Tags: HIPAA, Healthcare AI, Section 1557, Compliance, Healthcare, AI Regulation, AI Policy

85% of Epic Customers Are Running AI. How Many Are Section 1557 Compliant?

Healthcare AI deployment is years ahead of its compliance posture. Section 1557's nondiscrimination mandate is enforceable now. The HIPAA Security Rule rewrite adds AI tools to risk analysis requirements. Here's what the gap looks like — and what closing it actually requires.

May 18, 2026

AI moved into clinical workflows faster than any previous health IT adoption cycle. The majority of major health systems are already running generative AI features through their EHR platform — tools for nursing documentation, ambient charting, and patient billing queries. That's not a pilot. That's infrastructure.

A small minority of hospitals have a formal AI governance framework, per benchmarking against the NIST AI Risk Management Framework. The gap between deployment and governance isn't a gap in intention — it's a gap in urgency. Until recently, there was no hard deadline forcing the issue.

There are now two.

What Section 1557 Actually Requires

Section 1557 of the Affordable Care Act prohibits discrimination in health programs receiving federal financial assistance. HHS extended that mandate explicitly to AI-assisted clinical decision support in its Section 1557 final rule. Under that rule, the obligations are fully enforceable.

For any covered entity using AI in patient-facing care decisions, the requirements are specific:

  • Tool inventory — identify every AI system that influences clinical or administrative decisions affecting patients
  • Bias audit — evaluate tools for disparate impact across race, sex, disability, and age
  • Staff training — documented training that clinicians understand tool limitations and override pathways
  • Human override — patients must have access to a human decision-maker for any AI-influenced determination
  • Patient disclosure — covered entities must disclose when AI is used in significant care decisions

These are active compliance obligations, not aspirational guidelines. A covered entity running EHR-embedded AI features without a documented governance posture is already out of compliance.

HIPAA Security Rule: AI Enters the Risk Analysis Requirement

The first major Security Rule update in over a decade was filed in January 2025. The NPRM explicitly brings AI tools into scope for security risk analysis — the longstanding requirement that covered entities identify, assess, and document risks to electronic protected health information. OCR's January 2025 AI guidance further clarified what covered entities must document when deploying AI tools that interact with protected health information.

The practical implication: any AI tool that handles or influences access to ePHI requires formal risk documentation. That means vendor security assessments, Business Associate Agreement review for AI-specific use cases, and ongoing monitoring cadences — not as best practices, but as regulatory requirements. The final rule is expected in 2026.

Organizations that haven't built the governance infrastructure before that date will be building it under deadline pressure, with enforcement risk compounding.

The Enforcement Gap — and Why It's Temporary

There have been zero AI-specific HIPAA enforcement actions. Some compliance teams read this as runway. OCR's recent enforcement pattern suggests a shorter timeline.

OCR launched a targeted risk analysis enforcement initiative in October 2024. Between October 2024 and April 2025: eight enforcement actions, $900,000 in settlements (Feldesman). Risk analysis failures were cited in 65% of all 2024–2025 enforcement actions — not just the eight in the initiative (Ogletree). OCR is systematically building enforcement precedent around documentation gaps, not breach incidents.

The legal framework for AI enforcement is fully constructed. The regulations are in place. The enforcement posture is established. The absence of AI-specific actions so far reflects the standard 12-to-18-month lag between regulatory effective dates and enforcement maturity — a pattern OCR has followed consistently across prior rule changes. The mechanisms are built. The cases haven't started yet.

What a Compliant AI Governance Posture Looks Like

Organizations getting ahead of this are doing five concrete things:

  1. Maintain a tool inventory. A living registry of every AI system in clinical or administrative use, including embedded features within existing platforms — EHR vendors, ambient documentation tools, patient billing systems. If it influences a decision that affects a patient, it belongs on the list.
  2. Review vendor BAAs. Confirm that AI vendors have executed Business Associate Agreements and that those agreements cover the specific AI use cases in deployment. Many BAAs predate AI features that have since been added to the platform.
  3. Document bias audit results. For high-stakes clinical decision support, either obtain vendor-supplied bias testing documentation or commission independent assessment. Section 1557 requires evidence, not intent.
  4. Establish a monitoring cadence. Scheduled reviews of AI tool performance — particularly for accuracy drift and disparate outcomes across patient populations. Ad hoc review after an incident isn't sufficient documentation.
  5. Write the policies. Staff training procedures, override pathways, patient disclosure language. OCR will ask for the paper trail before anything else. Organizations that haven't written it don't have it.

None of this requires custom technology. It requires governance infrastructure: defined processes, maintained documentation, and clear accountability. The organizations that deployed AI without building that infrastructure are carrying compliance exposure that isn't yet visible in enforcement data — but will be.

The deployment window closed last year. The compliance window is closing now.