A US healthcare AI policy guide for lawmakers and leaders

The four pillars

• Put physicians at the center of AI design, validation, and clinical use.
• Build a coordinated, transparent, whole-of-government oversight model.
• Secure data, reduce bias, and protect privacy with strong governance.
• Upskill clinicians and redesign workflows to support safe adoption.

Keep physicians in the driver’s seat of the AI lifecycle

Design with clinical reality in mind

• Start with a real clinical pain point, not a tech demo.
• Co-design with physicians, nurses, and patients. Define the target use, user, and setting.
• Use representative data for the intended population and care setting.
• Label data with clinical oversight. Document assumptions and limits.
• Pre-specify success metrics: safety, accuracy, equity, and impact on workflow.

Validate and deploy with human oversight

• Run prospective pilots with real patients and clear guardrails.
• Use human-in-the-loop decision-making for anything that could affect diagnosis or treatment.
• Display uncertainty and rationale so clinicians can weigh outputs.
• Log decisions, overrides, and outcomes for audit and learning.
• Turn off or roll back tools if safety thresholds are not met.

Clarify accountability and guard against harm

• Define roles for developers, health systems, and clinicians in governance and liability.
• Set incident reporting channels and safe harbors for good-faith disclosures.
• Require plain-language labeling about what the tool does, for whom, and what data trained it.
• Mandate post-deployment monitoring and performance drift checks.

Make oversight simple and strong across the federal family

Align agency roles and reduce confusion

• FDA: Risk-based evaluation, premarket reviews where needed, and post-market surveillance for safety and effectiveness.
• ONC: Interoperability, transparency, and EHR certification that supports safe AI integration.
• OCR/HHS: Privacy and HIPAA guidance that reflects modern data flows and AI uses.
• FTC: Truthful marketing, claims oversight, and protection from deceptive practices.
• CMS: Coverage and payment policies that reward safe, effective, workload-reducing AI.
• NIST: Technical standards for risk, bias, and security, shared across agencies.

Create a coordinated playbook

• Publish a common taxonomy for AI use cases by clinical risk.
• Define evidence expectations for each risk tier (preclinical, clinical, real-world performance).
• Stand up interagency sandboxes for high-value pilots (e.g., imaging triage, sepsis alerts, ambient documentation), with shared guardrails.
• Standardize transparency labels for clinical AI: intended use, training data overview, validation results, known limits, and update cadence.
• Require routine public reporting of safety incidents and performance drift, anonymized to protect patients.

Support states and avoid duplication

• Provide model policies states can adopt for privacy, bias audits, and incident reporting.
• Offer grants to help state Medicaid programs and rural systems evaluate AI safely.
• Encourage reciprocity so an approved tool does not face 50 different rule sets.

Make data secure, private, and fair

Protect privacy beyond HIPAA

• Require plain-language consent for secondary data use, with easy opt-out.
• Set strong deidentification standards and recognize reidentification risks.
• Limit data sharing to what is needed; ban data resale without explicit consent.
• Mandate transparent data maps so patients and doctors know where data flows.

Reduce bias at every stage

• Ensure training sets include the populations the tool will serve by age, sex, race, ethnicity, language, disability, and geography.
• Test performance across subgroups and publish the results.
• Use bias mitigation methods and document them.
• Monitor for dataset and population drift; retrain or adjust when performance drops.
• Engage communities to review harms and help set success metrics that matter.

Harden security against new threats

• Adopt zero-trust security, multifactor authentication, and least-privilege access for AI systems.
• Encrypt data at rest and in transit; protect model weights and prompts.
• Detect adversarial inputs and data poisoning; validate training pipelines.
• Keep tamper-proof audit trails for data access, model changes, and outputs.
• Run red-team exercises and share threat intel across the sector.

Upskill the workforce and fix workflows

Build AI literacy from school to practice

• Teach basic AI concepts in medical and nursing school: what AI can and cannot do, how to read validation studies, and when to say no.
• Offer CME on safe use, bias, privacy, and human factors.
• Use case-based learning in specialties: radiology, primary care, oncology, emergency medicine, mental health.
• Train on how to communicate AI-supported decisions with patients in plain language.

Redesign workflows to reduce burden

• Integrate AI into the EHR so outputs show up in the right place, at the right time.
• Start with low-risk tools that save time, like ambient documentation or inbox triage.
• Address alert fatigue. Set smart thresholds and allow clinician tuning.
• Track time saved, burnout scores, and patient satisfaction alongside accuracy.

Manage change with clarity

• Pick clinical champions to lead pilots and collect feedback.
• Start small, iterate, and share wins and lessons openly.
• Provide quick-reference guides and in-workflow tips.
• Create a clear path to pause or stop a tool if issues arise.

From pilot to scale: a practical checklist

• Define the clinical problem and who benefits. Set measurable goals.
• Assess risk. Match controls to risk level (e.g., human-in-the-loop, second review).
• Check data rights, privacy, and fairness. Document provenance and consent.
• Run a time-limited pilot with pre-agreed safety stops and success metrics.
• Measure outcomes: safety, quality, equity, patient and clinician experience, and cost.
• Publish a one-page model card for clinicians: what it does, how well it works, limits, and contact for issues.
• Set post-launch monitoring: dashboards for drift, bias, incidents, and uptime.
• Review quarterly. Retrain, recalibrate, or retire as needed.

Measure what matters: simple, shared metrics

• Safety: adverse events, overrides, near-miss reports.
• Quality: accuracy against gold standards, guideline adherence, time-to-diagnosis.
• Equity: subgroup performance gaps and their trends over time.
• Experience: patient understanding and trust; clinician workload and burnout.
• Cost and efficiency: time saved per user, reduced no-shows, fewer unnecessary tests.

How the AMA Center for Digital Health and AI can help

• Policy and regulatory leadership: Work with federal and state leaders to set clear, practical rules.
• Clinical workflow integration: Shape tools with physicians so they fit real care.
• Education and training: Provide AI literacy, governance guides, and CME.
• Collaboration: Bring tech, research, government, and health systems together to solve shared problems.

What developers, health systems, and lawmakers should do now

For developers

• Co-create with clinicians and patients from the start.
• Be transparent about data, validation, and limits. Publish simple model cards.
• Design for interoperability and EHR integration. Reduce clicks, not add them.
• Build monitoring and bias checks into the product, not as an optional extra.

For health systems

• Set up an AI governance committee with clinical, legal, security, and patient voices.
• Use a risk-based intake process and a standard scorecard for evaluation.
• Pilot with small, high-value use cases, then scale with clear metrics.
• Invest in staff training and change management to sustain gains.

For lawmakers and regulators

• Issue a coordinated federal framework that aligns evidence needs and transparency.
• Close privacy gaps for non-HIPAA data and strengthen consent.
• Fund rural and safety-net adoption and workforce training.
• Require post-market surveillance and public reporting for higher-risk tools.

FAQ