Important: Read first
This healthcare AI policy resource is a planning and governance framework for Mississippi hospitals, health systems, clinics, behavioral health and long-term care providers, public health programs, and other healthcare organizations. It is not a final policy, not legal advice, and not a mandatory model. Healthcare is among the most heavily regulated sectors, and AI use intersects with patient safety, privacy, nondiscrimination, professional licensure, and reimbursement. Adapt this to your organization’s services, patient population, and risk posture, and review it with your compliance, privacy, information security, legal, clinical, and medical staff leadership before adoption.
1. Start here: the law that already applies to healthcare AI
2. What this template covers
3. Introduction: purpose of this healthcare AI framework
4. What this template is, and what it is not
5. Foundational principles healthcare organizations may adopt
6. Governance, roles, and accountability
7. Acceptable use and prohibited use
8. HIPAA, patient privacy, and data security
9. Clinical use, decision support, and patient safety
10. Nondiscrimination and health equity
11. FDA-regulated AI and software as a medical device
12. Coverage, prior authorization, and payer use of AI
13. Transparency, documentation, and patient communication
14. Procurement and vendor management
15. Administrative and operational uses
16. Human resources and employment uses
17. Workforce training and AI literacy
18. Risk management, incident response, and safety reporting
19. Governance review and continuous improvement
20. Key authoritative resources to monitor
21. Implementation checklist
22. Closing statement healthcare organizations may adapt
Start here: the law that already applies to healthcare AI
For healthcare organizations, AI does not begin on a blank slate. Existing federal law already governs much of how AI may be used with patients and patient data, regardless of newer rules still in progress. The most important baselines are HIPAA for the privacy and security of protected health information, Section 1557 of the Affordable Care Act for nondiscrimination, including through patient care decision support tools, FDA authority over AI that functions as a medical device, and CMS rules on how AI may be used in coverage and prior authorization decisions. State-operated healthcare entities in Mississippi, such as university health systems, the State Department of Health, and the Division of Medicaid, should also align with the Mississippi ITS AI Acceptable Use Policy.
Sample guidance language
“The organization uses AI only in ways consistent with HIPAA, Section 1557, FDA requirements for medical devices, CMS coverage rules, professional licensure and scope-of-practice standards, and applicable state law. Where AI is the tool used to carry out a regulated activity, the underlying legal obligation still applies.”
Two points of context matter for planning. States retain authority to regulate AI, since the proposed federal moratorium on state AI laws was removed before enactment in 2025. And Mississippi’s AI Regulation Task Force is studying acceptable use of AI in healthcare, so state-level expectations may develop over time.
What this template covers
Each topic follows the same pattern: purpose, key questions, sample policy language, implementation considerations, common pitfalls, and stakeholders to involve. Sections cover foundational principles, governance, acceptable and prohibited use, HIPAA and security, clinical use and patient safety, nondiscrimination and health equity, FDA-regulated AI, coverage and payer use, transparency and documentation, procurement, operations, human resources, training, risk management, and ongoing review.
Introduction: purpose of this healthcare AI framework
This document helps a healthcare organization develop, review, and maintain its own approach to artificial intelligence and generative AI. A sound approach does three things at once. It enables useful efficiency and clinical support. It protects patients, the workforce, and protected health information. And it preserves human judgment wherever clinical, legal, financial, or safety stakes are high. Most organizations are best served by a short framework plus targeted procedures by function, rather than one document that tries to cover every scenario.
What this template is, and what it is not
Policy sets mandatory rules, authorities, and consequences. Guidance explains how to apply policy in practice. Procedures define operational steps, approvals, and controls. Best practices are recommended approaches that change faster than policy. Assign each topic to the right level so durable rules stay stable while tool-specific direction can evolve. Where a rule is already set by law, accreditation, or medical staff bylaws, your policy should point to it rather than restate or contradict it. This is a planning resource, not legal advice, and not a substitute for your compliance, privacy, and clinical governance functions.
Foundational principles healthcare organizations may adopt
Key questions
What values anchor AI use, and how will they become real controls?
Sample guidance language
“The organization grounds its use of AI in patient safety, human oversight and clinician accountability, privacy and security of health information, nondiscrimination and health equity, transparency appropriate to context, clinical validity and evidence, and proportionality, so that controls match the level of risk.”
Implementation considerations
Tie each principle to a control. For example, patient safety and human oversight should map to a documented requirement that a qualified person reviews AI output before it informs a diagnosis, treatment, or coverage decision.
Common pitfalls
Principles with no owner or measurable control.
Stakeholders to involve
Chief medical officer, chief nursing officer, compliance officer, privacy officer, chief information security officer, CIO, legal, quality and patient safety, and a health equity lead.
Governance, roles, and accountability
Purpose
Define who decides, who reviews, and who is accountable for AI across clinical and business functions.
Sample guidance language
“The organization designates an accountable owner for AI governance and establishes a cross-functional committee including clinical leadership, compliance, privacy, information security, IT, quality and patient safety, legal, and revenue cycle. Enterprise decisions, approved tools, clinical deployments, and exceptions require designated approval.”
Implementation considerations
Maintain a central inventory of AI tools in use, including AI features embedded in the electronic health record and other software, with their data flows, intended use, validation status, and owners. Require periodic reporting to leadership and the board on adoption, incidents, and compliance.
Common pitfalls
Shadow AI use, ungoverned EHR AI features, fragmented adoption, and unclear accountability between clinical and IT.
Stakeholders to involve
CMO, CNO, compliance, privacy officer, CISO, CIO, quality and patient safety, legal, and medical staff leadership.
Acceptable use and prohibited use
Sample guidance language
“Workforce members may use organization-approved AI tools for authorized purposes consistent with HIPAA, professional standards, and this policy. No one may enter protected health information or other confidential data into AI systems that are not approved and, where required, covered by a business associate agreement. Human review by a qualified person is required before AI output is used in any clinical decision, patient communication, medical record entry, or coverage determination.”
Common pitfalls
Treating all AI as banned or all AI as acceptable, pasting protected health information into public chatbots, and quietly automating decisions that affect patients.
Stakeholders to involve
Compliance, privacy officer, CISO, clinical leadership, and HR.
HIPAA, patient privacy, and data security
Purpose
Protect protected health information and other sensitive data in AI use.
Key questions
Which tools may touch protected health information? Which require a business associate agreement? What is prohibited in consumer or unapproved tools?
Sample guidance language
“No workforce member may input protected health information or other restricted data into an AI system unless that system is approved for the data category, governed by a business associate agreement where the vendor handles protected health information on the organization’s behalf, and configured with appropriate access, logging, retention, and training controls. The organization reviews vendor model-training and data-use terms before approval and disables vendor training on the organization’s data unless that use has been specifically reviewed and approved.”
Implementation considerations
Map AI use to your HIPAA Security Rule risk analysis and data-classification scheme. Treat any AI vendor that creates, receives, maintains, or transmits protected health information on the organization’s behalf as a business associate. Apply the de-identification standard correctly: under the HIPAA Privacy Rule, data is de-identified only through Safe Harbor removal of all the listed identifiers or a documented Expert Determination, and stripping a name or medical record number alone does not qualify. Remember that re-identification risk and free-text protected health information in prompts are common failure points; a dictated note or a pasted message can carry dates, ages, and narrative details that identify a patient even when structured fields were removed. Monitor the proposed HIPAA Security Rule update, which was published for comment in 2025 and is not yet final, and adjust controls as it is finalized.
Common pitfalls
Assuming a vendor default setting is safe, relying on weak de-identification, and missing protected health information hidden in prompts, images, or uploaded documents.
Stakeholders to involve
Privacy officer, CISO, CIO, compliance, legal, and health information management.
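As an added illustration of the controls described in the acceptable-use and HIPAA sections above (written for this page; it is not code from MAIN, a vendor, or any EHR), the following Python gate checks a prompt against an approved-tool inventory before the prompt leaves the organization: the tool must exist in the inventory and be approved for the prompt's data class, and protected health information may go only to a tool with an executed business associate agreement and vendor training disabled. The tool names, owners, and the MRN format are constructed assumptions. The identifier patterns are deliberately few; they catch obvious direct identifiers in free text and do not replace de-identification or a full DLP review of uploads and images.

```python
import re
from dataclasses import dataclass

# Constructed inventory entries for illustration; the tool names, owners and
# data-class labels are hypothetical and do not refer to real products.
@dataclass(frozen=True)
class ToolEntry:
    name: str
    approved_data_classes: frozenset   # subset of {"public", "internal", "phi"}
    baa_in_place: bool                 # business associate agreement executed
    vendor_training_disabled: bool     # confirmed by contract and in the tool's settings
    owner: str

INVENTORY = {
    "public-chatbot": ToolEntry("public-chatbot", frozenset({"public"}), False, False, "none"),
    "enterprise-assistant": ToolEntry("enterprise-assistant", frozenset({"public", "internal"}), False, True, "CIO"),
    # Approved for PHI on paper, but vendor training was never switched off: the gate must catch this.
    "pilot-scribe": ToolEntry("pilot-scribe", frozenset({"public", "internal", "phi"}), True, False, "CMIO"),
    "ehr-ambient-scribe": ToolEntry("ehr-ambient-scribe", frozenset({"public", "internal", "phi"}), True, True, "CMIO"),
}

# Direct-identifier patterns. The MRN format is an assumption (real formats vary by EHR).
# Pattern matching finds only obvious identifiers; it is a guard rail, not a
# de-identification method, and misses names, narrative details, and PHI inside
# images or uploaded documents.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,8}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
}

AUDIT_LOG = []  # one record per decision, kept for later review


def find_phi(text):
    """Return the sorted list of identifier types detected in the prompt."""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


def classify(text):
    """Anything without detected PHI defaults to 'internal': the gate cannot prove a
    prompt is public, so a tool approved only for public data never receives it."""
    return "phi" if find_phi(text) else "internal"


def authorize(tool_name, text, inventory=INVENTORY):
    """Decide whether a prompt may be sent to a tool. Returns (allowed, reason)."""
    tool = inventory.get(tool_name)
    found = find_phi(text)
    if tool is None:
        decision = (False, "tool is not in the approved inventory")
    else:
        data_class = classify(text)
        if data_class not in tool.approved_data_classes:
            decision = (False, f"tool not approved for data class '{data_class}'"
                               f" (identifiers: {', '.join(found) or 'none'})")
        elif data_class == "phi" and not tool.baa_in_place:
            decision = (False, "PHI requires an executed business associate agreement")
        elif data_class == "phi" and not tool.vendor_training_disabled:
            decision = (False, "PHI requires vendor model training to be disabled")
        else:
            decision = (True, f"approved for '{data_class}'; owner {tool.owner}")
    AUDIT_LOG.append({"tool": tool_name, "identifiers": found,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    # Constructed prompts, not real patient data.
    samples = [
        ("public-chatbot", "Summarize the discharge note for MRN 1234567, DOB 01/02/1960"),
        ("enterprise-assistant", "Draft a staff memo about parking changes"),
        ("enterprise-assistant", "Write a letter to the patient with SSN 123-45-6789"),
        ("pilot-scribe", "MRN 1234567 visit note: follow-up in two weeks"),
        ("ehr-ambient-scribe", "MRN 1234567 visit note: follow-up in two weeks"),
        ("unknown-tool", "hello"),
    ]
    for tool, prompt in samples:
        allowed, reason = authorize(tool, prompt)
        print(f"{tool:22} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

Run stand-alone, the script prints one decision per sample prompt. In a real deployment the inventory would be loaded from the governance register described in the governance section rather than hard-coded, the audit records would go to the SIEM so that blocked attempts can be reviewed and used for training, and the identifier list would be replaced by the organization's DLP engine.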
Clinical use, decision support, and patient safety
Purpose
Govern AI that supports diagnosis, treatment, triage, documentation, and other clinical work.
Key questions
Which clinical uses are permitted, which require validation and oversight, and which are prohibited? How is human responsibility preserved?
Sample guidance language
“AI may support, but not replace, the professional judgment of licensed clinicians acting within their scope of practice. A qualified clinician remains responsible for clinical decisions and for reviewing AI-generated output, including ambient documentation, before it is relied upon or entered into the record. Clinical AI tools are validated for the organization’s patient population and intended use before deployment and are monitored for performance, drift, and safety over time.”
Implementation considerations
Distinguish FDA-regulated clinical AI from non-device administrative tools. Require local validation, clinician training, and a clear intended-use statement. Establish monitoring for model drift and a process to suspend a tool that underperforms. For ambient scribes and generative documentation, require clinician review and attestation before signing.
Common pitfalls
Automation bias and overreliance, using a tool outside its validated population or intended use, unreviewed AI-generated notes, and clinician deskilling.
Stakeholders to involve
CMO, CNO, medical staff, quality and patient safety, pharmacy where relevant, clinical informatics, and compliance.
Nondiscrimination and health equity
Purpose
Prevent discrimination and inequitable impact in AI-supported care.
Key questions
Could a tool produce biased or discriminatory results across race, color, national origin, sex, age, or disability? How will the organization identify and mitigate that risk?
Sample guidance language
“Consistent with Section 1557 of the Affordable Care Act, the organization does not discriminate through its use of patient care decision support tools, including clinical algorithms and AI. The organization makes reasonable efforts to identify tools that use input variables related to protected characteristics and to mitigate the risk of discrimination from their use.”
Implementation considerations
Section 1557’s nondiscrimination requirements for patient care decision support tools have applied since May 1, 2025. The vacatur of certain Section 1557 provisions addressed gender-identity provisions and did not remove the patient care decision support tool requirements, which remain in effect. Inventory decision support tools, review vendor documentation and fairness evaluations, and document mitigation steps.
Common pitfalls
Assuming vendor tools are unbiased, ignoring known examples of biased clinical algorithms, and failing to document identification and mitigation efforts.
Stakeholders to involve
Compliance, Section 1557 coordinator, clinical leadership, health equity lead, legal, and quality.
FDA-regulated AI and software as a medical device
Purpose
Use AI medical devices within their authorized scope and manage change responsibly.
Key questions
Is the tool a regulated medical device? Is it FDA-authorized for the intended use? How are updates and model changes managed?
Sample guidance language
“AI that meets the definition of a medical device is used only consistent with its FDA clearance, authorization, or approval and its intended use. The organization tracks which AI tools are regulated devices, uses authorized versions, and manages model changes consistent with the manufacturer’s predetermined change control plan where one exists.”
Implementation considerations
Maintain a list of AI tools that are regulated devices versus non-device clinical decision support. The FDA has authorized a large and growing number of AI-enabled devices, and its expectations continue to develop, including finalized guidance on predetermined change control plans and additional draft guidance on lifecycle management. Confirm intended use and avoid using a device outside its cleared indications without appropriate review.
Common pitfalls
Using a device outside its cleared indications or validated population, missing that an update changed device behavior, and confusing marketing claims with FDA authorization.
Stakeholders to involve
Clinical or biomedical engineering, CMO, clinical informatics, compliance, procurement, and legal.
Coverage, prior authorization, and payer use of AI
Sample guidance language
“AI or algorithms may assist in utilization review and coverage workflows, but may not serve as the sole basis to deny, delay, or modify medically necessary care. Coverage and medical-necessity determinations are based on the individual patient’s circumstances and are made or confirmed by a qualified human reviewer.”
Implementation considerations
This reflects the CMS Medicare Advantage rule (CMS-4201-F), which requires that medical-necessity determinations be based on the individual patient’s circumstances; CMS has since clarified that an algorithm or AI tool cannot be the sole basis for a denial. Apply the same discipline to internal utilization management and to any payer-facing AI. Keep documentation that a human reviewer applied individual clinical judgment.
Common pitfalls
Letting an algorithm effectively decide denials, and failing to document individualized review.
Stakeholders to involve
Utilization management, case management, CMO, compliance, legal, and revenue cycle.
Transparency, documentation, and patient communication
Sample guidance language
“Where AI materially shapes information or services provided to patients, such as a chatbot, symptom checker, or automated message, the organization provides appropriate disclosure and ensures a patient can reach a qualified person. AI-generated content entered into the medical record is reviewed and attributable to a responsible human author.”
Implementation considerations
Decide where disclosure is appropriate and how to document AI assistance in the record. Do not present unverified AI output as clinical advice. Consider informed-consent implications where AI plays a meaningful role in care.
Common pitfalls
Undisclosed AI patient interactions, unreviewed AI content in the record, and chatbots giving unsafe or inaccurate health guidance.
Stakeholders to involve
Clinical leadership, compliance, privacy, patient experience, communications, and legal.
Procurement and vendor management
Purpose
Ensure AI tools are contractually, clinically, and technically suitable before acquisition or deployment.
Sample guidance language
“AI-enabled products and services undergo review for privacy, security, business associate obligations, clinical validation, bias evaluation, data ownership, retention, and model-training rights before acquisition or deployment.”
Implementation considerations
Add AI-specific questions to procurement. Is our data used to train vendor models, and can that be disabled by contract and in practice? Is there a business associate agreement? What validation, intended-use, and bias documentation does the vendor provide? What logs and audit trails exist, and where is data stored? Request standardized model documentation, such as the Coalition for Health AI model card, where available. Watch for AI features quietly added to existing clinical and business software.
Common pitfalls
Accepting broad vendor rights to retain and reuse protected health information, and buying embedded AI without review.
Stakeholders to involve
Procurement, privacy officer, CISO, compliance, the clinical sponsor, and legal.
Administrative and operational uses
Sample guidance language
“AI may support scheduling, documentation, coding and revenue cycle, communications, and other operations, subject to data-classification, privacy, and human-review requirements. AI does not make final decisions in high-stakes contexts without authorized human review, documented controls, and a manual fallback.”
Implementation considerations
Pilot first, measure accuracy and equity of impact, and keep a manual fallback. Apply special caution to coding and billing, where errors create compliance and False Claims Act exposure.
Common pitfalls
Automation drift, inaccurate AI-generated coding or billing, and inaccessible patient-facing services.
Stakeholders to involve
Operations leaders, revenue cycle, CIO, compliance, privacy, and communications.
Human resources and employment uses
Sample guidance language
“The organization exercises heightened caution where AI may influence hiring, screening, evaluation, scheduling, discipline, or workforce monitoring. Such uses require human review, legal review, and bias evaluation before deployment.”
Common pitfalls
Using AI in hiring or evaluation without validation, notice, or review for bias and accessibility.
Stakeholders to involve
HR, legal, compliance, and CISO.
Workforce training and AI literacy
Provide role-based training so clinicians, staff, and leaders can use approved AI tools responsibly, recognize risks such as hallucination and bias, and know what is prohibited. The Mississippi Artificial Intelligence Network (MAIN) offers free AI training that healthcare organizations can use to build foundational literacy and responsible-use skills across clinical and administrative teams.
Risk management, incident response, and safety reporting
Sample guidance language
“The organization manages AI risk using a documented, risk-based approach proportionate to impact, data sensitivity, and system autonomy. AI-related incidents, including patient-safety events and privacy breaches, are reported and handled through existing incident-response, patient-safety, and breach-notification processes.”
Implementation considerations
Use a recognized framework such as the NIST AI Risk Management Framework and its Generative AI Profile. Connect AI incidents to your patient-safety reporting, your HIPAA breach-notification process, and, for device malfunctions or patient harm, to FDA reporting where applicable. Mississippi’s data breach notification law applies to breaches of personal information.
Common pitfalls
Treating AI risk as optional, and failing to route AI harms into existing safety and breach processes.
Stakeholders to involve
Quality and patient safety, compliance, privacy officer, CISO, risk management, and legal.
Governance review and continuous improvement
Review this framework and related AI policies and procedures at least annually, and sooner after significant legal, regulatory, technological, or operational changes, or after an incident. Keep policy stable, and update procedures and guidance more often. Watch for finalization of the proposed HIPAA Security Rule update and FDA lifecycle guidance, for developments in CMS and Section 1557 enforcement, and for the recommendations of Mississippi’s AI Regulation Task Force.
Key authoritative resources to monitor
- HHS HIPAA for Professionals and the proposed HIPAA Security Rule update
- HHS Office for Civil Rights Section 1557 nondiscrimination rule, including patient care decision support tools
- FDA AI-enabled medical devices, predetermined change control plan guidance, and lifecycle management draft guidance
- CMS Medicare Advantage rule on the use of AI in coverage decisions
- ONC/ASTP HTI-1 rule on decision support interventions and algorithm transparency in certified health IT
- NIST AI Risk Management Framework and the Generative AI Profile
- Coalition for Health AI (CHAI) assurance standards and model cards
- AMA principles for augmented intelligence
- The Joint Commission and CHAI guidance on responsible use of AI in healthcare
- WHO guidance on AI and large multi-modal models in health
- Mississippi ITS AI Acceptable Use Policy (for state-operated healthcare entities) and the Mississippi AI Regulation Task Force (PEER) report
Implementation checklist
- ✓ Have we inventoried all AI in use, including AI features embedded in the EHR and other software?
- ✓ Have we named an accountable owner and a cross-functional AI governance committee?
- ✓ Have we defined approved, restricted, and prohibited uses, and kept protected health information out of unapproved tools?
- ✓ Have we confirmed business associate agreements for vendors that handle protected health information?
- ✓ Have we required validation, intended-use review, and human oversight for clinical AI?
- ✓ Have we addressed Section 1557 nondiscrimination for patient care decision support tools?
- ✓ Have we tracked which AI tools are FDA-regulated devices and used them within authorized scope?
- ✓ Have we ensured AI is not the sole basis for coverage or medical-necessity decisions?
- ✓ Have we addressed transparency, documentation integrity, and patient communication?
- ✓ Have we built AI questions into procurement and vendor management?
- ✓ Have we connected AI incidents to patient-safety, breach, and FDA reporting?
- ✓ Have we provided role-based training and set a review cycle?
Closing statement healthcare organizations may adapt
“This framework supports responsible, effective, and human-centered use of AI in healthcare. Because AI, law, and clinical practice continue to evolve, the organization treats it as a living resource and adapts it in consultation with its compliance, privacy, security, clinical, and legal leaders, and with appropriate medical staff governance.”
Sources and references
This template is MAIN’s own synthesis, informed by the following authoritative sources. It is a planning resource, not legal advice.
- HHS, HIPAA for Professionals, and the 2025 HIPAA Security Rule proposed update (proposed, not yet final)
- HHS OCR, Section 1557 final rule (2024), 45 CFR 92.210 on patient care decision support tools, and the 2026 Notice of Vacatur affecting only certain gender-identity provisions
- FDA, AI-enabled medical devices, predetermined change control plan final guidance, and lifecycle management draft guidance (2025)
- CMS, Contract Year 2024 Medicare Advantage and Part D final rule (CMS-4201-F)
- ONC/ASTP, HTI-1 final rule on algorithm transparency and decision support interventions
- NIST AI Risk Management Framework (AI 100-1) and Generative AI Profile (AI 600-1)
- Coalition for Health AI (CHAI)
- AMA principles for augmented intelligence
- The Joint Commission and CHAI, Guidance on Responsible Use of AI in Healthcare (2025)
- WHO, Ethics and governance of AI for health: large multi-modal models (2024)
- Mississippi ITS AI Acceptable Use Policy, Executive Order 1584, and the Mississippi AI Regulation Task Force (PEER) report (2026)
- Mississippi data breach notification law, Miss. Code Ann. § 75-24-29