
Are AI tools putting you at risk for lawsuits?
Key Takeaways
- State laws and medical boards increasingly assign clinicians final accountability for accepting or rejecting AI recommendations, making “human-in-the-loop” verification central to the evolving standard of care.
- Vendor risk is amplified by heavy startup penetration, necessitating due diligence on HIPAA controls, security risk assessments, validation history, and operational maturity before contracting.
AI tools are becoming quite common in health care settings, but what happens when something goes wrong?
Medical Economics spoke with Dan Silverboard, a health care attorney with Holland & Knight, about how
(Editor’s note: This transcript has been edited for clarity and brevity.)
Medical Economics: From a legal standpoint, how is AI in health care currently being treated — as decision support, a medical device or something else?
Dan Silverboard: It's a good question. I think you can look at that through the lens of the regulating entities — those people out there who are passing laws and regulations that affect the use of artificial intelligence in health care. States are regulating AI primarily as a unique technology that supports clinical decision-making and medical records documentation by licensed health care professionals, not necessarily as a medical device. The FDA does not independently regulate AI. They regulate medical devices and indirectly regulate AI based on whether or not it's incorporated into the medical device.
Medical Economics: What are the biggest liability risks physicians and health care organizations face when using AI-assisted clinical decision tools?
Silverboard: Generally speaking, artificial intelligence in health care is still an evolving technology. We still have headlines about hallucinations taking place and things of that nature. I would say there are really two risks. The first risk is that 85% of all investment in health care AI is going to startups. There are not many vendors with proven historic track records of providing AI tools that pass the litmus test of HIPAA compliance, have years of validation testing or are 100% accurate. So, health care providers need to conduct due diligence on the vendor they contract with to make sure those compliance protections are in place. The second key risk is that health care providers may simply sign off on whatever recommendation the AI program makes or approve ambient documentation without verifying that it accurately reflects the encounter. Those are the two key risks.
Medical Economics: If an AI-generated recommendation contributes to patient harm, who is responsible?
Silverboard: First you have to look at the standard of care around the use of AI in health care. Several states, through medical boards or statute, have established that a medical professional is ultimately responsible for approving or denying AI recommendations. I do not think you would have a situation where an AI program itself would be solely responsible for an adverse event because, legally speaking, the provider must sign off on the recommendation. Whether a technology vendor could be liable comes back to the vendor contract. Many contracts require that a physician sign off and include broad liability disclaimers. Having said that, vendors could potentially be liable if the AI program is wholly deficient — for example, if it was trained on biased or false data.
Medical Economics: Should physicians document their use of AI in the medical record to reduce legal risk?
Silverboard: Yes. Some states have passed legislation and medical boards have issued guidance on this, such as North Carolina. Physicians should document if AI was used, whether they followed the recommendation and why. If they deviate from or reject an AI recommendation, they should note that in the medical record.
Medical Economics: What about administrative AI tools used for coding, prior authorizations and documentation — are there compliance or billing risks?
Silverboard: At the end of the day, responsibility from a legal standpoint falls on the provider. The provider is attesting to the accuracy of information submitted to the health insurer as part of the claim. Providers and organizations need periodic auditing and monitoring of billing documentation, whether AI-generated or not, to ensure accuracy. There is no “get out of jail free card” if an AI recommendation results in a higher code than what was actually performed.
Medical Economics: How should organizations approach vendor contracts for AI tools to ensure legal protections?
Silverboard: Health care providers will want robust representations and warranties that the vendor is HIPAA compliant, including privacy and security policies and security risk assessments. They will also want assurances that the vendor conducts ongoing validation and bias testing and reports problems. Contracts should include representations that the vendor has a data governance plan and that the technology is free of claims that the program or its training data is biased or untrustworthy.
Medical Economics: What privacy issues arise when AI systems continuously learn from patient data?
Silverboard: A key issue is whose benefit the AI training serves. Under one interpretation of HIPAA, a vendor can train data only if it benefits the provider it is contracted with, not for general product improvement using protected health information. If the data is de-identified, there is more flexibility. Another issue is the risk that de-identified data could be re-identified using AI. Contracts or business associate agreements should prohibit vendors and downstream contractors from attempting to re-identify data.
Medical Economics: What are the legal concerns if clinicians rely too heavily on ambient AI documentation?
Silverboard: It comes back to the standard of care and ensuring providers check that the medical record is accurate. Texas, for example, has a statute requiring providers who use AI to record encounters to verify accuracy. That remains the number one concern.
Medical Economics: What questions should practices ask before deploying AI tools?
Silverboard: It is still early days and there are many AI companies. First, providers need to determine who they will partner with and conduct diligence to ensure the vendor has a proven track record of compliance, including HIPAA compliance. Second, patient comfort with AI is still about 50-50, so physicians should understand their patient base when deciding how to implement AI, whether back-office or patient-facing. Third, providers should consider how they will disclose AI use to patients — whether disclosure is legally required, done voluntarily or included in a Notice of Privacy Practices.
Medical Economics: Do you expect AI-related malpractice or compliance litigation to increase over the next five years?
Silverboard: If the Department of Health and Human Services is correct that AI will decrease adverse patient events, litigation risk could decline. However, litigation related to insurers using AI and algorithms to deny, downcode or reject prior authorization requests is already occurring and will likely continue.
Medical Economics: Anything else medical practices should know about AI?
Silverboard: Artificial intelligence holds great promise for the future of health care, but it is still early days. Health care providers need to be vigilant about the vendors they contract with and conduct periodic auditing and monitoring, especially for programs that generate billing codes and clinical recommendations and include those compliance checks in their compliance programs.





