AI tools are now being integrated into clinical scheduling, medication dispensing, patient communications, and diagnostic decision-making across the industry, according to a new analysis written by Alab Shah, a member of the firm and co-chairman of the Epstein Baker Green Artificial Intelligence Cross-Practice Working Group.
The shift has direct implications beyond health care, according to Shah’s analysis, published in TechReg Proceedings. Financial institutions connected to the healthcare economy through payment pathways, insurance products, employer health benefits, lending to providers, and health-focused consumer financial instruments will feel the effects as the environment of responsibility tightens.
Compliance framework that has not caught up
Shah said the pace of AI adoption in healthcare has outpaced the rules designed to govern it. Federal agencies operate within frameworks designed for a different era. The Food and Drug Administration is expanding its oversight of AI tools that impact clinical decisions. At the same time, the Department of Health and Human Services is examining how AI platforms engage with patient data under current privacy law, and the Federal Trade Commission is showing interest in how AI vendors describe and market their products.
At the same time, states are moving independently, Shah said. California, Colorado, Utah, and others have passed or proposed AI-specific regulations that apply to healthcare settings, each creating its own compliance obligations. Healthcare organizations operating in multiple states now face a patchwork of rules without a clear federal standard to anchor them.
For fintech companies that provide payment infrastructure or data for healthcare clients, Shah’s analysis shows why this is important. Vendor contracts are the point of enforcement. When an AI tool generates an error that results in a regulatory action or patient harm claim, the question of who bears that responsibility comes down to the language of the contract.
Healthcare organizations are demanding strong indemnification protections, audit rights over AI systems, and notification requirements when a vendor makes significant changes to how its models work, Shah said. Fintech companies and payment companies that supply this sector will face the same pressures.
Data is the primary risk
AI in healthcare relies on patient data, and Shah identified data management as the main risk. This data is protected by federal privacy law, and the associated compliance obligations are not simple.
When a third-party vendor processes patient records through an AI system, existing privacy frameworks require formal data agreements that specify how that information can and cannot be used. Training the AI model on patient data requires additional scrutiny, Shah said. If this data is used to improve the vendor’s product outside the scope of the original agreement, organizations could be at risk.
Interoperability is a compounding factor, Shah said. AI is accelerating the ability of healthcare systems to share data across networks, and as this data moves more freely, the attack surface for cyber threats expands. Health systems are advised to treat AI-powered data sharing as a distinct category of cybersecurity risk, and financial services companies are already managing similar exposures. In short, the two sectors are converging on the same governance challenge.
What does good governance look like?
Organizations that are navigating this period most effectively are treating it as a corporate risk issue that sits at the board level, Shah said.
This means building internal structures that include legal and compliance input in every AI deployment decision, mapping each AI tool to the regulatory frameworks that may apply to it, and updating those assessments when the tool changes. Contracts should include clear accountability for what the AI does, how it changes over time, and who takes responsibility when something goes wrong.
Organizations that can demonstrate to payers, regulators, and business partners that their AI programs are well managed and compliant are better positioned to scale. Those that treat compliance as an afterthought face exposure to enforcement, litigation, and reputational risks that will worsen as regulators become increasingly assertive.
Takeaways for financial executives
Shah’s broader argument translates directly to the financial sector. AI adoption in healthcare is progressing rapidly, and the governance infrastructure is still being built in real time.
The vendor contracts that organizations sign with health system customers, the data flows they facilitate, the payment products associated with healthcare spending, and any AI tools deployed in health-related services all fall within an expanding regulatory space. Shah’s analysis shows that understanding one’s position in the healthcare AI value chain is critical to running a modern financial services business.





