As artificial intelligence (AI) tools become more integrated into clinical laboratories and diagnostics, healthcare employers face an increased risk of whistleblowing and retaliation from employees who raise concerns about how these tools are used. While AI-based diagnostic support systems, automated laboratory processes, intelligent workflow automation, and other AI tools can increase efficiency, they can also create patient safety, privacy, data misuse, and other legal and regulatory compliance issues if not used properly, overused, or with insufficient human oversight and analysis. A bipartisan federal AI whistleblower law was introduced in May 2025 and is in its early stages.1 As this bill makes its way through Congress and the federal government works to preempt the advancement of state AI laws, employers should be aware that employees who report concerns about AI tools in healthcare diagnostics may be protected by existing whistleblower laws. Employers who mishandle these complaints face costly litigation, reputational damage and regulatory scrutiny.
Existing statutes regarding denunciation
Employees who raise concerns about the use of AI in clinical laboratories and diagnostics may be protected by the following laws:2
The law on safety and health at work
Employees who report that AI tools are creating unsafe working conditions or endangering patient safety may be protected under the Occupational Safety and Health Act (OSH Act), which requires employers to maintain safe working conditions for their employees.3 For example, a laboratory technician who reports that an AI-based diagnostic tool endangers a patient’s safety because it produces inaccurate cancer test results may be eligible for protection under the OSH Act. Failure to properly handle these reports can trigger investigations, citations and sanctions from the Occupational Safety and Health Administration.
The Health Insurance Portability and Accountability Act
Employees who report that AI tools are mishandling protected health information (PHI) may be protected under the Health Insurance Portability and Accountability Act (HIPAA). AI systems that access, process, or generate PHI must comply with the HIPAA Privacy and Security Rules, which prohibit the use and disclosure of PHI without patient authorization, except for treatment, payment, or health care operations. Failure to properly handle these reports may result in legal action and privacy-related investigations by the Office for Civil Rights. For example, a case pending in the U.S. District Court for the Northern District of California, in San Francisco, Sloan v. Verily Life Sciences LLC,4 concerns a former executive who alleges that his employer retaliated against him after he reported HIPAA violations involving unauthorized use of patient data by AI systems.
False Claims Law
Employees who report that AI tools are misclassifying tests and thereby generating fraudulent bills to Medicare or Medicaid may be protected by the False Claims Act (FCA).5 The FCA imposes liability on anyone who submits a false or fraudulent payment request to the federal government. For example, if an AI diagnostic test misclassifies normal results as “abnormal,” that error could cause the provider to order additional tests that are not medically necessary and bill Medicare for the unnecessary tests, which could constitute a false claim under the FCA. Failure to properly handle these FCA reports may result in monetary penalties.
State Whistleblower Statutes
Finally, many state laws also protect employees who report violations of the law or public health risks associated with the use of AI. The recent executive order from the Trump administration, Ensuring a national policy framework for artificial intelligenceaims to establish a national policy framework on AI and anticipate conflicting national laws on AI.6 Employers must maintain compliance with current state mandates while monitoring federal guidance and litigation.
Proposed Statute on AI Whistleblowers
Congress is considering the bipartisan AI Whistleblower Protection Act (S.1792, HR3460), which was introduced on May 15, 2025, by Senators Chuck Grassley (R-IA) and Chris Coons (D-DE) in the Senate and Representatives Jay Obernolte (R-CA) and Ted Lieu (D-CA) in the House of Representatives. The bills have been referred to the Senate Health, Education, Labor and Pensions, and House Energy and Commerce committees, each with at least one cosponsor in the relevant committee, increasing the likelihood of committee consideration. Various whistleblower and AI groups have expressed support for the bills, including the National Whistleblower Center,7 the Center for Democracy and Technology and the Government Accountability Project. While the proposed legislation is not limited to the healthcare industry, the bill would prohibit retaliation against current and former employees and independent contractors who report AI security vulnerabilities or violations, including those that create risks to patient safety, data privacy, or regulatory compliance.
Best practices
Healthcare employers find themselves at the intersection of AI innovation and increasing regulatory scrutiny. As AI continues to reshape health diagnostics, whistleblower protections will likely expand, both legislatively and through enforcement. Proactively preventing retaliation claims can reduce legal risk and build employee confidence in AI-related changes.
Best practices include:
Develop reporting policies and protections against retaliation
Maintain up-to-date policies on reporting AI-related errors, including policies to protect against retaliation.
Create robust reporting channels
Establish internal systems for employees to raise concerns about AI tools confidentially, with documented investigation protocols.
Maintain clear AI governance policies
Define how AI tools are implemented, validated and monitored. Establish clear frameworks for accountability, transparency, fairness and security. Assign responsibility for quality assurance and compliance.
Train supervisors and managers
Educate leaders on how to respond appropriately to complaints, emphasizing non-retaliation obligations under federal and state laws.
Audit Vendor Contracts
Ensure contracts with AI vendors include provisions for compliance, quality control, and shared responsibilities.
Document corrective actions
When issues are raised, record all investigations and remediation efforts to demonstrate good faith compliance.
Risk management
Conduct regular audits, risk assessments and bias testing of AI systems. Monitor performance and resolve issues quickly. Organizations should regularly conduct risk assessments, vulnerability scans, and penetration testing for AI systems. Technical protections include encryption, access controls and data anonymization.
1 The AI Whistleblower Protection Act (1792) (RH 3460)
2 This list is not exhaustive. Employers should contact K&L Gates if they are interested in laws that impact their workforce.
3 29 USC § 651 and following..
4 Sloan v. Verily Life Scis. SARLNo. 24-CV-07516-EMC, 2025 WL 2597393 (ND Cal. September 8, 2025)
5 31 USC §§ 3729-3733.
6 Executive. Order, Eliminate state law obstruction of national artificial intelligence policy(December 11, 2025), https://www.whitehouse.gov/presidential-actions/2025/12/eliminating-state-law-obstruction-of-national-artificial-intelligence-policy/.
7 See, for exampleNational Whistleblower Center (September 19, 2025), https://www.whistleblowers.org/campaigns/the-urgent-case-for-the-ai-whistleblower-protections-congress-must-pass-the-ai-whistleblower-protection-act/.