This page covers U.S. law as of June 2026. This is not legal advice. For a plain-English compliance answer tailored to your situation, use the Compliance Checker at DiscloseAI.net.
Healthcare small businesses using AI face obligations from multiple directions: HIPAA governs AI use involving protected health information, FDA regulates AI as a medical device in clinical decision contexts, and Utah's AI Policy Act applies specifically to healthcare because it is a regulated occupation. Patient disclosure is emerging as a regulatory expectation even where not yet explicitly required by statute.
HIPAA and AI
The Health Insurance Portability and Accountability Act (HIPAA, 45 C.F.R. Parts 160 and 164) applies to covered entities and business associates using AI that involves protected health information (PHI). Key AI-related HIPAA obligations:
- AI vendors processing PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA)
- Training AI systems on PHI without appropriate authorization may constitute an impermissible use or disclosure under the HIPAA Privacy Rule
- Using a general-purpose AI tool (e.g., a public AI chatbot) to process PHI without a BAA is a potential HIPAA violation
- HHS issued guidance in 2024 confirming that HIPAA applies to AI systems involving PHI
FDA Regulation of AI as a Medical Device
The FDA regulates software that meets the definition of a medical device under the Federal Food, Drug, and Cosmetic Act (21 U.S.C. § 321). AI software intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease may be Software as a Medical Device (SaMD) requiring FDA clearance or approval. Healthcare small businesses using AI diagnostic tools or AI clinical decision support should verify whether the tool has appropriate FDA authorization before deployment.
Utah — Direct Healthcare AI Disclosure Requirement
Utah's Artificial Intelligence Policy Act (SB 149, effective May 1, 2024) explicitly applies to regulated occupations, which include licensed healthcare providers. Utah-licensed healthcare small businesses — medical practices, dental offices, mental health providers — must disclose to patients when they are interacting with an AI system rather than a licensed professional. Utah Code Ann. § 13-2-15 et seq.
Colorado — AI in Healthcare Decisions
Colorado SB 24-205 lists healthcare as a domain in which AI decisions may be "consequential decisions" triggering the Colorado AI Act's disclosure and appeal requirements. A Colorado healthcare business that uses AI to make or substantially assist decisions about patient care coverage, care management, or treatment recommendations may be subject to the Act. Colo. Rev. Stat. § 6-1-1701 et seq.
Healthcare AI Compliance Checklist
- Confirm all AI vendors with access to PHI have executed a valid BAA
- Verify that AI diagnostic or clinical decision tools used in your practice have appropriate FDA authorization
- If operating in Utah, disclose AI interactions to patients per SB 149
- If operating in Colorado and using AI in care management or coverage decisions, assess Colorado AI Act obligations
- Do not train AI systems on patient PHI without appropriate authorization and HIPAA compliance review
- Review your state's medical practice act for any AI-specific provisions in 2025–2026 legislative sessions