The regulatory picture for artificial intelligence and health in the United States has grown considerably more structured since 2021, but it remains a patchwork. FDA's Center for Devices and Radiological Health (CDRH) holds primary jurisdiction over AI that functions as a medical device. ONC, CMS, and HHS each govern adjacent territory — clinical decision support software, payer-facing automation, and health data infrastructure — and the boundaries between these domains are not always clean.
This entry traces the major instruments that define how AI/ML systems are authorized, updated, and monitored in U.S. healthcare settings, with attention to what each document actually requires versus what it only recommends.
FDA's Core Framework for AI/ML as a Medical Device
FDA's foundational position on AI/ML-based Software as a Medical Device (SaMD) was laid out in its 2021 action plan, which acknowledged that the traditional premarket review model — submit once, get cleared, deploy — does not fit adaptive algorithms that may change behavior after authorization. That tension has driven most of the subsequent guidance activity.
Predetermined Change Control Plans (PCCPs)
The Predetermined Change Control Plan framework, finalized in 2024, is the primary mechanism FDA uses to allow manufacturers to update AI/ML device functions post-clearance without submitting a new 510(k) for each modification. A PCCP must describe: the specific types of modifications anticipated, the methodology for implementing those changes, and the performance standards the modified device must meet before deployment.
The practical constraint is that PCCPs require manufacturers to define modification boundaries at the time of original submission. Changes outside those boundaries still require a new premarket submission. This creates an incentive to write broad PCCPs, which FDA reviewers have pushed back on when the proposed modification scope is vague.
Transparency and Labeling Requirements
FDA's draft guidance on transparency for AI/ML-enabled devices, issued in 2023 and updated in 2025, specifies what manufacturers must disclose to users and patients. Required disclosures include: the intended use and indications for use, the training data characteristics including known demographic composition, performance metrics with confidence intervals, and the conditions under which the device was validated.
The 2025 update added a requirement that labeling explicitly state whether the device was validated on data from the intended deployment setting or on data collected elsewhere. This is a direct response to documented performance gaps when imaging AI trained on academic medical center data was deployed in community hospital environments.
The 2024 AI/ML Action Plan Update
CDRH released a revised AI/ML action plan in late 2024 that formalized several commitments: expanding the use of real-world performance monitoring as a post-market condition for certain cleared devices, developing specialty-specific performance benchmarks in coordination with clinical professional societies, and creating a public-facing database of authorized AI devices with their performance characteristics.
The public database commitment has moved slowly. As of Q2 2026, the FDA's existing 510(k) and De Novo databases remain the primary public record, and the AI-specific searchable layer that was proposed has not been fully implemented.
How the Major Regulatory Instruments Compare
The following table maps the primary regulatory instruments affecting AI in health settings to their issuing body, what they govern, and their current status.
| Instrument | Issuing Body | Scope | Status (Q2 2026) |
|---|---|---|---|
| PCCP Final Guidance | FDA CDRH | Post-market algorithm modifications for cleared AI/ML devices | Final — effective 2024 |
| AI/ML Transparency Guidance | FDA CDRH | Labeling and disclosure requirements for AI/ML SaMD | Updated draft — 2025 comment period closed |
| Clinical Decision Support (CDS) Final Guidance | FDA CDRH | Defines which CDS software is/is not a medical device | Final — effective 2022; under review for AI-specific updates |
| 21st Century Cures Act — CDS Provisions | ONC / HHS | Non-device CDS software; interoperability and information blocking | Implemented; ONC rulemaking ongoing for AI-specific provisions |
| CMS Prior Authorization AI Rules | CMS | Use of AI in payer prior authorization workflows | Final rule effective 2024; enforcement active |
| HTI-1 / HTI-2 Rules | ONC | Health data interoperability including AI-generated content in EHRs | HTI-1 final; HTI-2 in proposed rulemaking as of Q1 2026 |
ONC and the Non-Device AI Boundary
Not all AI in healthcare is a medical device. The 21st Century Cures Act created a category of clinical decision support software that is explicitly excluded from FDA device regulation — but the line between excluded CDS and regulated SaMD is not always obvious in practice.
Under the 2022 CDS final guidance, software falls outside FDA's device definition if it: displays, analyzes, or prints medical information that a clinician can independently review; does not acquire, process, or analyze a medical image or signal; and does not make treatment recommendations for individual patients without clinician review. An AI tool that summarizes patient history for a physician to review is likely excluded. One that generates a differential diagnosis and prioritizes it for clinical action is likely regulated.
ONC's Health Data, Technology, and Interoperability (HTI) rulemaking has introduced requirements for certified health IT that include AI and algorithmic transparency provisions. HTI-1, finalized in 2024, requires that certain certified EHR technology disclose when AI-generated content appears in clinical workflows and provide information about the source and basis of that content. HTI-2 is expected to extend these requirements further, though the proposed rule text was still under public comment as of early 2026.
CMS and Payer-Facing AI Regulation
CMS finalized rules in 2024 requiring Medicare Advantage plans and Medicaid managed care organizations to disclose when AI is used in prior authorization decisions. The rules also prohibit AI systems from denying coverage based on criteria that would not be permitted if applied by a human reviewer.
These provisions have produced the first documented enforcement actions specifically targeting AI-assisted prior authorization denials. At least two major payers received CMS compliance notices in late 2025 related to algorithmic denial rates that exceeded what human reviewers would have produced under the same clinical criteria.
What the Current Framework Does Not Cover
Several significant gaps remain in the current regulatory structure, and they matter for anyone evaluating an AI tool for clinical or operational deployment.
- Post-market performance monitoring: FDA has authority to require post-market surveillance as a condition of clearance, but systematic real-world performance monitoring is not yet a routine requirement for most cleared AI devices. The PCCP framework addresses update control, not ongoing performance tracking.
- Algorithmic bias auditing: No current federal rule mandates independent third-party audits of AI systems for demographic performance disparities before or after deployment. FDA guidance recommends disaggregated performance reporting, but the standard is not uniformly enforced.
- Generative AI in clinical documentation: AI scribe tools that generate clinical notes are currently treated as non-device CDS in most configurations. There is no specific FDA guidance on hallucination risk disclosure for ambient documentation AI, though ONC's HTI framework addresses disclosure obligations for AI-generated EHR content.
- Foundation models as regulated components: When a cleared medical AI device is built on top of a general-purpose foundation model (e.g., a large language model), it is unclear how FDA would treat updates to the underlying model that are not reflected in the device's PCCP. This question has not been resolved in published guidance.
Regulatory Tracing: How to Verify a Device's Authorization Status
For professionals who need to verify whether a specific AI tool is actually cleared — and for what indication — the authoritative source is the FDA's 510(k) database, De Novo database, or PMA database, depending on the clearance pathway. Vendor marketing materials, press releases, and third-party review sites are not authoritative.
The submission number (formatted as K-number for 510(k), DEN-number for De Novo, or P-number for PMA) is the primary lookup key. Each authorized device record includes the intended use statement, the predicate device cited (for 510(k) submissions), and the decision summary. The decision summary is often the most useful document for understanding what evidence FDA reviewed and what limitations were noted.
Open Regulatory Questions as of Q2 2026
Several questions remain genuinely open at the federal level, with active rulemaking or inter-agency deliberation underway.
- How will FDA treat AI devices that incorporate continuously learning components that update between cleared PCCP checkpoints? The current framework assumes discrete, documented updates — not continuous online learning.
- Will ONC's HTI-2 rule require disclosure of the specific AI model or vendor when AI-generated content appears in certified EHR systems, or only that AI was used? The distinction matters for clinical accountability.
- How will CMS treat AI-assisted utilization management tools that operate below the prior authorization threshold — such as AI that flags cases for human review rather than issuing automated denials? The 2024 rules addressed denial automation; the adjacent territory is less defined.
- What, if any, federal standard will govern algorithmic bias testing for AI used in clinical settings? HHS has published equity-focused guidance, but no binding bias audit requirement has been finalized.