The Compliance Signal
Issue #005
AI regulation in healthcare — what moved, what it means, what to do about it.
This Week
01  FDA’s post-market AI surveillance framework is taking shape
02  GuardDog telehealth signals HHS targeting internal access controls
03  EU code of practice drops with foundation model hooks
04  Microsoft Intune becomes HIPAA liability after Stryker hack
05  TEFCA benefits determination creates new compliance surface
01
FDA’s AI surveillance comment periods are closed. The framework is now being built.
Sources: FDA AI Post-Market Surveillance Research·AI-Enabled Device Software Draft Guidance (Jan 2025)·FDA AI/ML Program
Two related but distinct FDA actions are shaping post-market AI oversight. On September 30, 2025, FDA issued a Request for Public Comment on practical approaches to measuring real-world performance of AI-enabled medical devices. That comment period closed December 1, 2025 — the window for input has passed, and FDA is now building the framework based on submissions received.
Separately, in January 2025, FDA published draft guidance on AI-enabled device software functions covering lifecycle management and marketing submission requirements. That comment period closed April 7, 2025. Together, these two actions signal FDA’s intent to establish both pre-market lifecycle requirements and post-market performance monitoring for AI devices.
Current enforceable FDA guidance stops at pre-market approval. Post-market surveillance requirements for AI devices don’t exist yet, but the direction is clear: continuous performance monitoring, not just initial validation studies.
Our read
Both comment periods are closed, but the direction of travel is set. FDA is building toward mandatory post-market AI performance monitoring. The submissions received will shape what those requirements look like — prepare for the framework even though the final rules aren’t published yet.
What to do this week
The comment window is closed. Review the January 2025 draft guidance on AI-enabled device software functions and start building your post-market monitoring infrastructure now. Document what real-world performance metrics you can actually collect — you’ll need this when the final framework drops.
02
GuardDog telehealth admission signals HHS is targeting internal access control failures
Sources: HIPAA Journal: GuardDog Telehealth Admits Improper Access·HHS HIPAA Security Rule NPRM
GuardDog Telehealth admitted to improperly accessing patient medical records. Not a breach — improper access by authorized users. This distinction matters because HHS is targeting internal access controls, not just external threats.
Telehealth companies are in the crosshairs because remote access patterns make it obvious when someone's poking around where they shouldn't be. Your audit logs tell the whole story.
Our read
The admission likely reflects a settlement negotiation where GuardDog chose to acknowledge violations rather than fight them — HHS had the logs and the pattern evidence. The broader signal: HHS is prioritizing internal access control failures, not just external breaches.
What to do this week
Audit your access logs for the past 90 days. Look for users accessing records outside their normal patient population or clinical responsibilities. Document your findings and remediate before HHS finds them first.
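One way to run the review step above over an EHR access audit log. This is an added example, not code from the newsletter or from any vendor; the log format, the user-to-patient panel assignments and every record below are constructed for illustration. It keeps only accesses inside the 90-day window, flags any access to a patient outside the user's assigned panel (or by a user with no panel at all), and summarizes counts per user so the noisiest accounts surface first.

```python
# Added example (not from the newsletter): flag EHR record accesses that fall
# outside a user's assigned patient panel within the last 90 days.
# The log format, panel assignments and all sample records are constructed.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed audit log: timestamp, user id, role, patient id, action
AUDIT_LOG = """\
2026-03-02T08:14:02Z,nurse01,RN,P1001,VIEW
2026-03-02T08:20:45Z,nurse01,RN,P1002,VIEW
2026-03-03T22:41:10Z,nurse01,RN,P2007,VIEW
2026-03-04T09:02:33Z,billing02,BILLING,P1001,VIEW
2026-03-04T09:05:12Z,billing02,BILLING,P3300,VIEW
2026-03-05T11:15:00Z,doc07,MD,P2007,VIEW
2026-03-05T11:17:30Z,doc07,MD,P2008,EDIT
2025-11-01T10:00:00Z,nurse01,RN,P9999,VIEW
"""

# Constructed assignment data: the patients each user is responsible for.
# In practice this comes from scheduling, care-team or billing assignments.
PANELS = {
    "nurse01": {"P1001", "P1002", "P1003"},
    "doc07": {"P2007", "P2008"},
    "billing02": {"P1001", "P1002"},
}


def parse_log(text):
    """Parse the constructed CSV audit lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({
            # "Z" suffix is normalized so older Pythons parse it as UTC too
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return records


def find_out_of_panel(records, panels, now=None, window_days=90):
    """Return accesses in the review window that fall outside the user's panel.

    Each flagged record carries a 'reason' so reviewers can triage quickly.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=window_days)
    flagged = []
    for rec in records:
        if rec["time"] < cutoff:
            continue  # outside the 90-day review window
        panel = panels.get(rec["user"])
        if panel is None:
            reason = "user has no assigned panel"
        elif rec["patient"] not in panel:
            reason = "patient outside assigned panel"
        else:
            continue  # access consistent with assignment, nothing to flag
        flagged.append({**rec, "reason": reason})
    return flagged


def summarize(flagged):
    """Count flagged accesses per user; the highest counts get reviewed first."""
    return dict(Counter(r["user"] for r in flagged))


if __name__ == "__main__":
    review_date = datetime(2026, 3, 10, tzinfo=timezone.utc)  # constructed
    hits = find_out_of_panel(parse_log(AUDIT_LOG), PANELS, now=review_date)
    for h in hits:
        print(h["time"].isoformat(), h["user"], h["patient"], h["reason"])
    print(summarize(hits))
```

The panel check is deliberately simple; a real review would also account for legitimate exceptions (on-call coverage, emergency break-glass access, consults), which should be recorded as documented justifications rather than silently excluded from the comparison.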
03
EU AI Act code of practice creates compliance hooks for US healthtech
EU AI Act · Action Required
Sources: EU GPAI Code of Practice·EU AI Act Framework·GPAI Provider Guidelines
The EU AI Act Code of Practice for General Purpose AI models is live. The obligations apply directly to GPAI model providers — but downstream deployers, including US healthtech companies serving EU patients or using EU-regulated models, face compliance considerations too.
The code creates obligations for providers of GPAI models. Models trained with more than 10^25 FLOPs of training compute are classified as having systemic risk and face the strictest requirements. Most healthcare LLM implementations won’t hit this threshold directly, but your model providers (OpenAI, Anthropic, Google) likely do.
The guidelines clarify that downstream users have compliance obligations too. You can't just point to your model provider and claim ignorance when the EU comes knocking.
Our read
US healthtech companies serving EU patients or using EU-regulated foundation models likely face downstream compliance obligations. The exact scope for deployers vs. providers is still being clarified, but geographic arbitrage is unlikely to hold when your AI model crosses borders.
What to do this week
Map your foundation model usage to the 10^25 FLOPs threshold. If your providers use qualifying models, start documenting your downstream compliance measures now — GPAI model provider obligations take effect August 2, 2026.
04
Stryker's Intune disaster makes Microsoft endpoint management a HIPAA liability
Sources: CISA: Endpoint Management System Hardening (Mar 2026)·HIPAA Journal: CISA Harden Intune
On March 18, CISA issued security guidance for Microsoft Intune following a March 11 data wiping attack on Stryker Corporation. The attack — claimed by Handala, an Iran-linked hacktivist group — leveraged legitimate Intune endpoint management capabilities to remotely wipe data across Stryker’s environment, resulting in surgery delays at hospitals using Stryker equipment.
For HIPAA-covered entities using Intune to manage devices with PHI access, this creates a new risk category. Your endpoint management system becomes a single point of failure for your entire PHI environment.
Our read
CISA guidance often becomes the baseline HHS references when investigating incidents. Expect this hardening guidance to define what “reasonable and appropriate” looks like for Intune-managed environments with PHI access.
What to do this week
Review your Intune configuration against CISA’s hardening guidance this week. Pay special attention to conditional access policies and privileged identity management for admin accounts.
05
TEFCA benefits determination expands your interoperability compliance surface
Sources: TEFCA Overview (HealthIT.gov)·TEFCA Benefits Determination Launch·Sequoia Project TEFCA RCE
On February 11, SSA announced it joined the TEFCA network via eHealth Exchange as its Qualified Health Information Network (QHIN). The connection supports two disability programs: Social Security Disability Insurance (Title II) and Supplemental Security Income (Title XVI of the Social Security Act). SSA expects the exchange to be fully live by early spring 2026.
The Government Benefits Determination Exchange Purpose — added under QTF Version 2.1 — routes SSA record requests to specific organizations known to hold relevant clinical data, rather than querying the entire TEFCA network. If your platform connects to a QHIN or supports clinical documentation used in disability determinations, you now have new data exchange obligations under this framework.
Health data now flows directly into federal benefits systems. SSA reports the electronic exchange can cut disability determination processing time by more than 50% compared to traditional methods.
Our read
Your data quality standards just became SSA’s concern, which makes them yours. If clinical documentation flowing through TEFCA affects disability determinations, expect scrutiny on accuracy and completeness that goes beyond typical HIPAA obligations.
What to do this week
Determine whether your organization connects to a QHIN (eHealth Exchange, Commonwell, others) that participates in TEFCA. If your clinical documentation supports disability determinations under Title II or Title XVI, review the QTF Version 2.1 requirements for the Government Benefits Determination Exchange Purpose. Ensure your data quality and completeness standards meet federal benefits determination expectations — SSA will be pulling records electronically, not requesting paper.
Your three-item punch list this week
Prepare for FDA’s AI surveillance framework. Both comment periods are closed. Review the January 2025 draft guidance on AI-enabled device software functions and build your post-market monitoring infrastructure now.
Audit access logs for improper PHI access. HHS is targeting internal access violations like GuardDog's — find yours before they do.
Map foundation model usage to the 10^25 FLOPs threshold. GPAI model provider obligations under the EU AI Act take effect August 2, 2026. Know whether your providers qualify.
What’s the one compliance question you wish someone would answer this week? Hit reply.
The Compliance Signal — compliancesignal.io
AI regulation in healthcare — tracked, analyzed, and translated into action.
Questions? Reply to this email or contact support@compliancesignal.io
You received this because you subscribed at compliancesignal.io. Unsubscribe.