Congress Stalled on Paying for Medical AI. CMS Went Ahead Anyway.
The Health Tech Investment Act has been sitting in the Senate Finance Committee for fifteen months. Meanwhile, CMS just proposed doing a version of it without waiting. Here is what actually changes for the people who have to run these systems.
If you have seen the Health Tech Investment Act come across your feed, you have probably seen it framed as the bill that will finally make Medicare pay for AI. That framing is not wrong, exactly, but it has been overtaken by events.
Sen. Mike Rounds (R-SD) introduced S. 1399 on April 9, 2025, joined by Sens. Martin Heinrich (D-NM) and Marsha Blackburn (R-TN). Rounds and Heinrich co-chair the Senate AI Caucus. The bill was read twice and referred to the Committee on Finance. That is where it still sits. A House companion, H.R. 6197, was introduced on November 20, 2025 by Rep. John Joyce, M.D. (R-PA) along with Reps. Beth Van Duyne (R-TX), Jay Obernolte (R-CA), Brad Schneider (D-IL), Scott Peters (D-CA), and Angie Craig (D-MN). It went to Energy and Commerce and to Ways and Means. Neither bill has advanced out of committee. Neither is law.
On July 2, 2026, CMS released the CY 2027 Hospital Outpatient Prospective Payment System proposed rule (CMS-1850-P), published in the Federal Register on July 7. Buried in a rule that most people are reading for the 340B fight is a section that does much of what S. 1399 would mandate, on CMS's own authority, without Congress. That is the news. The bill is the sideshow right now.
What the bill would actually do
S. 1399 amends section 1833(t) of the Social Security Act, which is the statutory basis for OPPS. It creates a special rule for what the bill calls "algorithm-based healthcare services," defined as services delivered through an FDA-cleared or approved device that uses AI, machine learning, or similar software to produce a clinical output.
For qualifying services furnished on or after January 1, 2026, the Secretary would have to assign the service to a new technology Ambulatory Payment Classification based on cost data submitted by the manufacturer, including invoice prices, subscription costs, staffing, and overhead. The Secretary could not pull the service back out of that classification until adequate claims data existed to reassign it, and in no case sooner than five years of payment under the assigned classification. The bill also directs the Secretary to adjust the eligibility criteria so that an algorithm performed concurrently with or adjunctive to an underlying service can still qualify as a distinct new procedure.
Worth noting: the Act appropriates nothing. It is a set of instructions to CMS about how to structure a payment pathway, not money.
What CMS proposed instead
The CY 2027 OPPS proposed rule takes four steps.
First, CMS proposes to retire the term "Software as a Service" and replace it with "Software as a Medical Service," or SaMS, on the reasoning that SaaS is a generic commercial cloud term and these are medical services. Second, CMS designates 36 HCPCS codes as SaMS in Table 61 of the rule, and proposes to move 21 of them out of clinical APCs and into new technology APCs at rates that approximate their CY 2026 payment. Third, it proposes to pull ten codes for algorithm-only analyses of laboratory data off the Clinical Laboratory Fee Schedule entirely and put them into new technology APCs, on the theory that once the wet lab work is done, downstream computational analysis of stored data is not a clinical diagnostic laboratory test and does not require a CLIA-certified lab. Fourth, it creates a new status indicator, O1, to identify SaMS paid separately under OPPS and to track the claims.
CMS is candid that this is interim. The agency's own reasoning is that the clinical APC structure was built to group services by comparable clinical characteristics and resource use, and it does not accommodate technologies whose costs are proprietary algorithms and scalable non-material inputs rather than supplies and staff minutes. New technology APCs are being used as a holding area while CMS collects claims data to build something durable. Read CY 2027 as a bridge year.
Notice how close the mechanism is to what S. 1399 describes: new technology APCs, a transitional period, claims data collection to support eventual reassignment. The differences are real but narrower than the legislative rhetoric suggests. The bill would lock a five-year floor into statute and require CMS to set rates from manufacturer-submitted cost data. CMS's proposal does neither. It preserves the agency's discretion and sets rates by continuity with what the codes already pay.
CMS also published the CY 2027 Physician Fee Schedule proposed rule (CMS-1848-P) on July 14, which appeared in the Federal Register on July 16 with comments due September 14. It carries the SaMS discussion into Part B, and early reads suggest the same ten lab codes would be contractor-priced under the PFS rather than assigned to new technology APCs. If you bill in both settings, that inconsistency is worth a close look before you comment.
Comments on the OPPS rule close August 31, 2026.
The part almost nobody writing about this bill mentions
Here is where the coverage of S. 1399 falls apart for a lot of our readers, and it is worth being blunt about it.
OPPS does not pay Critical Access Hospitals.
There are 1,383 CAHs in the United States as of April 2026. Medicare pays them 101 percent of reasonable cost for outpatient services, not OPPS rates. A new technology APC is a rate in a payment system that a CAH does not bill under. Whatever S. 1399 does, and whatever CMS finalizes for CY 2027, the APC assignment itself does not change what a CAH gets paid for running an AI algorithm on a chest CT.
That is not a knock on the bill and it is not a reason for CAH staff to tune out. It is a reason to understand which conversation you are actually in. If you are at a CAH, the economics of an AI-enabled device are a cost report question, not an APC question, and the person who can answer it is your cost report preparer or your MAC, not a vendor rep waving a reimbursement one-pager at you. Ask that question early, in writing, before anyone signs a subscription agreement. A subscription that behaves one way on a cost report and another way on an APC schedule is a real difference, and it is not one your radiology manager should be discovering in month nine.
Rural Emergency Hospitals are the opposite case. REHs are paid at the OPPS rate plus 5 percent for REH services, along with a monthly facility payment, so the new technology APC machinery reaches them directly. There were 42 REHs as of October 2025. If you converted, this rule is yours to read. Rural and community hospitals paid under PPS are in the same boat. So the answer to "does this affect me" splits cleanly along a line that has nothing to do with how rural you are or how many beds you have. It depends entirely on which payment system your facility sits in.
What lands on IT no matter who pays
Reimbursement stability is a procurement argument. It is not an integration plan, and none of it changes the fact that when the thing shows up, it shows up on your network.
Find out what the product physically is before anything else. "AI-enabled device" covers an on-premises appliance sitting in a rack, a pure cloud service that receives your images and sends back a result, and every hybrid in between. These are three completely different problems. The cloud case means studies leave your network, which means bandwidth, egress, latency, and a business associate relationship. The on-premises case means you own the patching and lifecycle of a box you probably cannot patch on your own schedule. Ask for an architecture diagram during evaluation, not after the PO.
Settle the business associate question in writing. If the vendor creates, receives, maintains, or transmits ePHI on your behalf, they are a business associate under 45 CFR 160.103. 45 CFR 164.308(b)(1) is the standard: you may only permit that arrangement if you obtain satisfactory assurances, in accordance with 164.314(a), that the business associate will appropriately safeguard the information. The written contract is the implementation specification at 164.308(b)(3), and it is Required. A genuinely self-contained on-premises appliance with no vendor access and no data leaving your walls may not create a BA relationship. In practice, that configuration is rare, because vendor remote support, model updates, and telemetry usually put the vendor back in scope. Do not assume the appliance form factor gets you out of it. Read the support agreement.
Your risk analysis obligation is Required, not addressable. This one gets misstated constantly. 45 CFR 164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of risks and vulnerabilities to ePHI, and 164.308(a)(1)(ii)(B) requires risk management sufficient to reduce those risks to a reasonable and appropriate level. Both are Required. Separately, 45 CFR 164.308(a)(8) requires periodic evaluation in response to environmental or operational changes affecting the security of ePHI. A new AI platform ingesting imaging data is an operational change. It is a risk analysis trigger.
Network segmentation is not a HIPAA standard, and you should stop citing it as one. There is no segmentation implementation specification anywhere in 45 CFR 164.312. Segmentation is a security measure you may adopt to satisfy the risk management standard at 164.308(a)(1)(ii)(B). That distinction matters, because if you tell your board that HIPAA requires segmentation and someone checks, you have just spent credibility you will need later. Say it accurately: segmentation is how a lot of organizations reasonably reduce identified risk from medical devices and vendor-connected systems, and it is defensible on those grounds. (The proposed Security Rule update would make segmentation an explicit requirement. More on that below.)
Encryption specifications are Addressable, which does not mean optional. Encryption and decryption at 164.312(a)(2)(iv) and encryption in transit at 164.312(e)(2)(ii) are both Addressable. Addressable means you implement it, implement an equivalent alternative, or document why it is not reasonable and appropriate. For a cloud AI service moving imaging studies over the internet, the third option is not going to survive contact with an investigator.
Audit controls at 164.312(b) are Required, and this is where AI platforms tend to be weak. Can you produce a record of who viewed an algorithm's output, when, and on what study? Some of these platforms log beautifully. Some log to a proprietary store you cannot query and cannot export. Ask to see the log format during evaluation. Ask whether it ships to your SIEM. If the answer is a shrug, that is a finding, not a feature gap.
Ask where the results land, and what they cost you to keep. Imaging AI does not ride HL7 or FHIR on the way in. It takes DICOM, usually via a C-STORE from the modality or a routing rule off the worklist, and that part is well understood. The return trip is where the surprises live. Results come back as an HL7 ORU into the RIS or EHR, as a DICOM structured report, or as a derived secondary capture series written back into PACS. Plenty of platforms do more than one. That last option is the one that quietly costs money. A platform that writes a burned-in overlay series back for every study it touches is generating net-new images on your archive, at full retention, for studies you already stored once. Nobody budgets for that, because the person who bought it was comparing subscription prices, not archive growth. Get the answer in writing before signing: what objects does it write back, how large, and against what retention schedule. Then go tell whoever owns the archive, because it is not going to be you who gets the capacity alert first, but it will be you who gets the ticket.
Assume you cannot patch it, then verify. FDA-cleared devices have a long history of vendor-controlled OS layers and validated configurations you are contractually forbidden to touch. If the appliance runs Windows, find out today whether you can manage it with Configuration Manager or Intune, whether Group Policy applies, and whether the vendor will accept your patch cadence. For anything you can manage, the order of operations has not changed: Configuration Manager or Intune first, Group Policy second, PowerShell for the gaps. For anything you cannot manage, you now own a compensating control problem, and that belongs in the risk analysis with a name on it.
Identity is the easy win. Any cloud-linked AI platform should sit behind Entra ID with Conditional Access. If the vendor's answer to authentication is a shared local account on an appliance, that is a conversation to have before signing, not after.
About the Security Rule update
You will hear that the proposed HIPAA Security Rule overhaul solves the addressable-versus-required ambiguity by eliminating it. It would, if it is finalized. It has not been.
OCR published the NPRM on January 6, 2025. Roughly 4,700 comments came back, including a coalition letter from more than 100 hospital systems and provider associations asking HHS to withdraw it outright. The regulatory agenda targeted spring 2026 for a final rule. That target passed, and final action has since slipped to at least July 2027 with no confirmed timeline.
The current Security Rule is what OCR enforces today. Plan against it. The proposal would make encryption, MFA, asset inventory, network mapping, vulnerability scanning, penetration testing, segmentation, and annual business associate verification explicit requirements, and most of that is what a defensible program looks like in 2026 regardless of what the Federal Register eventually says. Building toward it is prudent. Telling your organization it is required is not accurate yet, and the vendors telling you otherwise are selling something.
What to actually do this month
Inventory what you already have. Most organizations have more algorithm-assisted tooling in the building than IT realizes, because a fair amount of it arrived bundled inside imaging and cardiology systems that were purchased by someone else. Start with radiology and cardiology and ask what modules are licensed and enabled.
Then, before the next one gets purchased, get five answers in writing: Where does the data go? Is the vendor a business associate, and is the BAA signed? Who patches it and on whose schedule? What does the audit log contain and can you export it? And, for the finance side of the house, how does this get paid for in our payment system, specifically, given what we are.
If your facility bills under OPPS, comment on CMS-1850-P by August 31. CMS is explicitly using this comment cycle to build the permanent methodology, and the number of comments from small rural facilities is going to be close to zero unless people who work in them write some. The PFS rule closes September 14.
The bill may pass eventually. It may not. GovTrack currently puts the odds of S. 1399 getting out of committee in the low single digits, which is where most bills live. Either way, CMS is building the payment plumbing now, the devices are showing up now, and the segmentation, patching, logging, and BAA work is the same work in every scenario. That part was never waiting on Congress.
This article is for informational purposes only and does not constitute legal or compliance advice. Covered entities and business associates should consult qualified legal counsel or compliance professionals before making decisions pertaining to HIPAA or IT infrastructure.
Sources
- S. 1399, Health Tech Investment Act, 119th Congress, text - Congress.gov
- H.R. 6197, Health Tech Investment Act, 119th Congress - Congress.gov
- AdvaMed Applauds House Introduction of the Health Tech Investment Act - AdvaMed, sponsor and cosponsor detail
- Medicare Program; Hospital Outpatient Prospective Payment and Ambulatory Surgical Center Payment Systems, CY 2027 Proposed Rule (CMS-1850-P) - Federal Register, July 7, 2026
- Calendar Year 2027 OPPS and ASC Proposed Rule Fact Sheet - CMS
- CMS Proposes an Interim Payment Policy for Software as a Medical Service in Outpatient Rule - Reed Smith, SaMS proposal detail
- Calendar Year 2027 Medicare Physician Fee Schedule Proposed Rule (CMS-1848-P) - CMS
- Information for Critical Access Hospitals, MLN006400 - CMS, CAH payment methodology
- Critical Access Hospitals Overview - Rural Health Information Hub, CAH count as of April 2026
- Rural Emergency Hospitals Overview - Rural Health Information Hub, REH count and eligibility
- Medicare Claims Processing Manual, Chapter 4 - CMS, REH payment at OPPS plus 5 percent
- 45 CFR 164.308, Administrative safeguards - eCFR
- 45 CFR 164.312, Technical safeguards - eCFR
- HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, NPRM - Federal Register, January 6, 2025