Weekly Healthcare Compliance Update

This week’s compliance landscape covers three developments every compliance officer should understand: a White House AI policy framework that is already reshaping how healthcare organizations govern their use of artificial intelligence, fresh OIG guidance that dismantles a widespread misconception about fraud and abuse law, and a long-overdue federal rule that will finally eliminate fax machines from claims processing. Here’s what matters, and what to do about it.

The White House’s National AI Policy Framework Has Major Implications for Future Healthcare Compliance

On March 20, 2026, the Trump Administration released its National Policy Framework for Artificial Intelligence, a four-page document outlining legislative recommendations for Congress to establish a single, nationally uniform approach to AI regulation. The framework does not itself create binding law, but its direction has immediate practical consequences for healthcare compliance officers navigating an already fragmented regulatory environment.

Key Details

The framework builds on a December 2025 Executive Order and proposes that Congress adopt legislation broadly preempting state AI laws deemed to impose “undue burdens,” while establishing an AI Litigation Task Force to challenge state laws on constitutional grounds in the interim. For healthcare organizations, this creates a compliance planning dilemma: state AI laws in California, Colorado, Texas, and elsewhere remain fully in force today, and it is far from certain when or whether Congress will act.

Notably, the framework does not create any new federal AI regulator. Instead, it favors sector-specific regulation through existing agencies and industry-led standards, meaning healthcare AI would continue to be governed by CMS, FDA, DOJ, and OCR under their existing authorities. Separately, HHS has proposed the HTI-5 rule, which would remove the Biden-era requirement that clinical decision support developers produce “model cards” disclosing data sources, eliminating some of the only existing federal transparency guardrails for healthcare AI.

The practical compliance stakes are already real. AI in healthcare has moved rapidly from peripheral use cases to core clinical and operational infrastructure, embedded across clinical decision support, diagnostics, and administrative workflows. Organizations that have not yet built AI governance programs are already behind.

What This Means for You

The framework signals the direction of federal AI policy, but it does not resolve today’s compliance obligations. Healthcare and life sciences stakeholders must maintain compliance strategies nimble enough to accommodate diverging state and federal requirements, as the legal durability of executive actions remains uncertain and the framework’s recommendations are not yet binding law.

That means two tracks of work right now. First, audit your current AI use cases—clinical decision support tools, prior authorization algorithms, coding automation, patient-facing chatbots—and document your governance framework for each. Second, maintain your state law compliance obligations in full. Organizations that abandon state AI safeguards in anticipation of federal preemption are taking a legal risk that is not yet warranted. Review all vendor contracts for AI-enabled products to ensure they address data privacy, HIPAA compliance, and accountability when AI outputs affect patient care decisions.

Frequently Asked Questions

Does the Trump Administration’s National AI Policy Framework apply to healthcare organizations now? Not directly. The framework released on March 20, 2026 is a set of legislative recommendations to Congress, not a binding law. Healthcare organizations remain subject to existing federal and state AI-related obligations—including HIPAA, FDA guidance on clinical decision support, and applicable state AI laws—until and unless Congress acts.

What is the practical compliance risk for healthcare organizations using AI today? The primary risk is operating without a documented AI governance framework while regulators, both state and federal, are actively developing enforcement expectations. OCR, CMS, and the DOJ all retain existing authority to investigate AI-related HIPAA violations, discriminatory algorithmic outcomes, and fraudulent billing practices that involve AI tools, regardless of the broader federal framework debate.

OIG Issues New FAQ Guidance Clarifying a Critical & Common Fraud and Abuse Law Misconception

On April 23, 2026, the HHS Office of Inspector General (OIG) updated its General Questions Regarding Certain Fraud Waste and Abuse Authorities publication with two significant new FAQ entries. Although the principles articulated are not new, the timing and clarity of these FAQs reflect OIG’s continued effort to correct common (and risky) misunderstandings in the healthcare industry regarding the federal Anti-Kickback Statute (AKS), the Physician Self-Referral Law (Stark Law), and the role of fair market value analyses.

Key Details

The first new FAQ tackles a persistent compliance misconception head-on: because Stark Law exceptions and AKS safe harbors often share similar, and sometimes identical, elements, many in the healthcare industry assume that Stark Law compliance equates to AKS compliance. OIG’s updated FAQ makes clear that this inference is wrong.

A party that knowingly and willfully offers and pays any remuneration to induce or solicit referrals for federal health care programs could be liable under the AKS even if the financial arrangement satisfies the requirements of a Stark Law exception. OIG illustrates the point with a concrete example: under the Stark Law’s Nonmonetary Compensation exception, tickets to sporting events or other entertainment provided to physicians are protected under Stark as long as they fall under the annual per-physician cap, which for calendar year 2026 is $535 per physician per year. However, the AKS has no equivalent safe harbor, and providing such items with the requisite intent could violate the AKS even if the Stark exception is satisfied.

The second new FAQ addresses fair market value (FMV): OIG expressly rejects the industry argument that FMV compensation eliminates unlawful remuneration under the AKS, calling that position inconsistent with the statutory text, the regulatory safe harbors, and decades of OIG guidance.

The stakes of getting this wrong are severe. Under the AKS, criminal penalties include fines and up to five years’ imprisonment. Civil monetary penalties can reach $50,000 per violation plus three times the amount of the remuneration. Violating both Stark and the AKS can also trigger False Claims Act liability, multiplying exposure dramatically and potentially adding further criminal liability and larger fines.

What This Means for You

These FAQs serve as a reminder that neither technical compliance with Stark nor reliance on a fair market value benchmark, standing alone, insulates an arrangement from AKS scrutiny. Each arrangement must be evaluated on a case-by-case basis, with attention paid to the letter, spirit, and purpose of the AKS.

Healthcare organizations—particularly those that structure compensation arrangements, provide anything of value to physicians, or manage referral relationships—should treat Stark and AKS analyses as entirely separate compliance exercises. Train legal, compliance, and operational staff to understand that a green light under one law is not a green light under the other. Document the intent and business rationale behind every arrangement that touches a referral source. When in doubt, seek an advisory opinion from OIG.

Frequently Asked Questions

What is the difference between the Stark Law and the Anti-Kickback Statute? The Stark Law is a strict liability civil statute that prohibits physicians from referring Medicare or Medicaid patients for designated health services to entities where the physician has a financial interest, unless a specific exception applies. Intent is not required. The AKS is a criminal statute that prohibits knowingly and willfully offering, paying, soliciting, or receiving anything of value to induce or reward referrals for federal health care program items or services. Intent is the central element. Because the laws operate differently, an arrangement can satisfy one but still violate the other.

Can a financial arrangement that complies with the Stark Law still violate the Anti-Kickback Statute? Yes. OIG’s April 2026 FAQ confirms this explicitly. Satisfying a Stark exception does not insulate an arrangement from AKS liability. If the remuneration was offered or paid with the intent to induce or reward referrals, an AKS violation may exist regardless of Stark compliance.

CMS Finally Standardizes Electronic Claims Attachments — 30 Years After HIPAA Required It

CMS has established the first-ever HIPAA-adopted standards for health care claims attachments, enabling the secure electronic exchange of health care claims-related supporting clinical documentation such as medical records, X-rays and imaging, clinical notes, telemedicine visit documentation, and laboratory results. The final rule was published March 24, 2026, takes effect May 26, 2026, and requires compliance by May 26, 2028. Notably, this closes a regulatory gap that has existed since HIPAA was enacted in 1996: Congress required HHS to adopt claims attachment standards nearly three decades ago.

Key Details

The compliance gap this rule addresses has been glaring. Despite the healthcare industry’s widespread use of electronic health records and broad implementation of HIPAA transaction standards, the exchange of claims attachments has remained largely manual, frequently relying on fax, mail, or portal uploads. The result has been systemic: delays in claims adjudication, administrative burden, inconsistent documentation formats across plans, and higher costs across the entire system.

The new rule replaces that patchwork with standardized transaction formats. The rule adopts specific ASC X12 Version 6020 standards for claims attachment-related transactions, including X12N 275 (Additional Information to Support a Health Care Claim or Encounter) and X12N 277 (Health Care Claim Request for Additional Information), along with HL7 implementation guides as HIPAA standards for the clinical content exchanged.

The financial case for compliance is straightforward: the rule is projected to save the healthcare industry $781.98 million annually. Implementation costs, however, are real. Estimated costs to prepare for the 2028 deadline among hospitals fall within a range of $1.4 billion to $2.84 billion, with CMS projecting that approximately 60% of those costs would be borne by health IT vendors.

The current state of electronic adoption in this area underscores why the runway matters: between 2023 and 2025, adoption by medical plans of fully electronic administrative transactions improved or remained stable in most transaction categories—including 98% for claims submission—but fell from 29% to 24% for attachments specifically. That regression makes early preparation even more critical.

What This Means for You

The two-year compliance window is not as generous as it sounds given the IT infrastructure and vendor coordination involved. CMS intentionally provided a two-year compliance period to allow organizations time to update systems, vendor arrangements, and operational workflows. When the deadline arrives, providers will be prohibited from sending paper-based submissions to payers for attachments such as medical records, clinical notes, imaging, lab results, and telehealth visit documentation.

Start now. Conduct a workflow audit to identify every point in your claims process where documentation is currently transmitted by fax, mail, or portal upload. Then engage your EHR vendor and clearinghouse directly — ask them for a written implementation roadmap and timeline for the new X12 and HL7 standards. Organizations that defer this work until 2027 or 2028 risk being blocked from submitting supporting documentation for claims, which would create immediate revenue cycle disruption.

Also note the HIPAA Security Rule intersection: any electronic transmission of claims attachment documentation must be secured in accordance with HIPAA Security Rule requirements, including appropriate encryption in transit and at rest.

Frequently Asked Questions

What are health care claims attachments? Claims attachments are the supporting clinical and administrative documentation that health plans request from providers to process and adjudicate claims. This includes medical records, lab results, imaging, clinical notes, and telemedicine documentation. Prior to this rule, there was no standardized electronic format for transmitting this documentation, so it was typically sent by fax, mail, or manual portal upload.

When must covered entities comply with the new electronic claims attachment standards? The final rule is effective May 26, 2026. Full compliance is required by May 26, 2028. All HIPAA-covered entities—health plans, healthcare providers, and clearinghouses—are subject to the new standards.

Healthcare compliance regulations move fast. Check back every Wednesday for the developments that impact your healthcare business.
