OSTP and FDA Request Public Input on AI Use. The White House’s Office of Science and Technology Policy (OSTP) published a Request for Information (RFI) titled “Regulatory Reform on Artificial Intelligence” seeking input on identifying federal legislation, regulations, guidance, or other requirements that impede the development, deployment, and adoption of artificial intelligence (AI) technologies. The RFI focuses on priorities for regulatory reform or other agency action necessary to promote AI innovation and adoption. The deadline to submit comments is October 27, 2025.

Separately, the Food & Drug Administration (FDA) released a request for public comment titled “Measuring and Evaluating Artificial Intelligence-enabled Medical Device Performance in the Real-World” seeking input on best practices, methodologies, and approaches for measuring and evaluating real-world performance of AI-enabled medical devices. The request is looking for feedback on approaches to detect, assess, and mitigate performance changes over time to address the safety and effectiveness of these medical devices throughout their life cycle. Comments are due by December 1, 2025.

California Enacts First AI Safety Law. California signed into law the Transparency in Frontier Artificial Intelligence Act, which is the first law that addresses AI safety. The intent of the new law is to ensure the safety of a foundation AI model by requiring the developer to describe their approach to incorporating national standards, international standards, and industry-consensus best practices into its AI framework. The developer must provide a summary of any catastrophic risk to the Office of Emergency Services, and it will develop a process for public reporting any critical safety incidents related to the AI model. The law also establishes a public cloud computing cluster to advance the development and deployment of AI that is safe, ethical, equitable, and sustainable by fostering research and innovation that benefits the public. The law goes into effect on January 1, 2026.

California and Alaska Enact Prior Authorization Laws. California and Alaska passed state laws aimed at reducing burdens related to prior authorizations. In California, Senate Bill 306 allows the Department of Managed Health Care to waive health plans’ requirements for prior authorizations when approvals for the services or prescriptions subject to authorization reach a 90% threshold. Health plans must report statistics by December 31, 2026, regarding covered health care services subject to prior authorization and the percentage rate at which they are approved or modified. In Alaska, Senate Bill 133 goes into effect on January 1, 2026, and requires health plans to make prior authorization determinations within 72 hours for routine and 24 hours for expedited requests. The law sets time limits on providers to submit any additional information needed by the health plan to process the request. Health plans must respond within required times or the request is approved by default. 

EHR Certification ID Changed September 1. The Centers for Medicare & Medicaid Services (CMS) EHR Certification ID generated as part of the Certified Health IT Product List (CHPL) changed to a new annual syntax on September 1. A year-based prefix now identifies the CMS program reporting year for the certified electronic health record (EHR). This change supports an edition-less certification framework and aligns with CMS reporting criteria as they evolve. As of September 1, CMS EHR Certification IDs begin with “2025C”, replacing the current “15C” prefix. The process of generating an identifier (ID) through the CHPL remains the same. More information is available in the CHPL Public User Guide. 

Final Rule for Federal Defense Contractor Cybersecurity Requirements. The Department of Defense (DoD) finalized regulations amending the Defense Federal Acquisition Regulation Supplement, which may impact health care organizations that provide health care coverage, services, or data processing for active military families and dependents. The final rule mandates Cybersecurity Maturity Model Certification Program compliance as an enforceable element of DoD contracts. This final rule also partially implements a directive for the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base. 

FDA’s Digital Health Advisory Committee Set to Meet November 6. The FDA will be holding a virtual meeting of the Digital Health Advisory Committee on November 6, 2025, from 9 a.m. to 6 p.m. ET. The topic of the meeting is “Generative Artificial Intelligence-Enabled Digital Mental Health Medical Devices.” The Committee plans to discuss and make recommendations on the novel risks and evolving complexity of mental health devices, and potential regulatory approaches to address their safety and effectiveness while promoting innovation to meet the demand for mental health services and treatment. The Committee is a public advisory committee whose purpose is to provide advice and recommendations to FDA. The meeting will be open to the public. Docket number FDA-2025-N-2338 has been created for public comment and will close on December 8, 2025. Comments received on or before October 17, 2025, will be provided to the Committee. Comments received after that date will be taken into consideration by the FDA. As a reminder, the government shutdown could impact this meeting.

States Act on AI Use in Health Care. This year, many states passed or are considering new legislation addressing the use of AI in health care, as monitored by Manatt Health’s Health AI Policy Tracker. The bills to date have focused on three areas of health care, including use of AI in administrative operations, clinical care, and chatbots. Arizona (HB 2175), Maryland (HB 820), Nebraska (LB 77), and Texas (SB 815) banned the use of AI as the sole decision-maker for denying medical necessity or prior authorization requests, requiring oversight by a physician. New laws in Texas (HB 149 and SB 1188), New Mexico (HB 178 ), Nevada (AB 406), and Oregon (HB 2748) address a range of requirements in clinical care related to disclosure of AI systems’ roles in diagnostic and treatment services and being presented as licensed providers. Utah (HB 452), New York (SB 3008), Nevada (AB 406), Illinois (HB 1806), and Maine (HP 1154) enacted requirements involving various uses of AI in chatbots and AI companions, most related to mental and behavioral services.

Prior Authorization Survey Finds Need to Improve Electronic Processes to Decrease Burden. Results from a Cohere Health survey on prior authorization show ongoing concerns with overall processing of requests and potential for burden relief through increased electronic processes and use of AI. The results come from a survey of 200 hospital and health system clinicians and administrators. When asked what prevents the use of online portals or electronic systems for prior authorization requests, 29% of clinicians and 47% of administrators reported health plans do not consistently accept electronic requests. Separately, just 24% of clinicians and 16% of administrators reported using electronic processes for more than 40% of their prior authorization requests. The regulatory requirement that prior authorization requests be processed within seven days for routine care and 72 hours for urgent care takes effect January 1, 2026. The survey found that only 12% of clinicians and 7% of administrators see these times being met today. The survey provides potential improvements that could increase the efficiency of the prior authorization process, including 67% of clinicians and 65% of administrators supporting fully electronic processes and 99% of clinicians and 96% of clinicians trusting the use of AI in the processing of requests.