Introduction: The Fragmented Regulatory Moment
In early 2026, a health system administrator evaluating an AI-powered sepsis prediction tool must navigate a governance environment that is anything but unified. At the federal level, the FDA has relaxed oversight of clinical decision support software. In state capitals, lawmakers have introduced over 240 AI-related bills in the first quarter alone. The White House is actively pressuring states to abandon their own regulatory efforts. And international frameworks from the WHO and the European Union add another layer of standards to consider.
This is the fragmented regulatory moment for AI in public health. The Health & AI Policy Index (HAPI), a snapshot frozen on January 1, 2026, catalogues 240 distinct health-AI policies across more than 100 issuing bodies. Of those, 60% are tagged for Transparency & Governance, while only 22 policies — 9% — are rated as high-impact. The volume of policy activity surged in 2024 and 2025, but the substance remains uneven: most instruments are advisory or procedural, not prescriptive.
For public health stakeholders — administrators, policy professionals, legal and compliance teams, and researchers — the practical consequence is a compliance burden that is both heavy and ambiguous. A single AI deployment may need to satisfy a federal deregulatory posture, a state insurer-use law, a transparency mandate, and a chatbot safety act, all while the federal government and state legislatures actively contest each other's authority. Understanding this patchwork is not an academic exercise; it is a prerequisite for responsible deployment.
The Federal Landscape: Deregulation and Strategic Shifts
The federal approach to AI in public health in 2026 is defined by a deliberate move away from premarket oversight and toward post-market monitoring, industry self-regulation, and internal operational efficiency. Several key actions in late 2025 and early 2026 mark this shift.
FDA Revises Clinical Decision Support Guidance
On January 6, 2026, FDA Commissioner Martin Makary announced a significant revision to the agency's Clinical Decision Support (CDS) guidance at the Consumer Electronics Show. Under the revised framework, software that delivers a single AI-generated recommendation — such as a risk score or a differential diagnosis — may no longer be automatically classified as a regulated medical device. The key condition: a clinician must be able to independently review the basis for the recommendation. This effectively carves out a broad category of AI tools from premarket review.
The FDA stated it is developing a new risk-based AI framework that emphasizes post-market monitoring over premarket approval. For public health agencies and health systems, this means that many AI tools — particularly those providing decision support rather than autonomous diagnosis — may enter the market without the same level of premarket scrutiny that would have been required in 2024.
HHS AI Strategy and CMS Initiatives
In December 2025, the Department of Health and Human Services released its first Department-wide AI Strategy, built on five pillars: governance and risk management, infrastructure and platforms, workforce development and burden reduction, health research and reproducibility, and care delivery and public health modernization. The strategy establishes a 'OneHHS' AI infrastructure spanning the CDC, CMS, FDA, and NIH, focused on improving internal operations and efficiency.
On the payment and coverage side, CMS launched the Digital Health Tech Ecosystem Library on February 23, 2026, and continues to develop the ACCESS Model and TEMPO Pilot — initiatives designed to test alternative payment models for AI-enabled tools. These programs signal that CMS is preparing for broader reimbursement of AI technologies, though the details remain in development.
The White House Deregulatory Framework and the DOJ AI Litigation Task Force
The most consequential federal action for state-level regulation came from the White House. In December 2025, an executive order established the DOJ AI Litigation Task Force with a mandate to challenge what it characterized as 'onerous' state AI laws. On March 20, 2026, the White House released a legislative framework that explicitly preempts state regulation of AI development while preserving state police powers for health and safety — a distinction that is likely to generate significant legal disputes.
The net effect of these federal actions is a regulatory posture that is simultaneously permissive toward AI developers and restrictive toward state-level innovation in governance. For public health stakeholders, this creates a paradoxical environment: more AI tools are likely to reach the market with less premarket review, while the legal ground rules for their use remain contested.
| Federal Action | Date | Key Impact on AI in Public Health |
|---|---|---|
| FDA CDS guidance revision | Jan 6, 2026 | Risk scores and differential diagnoses may escape device regulation if clinician can independently review basis |
| HHS AI Strategy | Dec 4, 2025 | Establishes 'OneHHS' AI infrastructure across CDC, CMS, FDA, NIH; focuses on internal efficiency |
| CMS Digital Health Tech Ecosystem Library | Feb 23, 2026 | Creates registry for AI-enabled tools; supports future reimbursement models |
| White House deregulatory EO & framework | Dec 2025 / Mar 20, 2026 | Preempts state regulation of AI development; establishes DOJ AI Litigation Task Force |
| HHS/ASTP/ONC RFI on accelerating AI in clinical care | Feb 20, 2026 | Seeks input on reducing barriers to AI adoption in clinical settings |
The State Landscape: Six Categories of 2026 Legislation
While the federal government has moved toward deregulation, state legislatures have been remarkably active. According to Holland & Knight's 2026 legislative tracker, 43 states introduced more than 240 AI-related bills in Q1 2026 alone. The Manatt Health policy tracker corroborates this surge, noting that AI chatbot safety bills appeared in 36 states. The state-level activity clusters into six distinct categories.
1. Insurer Use of AI in Prior Authorization
This is the most legislatively active category in 2026. At least six states have enacted laws specifically governing how insurers may use AI in prior authorization and utilization management decisions.
- Alabama SB 63 (enacted April 17): Codifies CMS guardrails for AI use in prior authorization.
- Indiana HB 1271 (enacted March 4): Prohibits insurers from using AI as the sole basis for downcoding or denying claims.
- Utah SB 319 (enacted March 19): Requires insurers to disclose when AI is used in coverage decisions.
- Washington SB 5395 (enacted March 26): Prohibits AI from being the sole basis for denying care.
- Maryland HB 1563 (enacted April 28): Mandates quarterly reporting on AI use in adverse benefit determinations.
- Georgia SB 544 (enacted May 5): Permits AI use in prior authorization but explicitly prohibits AI-only adverse determinations.
These laws share a common thread: they do not ban AI in insurance decision-making, but they require human oversight and transparency. For public health agencies that rely on Medicaid managed care organizations, these laws create new compliance obligations for how AI is used in coverage determinations.
2. Downcoding Prohibitions
A subset of the insurer-use laws specifically targets the practice of algorithmic downcoding — where AI tools automatically assign lower reimbursement codes to claims. Indiana's HB 1271 is the clearest example, explicitly prohibiting AI from serving as the sole basis for downcoding. This category reflects growing concern that AI-driven utilization management may systematically reduce provider reimbursement without clinical justification.
3. Clinical Oversight and Patient Consent
Several states have moved to require direct clinical oversight or patient consent for AI use in healthcare settings. Maine's HB 2082 (enacted April 8) restricts AI use in mental health services. In Arizona, Board regulations adopted in November 2025 require informed consent for AI use in behavioral health. These measures reflect a targeted approach: rather than regulating AI broadly, states are focusing on high-risk clinical contexts where the consequences of AI error are most severe.
4. AI Chatbot and Companion Safety Acts
The proliferation of AI-powered mental health companions and chatbots has triggered a wave of state safety legislation. Idaho and Nebraska have enacted Conversational AI Safety Acts requiring disclosure, crisis protocols, and prohibitions on representing AI as a licensed professional. Oregon's SB 1546 (enacted April 6) and Tennessee's SB 1580 (enacted April 6) similarly prohibit AI from representing itself as a licensed healthcare professional. Delaware's HB 191 goes further, prohibiting AI from being licensed as a healthcare professional entirely.
5. Transparency Mandates
Transparency requirements are the most common type of AI policy across all levels of government. Colorado is proposing a revision to its SB 205 that would broaden the HIPAA carve-out for AI transparency, while several other states are considering bills that require disclosure of AI use in clinical decision-making. The HAPI Index confirms this pattern: 60% of all tracked health-AI policies are tagged for Transparency & Governance, and 79% of equity-tagged policies also carry a transparency tag.
6. AI Regulatory Sandboxes
A smaller but notable category is the creation of AI regulatory sandboxes — controlled environments where AI tools can be tested with reduced regulatory burden. Utah's AI Policy Act sandbox has been extended, and Delaware and Texas are implementing similar programs. These sandboxes are particularly relevant for public health agencies that want to pilot AI tools for disease surveillance or outbreak response without immediately triggering full regulatory compliance.
| Category | Example Enacted Laws (2026) | Common Requirements |
|---|---|---|
| Insurer AI in prior auth | AL SB 63, IN HB 1271, UT SB 319, WA SB 5395, MD HB 1563, GA SB 544 | Human review of AI-driven adverse determinations; disclosure of AI use |
| Downcoding prohibitions | IN HB 1271 | AI cannot be sole basis for downcoding claims |
| Clinical oversight & consent | ME HB 2082, AZ Board regulations (Nov 2025) | Restrictions on AI in mental health; informed consent requirements |
| AI chatbot safety | ID & NE Conversational AI Safety Acts, OR SB 1546, TN SB 1580, DE HB 191 | Disclosure, crisis protocols, prohibition on representing AI as licensed professional |
| Transparency mandates | CO proposed SB 205 revision | Disclosure of AI use in clinical decision-making |
| AI regulatory sandboxes | UT AI Policy Act extension, DE & TX programs | Reduced regulatory burden for controlled AI pilots |
Federal-State Tension: The White House Pushback Campaign
Perhaps the most significant dynamic in the 2026 regulatory landscape is the direct confrontation between the federal government and state legislatures over who gets to set the rules for AI in healthcare.
According to Manatt Health's Q1 2026 AI Policy Tracker, the White House directly pressured lawmakers in Utah and Florida to abandon AI bills in early 2026. A Utah bill failed on March 6 after White House intervention, and Florida's proposed AI Bill of Rights stalled. The DOJ AI Litigation Task Force, established by the December 2025 executive order, serves as the enforcement mechanism for this pressure campaign — signaling that the federal government is prepared to litigate against state AI laws it considers preempted.
The response from state lawmakers was swift and organized. On March 3, 2026, more than 60 Republican state lawmakers from 24 states sent a protest letter to President Trump, arguing that state-level AI regulation is necessary to protect constituents and that federal preemption would leave critical gaps in consumer and patient protection.
For public health stakeholders, this federal-state tension creates significant uncertainty. A health system that deploys an AI tool in compliance with state law may find itself in conflict with federal policy, and vice versa. The absence of a clear preemption doctrine for AI in healthcare means that legal risk is distributed across multiple jurisdictions.
The International Dimension: WHO and EU Frameworks
While this article focuses on the US regulatory environment, international frameworks provide important context — both as models for US policy and as requirements for organizations operating globally.
WHO EIOS 2.0 and Public Health Intelligence
On October 13, 2025, the World Health Organization launched EIOS 2.0, a major upgrade to its Epidemic Intelligence from Open Sources system. Used by more than 110 member states and approximately 30 organizations, EIOS 2.0 integrates AI for automated analysis and signal detection, processes additional data sources including radio channels with automatic transcription and translation, and features a multilingual interface. The system is hosted at the WHO Hub for Pandemic and Epidemic Intelligence in Berlin and is provided free of charge to member states and eligible organizations.
For US public health agencies, EIOS 2.0 represents both a tool and a governance signal. The WHO's investment in AI-powered public health intelligence suggests that international norms are moving toward greater AI integration in disease surveillance — even as US federal policy remains permissive and fragmented.
The European Union's AI Act establishes a risk-based framework that classifies many healthcare AI applications as high-risk, requiring conformity assessments, fundamental rights impact assessments (FRIAs), and human oversight. The compliance deadlines — August 2026 for some high-risk systems and August 2027 for others — are approaching rapidly. While the EU AI Act does not directly apply to US-based public health agencies, it sets a standard that multinational health systems and AI developers must meet, and it influences the global conversation about what responsible AI governance looks like.
| Framework | Issuing Body | Key Provisions for AI in Public Health |
|---|---|---|
| EIOS 2.0 | WHO | AI-powered epidemic intelligence; free to member states; multilingual; processes radio and text sources |
| EU AI Act | European Union | Risk-based classification; FRIAs for high-risk systems; human oversight requirements; compliance deadlines in 2026-2027 |
| WHO LMM Guidance | WHO | Identifies risks: hallucinations, opacity, bias amplification, data confidentiality, deskilling in large multimodal models |
Implications for Public Health Stakeholders
The fragmented regulatory environment creates distinct challenges and obligations for different stakeholder groups.
For Health System Administrators
The primary burden falls on health systems that must operationalize AI tools across multiple regulatory regimes. A single AI deployment — say, an AI-powered triage chatbot for a public health hotline — may need to comply with a state chatbot safety act, a federal CDS guidance framework, a state transparency mandate, and CMS reimbursement rules. The ASTHO 2025 Profile survey of state and territorial health agencies (n=41 to 44) found that while 63% of agencies had an AI policy in place, only 14% reported using AI for disease surveillance, anomaly detection, or emergency response. A full 32% reported not using AI at all.
The top barriers cited by these agencies underscore the compliance challenge: 64% cited lack of established guidance, 55% cited lack of workforce skills and knowledge, 45% cited accuracy concerns, and 39% cited lack of resources. These are not technical problems — they are governance and capacity problems.
For Policy Professionals and Legal/Compliance Teams
The rapid pace of legislative activity — 43 states introducing 240+ bills in a single quarter — makes continuous monitoring essential. The HAPI Index, Holland & Knight tracker, and Manatt Health tracker are valuable resources, but they are snapshots of a moving target. Compliance teams should expect that the regulatory environment will look different in Q3 2026 than it did in Q1 2026.
- Track state-level legislation in every jurisdiction where your organization operates or deploys AI tools.
- Monitor federal preemption actions, including DOJ AI Litigation Task Force activity and White House executive orders.
- Develop compliance frameworks that can adapt to both permissive federal guidance and prescriptive state laws.
- Engage with state legislative processes — the protest letter from 60+ state lawmakers indicates that state-level advocacy is active and organized.
For Researchers
The gap between policy volume and real-world deployment is a critical research opportunity. The HAPI Index shows that only 22 of 240 policies (9%) are rated as high-impact, and the ASTHO data shows that only 14% of agencies use AI for disease surveillance. Researchers should investigate why policy adoption has not translated into deployment — whether the barriers are regulatory uncertainty, workforce capacity, or something else entirely.
Conclusion: Navigating the Patchwork
The US regulatory environment for AI in public health in 2026 is not a coherent system. It is a patchwork: 240+ policies from more than 100 issuing bodies, a federal government that is actively deregulating while simultaneously challenging state authority, state legislatures that are enacting targeted laws faster than they can be tracked, and international frameworks that add another layer of standards and expectations.
Several patterns are clear. Transparency-oriented instruments dominate the policy landscape, but they are largely advisory. Concrete obligations — human review of AI-driven adverse determinations, disclosure requirements, chatbot safety protocols — fall mainly on providers and developers, not on AI vendors. The federal-state tension is real and escalating, with the DOJ AI Litigation Task Force serving as a potential flashpoint for legal challenges that could reshape the entire governance architecture.
For public health stakeholders, the path forward is not to wait for regulatory clarity — it is to build the internal capacity to navigate ambiguity. That means investing in workforce training (the top barrier cited by 55% of state health agencies), establishing governance frameworks that can adapt to multiple regulatory regimes, and actively participating in the policy process at both the state and federal levels.
The patchwork is not going away. The question is whether public health organizations can develop the agility to operate within it.
Comments
Join the discussion with an anonymous comment.