PriMera Scientific Medicine and Public Health (ISSN: 2833-5627)

Review Article

Volume 8 Issue 2

Aligning Privacy and Device Oversight for Healthcare AI: A Governance Cross-Walk and Reform Options

Valentina Palama*

January 29, 2026

Abstract

Background: The rapid use of software-based clinical tools in U.S. care settings has outpaced governance designed for static devices and siloed data. In practice, privacy obligations under HIPAA/HITECH and safety/effectiveness oversight by the FDA proceed in parallel rather than in sync, creating lifecycle gaps once tools are deployed and updated.

Methods: We conducted a structured, desk-based review of publicly available federal materials (FDA device decisions, ONC certification resources, and CMS coverage determinations) and state statutes on medical devices and health data, supplemented by a targeted scoping review of peer-reviewed policy literature (2019-2025). No human-subjects data were collected.

Results: A cross-walk of these sources shows overlapping mandates with material gaps in post-deployment monitoring, data provenance, and change control. State privacy laws diverge on de-identification and secondary use, and payer policies vary in recognizing real-world performance evidence. These disconnects concentrate compliance burden on providers and vendors while offering limited clarity on ongoing risk management. We provide a governance cross-walk that maps HIPAA/HITECH requirements to FDA lifecycle stages and specifies practical artifacts (e.g., risk analysis, de-identification memorandum, audit-log procedures) to streamline reviews.

Conclusion: Fragmented privacy and device oversight creates operational, legal, and economic friction for health systems. Harmonized, risk-based oversight that pairs privacy and safety at each lifecycle stage, supported by standardized impact assessments and minimum post-deployment monitoring, can reduce duplication and support more equitable adoption without weakening patient protections.

Keywords: Health information privacy; medical device oversight; HIPAA; FDA; policy analysis; implementation barriers
