
AI in the Infusion Suite: What Infusion Providers Need to Know Now

May 28, 2026

Key Takeaways

  • Independent and regional infusion providers are rapidly adopting AI tools for tasks like prior authorization management, clinical documentation, revenue cycle optimization and patient scheduling—often without the legal and compliance infrastructure needed to manage the significant regulatory and liability risks those tools introduce.
  • Without proper governance, infusion providers face heightened risks under HIPAA, the False Claims Act and a growing patchwork of state AI laws. Misusing or misclassifying AI—particularly in clinical decision-making or billing workflows—can trigger significant exposure and compliance gaps, all of which can impact operations and deal value.
  • For infusion providers evaluating strategic transactions—whether a private equity investment, acquisition, or joint venture—AI governance has become a due diligence priority. Providers should inventory their AI tools, ensure all vendor agreements are HIPAA-compliant, implement human oversight for billing-related AI, and develop a written AI governance policy. Staying ahead of evolving state and federal requirements is essential to minimize risk and support future growth or transactions.

The AI Adoption Curve Has Reached the Infusion Suite

AI adoption in healthcare is no longer limited to large health systems and well-capitalized technology platforms. With 46% of healthcare organizations currently implementing generative AI technologies,[1] the question is no longer whether to adopt AI, but how to do so legally and safely.

Independent and regional infusion providers are firmly inside that adoption curve. The operational pressures are well understood: prior authorization burdens have intensified as payers deploy their own AI systems to manage specialty drug spending; clinical documentation requirements have grown more complex as the therapeutic mix at ambulatory infusion centers has expanded into higher-acuity biologics and immunoglobulins; and revenue cycle performance has become a critical differentiator for providers navigating reimbursement headwinds from the Inflation Reduction Act’s Part B drug pricing provisions.

AI tools promise relief on each of these fronts. Prior authorization platforms use machine learning to predict approval likelihood, surface supporting documentation and accelerate submission workflows. Ambient documentation tools capture clinical encounters and generate structured notes without manual transcription. Revenue cycle AI flags claims likely to be denied before submission and identifies coding optimization opportunities. Patient scheduling and no-show prediction tools improve chair utilization at infusion centers operating on narrow margins.

The operational case for these tools is compelling. The legal case for deploying them without proper governance is not. For infusion providers—companies that have adopted AI broadly but often lack the dedicated legal and compliance infrastructure of national platforms—the gap between adoption and governance is where risk accumulates.

The FDA’s Clinical Decision Support Line: Why It Matters

Infusion providers deploying AI in clinical workflows face a regulatory distinction that has significant implications for liability exposure and vendor selection: the FDA’s framework for clinical decision support software.

The FDA’s clinical decision support guidance draws a critical line between AI that informs clinician judgment—carrying a lower regulatory burden—and AI that replaces it, which triggers potential medical device classification.[7] Misclassifying an AI system on the wrong side of that line creates significant regulatory and liability exposure.

In the infusion context, this distinction is not always obvious. A tool that surfaces drug interaction alerts for an infusion nurse to review is clearly on the informing side of the line. A tool that automatically selects infusion protocols, recommends dose adjustments or routes patients to specific treatment plans based on algorithmic outputs—without meaningful clinician review—is potentially a medical device under FDA’s framework, subject to clearance or approval requirements that most vendors have not pursued and most providers have not evaluated.

Healthcare organizations frequently characterize AI tools as “decision support” when they function as autonomous decision-makers in practice, routing patients or recommending treatments that clinicians ratify rather than genuinely review. The practical test is not how the tool is marketed, but how it is actually used. Infusion providers should conduct an honest assessment of how their clinical staff actually interacts with AI outputs: Are recommendations genuinely reviewed and independently assessed, or do they function as defaults that clinicians accept without meaningful evaluation?

HIPAA Compliance Remains Foundational

HIPAA applies fully to AI systems that access, process or transmit protected health information (“PHI”)—and there is no AI exception. For infusion providers, virtually every AI tool in active use, from prior authorization platforms to ambient documentation tools to revenue cycle software, operates in a PHI environment subject to HIPAA’s requirements.

Three obligations deserve particular attention. First, every AI vendor that accesses PHI must execute a compliant Business Associate Agreement (“BAA”) before deployment,[9] including explicit restrictions prohibiting the use of patient data for model training without patient authorization—a provision that many vendors’ standard terms omit. Second, operation-level audit logging must capture which systems accessed which PHI, what actions were taken and who authorized the workflow; session-level logs alone are insufficient. And finally, the minimum necessary standard requires that AI tools access only the PHI essential for their specific function—a requirement that is architecturally complex and rarely addressed with sufficient precision in vendor contracts.

Prior Authorization AI: A Two-Sided Legal Problem

Prior authorization management is among the most appealing AI use cases for infusion providers, and for good reason. The prior authorization burden for specialty infusion drugs like biologics, immunoglobulins and high-cost oncology agents is substantial, and AI tools that reduce that burden have direct operational and financial impact.

What infusion providers may not fully appreciate is that prior authorization AI creates legal risk on two sides of the transaction.

On the payer side, most health insurers are already using automated AI systems for prior authorization, with roughly three out of every four plans reporting AI use for prior authorization approvals.[2] State legislatures have begun responding to concerns about fully automated denials: Texas passed legislation in 2025 prohibiting utilization review agents from using an automated decision system to issue an adverse determination without human oversight (SB 815),[3] and Arizona (H.B. 2175),[4] Maryland (H.B. 820)[5] and Nebraska (LB 77)[6] adopted similar laws prohibiting the use of AI as the sole basis for a medical necessity denial.

For infusion providers, understanding the legal constraints on payer-side AI matters because it affects appeal strategy. When a payer denies a prior authorization for a specialty infusion drug, providers who understand that the denial may have been algorithmically generated—and that state law may require human clinical review—are better positioned to challenge those denials effectively.

On the provider side, infusion centers using AI to manage their own prior authorization submissions face a different but related risk: AI-generated documentation errors may be systematic rather than isolated, affecting large numbers of claims and creating aggregate liability that far exceeds the value of individual incorrect claims. The fact that the error was AI-generated is not a defense under the False Claims Act.[8]

The State Law Patchwork Is Growing

Federal law establishes the floor for AI governance in healthcare, but state legislatures have been active in building structures above that floor—and the resulting patchwork of obligations creates particular complexity for infusion providers operating across multiple states.

In the absence of a comprehensive federal AI law, states such as California, Utah, Texas and Colorado have begun passing legislation to fill the void. The Colorado AI Act (SB 26-189) is scheduled to become effective in January 2027.[10] California has moved aggressively on healthcare-specific AI obligations: Assembly Bill 489, signed on October 11, 2025, prohibits AI systems and chatbots that communicate directly with patients from suggesting that the advice they give is coming from a licensed health professional—a prohibition that applies not only to direct statements by the AI, but also to any implication that medical advice has come from a licensed person.[11]

Illinois, where many regional infusion providers operate, has its own AI-related legislative activity that providers in the Midwest market should be tracking closely. The patchwork nature of state regulation means that a multistate infusion provider cannot assume that compliance in its home state is sufficient for its full geographic footprint.

HHS has maintained a publicly accessible inventory of AI use cases and is developing risk management practices for high-impact AI that are likely to be informative for how the private sector should develop and adopt AI.[12] Providers who are building AI governance programs now, rather than waiting for enforcement actions to define the standard, are well positioned relative to those who are not.

AI in Transactions: What PE-Backed Buyers Are Looking for

For infusion providers that may be considering a capital event—whether a private equity investment, a strategic acquisition, or a joint venture—AI governance has become a transaction due diligence issue that can affect deal value and deal structure.

Sophisticated PE buyers and their counsel are now conducting AI-specific due diligence as a standard component of healthcare transaction review. The highest risk areas relate to required disclosures of AI use in decision-making for activities such as prior authorization, patient consent and authorization in compliance with HIPAA (including for purposes of ambient listening), and consumer privacy protections.

For an infusion provider that has deployed AI tools broadly but without documented governance—without Business Associate Agreements, vendor data use restrictions, audit logging or a written AI policy—the due diligence process can surface liability that was not visible from the inside. That liability affects purchase price adjustments, indemnification obligations and, in some cases, deal certainty.

Building AI governance before a transaction process begins is materially better than building it during one.

Practical Steps for Infusion Providers

The legal framework governing AI in healthcare is still developing, but the core obligations are clear enough to act on now. Infusion providers should prioritize the following:

  • Conduct an AI inventory. Map every AI tool currently in use across clinical, administrative and revenue cycle functions. Include tools deployed at the vendor level, because EHR integrations, payer portal tools and pharmacy management systems may incorporate AI components that providers are not aware of.
  • Audit Business Associate Agreements. For every AI vendor identified in the inventory, confirm that a compliant BAA is in place and that it includes explicit data use restrictions prohibiting the use of PHI for model training without patient authorization.
  • Assess clinical decision support classification. For each AI tool used in clinical workflows, evaluate honestly whether the tool is informing or replacing clinician judgment—and whether the way it is used in practice aligns with the vendor’s regulatory characterization.
  • Implement human oversight for billing-related AI. Any AI tool that influences claim submission, prior authorization documentation or coding decisions should have documented human review checkpoints and audit processes sufficient to detect and correct systematic errors before they become aggregate False Claims Act exposure.
  • Calendar compliance deadlines. For providers operating in multiple states, identify which state AI and healthcare AI laws apply to current operations and note pending deadlines—including the Colorado AI Act’s January 2027 effective date.
  • Develop a written AI governance policy. Document the organization’s approach to AI adoption, vendor evaluation, PHI handling and incident response. This document serves as both a compliance tool and a transaction asset.

How Benesch Healthcare Can Help

Benesch’s Healthcare Practice Group advises independent and regional infusion therapy providers on the full range of regulatory, transactional and compliance matters affecting their businesses. Our attorneys combine deep healthcare regulatory knowledge—including HIPAA, federal fraud and abuse law, and Medicare and Medicaid reimbursement—with practical experience helping infusion providers structure AI governance programs, negotiate vendor agreements and manage compliance risk in an evolving regulatory environment.

We understand that independent providers operate without the legal infrastructure of national platforms, and we design our counsel accordingly to be practical, efficient and calibrated to the specific challenges of providers at your stage of growth.

If you have questions about AI governance, vendor contract review or the issues discussed in this bulletin, please contact any member of the Benesch Healthcare Practice Group or the Benesch AI Commission.


[1] SAS, “Global GenAI Study Reveals Optimism and Opportunities for Health Care and Life Sciences” (March 2025), available at https://www.sas.com/en_us/news/press-releases/2025/march/genai-study-healthcare-lifesciences.html.

[2] National Association of Insurance Commissioners (NAIC), “NAIC AI Health Survey Report” (2024), available at https://content.naic.org/sites/default/files/inline-files/NAIC%20AI%20Health%20Survey%20Report%20.pdf.

[3] Tex. S.B. 815, 89th Leg., R.S. (2025), available at https://legiscan.com/TX/text/SB815/id/3245515/Texas-2025-SB815-Enrolled.html.

[4] Ariz. H.B. 2175, 57th Leg., 1st Reg. Sess. (2025), available at https://www.azleg.gov/legtext/57leg/1R/bills/HB2175H.pdf.

[5] Md. H.B. 820, 2025 Reg. Sess. (Md. 2025), available at https://legiscan.com/MD/text/HB820/id/3251347/Maryland-2025-HB820-Chaptered.pdf.

[6] Neb. Legis. B. 77, 109th Leg., 1st Sess. (Neb. 2025), available at https://nebraskalegislature.gov/FloorDocs/109/PDF/Slip/LB77.pdf.

[7] U.S. Food & Drug Admin., Clinical Decision Support Software – Guidance for Industry and Food and Drug Administration Staff, available at https://www.fda.gov/media/109618/download; see also 21st Century Cures Act § 3060(a), Pub. L. No. 114-255 (2016) (excluding certain clinical decision support software from the definition of “device”).

[8] 31 U.S.C. §§ 3729–3733. The False Claims Act imposes liability on any person who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment.” The knowledge standard includes actual knowledge, deliberate ignorance, or reckless disregard of the truth or falsity of information. See also U.S. Dep’t of Justice, Civil Division, “The False Claims Act: A Primer” (2011), available at www.justice.gov/d9/civil/legacy/2011/04/22/C-FRAUDS_FCA_Primer.pdf.

[9] 45 C.F.R. § 160.103 (definition of “business associate”); 45 C.F.R. § 164.502(e) (requiring covered entities to obtain satisfactory assurances from business associates); 45 C.F.R. § 164.504(e) (business associate contract requirements).

[10] Colo. SB26-189, available at leg.colorado.gov/bills/sb26-189.

[11] Cal. A.B. 489, 2025–2026 Reg. Sess. (Cal. 2025), signed Oct. 11, 2025, available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB489.

[12] U.S. Dep’t of Health & Human Servs., “HHS AI Use Case Inventory,” available at https://www.hhs.gov/about/agencies/asa/ocio/ai/use-cases/index.html.