AHA issues letter on the safe and responsible use of AI in healthcare

Written by Kirsten Peremore | October 29, 2025

On October 27, 2025, the American Hospital Association (AHA) submitted a formal letter to Michael Kratsios, Director of the Office of Science and Technology Policy (OSTP), in response to the federal government’s Request for Information (RFI) OSTP-TECH-2025-0067 on regulatory reform for artificial intelligence (AI) in health care.

What happened 

The letter, signed by Ashley Thompson, AHA’s Senior Vice President of Public Policy Analysis and Development, represented the interests of nearly 5,000 member hospitals, health systems, and health care organizations, along with over 270,000 affiliated physicians and 2 million nurses. 

The AHA commended the administration for recognizing that overly restrictive regulations can stifle innovation, raise costs, and reduce patient access to care, noting that administrative burdens currently account for more than $1 trillion annually, with nearly 40% of hospitals operating at negative margins. In its submission, the AHA outlined four key recommendations to the OSTP. The organization also criticized certain elements of the 2024 HIPAA cybersecurity proposed rule, calling for voluntary rather than mandatory requirements.

The pillars of the AHA recommendation

The first pillar, synchronizing and leveraging existing policy frameworks, calls for aligning new AI regulations with established systems like HIPAA, the NIST Cybersecurity Framework, FDA SaMD requirements, OCR anti-bias regulations, and CMS rules on AI use in Medicare Advantage to avoid redundancy and conflicting oversight. 

The second pillar, removing regulatory barriers, advocates for reforming overly burdensome rules that slow AI innovation, specifically urging Congress to strengthen HIPAA’s preemption clause to eliminate the confusing patchwork of state privacy laws, align 42 CFR Part 2 substance use disorder regulations with HIPAA for better data integration, and make the 2024 HIPAA cybersecurity rule voluntary rather than mandatory due to unrealistic restoration timelines. 

The third pillar, ensuring the safe and effective use of AI, discusses the need to keep trained clinicians in the loop when AI tools are used for coverage or care decisions, establish uniform privacy and security standards for third-party AI vendors, and develop post-deployment testing standards to maintain model validity and detect potential bias or errors over time. 

The fourth pillar, addressing organizational and infrastructural factors, focuses on increasing digital access and financial support for hospitals by aligning reimbursement incentives, expanding broadband and digital literacy programs, and fostering interagency collaboration among HHS, FCC, Commerce, Agriculture, and Education to build an equitable foundation for AI adoption in both urban and rural healthcare settings.

What was said 

According to the letter, “Given AI’s potential to drive efficiencies and enhance the quality of care, our members have urged that policy frameworks strike the appropriate balance of flexibility to enable innovation while ensuring patient safety. The AHA offers four categories of recommendations to maximize the potential for AI to improve care, accelerate innovation and support the health care workforce.”

The bigger picture 

Healthcare organizations are at risk of AI-powered phishing, deepfake scams, and data scraping campaigns becoming standard tools of digital extortion. Yet while 89% of IT leaders acknowledge that AI and machine learning are necessary for detecting such threats, fewer than half have implemented AI-powered defense systems, leaving a dangerous adoption gap.

The AHA’s four pillars directly address this tension. By advocating for synchronized regulation, stronger privacy frameworks, and clinician oversight in AI decisions, the association recognizes that innovation and security must evolve together. Its call for unified governance also speaks to the growing Shadow AI problem, where staff adopt unsanctioned tools like ChatGPT or Copilot without security clearance, putting protected health information (PHI) at risk. 

The AHA’s push for vendor accountability and consistent privacy standards mirrors the urgent need for business associate agreements (BAAs) with AI vendors, data loss prevention (DLP) tools, and clear organizational policies on AI use. The AHA’s guidance serves as both a policy anchor and a security roadmap.

FAQs

What is the AHA?

The AHA is a national organization representing hospitals and healthcare systems in the U.S. It advocates for policies that strengthen healthcare delivery, improve patient outcomes, and support hospital sustainability.

Why are the AHA’s recommendations needed in AI policy?

The AHA’s guidance helps shape how the federal government balances innovation with safety in the use of AI technologies across the healthcare sector.

How does AI impact healthcare today?

AI is used in diagnostic imaging, clinical documentation, patient scheduling, billing, and predictive analytics.