Hidden Risks in Medical Technology Contracts — Evergreen Clauses and Undisclosed AI Use

Many healthcare providers assume their technology contracts are static—negotiated once and largely administrative thereafter. That assumption is increasingly risky. Vendors are rapidly embedding artificial intelligence (AI) into existing platforms, often relying on legacy contract provisions that were never designed to address AI-driven data use, automation, or decision-making. As a result, providers may be bound by automatically renewing agreements that permit the use of their data—and the deployment of AI tools—in ways they have not evaluated, approved, or even identified.

Two issues are emerging with increasing frequency: (1) evergreen renewal provisions that limit a provider’s ability to revisit key contractual terms, and (2) expansive data rights that may allow vendors to develop or deploy AI tools using provider data without clear disclosure or consent.

Evergreen provisions, which automatically renew agreements absent timely notice of termination, have long been standard in technology contracts. In the current environment, however, these provisions can lock providers into outdated risk allocations. Vendors are integrating AI capabilities into existing platforms at a rapid pace, often through updates that fall within the scope of existing agreements. When contracts renew automatically, providers may lose the opportunity to renegotiate provisions addressing data use, liability, cybersecurity, regulatory compliance, and pricing tied to expanded functionality.

Equally significant is the scope of vendor data rights. Many agreements permit vendors to use “aggregated,” “de-identified,” or “operational” data for product improvement. With the rise of AI, these provisions may enable vendors to use provider data to train models, enhance proprietary algorithms, or develop new products. These uses may not be apparent from the face of the agreement and may not have been contemplated at the time of execution.

This creates several risks. Provider data may be used to support competing services or products. De-identification methodologies may not fully mitigate re-identification risk, particularly in large or longitudinal datasets. Intellectual property rights may accrue to the vendor based on provider operations. In addition, responsibility for AI-generated outputs—particularly where those outputs inform clinical or billing decisions—may not be clearly addressed.

A related concern is the manner in which AI functionality is introduced. Vendors may deploy AI-enabled features through routine software updates, characterizing them as enhancements rather than material changes. This can have practical consequences for providers. Clinical staff may rely on algorithmic outputs without understanding underlying assumptions or limitations. Documentation workflows may shift in ways that affect reimbursement or audit defensibility. AI-generated content may also become part of the designated record set, raising additional compliance considerations.

Providers should take a proactive approach to these risks. As an initial step, organizations should inventory their technology agreements, with particular attention to renewal provisions, termination notice periods, and data use clauses. Agreements nearing renewal present an opportunity to revisit terms and address AI-related issues directly.

Key areas for review include: (i) the scope of permitted data use, including any rights to use data for model training or product development; (ii) transparency obligations regarding AI deployment and functionality; (iii) allocation of liability for errors associated with AI-generated outputs; and (iv) alignment between underlying agreements and applicable Business Associate Agreements under HIPAA.

Where appropriate, providers may consider narrowing data use rights, requiring affirmative consent for AI deployment, and establishing audit or reporting rights related to vendor data practices. Evergreen provisions should also be evaluated to ensure providers have sufficient flexibility to reassess vendor relationships in light of evolving regulatory and operational risks.

Regulatory scrutiny of AI in healthcare continues to increase, with particular focus on data use, transparency, and accountability. Providers that fail to understand how their vendors are using data—or how AI tools are being deployed within their operations—may face heightened exposure.

Providers that have not recently reviewed their technology contracts should assume that AI-related risk is already present—not hypothetical. A targeted contract audit can quickly identify where vendors have broad data rights, where AI functionality may be introduced without oversight, and where liability remains misaligned. Addressing these issues now—before renewal cycles or enforcement scrutiny—can materially reduce regulatory exposure and strengthen negotiating leverage. We are actively advising healthcare organizations on revising vendor agreements, implementing AI governance controls, and aligning contracts with current regulatory expectations.

This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.