Healthcare organizations of all shapes and sizes are rapidly expanding their use of artificial intelligence solutions, from high-risk applications such as clinical decision support interventions, ambient listening, and charting to lower-risk administrative activities such as automated patient communication and scheduling. While adoption is widespread and growing in depth and breadth across the industry, not all healthcare organizations, including those considering divesting assets or equity, have established governance around AI or oversight processes for exploring and deploying new tools. For buyers of today’s healthcare mergers and acquisitions, AI diligence must be a focus given the potential compliance and class action risks associated with high-risk AI solutions, particularly those that interact with protected health information (“PHI”) regulated under the Health Insurance Portability and Accountability Act, as amended and implementing regulations (collectively, “HIPAA”).
Understanding AI risks in healthcare transactions
As mentioned above, not all sellers in healthcare transactions are fully aware of the scope of their AI use and deployment and may not have a comprehensive AI governance and monitoring strategy. For buyers, understanding how sellers are using AI and assessing the potential level of risk posed by existing applications is the best way to identify and mitigate potential issues and plan for a successful post-closing integration process. Once a buyer identifies what AI applications are being used at a target, the buyer and its advisors may consider potential HIPAA and intellectual privacy risks, in addition to evaluating the seller’s relevant vendor arrangements, especially regarding data ownership and use, security/data privacy, indemnification and reporting obligations, etc. Having a good understanding of where an AI arrangement may involve a high degree of compliance or contractual risk will enable buyers to negotiate effectively. This is to avoid taking on potential debt that exceeds your risk tolerance and to highlight areas for mitigation and improvement post-closing.
State laws and evolving AI regulations in healthcare
In addition to purely operational and contractual risks, buyers should understand whether applicable state laws impact the seller’s use of AI applications (as AI is not currently subject to federal regulation). The highest risk areas relate to issues such as mandatory disclosure of AI use in decision-making for activities such as prior authorization, patient consent and authorization (as per HIPAA), including for purposes such as ambient hearing and consumer privacy protection. Buyers may consider related resources to monitor regulatory developments related to AI in the states in which they operate or target potential acquisitions.
For example, in California, the governor signed Assembly Bill 489 on October 11, 2025. The bill prohibits AI systems and chatbots that communicate directly with patients from suggesting that their advice comes from a qualified medical professional. (1) This prohibition applies not only to direct statements made by the AI, but also to any implication that medical advice is from a qualified person. Similarly, in Illinois, the Mental Resources Wellness and Oversight Act prohibits the use of AI in the mental health and treatment decision-making process, even by licensed providers. This includes recommendations that AI makes to diagnose, treat, or improve someone’s mental or behavioral health (with a cut-out of government support). (2) States will continue to expand regulation in this area, and enforcement activity is expected to increase depending on the industry used. The introduction of AI may pose undue risks to the public, especially healthcare.
What buyers can investigate during AI due diligence
Staying ahead of the many challenges associated with the use of AI in healthcare means conducting due diligence on targeted AI uses with the aim of identifying areas of highest risk and planning potential mitigation strategies. Buyers can build AI diligence to cover the following areas of AI risk management:
Understand the oversight of AI at the target (e.g., AI governance board, chief information officer, or chief AI officer). Assess the extent to which your audience is developing and implementing AI oversight activities (e.g., through formal AI governance research and strategy, or other informal assessments). If the target has adopted an AI governance program, assess its implementation and AI-specific policies and procedures (i.e., pilot programs, use of approved technologies, bias controls, data validation, audits, etc.). Review the target’s approved use of AI technology and potential level of risk (e.g., clinical decision support interventions, patient monitoring, diagnostic support, ambient listening technology) and vendor relationships. Investigate a list and description of all AI tools and AI models used, developed, or trained by your target company. This includes detailed information about each AI tool/model’s use case, scope of use, and how to access it. If the covered company relies on third-party AI developers or vendors to support AI implementation, review all third-party AI vendor/developer model cards and agreements, including agreements regarding the use of AI for clinical research purposes. Review the target company’s standard terms with its AI vendors, including data ownership, audits, reporting, service level agreements, and indemnification terms, as well as any material outstanding claims.
Collaboration between legal, IT, and clinical teams
The buyer’s legal advisors, who may have special expertise in healthcare as well as healthcare data privacy, security, and AI, will assess risks related to the target’s operations, structure, and potential high-risk areas and make actionable recommendations regarding future operational and integration risks. Additionally, buyers may also engage legal counsel to coordinate the diligence review process.
Due to their responsibilities, the buyer’s IT, operations, and clinical employees provide valuable insight into how the seller’s use of AI will impact the buyer’s future operations, including integration with the buyer’s AI strategy. Advisors may work together to focus on potential quality of care and privacy concerns and provide a comprehensive assessment of potential concerns and quality recommendations to the purchaser’s management.
Build a post-deal AI governance and compliance strategy
In conjunction with a due diligence review, a buyer may consider developing a strategy for how it and its target will manage AI risks post-closing (e.g., determining whether and to what extent the target’s existing vendor agreements can be assigned or amended in connection with the closing, ensuring appropriate integration plans for AI tools, IT capabilities, plans for future AI governance, oversight and monitoring, patient care and safety, etc.). Unless buyers have their own existing governance plans, they may conduct an AI usage study and consider adopting a formal AI governance strategy that enables data protection and access controls, long-term compliance protections, streamlined evaluation and deployment of potential AI tools and vendor negotiations, and monitoring of ongoing AI activities (3).
Key points for healthcare buyers and investors
AI is evolving as a legal and operational risk area in healthcare transactions. Conducting an effective due diligence review of AI in a proposed transaction requires buyers and their attorneys to have a detailed understanding of the technology itself and the potential risks and liabilities associated with its use. This rapidly evolving area of law will continue to shape the healthcare regulatory landscape, but with the right preparation, a diligent process can minimize a buyer’s exposure and best position them for post-closing success.
footnote
(1) AB 489, State Law. 2025–26 session. (Cal. 2025) https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB489
(2) HB 1806, 104th Congress. (Illinois 2025) https://www.ilga.gov/legislation/PublicActs/View/104-0054
(3) Sheppard Mullin Healthcare Law Blog, Key Considerations Before Negotiating Healthcare AI Vendor Contracts (March 2024) https://www.sheppardhealthlaw.com/2025/03/articles/artificial-intelligence/key-considerations-between-negotiating-healthcare-ai-vendor-contracts/
(View source.)
