AHLA’s Speaking of Health Law | Sponsored by Clearwater
Healthcare organizations are signing AI agreements faster than the law can keep up. AI-enabled tools are being layered into clinical decision support, scheduling, billing, and prior authorization, and the contracts behind them carry risk profiles that traditional IT and SaaS agreements were never built to address. For legal and compliance teams, the question is no longer whether AI vendor contracts require a different playbook. It is how quickly that playbook can be built and updated as the technology, the data, and the regulators all keep moving.
In this episode of AHLA Speaking of Health Law, sponsored by Clearwater, Zach Stephens, Senior Consultant at Clearwater, sits down with Carolyn Metnick, Partner at Sheppard Mullin Richter & Hampton LLP, and Lauren Edelman Willens, Senior Counsel at Henry Ford Health, for a candid conversation about what AI vendor contracting actually looks like inside a major health system right now — what to negotiate, where vendors push back, and how legal stays at the table after the ink is dry.
What This Episode Covers
Stephens, Metnick, and Willens move past the headlines and into the practical realities legal and compliance teams are working through every day:
- Why AI vendor contracts differ from traditional health IT and SaaS agreements — and why a model that evolves after signing changes everything that follows
- The “must-ask” due diligence questions, from SOC 2 and HITRUST attestations to bias, explainability, and the validity of underlying training data
- Where vendors push back hardest — IP rights, limitation of liability, indemnification, insurance caps, and the contested question of training data
- How the patchwork of state AI laws (Colorado, California, Texas, Utah, Illinois, Nevada, New York), federal executive orders, and the EU AI Act is reshaping contracting strategy
- Why legal stays at the table beyond signature: governance, oversight, and re-review of tools that update on their own
- High-leverage contracting strategies — AI-specific addenda, internal playbooks, most-favored-nation pricing, material-change rights, and audit rights with teeth
Why Healthcare Legal and Compliance Leaders Need to Engage Now
AI vendor agreements are not a future problem. They are landing on legal desks now, often as add-ons to existing SaaS contracts that never contemplated AI, or as net-new pilots from startups that may not understand HIPAA, CPT codes, IRB oversight, or the FDA framework. As Willens puts it, today’s AI tools require legal to stay at the table well past signing because the model itself is not static. Metnick frames it more bluntly: these are health IT SaaS agreements on steroids.
Limitation of liability and indemnification still matter, but they now sit alongside questions that did not exist five years ago: Who owns the de-identified data? How is it being used to train the model? What happens when the version you contracted for evolves into something materially different next month? State regulators are not waiting for those questions to settle — the patchwork of AI-specific healthcare laws is widening, the EU AI Act adds extraterritorial pressure in August 2026, and HIPAA, the False Claims Act, and DOJ enforcement remain very much in play. Organizations contracting without an AI-specific playbook are exposed.
“AI vendor contracting is not just an extension of traditional IT contracting — it introduces fundamentally new considerations around data, accountability, and product evolution.” — Zach Stephens, Senior Consultant, Clearwater
About the Speakers
Zach Stephens
Zach Stephens is a Senior Consultant at Clearwater, where he advises healthcare organizations on privacy, security, and AI governance matters. He works with hospitals, health systems, and digital health clients to translate the complex realities of AI deployment — including vendor contracting, risk allocation, and ongoing oversight — into practical, defensible compliance programs.
Carolyn Metnick
Carolyn Metnick is a Partner at Sheppard Mullin Richter & Hampton LLP, where she leads the firm’s Healthy AI initiative within the healthcare industry practice group. A privacy lawyer by training, based in Chicago, she advises healthcare providers, payers, and other industry stakeholders on the development, deployment, and contracting of AI-enabled tools.
Lauren Edelman Willens
Lauren Edelman Willens is Senior Counsel at Henry Ford Health, an integrated care delivery system and academic medical center headquartered in Detroit. She leads transactions and negotiations related to AI, IT, and sourcing, and brings a privacy lawyer’s lens — particularly HIPAA and data rights — to one of the most active in-house AI contracting practices in healthcare today.
Clearwater Can Help You Build the AI Contracting and Governance Backbone You Need
Clearwater helps healthcare organizations navigate the practical realities behind every AI deployment — from the contract on the desk today to the governance framework that will hold up as state laws, federal guidance, and the technology itself continue to shift. Whether you are negotiating your first AI vendor agreement, stress-testing the contracts already in place, or building an AI governance program from the ground up, our team brings the regulatory fluency, privacy and security depth, and healthcare-specific experience to help you move forward with confidence.
About Clearwater
Clearwater is the leading provider of cybersecurity and compliance solutions for the healthcare industry, helping organizations align privacy, security, and business objectives to achieve resilience and trust.