AI Compliance Tools for Healthcare: HIPAA, FDA PCCP, ONC HTI-1, and the MDR Overlap
AI compliance tools for healthcare must cover HIPAA Security Rule modernization, FDA PCCP for AI medical devices, ONC HTI-1 transparency, and the EU MDR/AI Act overlap.
By AI Compliance Vendors Editorial · May 17, 2026 · 12 min read · Last reviewed May 17, 2026
Healthcare AI sits at the intersection of four distinct regulatory regimes: HIPAA on the patient-data side, FDA on the medical-device side, ONC HTI-1 on the EHR-transparency side, and the EU MDR / IVDR plus AI Act on the cross-border product side. AI compliance tools for healthcare have to cover all four at once, and the rules are moving fast through 2025 and 2026.
This guide is the practitioner walkthrough. What HIPAA's Security Rule modernization means once it is finalised. What FDA's December 2024 Predetermined Change Control Plan final guidance actually requires. What the ONC HTI-1 Decision Support Intervention criterion means for EHR-embedded AI. And how the EU MDCG 2025-6 guidance changed the calculus for any AI medical device sold into Europe.
HIPAA Security Rule modernization (still pending)
On December 27, 2024, the U.S. Department of Health and Human Services, through the Office for Civil Rights, issued a Notice of Proposed Rulemaking to modify the HIPAA Security Rule. It is the most sweeping update since 2013 (HHS).
The NPRM was published in the Federal Register on January 6, 2025. The 60-day comment period closed March 7, 2025. HHS received over 4,000 comments (MetricStream).
Current status as of May 17, 2026. The final rule has not been published. OCR placed expected finalisation on its regulatory agenda for May 2026. Industry experts as of April 2026 estimate finalisation in late 2026 or early 2027 because of the complexity of public comments and possible changes under the Trump administration (Alston & Bird / VC3).
What the NPRM would change
Key proposed changes (HHS Fact Sheet):
- Eliminate the "required" vs. "addressable" distinction: every implementation specification becomes required.
- Mandatory multi-factor authentication across all relevant systems, with narrow exceptions.
- Mandatory encryption of ePHI at rest and in transit, with narrow exceptions.
- A written technology asset inventory and network map, updated at least annually and after any material change.
- Vulnerability scanning at least every six months.
- Penetration testing at least annually.
- Restoration of critical electronic information systems and data within 72 hours of a loss.
- Compliance audits at least annually.
If the rule is finalised in its current form, the compliance window is 240 days from final-rule publication (RubinBrown). That is much tighter than the typical 18-month HIPAA transition window. Plan accordingly.
For AI vendors that process protected health information, the change-pattern that matters most is mandatory encryption combined with mandatory MFA and the move from "addressable" to "required" for all specifications. AI-vendor risk assessments and BAAs will need re-baselining the moment the rule lands.
FDA Predetermined Change Control Plans (final, December 2024)
On December 4, 2024, the FDA released its final guidance on Predetermined Change Control Plans for AI-Enabled Device Software Functions (Ropes & Gray). A separate non-AI-specific PCCP guidance for medical devices generally was finalised in August 2025 (FDA).
The key expansion in the December 2024 final guidance: the scope expanded from ML-enabled devices to all AI-enabled devices (Ropes & Gray).
What a PCCP is and what it does
A PCCP describes three things:
- Planned modifications to the device.
- The methodology to develop, validate, and implement those modifications.
- An assessment of the impact of those modifications.
With an authorised PCCP, the FDA does not need to review each individual update to the AI model. The manufacturer can iterate within the PCCP's bounds without a new 510(k) or PMA submission for each model refresh.
The finalised PCCP guidance requires labelling that discloses the device incorporates AI/ML and has an authorised PCCP. Labelling must be updated as modifications are implemented (Ropes & Gray).
The FDA's Guiding Principles for Predetermined Change Control Plans for Machine Learning-Enabled Medical Devices, published jointly with Health Canada and the UK MHRA, provides the international harmonisation backbone.
For manufacturers, the PCCP is the practical lever for keeping AI medical devices current without serial regulatory bottlenecks. For compliance teams, the lever has to be built carefully: the PCCP's bounds determine what model updates are pre-cleared and which trigger a new submission.
ONC HTI-1: the Decision Support Intervention criterion
The Health Data, Technology, and Interoperability Final Rule, known as HTI-1, was published in the Federal Register on January 8, 2024 and became effective February 8, 2024 (Mintz). HTI-1 is what governs AI embedded in certified electronic health records.
HTI-1 replaced the Clinical Decision Support certification criterion with a new Decision Support Intervention (DSI) criterion at 45 CFR § 170.315(b)(11), effective January 1, 2025 (Mintz).
What "Predictive DSI" means
The rule defines a Predictive DSI as "technology that supports decision-making based on algorithms or models that derive relationships from training data and then produce an output that results in prediction, classification, recommendation, evaluation, or analysis" (ONC).
Certified health IT with Predictive DSIs must support 31 source attributes for predictive interventions and 13 source attributes for evidence-based DSIs. The attributes cover (ONC HTI-1 DSI Fact Sheet):
- Details and output of the intervention.
- Purpose of the intervention.
- Out-of-scope use warnings.
- Development details.
- Fairness approach.
- External validation.
- Performance metrics.
- Ongoing maintenance.
- Update schedules.
EHR developers must also employ Intervention Risk Management (IRM) practices for all Predictive DSIs: risk analysis, risk mitigation, and governance. Summaries must be publicly available (Mintz).
The framework for evaluating Predictive DSIs is called FAVES: Fair, Appropriate, Valid, Effective, Safe (AHIMA).
For any AI vendor that pushes its model into an EHR, the practical impact is significant. Either you become the source of record for those 31 attributes, or the EHR developer cannot certify the module that carries your AI and you lose the sale. Build the documentation pipeline once and reuse it across customers.
Risk-of-bias controls for clinical AI
Three overlapping bias-control requirements:
- The FDA's PCCP final guidance requires manufacturers to consider intended use populations including race, ethnicity, disease severity, gender, and age so that devices continue to reflect those populations as the AI is modified (Ropes & Gray).
- ONC's HTI-1 DSI criterion requires a description of the approach to ensure fairness in development, descriptions of approaches to manage, reduce, or eliminate bias, and use of race, ethnicity, and social determinants of health as explicit source attributes (ONC HTI-1 DSI Fact Sheet).
- HHS ACA Section 1557 regulations, published May 6, 2024 and effective July 5, 2024, prohibit discrimination in patient care decision-support tools, including AI/ML, based on race, color, national origin, sex, age, and disability. The decision-support-tool provision (45 CFR § 92.210) applies from May 1, 2025 and requires covered entities to make reasonable efforts to identify such tools and to mitigate the risk of discrimination on an ongoing basis (California CDI SB 1120 Guidance PDF).
The three regimes are not identical. Building a single bias-testing framework that satisfies FDA, ONC, and Section 1557 is the most cost-efficient path. It requires demographic data collection, validated bias metrics (disparate-impact ratio, equal-opportunity difference, calibration-by-group), ongoing monitoring, and documented mitigation.
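The bias metrics named above are concrete enough to compute. The block below is an added example for this article, not code from any regulator, EHR vendor or device manufacturer: a small group-fairness audit for a binary clinical risk model that computes the disparate-impact ratio, the equal-opportunity (sensitivity) difference and per-group calibration on a constructed toy dataset. The thresholds are assumptions (0.8 is the four-fifths convention for disparate impact; the 0.10 sensitivity-gap and 0.05 calibration-gap limits are illustrative), not numbers taken from FDA, ONC or HHS.

```python
"""Group-fairness audit for a binary clinical risk model.

Added example; not code from FDA, ONC, HHS or any vendor. Standard library only.
Thresholds (0.8 disparate-impact floor, 0.10 sensitivity gap, 0.05 calibration
gap) are assumptions for illustration, not regulatory numbers.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Record:
    group: str    # demographic attribute, e.g. self-reported race/ethnicity
    y_true: int   # 1 if the condition was later confirmed, else 0
    score: float  # model's predicted probability of the condition


def _by_group(records: Iterable[Record]) -> dict[str, list[Record]]:
    groups: dict[str, list[Record]] = defaultdict(list)
    for r in records:
        groups[r.group].append(r)
    return dict(groups)


def selection_rates(records, threshold=0.5):
    """Share of each group the model flags positive (score >= threshold)."""
    return {g: sum(r.score >= threshold for r in rs) / len(rs)
            for g, rs in _by_group(records).items()}


def disparate_impact_ratio(records, threshold=0.5):
    """Lowest group selection rate over the highest; returns (ratio, low, high)."""
    rates = selection_rates(records, threshold)
    low, high = min(rates, key=rates.get), max(rates, key=rates.get)
    if rates[high] == 0:            # nobody flagged in any group: no disparity to measure
        return 1.0, low, high
    return rates[low] / rates[high], low, high


def true_positive_rates(records, threshold=0.5):
    """Sensitivity per group, skipping groups with no confirmed cases (undefined)."""
    tprs = {}
    for g, rs in _by_group(records).items():
        positives = [r for r in rs if r.y_true == 1]
        if positives:
            tprs[g] = sum(r.score >= threshold for r in positives) / len(positives)
    return tprs


def equal_opportunity_difference(records, threshold=0.5):
    """Largest gap in sensitivity between any two groups; returns (gap, tprs)."""
    tprs = true_positive_rates(records, threshold)
    if len(tprs) < 2:
        raise ValueError("need confirmed cases in at least two groups")
    return max(tprs.values()) - min(tprs.values()), tprs


def calibration_by_group(records):
    """Calibration-in-the-large per group: observed event rate minus mean score."""
    out = {}
    for g, rs in _by_group(records).items():
        mean_pred = sum(r.score for r in rs) / len(rs)
        observed = sum(r.y_true for r in rs) / len(rs)
        out[g] = {"mean_predicted": mean_pred, "observed": observed,
                  "gap": observed - mean_pred}
    return out


def audit(records, threshold=0.5, di_floor=0.8, eo_max=0.10, cal_max=0.05):
    """Run all three checks and collect findings; an empty findings list passes."""
    di, low, high = disparate_impact_ratio(records, threshold)
    eo, tprs = equal_opportunity_difference(records, threshold)
    cal = calibration_by_group(records)
    findings = []
    if di < di_floor:
        findings.append(f"disparate impact {di:.2f} < {di_floor}: "
                        f"group {low} selected far less often than {high}")
    if eo > eo_max:
        findings.append(f"equal-opportunity gap {eo:.2f} > {eo_max}: "
                        f"sensitivity by group {tprs}")
    for g, c in cal.items():
        if abs(c["gap"]) > cal_max:
            findings.append(f"group {g} miscalibrated: observed {c['observed']:.2f} "
                            f"vs mean predicted {c['mean_predicted']:.2f}")
    return {"disparate_impact": di, "equal_opportunity_diff": eo,
            "calibration": cal, "findings": findings, "passed": not findings}


# Constructed toy data, not real patients: two groups of ten. The model ranks
# group B's true cases lower, so it under-detects them and under-predicts risk.
SAMPLE = [
    *(Record("A", 1, s) for s in (0.9, 0.8, 0.7, 0.6, 0.4)),
    *(Record("A", 0, s) for s in (0.3, 0.2, 0.6, 0.1, 0.2)),
    *(Record("B", 1, s) for s in (0.7, 0.55, 0.45, 0.3, 0.2)),
    *(Record("B", 0, s) for s in (0.35, 0.25, 0.15, 0.1, 0.05)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE), indent=2))
```

On the toy data the audit fails all three checks: group B is flagged at 0.2 versus 0.5 for group A (ratio 0.4), its sensitivity is 0.4 versus 0.8, and its mean predicted risk (0.31) sits well below its observed event rate (0.5). In production you would replace calibration-in-the-large with a binned or smoothed calibration curve per group, compute confidence intervals because small subgroups make these point estimates noisy, and re-run the audit on every model refresh so the results can be attached to the PCCP impact assessment and the HTI-1 fairness attributes.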
The EU MDR / IVDR overlap (MDCG 2025-6)
On June 19, 2025, the Medical Device Coordination Group published MDCG 2025-6, guidance on the interplay between the MDR/IVDR and the EU AI Act for manufacturers of AI systems used for medical purposes (MDAI) (Hogan Lovells).
Which MDAIs qualify as high-risk AI under Article 6(1)
An AI medical device qualifies as a high-risk AI system under Article 6(1) of the AI Act if both conditions hold:
- The AI is a safety component of a product covered by the Union harmonisation legislation listed in Annex I, or is itself such a product (the MDR and IVDR are both listed); AND
- That product must undergo third-party conformity assessment by a notified body under the MDR/IVDR.
In practice, MDR Class IIa, IIb and III and IVDR Class B, C and D devices all require notified-body involvement, so any of them that contains AI qualifies as high-risk under Article 6(1) (Hogan Lovells). MDR Class I devices that are not sterile, have no measuring function and are not reusable surgical instruments, and IVDR Class A devices that are not sterile, do not, because no notified body is involved in their conformity assessment.
MDCG recommends a single set of technical documentation covering both MDR/IVDR and AI Act requirements (Hogan Lovells). That is the right operating model. Maintaining two parallel files invites contradictions and re-work.
The AI Act compliance deadline for AI medical devices that qualify as Article 6(1) high-risk systems is August 2, 2028 under the AI Omnibus extension (Latham & Watkins). See our EU AI Act deadline extension explainer for the broader timeline.
What an AI compliance stack for healthcare looks like
If you operate AI in healthcare in the US plus the EU, the practical stack:
- A HIPAA Security Rule modernization readiness plan, with mandatory MFA, encryption, and asset inventory in place before the final rule lands. Aim to be ready in advance, not behind.
- An FDA PCCP for any AI medical device whose model you update post-launch. Build the PCCP's modification scope generously but specifically.
- An ONC HTI-1 DSI documentation pack for any AI that embeds into a certified EHR, covering all 31 predictive source attributes.
- A Section 1557 plus FDA plus ONC unified bias-testing programme with documented demographic coverage and ongoing monitoring.
- For cross-border products, an MDR/IVDR plus EU AI Act unified technical documentation file aligned to MDCG 2025-6. Map AI Act Article 14 human-oversight requirements to MDR clinical evaluation evidence.
- A GDPR DPIA for any AI that processes EU personal health data, combined with an EU AI Act fundamental-rights impact assessment (FRIA) where Article 27 actually applies. Check that scope before building: the FRIA obligation is written for deployers of the Annex III high-risk systems listed in Article 6(2) (and certain public-sector, credit and insurance uses), so a device that is high-risk only under Article 6(1) may not trigger it. See our GDPR Article 22 vs EU AI Act guide.
For vendor evaluations, our healthcare AI vendor directory and best AI compliance software roundup are the starting points.
One last note on the velocity question. HIPAA, FDA, ONC, and the EU AI Act are not the only moving pieces. State AI laws, including Colorado's AI Act, Utah's AI Policy Act, and California's various AI bills, all overlap with healthcare in places. The cost of building a healthcare AI compliance programme is dominated by the integration cost across regimes, not the per-regime cost. Build for integration first.
References
- HHS. HIPAA Security Rule NPRM. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
- HHS. HIPAA Security Rule NPRM Fact Sheet. December 27, 2024. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
- Ropes & Gray. FDA Finalizes Guidance on Predetermined Change Control Plans for AI-Enabled Device. December 11, 2024. https://www.ropesgray.com/en/insights/alerts/2024/12/fda-finalizes-guidance-on-predetermined-change-control-plans-for-ai-enabled-device
- FDA. Marketing Submission Recommendations for PCCP for AI-Enabled Device Software. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/marketing-submission-recommendations-predetermined-change-control-plan-artificial-intelligence
- FDA. Guiding Principles for PCCPs for ML-Enabled Medical Devices. https://www.fda.gov/medical-devices/software-medical-device-samd/predetermined-change-control-plans-machine-learning-enabled-medical-devices-guiding-principles
- ONC. HTI-1 Final Rule. https://healthit.gov/regulations/hti-rules/hti-1-final-rule/
- Mintz. HTI-1 Transparency Requirements. January 8, 2024. https://www.mintz.com/insights-center/viewpoints/2146/2024-01-08-hhs-onc-hti-1-final-rule-introduces-new-transparency
- ONC. HTI-1 DSI Fact Sheet. https://healthit.gov/wp-content/uploads/2023/12/HTI-1_DSI_fact-sheet_508.pdf
- Hogan Lovells. MDCG 2025-6 — MDR/IVDR vs AI Act Interplay. June 20, 2025. https://www.hoganlovells.com/en/publications/mdcg-published-new-guidance-on-the-interplay-between-the-mdr-ivdr-and-the-ai-act
- Alston & Bird. HIPAA Security Rule Overhaul. November 2025. https://www.alston.com/en/insights/publications/2025/11/hipaa-security-rule-overhaul
- VC3. Navigating 2026 HIPAA Security Rule Changes. April 28, 2026. https://www.vc3.com/blog/navigating-2026-hipaa-security-rule-changes
- AHIMA. ONC Decision Support Interventions Certification Criteria. https://www.ahima.org/education-events/artificial-intelligence/artificial-intelligence-regulatory-resource-guide/onc-decision-support-interventions-certification-criteria/
- California CDI. SB 1120 Guidance on AI in Utilization Management. https://www.insurance.ca.gov/0250-insurers/0500-legal-info/0200-regulations/HealthGuidance/upload/SB-1120-1-Guidance-Use-of-Artificial-Intelligence-Algorithms-and-Other-Software-Tools-in-Utilization-Management.pdf