Agentic AI
,
Artificial Intelligence & Machine Learning
,
Healthcare
Experts Say Clinical Laboratory Improvement Amendments Are Seriously Outdated

The Department of Health and Human Services is asking for public feedback on cybersecurity practices and the use of artificial intelligence for a possible update to decades-old rules-of-the-road regulations for U.S. clinical laboratories.
See Also: AI Agents Introduce a New Insider Threat Model
Clinical laboratories that test human specimens for health conditions have evolved dramatically since the Clinical Laboratory Improvement Amendments regulations were implemented in 1992, HHS noted in its request for information published Thursday in the Federal Register.
In their joint request, HHS’ Centers for Medicare and Medicaid Services and the Center of Disease Control and Prevention are seeking stakeholder input to possibly update CLIA regulations regarding modern technology advances in laboratory AI, cybersecurity, biosecurity and several other areas.
Although certain aspects of CLIA have been updated over the years, the current regulations contain very little substance related to cybersecurity or AI, some experts said.
“CLIA barely speaks to cybersecurity at all. It is focused on test accuracy and quality, not protecting data, evaluating diagnostic algorithms, etc.,” said regulatory attorney Jordan Cohen, a partner at the law firm Akerman LLP. “The CLIA rules were implemented in the 1990s. Lab medicine has changed considerably since then, so HHS is trying to catch the regs up to how testing works today,” he said.
Increasingly, many clinical testing labs in the U.S. are implementing AI tools for an assortment of uses, including to help achieve more precise and efficient testing results.
“The regulations predate clinical AI entirely, so, for example, there’s no framework for validating AI algorithms used in testing or result interpretation,” Cohen said. “Interestingly, CLIA’s existing focus on the technical aspects of testing, validation and other lab processes are principles that could be adapted for AI.”
Meanwhile, clinical labs in the United States and elsewhere have increasingly been targets of cyberattacks, including ransomware and data theft incidents.
That includes a 2024 Medusa ransomware gang attack on Colorado-based Summit Pathology Laboratories, which compromised the names, addresses, medical billing and insurance information, diagnoses, dates of birth, Social Security numbers, and financial information of more than 1.8 million people (see: Medusa Ransomware Hack on Pathology Lab Affects 1.8 Million).
While most U.S. labs fall under the HIPAA privacy, security and breach notification rule umbrella, CLIA regulations currently do little to address the evolving cybersecurity threats facing clinical labs, experts said.
Therefore, any potential update that HHS considers to CLIA related to cyber issues should focus on gaps that HIPAA doesn’t adequately cover, Cohen suggested.
Such matters could include protecting laboratory AI systems from corruption like prompt injection, he said. “It could also regulate laboratory stakeholders who may not be regulated by HIPAA, such as software embedded by instrument companies,” he said.
Related to AI, HHS is asking labs about whether they’re using software algorithms or AI tools in postanalytic processes; the circumstances under which those tools are used for the interpretation of test results; the methods labs use to verify the performance and accuracy of AI tools; and about several related AI issues.
Pertaining to cybersecurity, HHS is asking labs about the security protocols and policies they have in place to protect patient data and laboratory operations, including:
- Identity and access;
- How labs restrict access to the internet;
- Cyber incident response plans;
- Cyber training for personnel;
- Job positions responsible for the cybersecurity of the lab.
HHS is accepting public comment until Sept. 14.
If HHS moves forward with refreshing CLIA, regulators should set clear rules that are practical and won’t overburden small labs, Cohen suggested.
“Coordinate with other regulators like the Food and Drug Administration so that regulated entities don’t face conflicting rules,” he said. “Design the rules so that they can evolve as the technology evolves – which is easier said than done.”
