Everyone Cites HIPAA for Healthcare AI. The Rule That Actually Binds You Is Section 1557
81% of physicians now use AI, up from 38% in 2023. Meanwhile the compliance conversation is stuck on HIPAA, where no AI guidance exists, and ignoring Section 1557, where a binding obligation has been in force since May 2025.
Usman Akram · · 6 min read

Physician AI adoption went from 38% in 2023 to 81% in 2026, according to the AMA's survey of 1,692 physicians fielded in January and February of this year.
The tools arrived. The governance did not, and the conversation about governance is aimed at the wrong regulation.
The guidance everyone cites does not exist
Let me be direct, because I checked this carefully and expected to find the opposite.
There is no OCR guidance on AI and HIPAA. Not a rule, not a bulletin, not a framework. The Office for Civil Rights has not issued AI-specific HIPAA guidance.
This is odd, because a great deal of vendor content refers to it, sometimes in detail. That content is describing a document that has not been written. The HIPAA Security Rule does have a proposed cybersecurity overhaul, published in January 2025, but it remains a proposal, it is not final, and it touches AI only through a request for comment. Citing it as current law is wrong.
HIPAA still applies to protected health information, obviously. Its minimum-necessary standard, which requires reasonable efforts to limit PHI to the minimum necessary for the purpose, remains an excellent design principle for scoping what an AI agent can reach. Just note that the standard carves out disclosures for treatment, so a clinical AI agent operating in a treatment context sits inside the exception. It is a design argument, not an AI mandate.
So if HIPAA is not the AI rule, what is?
Section 1557 is the rule, and it has been in force for over a year
The binding instrument is Section 1557 of the Affordable Care Act, at 45 CFR §92.210, covering patient care decision support tools. It was finalised in May 2024. The general prohibition took effect on 5 July 2024. The part that should concentrate the mind, an affirmative duty to identify and mitigate the risk of discrimination arising from these tools, took effect on 1 May 2025.
Read "affirmative duty" carefully. It does not mean you respond when someone complains. It means you are expected to have gone looking. And the scope is deliberately broad: any automated or non-automated tool used to support clinical decision-making.
If you have deployed a risk score, a triage assistant, a readmission predictor, or anything that shapes a clinical decision, you are in scope, and you have been for more than a year.
The practical consequence is unglamorous and immediate. You need an inventory of the decision support tools you actually use, evidence that you evaluated each for discrimination risk, and a record of what you did about what you found. Most organisations racing to adopt AI have none of those three things, and they are not hard to produce, they are simply nobody's job.
There is also the ONC HTI-1 rule, which requires certified health IT to expose source attributes for predictive decision support, a genuine algorithm transparency regime. One caveat worth knowing: a deregulatory proposal published in December 2025 would remove certification criteria, so do not build a strategy that assumes HTI-1's transparency requirements are permanent furniture. And the FDA regulates AI-enabled device software, where its Predetermined Change Control Plan guidance is final while its broader lifecycle guidance is still a draft.
The savings number you have been quoted is not what you think
While I am puncturing things, let me do the ROI figure, because it appears in nearly every healthcare AI deck.
$210 billion in annual savings from automating manual, inefficient workflows. It is usually attributed to McKinsey and presented as what AI agents can unlock.
The number is real. It comes from a 2021 JAMA paper by Sahni, Carrus, and Cutler on administrative simplification. Three details get lost every time it is repeated:
It predates generative AI by two years. It is not an AI estimate. It is an estimate of what fixing manual workflows, poor data standardisation, and disconnected systems could save, by any means.
It is a subset, not the headline. The paper's actual top-line figure is $265 billion.
And most importantly, the paper says the majority of those savings sit in industry-agnostic corporate functions such as finance and human resources. Not clinical work. Not even healthcare-specific work. Back office.
So when someone tells you healthcare AI agents can save $210 billion, they are quoting a pre-LLM paper about administrative simplification, most of which is about HR and finance departments. The underlying point, that healthcare drowns in administrative cost, is completely true: the same paper finds administrative spending was $950 billion of $3.8 trillion, about a quarter of US health expenditure. That is the real argument. It does not need the laundered version.
Which is, awkwardly, an argument for starting in the back office
The mangled statistic accidentally points at the right strategy.
The administrative burden is genuinely enormous, genuinely automatable, and genuinely where the near-term wins are. Revenue cycle, medical coding, prior authorisation, documentation. These carry lower clinical risk, face a much shorter approval path, and do not immediately place you inside Section 1557's decision support scope.
Clinical decision support is where the ambition is, and it is also where the compliance surface, the explainability requirement, and the liability all spike at once. Clinicians will not act on a recommendation they cannot trace, and no amount of model accuracy substitutes for that. Explainability, not accuracy, is the adoption barrier.
Build the operational wins. Build the governance muscle while the stakes are lower. Then move toward the clinic with an inventory, an evaluation process, and a track record, rather than arriving there with a model and a hope.
What about PHI leaking into model weights?
You will hear that fine-tuning on clinical notes embeds PHI in model weights, creating a novel exposure surface. Here is the honest state of the evidence, because both the alarmists and the dismissers are overclaiming.
Memorization is real. Research shows training data can be extracted from language models, and that memorization grows with model size and with how often content repeats. Clinical notes are notoriously repetitive, thanks to copy-forward and note bloat, which is precisely the condition that maximises memorization risk. That is a genuine reason for caution.
But the one study that directly tested this, training on real clinical notes and then trying to extract sensitive data, failed to extract it with simple probing methods, while explicitly cautioning that more sophisticated attacks might succeed.
And no regulator has said anything about it. There is no HHS, OCR, or NIST position that model weights trained on PHI constitute a disclosure.
So: design against it, because it is a plausible risk and the cost of caution is low. Do not present it to your board as an established compliance violation, because that is not what the evidence says.
The summary
Healthcare AI adoption doubled in three years. The compliance conversation is fixated on a HIPAA AI rule that does not exist, while a real, binding, affirmative obligation under Section 1557 has been live since May 2025 and is barely discussed. And the economic case is being made with a statistic that describes something else entirely.
The good news is that the actual requirements are tractable. Know what tools you run. Evaluate them for discrimination risk and write down what you found. Scope PHI access tightly. Start where the clinical risk is low and the administrative pain is high.
If you are building AI into a healthcare product and want the compliance surface mapped to what the regulations actually say rather than what the vendor deck claims, that is work our Security and Compliance and AI Native practices do together. Tell us what you are building and book a discovery call.
This post is engineering and product guidance, not legal advice; for a binding view on your obligations, consult healthcare counsel. Regulatory positions, the AMA adoption figures, and the JAMA administrative-cost figures were verified against primary sources on 12 July 2026.
Frequently asked
Is there official HHS or OCR guidance on AI and HIPAA?
No. As of July 2026 the Office for Civil Rights has issued no AI-specific HIPAA guidance. This surprises people because so much vendor content refers to it, but that content is describing something that does not exist. HIPAA still applies to protected health information handled by AI systems, of course, and its minimum-necessary standard is a sound design principle. But there is no AI-specific HIPAA rule to comply with, and anyone citing one is fabricating a citation.
What regulation actually governs AI in healthcare in the US?
The most binding instrument is Section 1557 of the Affordable Care Act, specifically 45 CFR 92.210 on patient care decision support tools, finalised in May 2024. Its general prohibition on discrimination took effect on 5 July 2024, and the affirmative duty to identify and mitigate discrimination risk from these tools took effect on 1 May 2025. It covers any automated or non-automated tool used to support clinical decision-making, which is broad. Separately, the ONC HTI-1 rule imposes algorithm transparency requirements on certified health IT, and the FDA regulates AI-enabled medical devices.
What does Section 1557 require for clinical AI?
In practice, that you know which decision support tools you use, that you have made a reasonable effort to identify whether they carry a risk of discrimination against protected groups, and that you have taken steps to mitigate any risk you find. It is an affirmative duty, meaning you cannot simply wait for a complaint. The important engineering consequence is that you need an inventory of your AI tools and some documented evidence of having evaluated them, which most organisations adopting AI quickly do not have.
Can protected health information end up inside a fine-tuned model?
The risk is real but frequently overstated. Memorization research shows that training data can be extracted from language models, and that memorization increases with model size and with how often content is repeated, which is notable because clinical notes are famously repetitive. However, the one study that directly tested extracting sensitive data from a model trained on real clinical notes found that simple probing methods could not meaningfully extract it, while cautioning that more sophisticated attacks might. Treat it as a genuine risk to design against, not as an established fact that fine-tuning leaks PHI.
Where should a healthcare organisation start with AI agents?
Start in the back office, not the clinic. Revenue cycle, coding, prior authorisation, and documentation carry less clinical risk, face a shorter approval path, and target exactly the administrative burden that dominates healthcare's inefficiency. Clinical decision support brings you inside Section 1557's scope and raises the explainability bar sharply, because clinicians will not act on a recommendation they cannot trace. Prove the operational case first, build the governance muscle, then move toward the clinical work.
CTO, IrenicTech
Usman is the CTO of IrenicTech. He builds AI agents, RAG systems, and automations into web and mobile products, and gets them shipped in weeks instead of quarters. He's focused on AI that learns from the people using it, and that's secure enough to trust with real data.
Connect on LinkedIn



