AI in Healthtech: Where It's Working, Where It Isn't (Regulatory Edition)
AI in healthtech isn't blocked by tech anymore — it's blocked by regulation, liability, and clinical workflow integration. A 2026 status report.
What AI is actually doing in healthtech today
Strip away the conference slides and the press releases, and the 2026 picture is clearer than it's ever been — and more modest than most predictions from three years ago.
AI is genuinely working in clinical decision support: surfacing drug interactions, flagging abnormal labs, nudging a clinician toward a differential they might have missed. It's working in medical scribing, where tools like Suki, Abridge, and Nuance DAX have meaningfully reduced the time physicians spend on documentation. It's working in intake and triage chatbots — not diagnosing anything, but gathering symptoms, routing patients to the right channel, and collecting structured data that feeds into the clinical workflow. It's working in imaging prioritisation, where radiology AI helps surface the reads that need eyes first. It's working in revenue cycle management, where AI handles prior auth, claims scrubbing, and denial prediction with measurable ROI. And it's working at the early stages of drug discovery, where AI narrows the candidate field before expensive wet-lab work begins.
What it is not doing: autonomous diagnosis. Autonomous prescribing. Autonomous surgery beyond tightly constrained robotic-assist scenarios. It is not replacing a psychiatrist or therapist. And "let's feed all our patient data into an AI and see what it finds" is not a research methodology — it is a liability exposure with a Jupyter notebook attached.
That distinction — working versus not-yet-working — is less about capability and more about regulatory reality, liability structure, and how clinical workflows actually absorb new tools.
Five categories that are working
Administrative AI is the clearest win. Claims processing, prior authorisation, eligibility verification, and medical scribing have something in common: errors are costly but rarely catastrophic in the moment, there's a human reviewing the output before it reaches a patient, and the ROI is measurable in hours per week. Nuance DAX, Abridge, and Suki have moved from "interesting pilot" to "we renewed and expanded" at major health systems. RCM AI vendors have demonstrated 15–20% denial rate reductions in published case studies. This is where the money is actually flowing.
Clinical decision support — when positioned correctly — is also working. "Correctly" means suggestion-only, surfaced in the existing EHR workflow, with the physician retaining full authority. AI that flags a potential sepsis risk early, highlights a medication interaction, or reminds a clinician about a screening that's overdue is genuinely useful. The key design constraint: it must be easy to dismiss without friction. Systems that require a clinician to click through a warning every time they disagree get ignored or suppressed. Good human-in-the-loop (HITL) design here isn't optional.
Imaging triage has real traction. Radiology AI that helps prioritise a queue — surfacing likely stroke reads or fractures so they get eyes first — improves time-to-read on time-sensitive cases without requiring the AI to be autonomous. The radiologist still reads and signs. The AI is a prioritisation engine, not a diagnostician. FDA 510(k) clearances in this space have accelerated significantly since 2023.
Drug discovery support is working at the target identification and candidate screening stages. Companies using AI to narrow the chemical search space before synthesis are running smaller, more targeted preclinical programs. The regulatory pathway for the eventual drug is unchanged — AI doesn't shortcut FDA approval — but it can compress the years and dollars spent getting to a viable candidate.
Patient communication — scheduling, appointment reminders, medication adherence nudges, post-discharge follow-up — is mature enough to be table stakes. The volume of outbound patient communication that can be handled without a human touch is large, and AI handles it well. The nuance: escalation paths must be clearly defined and fast. A patient who replies to a medication reminder with "I think I'm having a reaction" cannot land in a queue.
Five categories that aren't (yet)
Autonomous diagnosis remains off the table — not because AI can't identify a condition in a controlled dataset, but because the liability structure of medicine doesn't accommodate autonomous clinical decisions. If an AI misses a cancer on a scan, who is responsible? The radiologist who didn't review it? The hospital that deployed it? The vendor? None of those questions have settled legal answers, and no insurer or health system is willing to find out the hard way. Accuracy floor arguments are real too: a system that is 97% accurate sounds impressive until you do the math on how many patients that 3% represents at scale.
Prescribing autonomy is similarly blocked. Prescribing carries direct patient-safety consequences that the regulatory and liability environment requires a licensed clinician to own. AI-assisted prescribing — surfacing options, flagging interactions, recommending dose adjustments — is fine. AI that writes the script without a human signing off is not.
Surgical autonomy beyond narrow, tightly-bounded robotic assist is not happening at any real scale. Robotic surgery with AI-assisted guidance in defined moments (tremor reduction, tissue identification) is real and growing. Autonomous surgical decision-making is not. The kinesthetic feedback loop, the need to respond to intraoperative findings, and the catastrophic downside of an error make full autonomy a distant target regardless of what any demo video implies.
Mental health as replacement is where the harm signals are clearest. Several peer-reviewed studies published between 2023 and 2025 found that AI-only mental health interventions, when used as a primary care modality rather than a supplement, produced worse outcomes in moderate-to-severe cases than standard care. The conversational surface area of an LLM can feel therapeutically useful in ways that mask absence of clinical progress. AI as a supplement to a therapist, for between-session support or CBT exercises, is different and shows more promise — but the framing matters enormously.
Patient-data-fishing AI — deploying an AI on a population dataset without a clinical hypothesis — is not a research methodology. It is an exercise in generating statistically valid but clinically spurious correlations. The findings require prospective validation regardless. The data governance cost is high. And the regulatory questions about secondary use of patient data under HIPAA and GDPR are genuinely unresolved in many implementations. Hypothesis-driven AI analysis on patient data is fine. "Let's see what the model finds" is not.
The HIPAA / GDPR / DPDPA reality
"We're HIPAA-compliant" is the minimum viable credential in US healthtech, and it usually means: we have a Business Associate Agreement in place, we encrypt data at rest and in transit, and we've checked the relevant boxes on our security questionnaire. That matters. It is also not the hard part.
The hard part is de-identification done correctly. HIPAA's Safe Harbor and Expert Determination methods sound well-defined until you try to apply them to unstructured clinical notes, imaging metadata, or genomic data. Re-identification risk from AI-generated embeddings is a genuine open problem that most compliance frameworks haven't caught up with.
The hard part is audit logs that actually answer a regulator's questions. Who accessed which patient record, when, and why — at the field level, not the session level. Most AI systems are not designed with this in mind from the start, and retrofitting it is expensive.
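As an added illustration (not code from Reveronix or any vendor named here), this is what a field-level audit trail can look like in Python: every read records who, which patient, which fields, when, and a stated purpose, and the entries are hash-chained so edits are detectable. The class, function and field names and the sample record are assumptions constructed for the example; the hash chain is an addition beyond what the paragraph above requires.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class FieldAuditLog:
    """Append-only log: one entry per access, listing the exact fields read."""

    def __init__(self):
        self.entries = []

    def record(self, actor, patient_id, fields, purpose):
        if not purpose:
            raise ValueError("every access needs a stated purpose")
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "patient_id": patient_id,
            "fields": sorted(fields),
            "purpose": purpose,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        body["hash"] = _digest(body)  # covers every key above, including prev
        self.entries.append(body)

    def who_read(self, patient_id, field):
        """The regulator's question: who saw this field, and why?"""
        return [(e["actor"], e["purpose"]) for e in self.entries
                if e["patient_id"] == patient_id and field in e["fields"]]

    def verify(self):
        """Detect edited or removed entries by re-walking the hash chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def read_fields(log, store, actor, patient_id, fields, purpose):
    """Log the access, then return only the requested fields, never the whole record."""
    record = store[patient_id]
    missing = [f for f in fields if f not in record]
    if missing:
        raise KeyError(f"unknown fields: {missing}")
    log.record(actor, patient_id, fields, purpose)
    return {f: record[f] for f in fields}

# Constructed sample data, not real patient information.
STORE = {"p-001": {"name": "Test Patient", "diagnosis": "T2DM", "meds": ["metformin"]}}
```

Routing an AI component's reads through the same `read_fields` path as a clinician's means the model appears in the log as an actor with its own purpose, which is what a session-level log cannot show.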
The hard part is consent flow that reflects what the AI is actually doing with data. Patients who consent to treatment are not automatically consenting to their de-identified records being used to train a model. State laws in California, Texas, and New York layer additional requirements on top of federal HIPAA minimums.
In India, the Digital Personal Data Protection Act 2023 (DPDPA) is now the governing framework for patient data, layered on top of the Telemedicine Practice Guidelines that have been in force since 2020. DPDPA establishes data principal rights — consent, correction, erasure — that apply to health data and require explicit consent architecture that most legacy health IT systems were not built to support. Telemedicine guidelines constrain what AI can do in a remote consultation context, particularly around prescribing and diagnosis.
In the EU, the AI Act explicitly classifies AI systems used in clinical decision-making as high-risk, which triggers conformity assessments, technical documentation requirements, and post-market monitoring obligations. If you're shipping a clinical AI product into the EU, "we'll deal with the AI Act later" is not a viable posture.
Why most healthtech AI startups fail at integration
The technical integration problem in healthtech is not AI — it's EHR. Epic, Cerner, and eClinicalWorks collectively hold the majority of inpatient and ambulatory data in the US, and the path into those systems is narrow, expensive, and slow. Epic's App Orchard requires certification. Cerner's integration partner process is similarly gated. Both have commercial incentives to keep third-party integration high-friction.
HL7 FHIR was supposed to fix this. It is partially fixing it. FHIR R4 is broadly adopted in name, variably implemented in practice. The field designations, terminologies, and data models that are technically FHIR-compliant differ enough between implementations that every new integration requires custom mapping work. "We support FHIR" is not the same as "we plug in anywhere."
The deeper problem is workflow change management. Even a technically clean integration fails if the clinical staff don't use it, don't trust it, or find it adds steps to their day. Physician adoption of new digital tools is historically slow, driven by peer influence and departmental champions more than by vendor sales cycles. Healthtech teams that treat this as a sales problem — rather than a change management problem that requires clinical operations expertise — find their pilots sitting unused at month six.
The startups that navigate this successfully tend to share one trait: they got a clinical champion involved early, before the product was built, not after it was built and needed selling.
What to look for in a healthtech AI partner
The credentials that actually matter are narrower than most vendor websites suggest.
A partner who has shipped past a real BAA — not just claimed compliance, but navigated a health system's security review, addressed their questions about data residency and breach notification, and had their BAA accepted — has demonstrated something real. Ask for reference health systems you can call.
A partner who understands at least one EHR integration deeply — not just "we've done Epic integrations" but can tell you which APIs they used, what the limitations were, and how they handled data mapping edge cases — is not starting from scratch when the technical work begins.
A partner who has done HITL design in a clinical setting understands that "human-in-the-loop" is not a checkbox. It's a set of workflow decisions: where does the AI surface its output, how does a clinician dismiss or accept it, what happens when the AI is uncertain, how is disagreement logged. These decisions have patient safety implications and require clinical input, not just UX design.
A partner who has clinical advisors embedded in their evaluation design — not on their advisory board for their website, but actually shaping how the model is evaluated against real clinical tasks — is more likely to produce a system that does what it claims. The gap between benchmark performance and clinical utility is large and consistently underestimated.
In healthtech, the regulatory and integration work is 70% of the project. The model is the easy part. Teams that understand this ship products that actually get used; teams that don't ship impressive pilots that nobody renews. At Reveronix, the projects we've seen move from pilot to production share that same pattern — the AI capability got the attention, but the compliance architecture and EHR integration work is what made it real.
Written by the Reveronix team.