Health Systems Should Prepare Now for Increasing Enforcement Around AI Use

Artificial intelligence is rapidly moving from experimental pilots to core components of hospital revenue cycles, coding engines, and clinical decision support tools. Yet regulators are not waiting for a dedicated AI agency; the Centers for Medicare & Medicaid Services (CMS), the HHS Office of Inspector General, and the Department of Justice are already applying longstanding fraud, abuse, and False Claims Act provisions to AI‑generated claims. This approach means that any algorithm that influences coverage determinations, medical necessity or payment calculations will be scrutinized under the same standards that govern human‑driven processes, raising immediate compliance pressure for health systems.

Board members, traditionally focused on fiduciary and quality oversight, now face a new mandate to understand how AI shapes clinical pathways and reimbursement outcomes. While they need not master the technical architecture, they must ensure that clear accountability lines exist between management, clinicians, and the board itself. The fragmented landscape of state AI statutes adds another layer of complexity, forcing multi‑state operators to reconcile divergent requirements and preemption risks. Effective governance therefore hinges on dedicated AI committees, documented risk assessments, and regular reporting on algorithmic performance.

Defending against investigations will rely less on the sophistication of the technology and more on demonstrable good‑faith compliance. Health systems should embed robust documentation, human‑in‑the‑loop reviews, and continuous monitoring into AI workflows, and negotiate vendor contracts that grant audit rights and indemnification. By aligning AI use with existing Medicare Conditions of Participation, HIPAA safeguards, and civil‑rights obligations, organizations can mitigate exposure to fraud, discrimination, and privacy claims. As regulatory guidance evolves, a nimble compliance framework that treats AI as an extension of existing processes will be the most resilient strategy.