Morning Overview

Labcorp’s new app uses AI to explain your lab results in plain language

Patients who get blood work through Labcorp can now receive AI-generated plain-language explanations of their results inside the company’s MyLabcorp mobile app. The feature sits at the intersection of two federal regulatory frameworks that were not designed with consumer-facing AI in mind: HIPAA privacy rules governing how labs share data, and FDA guidance defining when software crosses the line from educational tool to regulated medical device. How Labcorp and similar apps handle that boundary will shape whether millions of patients get faster, clearer answers or run into a new set of compliance problems.

Why AI-powered lab explanations create regulatory friction

The core tension is straightforward. Patients want to understand what their lab numbers mean without waiting for a doctor’s callback. An AI feature that translates a hemoglobin count or lipid panel into everyday language fills that gap. But the same step that turns clinical shorthand into readable sentences can drift toward advice, and federal regulators draw a hard line between the two.

The FDA maintains four criteria that clinical decision support software must satisfy to remain outside the definition of a medical device. According to the agency’s CDS FAQ, if any single criterion is not met, the function is classified as a device. That classification would trigger premarket review requirements, quality system obligations, and ongoing reporting duties. For an app positioned as informational and educational, the stakes of even a small misstep in AI output are significant.

On the privacy side, HHS guidance on the patient right of access spells out that HIPAA restrictions apply to covered entities like labs and hospitals, not necessarily to the apps patients choose to receive their data through. Once a patient directs Labcorp to send results to a third-party tool, the right-of-access rules make clear that HIPAA limits on the original lab no longer control how the app handles the information downstream. That gap means an AI feature could store, reprocess, or share patient data in ways the original lab never intended, and the patient may not fully grasp the difference.

If more labs and health systems roll out similar AI explainers, the volume of patient-directed data requests will grow. That growth is likely to pressure the HHS Office for Civil Rights to publish new enforcement examples clarifying what apps can and cannot do with health records after disclosure. The current guidance addresses the handoff but says little about post-disclosure AI processing, a gap that becomes more consequential with every new consumer health tool.

FDA device criteria and HIPAA gaps behind the feature

The FDA’s final guidance on clinical decision support software, published as an official agency document, outlines when CDS functions qualify for an exemption from device regulation. The four criteria require, among other things, that the software not be intended to replace professional clinical judgment and that the end user be able to independently review the basis for any recommendation. MyLabcorp is positioned as informational and educational, a framing that aligns with the exemption’s intent. Yet no public documentation from Labcorp details exactly how the AI feature satisfies each of the four criteria, leaving outside observers unable to verify compliance.

The privacy question runs in parallel. HHS has published scenarios describing when an app developer may qualify as a HIPAA business associate, a designation that would subject the developer to the same privacy and security rules as the lab itself. Whether Labcorp’s AI vendor or internal development team falls into that category depends on the specific data-sharing arrangement. If the AI processes protected health information on behalf of the lab, business associate obligations attach. If the patient independently directs data to a separate app, those obligations may not. The distinction matters because it determines who is accountable if patient data is breached or misused after the AI generates its explanation.

No public test results or accuracy benchmarks for the AI model have been released. Without that data, there is no independent way to confirm the tool stays within educational, non-diagnostic bounds across the full range of lab panels it covers. A cholesterol summary that says “your LDL is above the reference range” is informational. A summary that says “you should talk to your doctor about starting a statin” edges toward clinical recommendation, and that shift could trigger device classification under the FDA’s own criteria.

Design details will matter. If the app clearly labels AI explanations as general information, avoids treatment suggestions, and repeatedly directs patients back to their clinicians for decisions, it is more likely to stay on the non-device side of the FDA line. If, instead, patients can toggle between different AI-generated “options” or receive personalized risk scores that appear to guide therapy, regulators could view the same feature as a decision-support tool intended for diagnosis or treatment, with all the regulatory weight that implies.

Transparency is another unresolved issue. The FDA guidance expects users to be able to understand the basis of a recommendation, but large language models are often opaque. Unless Labcorp exposes the clinical references, ranges, and logic behind each explanation, patients and clinicians may not be able to assess why the AI described a result in a particular way. That lack of explainability could undermine the very criteria the company must satisfy to avoid device status.

Open questions for patients and regulators watching Labcorp’s AI

Several concrete questions remain unanswered. First, Labcorp has not disclosed the specific AI model powering the feature or whether it was trained on the company’s own patient data, licensed from a third party, or built on a general-purpose large language model with medical fine-tuning. That distinction affects both accuracy and privacy risk. Second, there is no public record of OCR or FDA taking a position on whether AI-generated lab explanations constitute a new category of post-disclosure app behavior that warrants updated guidance. The existing frameworks were written before consumer-facing health AI became widespread, and they show the strain.

Third, the business associate question remains open. HHS guidance on health apps suggests that when a developer handles data solely at the patient’s direction, HIPAA may not apply to the app at all. If Labcorp’s AI is tightly integrated into its own systems, the company may shoulder direct HIPAA responsibility. If the AI is operated by a separate vendor that also uses the data to improve its models or build other products, patients could find their most sensitive information governed primarily by consumer privacy policies rather than federal health-privacy rules.

Fourth, accountability for errors remains murky. If an AI explanation downplays a dangerously abnormal value and a patient delays seeking care, is that a matter for malpractice law, product liability, or regulatory enforcement? The answer may depend on how prominently Labcorp presents the AI output, what disclaimers accompany it, and whether clinicians are expected to review or correct explanations before patients see them. At present, those workflow details are not public.

For patients, the practical advice is cautious engagement. AI explanations can help people prepare better questions for their clinicians and reduce anxiety about unfamiliar terminology, but they are not a substitute for medical judgment. Patients using MyLabcorp’s feature should treat the summaries as a starting point, confirm any concerning interpretations with their healthcare providers, and pay close attention to how their data may be reused or shared.

For regulators, Labcorp’s rollout is an early test of how existing rules can stretch to cover AI without stifling useful innovation. OCR could clarify when AI processing of lab results turns an app developer into a business associate, and the FDA could offer examples of language that keeps patient-facing explanations on the safe side of the device boundary. Absent that clarity, labs and developers risk either over-regulating themselves into inaction or underestimating their obligations until an enforcement action or high-profile error forces the issue.

MyLabcorp’s AI feature shows how quickly routine health services are absorbing generative models. Whether it ultimately becomes a template for responsible deployment or a cautionary tale will depend less on the novelty of the technology and more on how carefully Labcorp and its regulators navigate the well-established, but newly stressed, lines between information and advice, access and control.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.