Digital Health Blog

The Department of Health and Human Services announced it would reverse changes made during the Biden Administration and realign its health technology leadership to strengthen data sharing, affordability, and responsible use of artificial intelligence across the health care system. The change reverts the name of the technology agency back to the Office of the National Coordinator for Health IT (ONC) and moves some of its leadership back to previous departments within HHS, namely, the Office of the Chief Information Officer (OCIO). The move seeks to restore a unified, department wide technology model by returning enterprise IT, data, and AI leadership to the OCIO, while refocusing the ONC on interoperability, standards, and data liquidity. HHS officials say the changes will improve coordination between policy and operations, support secure and scalable technology platforms, and help accelerate innovation that lowers costs and improves care for patients.

On April 3, The Trump Administration released its Fiscal Year (FY) 2027 budget request. HHS also released its Budget in Brief document, which included Office of the National Coordinator for Health Information Technology (ONC) proposals. The budget includes an ONC FY 2027 budget request of $50 million (-$19 million below FY 2026) and ONC collaboration efforts, such as ONC working with CMS to draft rules updating payment policy/programs and working with HHS’s Office of Civil Rights (OCR) to ensure secure patient access to electronic health information. As a reminder, the President’s budget request is a framework and not binding.

The California Attorney General filed an amicus brief in a pending California Court of Appeal case, Art Center Holdings, Inc., et al. v. WCE CA Art, et al., reaffirming the state’s long-standing ban on the corporate practice of medicine. The brief supports a trial court ruling that contractual provisions allowing a private equity–backed management services organization (MSO) to replace a physician-owner or otherwise exert excessive control over an affiliated medical practice violate California law, underscoring that MSOs are limited to administrative support. In announcing the filing, the AG emphasized the state’s commitment to protecting independent medical judgment—particularly as private equity investment in healthcare expands. The brief marks the latest signal of heightened state scrutiny of PC–MSO arrangements, alongside recent legislative activity, including California’s passage of SB 351 and Oregon’s passage of SB 951.

On March 20, 2026, the Centers for Medicare & Medicaid Services (CMS) finalized the “Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures Final Rule”, establishing the first HIPAA-adopted standards for sending documentation attachments requested by insurers to support health care claims, enabling the secure electronic exchange of supporting clinical documentation such as medical records, X-rays and imaging, clinical notes, telemedicine visit documentation, and laboratory results. The rule aims to create uniform national standards for the electronic exchange of clinical data for health care claims documentation, while attempting to eliminate manual exchange processes, such as fax machines and paper mailings. It also adopts electronic signature standards to ensure exchanges are secure and authenticated. Notably, after significant stakeholder pushback, CMS did not finalize electronic transfer standards for prior authorizations that were included in the proposed 2022 rule. The final rule takes effect May 26, 2026, with payors and providers having until May 2028 to comply with the new standards.

On March 20, the White House released its National Framework for Artificial Intelligence, an update of its previous Executive Orders on AI urging Congress to establish a single, “minimally burdensome” national standard for AI regulation that would override most state AI laws the administration views as barriers to innovation. Although not focused on health care specifically, the plan blends the Trump administration’s priorities—such as addressing perceived political bias in AI models and reducing regulatory hurdles—with targeted protections for children, including age-gating requirements, parental controls, and preserving state laws that ban AI-generated abusive material. It also calls for expanded AI workforce training, data collection on AI-related job disruption, and codification of Trump’s pledge requiring major tech companies to supply or pay for the electricity used by their data centers.

Although intended to promote a national and uniform approach that avoids regulatory fragmentation, the framework also affirms that federal policy should not displace areas of traditional state authority. This includes state laws aimed at protecting children, preventing fraud, and safeguarding consumers. Regulation of the practice of medicine and other related aspects of health care have long been treated as a core area of consumer protection reserved to the states. Finding a balance between federal and state authority will be central to future law and policy addressing the growing use of AI in health care.

Elements of the Administration’s framework are already reflected in draft legislation from Senator Marsha Blackburn (R-TN), the TRUMP AMERICA AI Act, which would implement a light-touch federal AI regime, broadly preempt state AI laws governing model development and downstream use, and avoid creating new federal AI regulators, while maintaining a focus on child safety and U.S. competitiveness in artificial intelligence. In addition, House Republicans have acknowledged their commitment to implementing the framework in Congress.

Although this bill is unlikely to gain bipartisan support as is, there has historically been interest from Congress in identifying bipartisan solutions to AI regulation, most recently, the focus on protections for children and mental health.

A proposed bill in the New York Senate would prohibit artificial intelligence (AI) chatbots from providing medical or legal advice to consumers and require including clear and conspicuous notices that users are interacting with an AI platform. If enacted, the legislation would prohibit chatbots from providing information or advice that run afoul of professional licensing laws. The bill also includes a private right of action, which would enable users to sue chatbot owners for damages and attorneys’ fees – a key mechanism for strengthening enforcement.

Senators on the Senate Health, Education, Labor and Pensions Committee questioned HHS’s senior health IT official regarding the expanding use of artificial intelligence within electronic health record systems, signaling growing congressional interest in oversight of AI enabled health technology. Lawmakers raised concerns about patient privacy, potential bias in AI driven clinical tools, and limited transparency into how AI models rely on and are trained using sensitive health data.

HHS Assistant Secretary for Technology Policy, Thomas Keane, acknowledged the concerns but did not point to specific new regulatory requirements, instead referencing existing federal health IT standards and a December 2025 HHS AI Request for Information (RFI) on the safe and effective use of AI in health care. While no immediate policy changes were announced, the hearing reflects increasing bipartisan focus on whether additional guardrails may be needed as AI becomes more deeply embedded in clinical software and care delivery.

The Centers for Medicare & Medicaid Services (CMS) recently announced the development of the Medicare App Library as part of its Health Technology Ecosystem initiative. The library will provide a centralized directory through which Medicare beneficiaries can access patient facing digital health tools that integrate with CMS Aligned Networks.

CMS stated that participating apps will be grouped into three categories: applications designed to eliminate manual check in processes, conversational artificial intelligence assistants, and diabetes and obesity management tools. To be included, apps must sign CMS’s interoperability pledge and meet specified participation requirements, including implementing identity verification through ID.me or CLEAR, enabling connectivity to CMS Aligned Networks, and completing an evaluation by the Digital Medicine Society or the CARIN Alliance prior to CMS review. CMS also indicated that participants in the Advancing Chronic Care with Effective, Scalable Solutions (ACCESS) Model that join the Health Technology Ecosystem will be identified in the library with a special designation. The announcement reflects CMS’s continued emphasis on voluntary participation, interoperability, and consumer facing digital tools within Medicare.

The House Energy and Commerce Committee advanced a broad package of children’s online safety bills, including the Kids Internet and Digital Safety (KIDS) Act (H.R. 7757) and Children and Teens’ Online Privacy Protection Act (COPPA 2.0- H.R. 6291), which now heads to the House floor. While the debate largely centered on privacy and platform accountability, several provisions touch directly on artificial intelligence—including mandatory disclosure when AI chatbots interact with minors and new studies on how social media algorithms impact mental health.

The House package, driven by Republicans, drew criticism from Democrats who argued it weakens key protections found in bipartisan Senate counterparts of these bills. Notably, the House bill omits “duty of care” language that would require tech and AI-enabled platforms to design products with children’s safety in mind.

Meanwhile, the Senate unanimously passed its COPPA 2.0 (S. 836), which expands data protections to teens under 17 and restricts how companies—including those deploying AI-driven personalization and advertising tools—can use minors’ data.

Overall, both chambers are moving toward tighter regulation of platforms and AI technologies that interact with young users, though the House and Senate currently diverge on how strong those protections should be.

On February 26, the Senate Health, Education, Labor and Pensions (HELP) Committee passed the Health Care Cybersecurity and Resiliency Act (S. 3315) by a vote of 22-1. This legislation would establish new minimum cybersecurity standards for HIPAA‑regulated entities—including multifactor authentication, data encryption, penetration testing, and regular security audits—while strengthening federal coordination through HHS and CISA and requiring a comprehensive cybersecurity incident response plan. It also updates breach reporting rules, mandates publication of corrective actions after incidents, and designates the Administration for Strategic Preparedness and Response (ASPR) as the Sector Risk Management Agency for healthcare. This bipartisan bill has been of interest since recent cybersecurity threats have crippled parts of the health care industry.