The questions we hear most — and the answers that change the conversation.
Why do I need AI governance certification?
Three things have already happened — and none of them require a new law to hurt you.
First, your carrier moved. As of January 2026, standard-form AI exclusion endorsements are available to every malpractice insurer in the country. W.R. Berkley, Hamilton Select, and Philadelphia Indemnity have already adopted them. These exclusions cover AI scribes, EHR algorithms, scheduling chatbots — any AI tool touching patient care. If your policy has one, an AI-related claim gets denied. You bear the full cost.
Second, the laws are already enforceable. Texas TRAIGA carries $200,000 per uncurable violation. Illinois enacted two AI laws — the IHRA AI Amendment (employment discrimination, eff. Jan 2026) and the WOPR Act (HB 1806, $10,000 per violation for AI in therapy without licensed oversight, eff. Aug 2025). Colorado has three AI statutes touching healthcare: SB 26-189 (general AI Act, effective Jan 1, 2027, exempts most HIPAA-covered clinical AI use), HB 26-1139 (AI in health insurance coverage decisions, effective Jan 1, 2027), and HB 26-1195 (AI in psychotherapy, effective Aug 12, 2026). For most general practices Colorado is a monitor-not-trigger; for behavioral health practices HB 26-1195 is directly applicable. If you conduct telehealth follow-ups with patients who have returned to any of these states — and in Florida, with its snowbird population, you almost certainly do — those states' laws apply to those encounters. Globally, the EU AI Act now classifies healthcare AI as high-risk and requires conformity assessments — U.S. states are building on that model.
Third, the standard of care shifted. The Federation of State Medical Boards established that physicians are liable for AI errors just as for any diagnostic tool — and went further: both reckless use and failure to use beneficial AI can fall below the standard of care. You cannot opt out. You can only govern it or remain exposed on both sides.
Independent third-party certification is the documented evidence that you govern AI properly. It's what carriers evaluate at renewal, what defense counsel can draw on if your governance is challenged, and what you can present to regulators as evidence of good-faith compliance posture. Self-attestation carries zero evidentiary weight. Certification does.
Doesn't my vendor contract protect me?
It protects the vendor. Not you. Most AI scribe contracts shift all compliance, regulatory, and clinical liability to the practice. The vendor retains broad rights to modify their software — including changing the underlying AI model — without advance notice or your consent. Accuracy warranties are typically disclaimed entirely or limited to vague "commercially reasonable" standards that wouldn't survive regulatory scrutiny.
But even if you negotiated the most favorable vendor agreement possible — full indemnification, accuracy guarantees, mandatory model update notifications — that only governs your relationship with the vendor. It does nothing for your liability to patients under malpractice law, to payers under the False Claims Act, to regulators under state AI laws, or to carriers under your insurance policy. Better vendor terms might give you a contribution claim against the vendor after you've already been sued — but they don't prevent the lawsuit, the regulatory fine, the payer recoupment, or the insurance denial.
Contracts are between you and your vendor. Governance is between you and everyone else — patients, payers, regulators, carriers. Our certification optionally includes a vendor governance assessment that identifies where your agreement leaves you exposed.
I'm in Florida (or another state) — why do other states' AI laws apply to me?
Because of telehealth. The practice of medicine occurs where the patient is physically located during the encounter — not where your office is. A Texas snowbird who sees you in-person at your Florida office? That visit is governed by Florida law. But when that patient returns home to Texas and you do a telehealth follow-up, Texas TRAIGA applies to that visit — $200,000 per uncurable violation — because the patient is now physically in Texas. The same logic applies to Colorado: a patient who visited Florida returns to Colorado, and your telehealth follow-up may trigger Colorado HB 26-1195 if you provide psychotherapy services with AI (effective Aug 12, 2026; enforced by DORA licensing boards), or HB 26-1139 if you do health-insurance utilization review (effective Jan 1, 2027). Colorado’s general SB 26-189 framework largely exempts HIPAA-covered clinical AI use. The Illinois WOPR Act (HB 1806) applies to behavioral health encounters where AI is used therapeutically — $10,000 per violation.
This is not hypothetical. 71% of physicians now use telehealth weekly (AMA, 2024). If you conduct telehealth follow-ups with patients who have returned to states with enacted AI laws, those laws apply to those visits. Each cross-state telehealth encounter potentially triggers disclosure requirements, documentation obligations, and penalty exposure in the patient's state. As more states enact AI laws (47 states have introduced bills, 17 enacted in 2025 and counting), the compliance footprint for every telehealth-enabled practice expands with every out-of-state follow-up.
Can't we just do this ourselves?
Internal policies are valuable groundwork — but without external assessment against an independent framework, they aren't defensible to carriers, OCR, or regulators. When a malpractice carrier evaluates your AI risk, when a plaintiff's attorney asks whether your governance was independently validated, when a regulator reviews your compliance posture — self-attestation has no evidentiary weight. Every credible compliance standard for organizations requires independent third-party validation: SOC 2, ISO 27001, Joint Commission accreditation, HITRUST. None of those include AI-specific governance evaluation. There is no published AI governance standard for healthcare practices yet, which is exactly why third-party AI certification is the only defensible posture available today. Certification is the external assessment that makes your existing posture credible.
Can I just stop using AI?
No — and that's the critical insight most practices miss. The Federation of State Medical Boards issued guidance in May 2024 establishing that physicians are liable for AI errors just as for any diagnostic tool. But FSMB went further: both reckless use of AI and failure to use beneficial AI can fall below the standard of care. This is the first licensing body to suggest that not using AI where it would benefit patients could itself be problematic. You cannot opt out. You can only choose whether you govern it properly or remain exposed on both sides.
My carrier already added an AI exclusion. Is it too late?
No — but the window to act is narrowing. Certification doesn't undo an existing exclusion. What it does give you is documented evidence to negotiate at renewal, a defensible governance posture to shop to competing carriers, and protection under any remaining coverage lines (E&O, cyber, general liability) that may still cover AI-adjacent claims. Carriers are rational — they exclude risks they can't evaluate. Give them something to evaluate. The cybersecurity insurance parallel is instructive: by 2022, carriers weren't just requiring security controls — they were offering better rates for documented frameworks. AI governance is on the same trajectory, roughly 12–18 months behind.
The federal government is working on AI regulation. Should I wait?
No. You're exposed right now — and waiting makes it worse.
17 states have already enacted AI healthcare laws. Texas TRAIGA is in effect. Colorado has three AI statutes touching healthcare — SB 26-189 (general AI Act with broad HIPAA carveout), HB 26-1139 (health-insurance utilization review), and HB 26-1195 (psychotherapy AI). Illinois, California, New York — all enforceable. These laws don't pause because Washington is drafting a framework. Your practice is subject to them today, through every telehealth visit that crosses state lines.
The federal executive order signed in December 2025 signals intent to establish a national AI standard — but an executive order does not preempt state law. Only Congress can do that through legislation, and the current legislative draft still requires governance obligations, risk assessments, and duty of care for high-risk AI in healthcare. The question isn't whether governance will be required — it's whether the framework is state, federal, or both.
Meanwhile, your malpractice carrier isn't waiting. Carrier exclusion decisions are private market decisions that no federal framework changes. The DOJ False Claims Act applies regardless. Common law negligence applies regardless. The standard of care applies regardless. None of these depend on AI-specific statutes.
Practices that certify now are governed before any mandate — state or federal — requires it. When the framework arrives, you're already compliant. Practices that wait will certify under pressure, at higher cost, with less favorable terms.
Why is certification only valid for one year?
Because AI healthcare regulation is moving faster than any compliance area in modern medicine.
In the past 12 months alone: multiple states passed new AI transparency and liability laws, CMS updated billing guidance for AI-assisted documentation, the ONC finalized new rules on AI in health IT, and major malpractice carriers introduced AI-specific exclusion endorsements. A certification based on last year's regulatory landscape does not protect you from this year's enforcement actions.
The parallel is HIPAA Security Risk Assessments — HHS recommends annual reviews, and OCR has fined practices for stale assessments. AI governance moves faster than HIPAA ever did. A two-year-old governance framework would miss entire categories of risk that didn't exist when it was written.
Annual recertification ensures your practice stays current with the law — not just current with the technology. Our renewal process is streamlined for returning clients, recognizes the governance foundation you've already built, and is priced at a reduced renewal rate. You're not starting over — you're staying ahead.
What happens if my practice doesn't pass?
You get a roadmap, not a rejection.
Most practices have items requiring remediation on their first assessment — that's the entire point of an independent evaluation. If your practice doesn't meet the criteria for full certification, you receive a Conditional outcome: an AI Governance Shield™ Gap Assessment & Remediation Roadmap that lists each finding with required remediation and a 30 / 60 / 90-day timeline.
Here's the key: one re-assessment is included at no additional cost. You complete the remediation items at your own pace, we re-review, and if you meet the criteria, you're certified. The remediation window is 180 days from your initial assessment — long enough to do the work properly, short enough that the assessment is still current when you re-engage. Within that window, a re-review is included; beyond it, a fresh engagement applies.
The Gap Assessment itself is a valuable deliverable. It tells you exactly where governance stands, what to address, and the operative authority behind each item. The findings are not a verdict of failure; they are a defined, closeable list. The goal is certification — the assessment just gets you there safely.
I'm a concierge or direct-pay practice. Do I really need this?
Concierge practices have a leaner exposure profile than insurance-billing practices, but not zero. Here's the honest breakdown.
What may not apply (only if your practice receives no federal financial assistance — no Medicare, no Medicaid, no TRICARE, no FEHB, no ACA marketplace billing, no HHS grant funding):
- HHS Section 1557 § 92.210 algorithmic-discrimination obligations
- OIG and Medicare Advantage coding-fraud scrutiny
- 21st Century Cures Act ONC Information Blocking (only triggers with certified EHR use)
What still applies — universally, regardless of payer mix:
- HIPAA Privacy, Security, and Breach Notification Rules
- Every state AI healthcare law in your operating jurisdictions (TX HB 149, CA AB 3030/489, CO HB 26-1195 + HB 26-1139, TN SB 1580, IL WOPR, and the rest) — these reach providers based on where you practice, not how you get paid
- FTC Act § 5 truth-in-AI obligations
- State medical board AI guidance
- 42 CFR Part 2, if any patient is treated for substance use disorder
Why concierge practices certify anyway:
- Malpractice carrier renewals. Coverys, MAG Mutual, MedMal Direct and others increasingly request AI governance documentation regardless of payer mix
- Patient trust. Concierge patients are sophisticated. They ask. Certification is a clean answer
- Practice sale or affiliation. Buyers and concierge networks (MDVIP, SignatureMD, equity-backed groups) require governance documentation in due diligence
- State law obligations are unchanged by payer model
- Future-proofing if the practice ever adds Medicare, joins a federally-funded program, or merges into a covered entity
How the engagement adapts: the scope statement explicitly notes the payer model. Domain 6 (Insurance & Coding Defensibility) is reviewed at reduced scope — focused on patient-facing financial disclosure and direct-pay medical-necessity documentation rather than CMS billing posture. Domains 1–5 are evaluated in full because they're triggered by clinical AI use, not by payer model.
Same certificate, scope-adjusted report.
Is my engagement private?
Yes. Confidentiality is the default. Public listing is opt-in by certification.
Every engagement — whether it ends in certification, conditional pass, or non-certification — is governed by the confidentiality terms of the engagement letter. Sentinel Risk Group does not disclose the existence or outcome of any assessment to third parties absent your written authorization or valid legal process.
If you achieve certification, your practice is listed in the public Certification Directory at sentinelriskgrp.com. The Directory listing is limited to: practice name, city, state, certification reference number, certification dates, and current status. Findings, scores, gap analyses, and remediation recommendations are never published. The Directory is the verification tool insurers, regulators, and patients use to confirm certified status. You may opt out of public listing in writing at any time.
If you do not achieve certification — including conditional pass, unable to certify, or engagements closed without issuance — your practice is never publicly identified in any Sentinel Risk Group communication. The outcome is yours; we do not advertise it, infer it, or list you as having taken the assessment. The engagement closes confidentially.
Our assessment methodology and supporting materials are proprietary and protected as trade secrets under the Florida Uniform Trade Secrets Act. Sentinel responds to legal process only after providing reasonable advance notice to allow you to seek a protective order.
Are you a law firm, insurer, or regulator?
Sentinel Risk Group, LLC is a governance evaluation consultancy. We are an independent third party that evaluates how a healthcare practice governs its use of AI systems and issues the AI Governance Shield™ certification based on that evaluation.
What we are not, in plain terms:
- Not a law firm. We do not provide legal advice. Engagement summaries, regulatory mappings, and findings are governance guidance, not legal counsel. Practices should consult qualified attorneys for legal questions.
- Not an insurance company. We do not underwrite policies, settle claims, or provide insurance coverage. We evaluate AI exclusion exposure in your existing malpractice and cyber policies; we do not provide the policies themselves.
- Not a healthcare provider. We do not provide clinical care, diagnose patients, or make treatment recommendations. The AI Governance Shield™ assessment evaluates governance posture; it is not clinical guidance.
- Not a government regulatory authority. We are not affiliated with HHS, OIG, FDA, CMS, the FTC, state medical boards, or any federal or state agency. AI Governance Shield™ certification is not a regulatory ruling and confers no governmental status.
- Does not certify HIPAA, FDA, or state-law compliance. AI Governance Shield™ certification is an independent governance evaluation against our published Framework. It is not a HIPAA compliance audit, an FDA premarket review, a state-board determination, or any other regulatory certification. Compliance with HIPAA, state AI laws, FDA regulation, and other authorities remains the Practice's responsibility.
- No PHI collected. Our intake and evidence workflows are engineered so Protected Health Information (PHI) does not flow to Sentinel in the ordinary course of the Services. See Master Terms § H.8 for details.
What we do: evaluate governance across six structured domains, deliver a written assessment with findings + remediation roadmap, and issue a certification outcome (Certified / Conditional / Not Certifiable). See Master Terms for full scope.