment, this matters in two ways. First, health systems cannot contractually restrict a patient or provider from accessing data that an AI system used to generate a recommendation — at least not without a recognized exception. Second, EHR vendors who restrict API access in ways that disadvantage competing AI tools may face information blocking scrutiny.
ONC's 2024 HTI-1 final rule added requirements for decision support interventions — specifically, a subset called Predictive Decision Support Interventions (PDSIs). Health IT developers must now provide source attributes for PDSIs: the intervention's purpose, the funding source of any studies supporting it, and whether the intervention has been externally validated. This is a transparency requirement, not a performance standard, but it creates a disclosure obligation that previously did not exist.
CMS Coverage and Payment
FDA clearance does not automatically result in Medicare or Medicaid reimbursement. The Centers for Medicare & Medicaid Services (CMS) makes separate coverage and payment determinations, and for AI tools, the pathway from clearance to billable service has historically been slow and inconsistent.
CMS established CPT codes for several AI-based services — including some autonomous retinal imaging analysis and certain cardiac AI applications — but coverage varies by payer and geography. The broader question of how to value AI-assisted clinical work (does the AI replace a service, augment it, or create a new billable activity?) remains unresolved in most specialties.
The Transitional Coverage for Emerging Technologies (TCET) pathway, which CMS finalized in 2024, is relevant here. TCET allows certain breakthrough-designated devices — including some AI/ML-enabled devices — to receive Medicare coverage during a period of evidence development. The evidence generation requirement is explicit: coverage is conditional on the manufacturer conducting studies that will inform a future National Coverage Determination.
Algorithmic Bias and Transparency Requirements
No single federal rule currently mandates algorithmic bias audits for AI medical devices, but the regulatory environment has been moving toward transparency requirements from multiple directions.
- The FDA's AI/ML action plan (2021) identified transparency and real-world performance monitoring as priorities, and subsequent draft guidances have included recommendations for demographic subgroup performance reporting in premarket submissions.
- ONC's HTI-1 PDSI source attribute requirements include disclosing whether an AI tool has been tested on populations representative of the intended use setting — a soft transparency requirement rather than a performance mandate.
- HHS Office for Civil Rights has signaled interest in applying Section 1557 non-discrimination provisions to AI-assisted clinical decision support, though formal rulemaking on this specific application remained pending as of Q2 2026.
- Several states — including California, Colorado, and New York — have passed or proposed legislation requiring bias audits for automated employment and credit decisions, with healthcare-adjacent provisions that may extend to clinical AI in those jurisdictions.
What the Current Framework Does Not Cover
Several categories of AI in medicine sit outside or at the edges of the current regulatory framework, and understanding these gaps matters for anyone evaluating a tool's actual oversight status.
| AI Application Type | FDA Device? | Primary Oversight Mechanism | Known Gap |
|---|---|---|---|
| Autonomous diagnostic SaMD (e.g., retinal AI) | Yes | 510(k) / De Novo / PMA | Post-market performance monitoring not systematically required |
| Clinical decision support (non-autonomous) | Generally no | ONC HTI-1 PDSI transparency | No performance standard; disclosure only |
| Ambient AI documentation / scribes | No | None at federal level | No regulatory oversight of clinical accuracy |
| Generative AI for clinical summarization | No (typically) | None at federal level | Hallucination risk unaddressed by any current rule |
| Prior authorization AI (payer-side) | No | CMS proposed rules on improper denials | Rulemaking incomplete; enforcement limited |
| Drug discovery AI (pre-clinical) | No | Standard drug development pathway applies to resulting drug | AI model itself not reviewed |
The ambient AI documentation category is worth flagging specifically. AI scribes — tools that listen to clinical encounters and generate structured notes — have seen rapid adoption across health systems. None of these tools are classified as medical devices, none require FDA clearance, and no federal rule currently mandates accuracy testing, bias auditing, or incident reporting for them. The clinical risk is real: an inaccurate note can propagate errors through a patient's record. The regulatory gap is equally real.
How These Pieces Fit Together for Evaluators
Evaluating an AI tool in a clinical setting requires moving across all of these frameworks simultaneously. A tool may be FDA-cleared (check the authorization record), covered by CMS (check the applicable CPT codes and LCDs), subject to ONC transparency requirements (check whether it qualifies as a PDSI under HTI-1), and still carry algorithmic bias risk that none of these frameworks directly address.
The verification task is not just "is this cleared?" It is: cleared for what intended use, on what patient population, validated externally or internally only, with what post-market evidence, and subject to what ongoing reporting obligations. Each of those questions has a different answer source — FDA submission database, published literature, ONC certification records, CMS coverage determinations — and none of them are consolidated in a single place.
Discussion
Commentary from compliance officers, policy professionals, and legal counsel is welcome. For formal corrections or regulatory updates, use the contact page.
Comments
Join the discussion with an anonymous comment.