Summary
Internal CMS information security and privacy guidance that sets best practices for CMS staff, contractors, and partners using generative AI tools, with a focus on safeguarding PII and PHI, avoiding disclosure of sensitive CMS data to public AI systems, and maintaining human oversight, documentation, and risk assessment aligned with NIST AI RMF and federal directives.
Healthcare Implications
Strengthens governance around AI use within Medicare, Medicaid, and Marketplace operations by restricting how CMS-related health data can be fed into AI tools, pushing vendors and contractors to meet stricter privacy and security expectations, and indirectly shaping how analytics and automation that touch federal health programs are designed, deployed, and monitored.