AI Governance in Healthcare: Clinical AI, Patient Safety, Privacy, and Regulatory Compliance
Healthcare AI sits at the intersection of medical device regulation, health information privacy, clinical safety, and emerging AI-specific obligations. This guide is written for hospitals, health systems, medical device manufacturers, digital health companies, and the clinicians making AI deployment decisions, and covers FDA, TGA, EU MDR, HIPAA, the Privacy Act 1988, and clinical governance.
Key Takeaways
Healthcare AI operates under medical device regulation (FDA, TGA, EU MDR), health information privacy (HIPAA, Privacy Act health records, GDPR special category), and clinical safety obligations.
FDA's AI/ML-based Software as a Medical Device guidance and the Predetermined Change Control Plan framework address the iterative nature of AI in healthcare.
EU AI Act high-risk classification covers most clinical AI (application deferred under the Digital Omnibus to December 2027 for standalone Annex III systems and to August 2028 for AI embedded in Annex I products such as medical devices).
TGA Software-Based Medical Device regulation in Australia includes specific AI considerations.
Clinical governance requires AI integration with existing clinical safety, quality, and incident reporting frameworks.
Distinct considerations for diagnostic AI, treatment recommendation AI, administrative AI, and research AI — each carries different governance obligations.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation."
Healthcare AI governance operates at the intersection of multiple regulatory regimes that did not anticipate AI as a category. Medical device regulators (FDA, TGA, EU MDR, MHRA) treat AI-enabled medical devices as Software as a Medical Device, with specific iterative-update provisions. Health information privacy regulators (HHS for HIPAA, OAIC for Australian Privacy Act health records, EU DPAs for GDPR special category data) apply existing rules adapted for AI processing. Clinical governance bodies (Joint Commission, ACSQHC, NHS Improvement) require AI integration with clinical safety and quality frameworks. AI-specific obligations (EU AI Act high-risk classification, emerging US state AI rules) layer on top. This guide covers the regulatory landscape and operational implementation for healthcare AI.
Medical device regulation
The FDA has been the most active regulator on AI in medical devices, with the AI/ML-based Software as a Medical Device action plan, the Predetermined Change Control Plan framework (which addresses the iterative update problem AI creates: a manufacturer pre-specifies the modifications it intends to make and how it will validate them, so that updates within that plan do not each require a new submission), and ongoing guidance on specific use cases (radiology AI, dermatology AI, pathology AI). More than 1,000 AI-enabled medical devices have FDA clearance or authorisation as of 2026. The TGA (Australia) regulates AI-enabled medical software under the Software-Based Medical Device framework, with specific guidance on AI considerations. The EU Medical Device Regulation (MDR) treats AI-enabled medical devices as devices, with the EU AI Act adding AI-specific obligations (high-risk classification for most clinical AI, with application deferred to August 2028 under the Digital Omnibus for AI embedded in Annex I products). The UK MHRA has issued its own software and AI guidance post-Brexit.
Health information privacy
HIPAA (US) applies to protected health information (PHI) processed by AI, with the Privacy Rule, Security Rule, and Breach Notification Rule each having AI implications. Business Associate Agreements (BAAs) must address AI processing of PHI, including whether PHI may be used to train or improve the vendor's models. The Privacy Act 1988 (Australia) treats health information as sensitive information, which requires consent for collection and restricts secondary use. The automated decision-making (ADM) transparency obligation, which commences on 10 December 2026, requires privacy policies to disclose substantially automated decisions about individuals, so it is relevant to any AI that makes or substantially supports clinical or administrative decisions about patients. GDPR Article 9 treats health data as special category data; processing is prohibited unless an Article 9(2) condition applies, such as explicit consent or processing for the provision of health care.
Clinical safety integration
Clinical AI must integrate with existing clinical safety, quality improvement, and incident reporting frameworks. The Joint Commission (US), ACSQHC (Australia), and NHS Improvement (UK) all require clinical safety governance, and that governance now extends to AI-influenced decisions. Specific clinical considerations: diagnostic AI (sensitivity, specificity, and PPV/NPV reported per population rather than pooled, since PPV and NPV shift with disease prevalence even when sensitivity and specificity do not; integration with clinical workflow); treatment recommendation AI (evidence base, clinician override, patient communication); administrative AI (scheduling, billing, prior authorisation, which affect patient care indirectly); research AI (ethics committee oversight, consent, and whether patient data is shared for AI training).
Operational implementation
Operationalising healthcare AI governance involves the following elements:
- AI inventory covering clinical AI (with regulatory status), administrative AI, and research AI.
- Regulatory status verification for each clinical AI use case: is it a medical device, and if so, under which clearance or authorisation?
- Clinical safety integration: AI use cases are enrolled in the clinical safety program, and incident reporting procedures are adapted for AI events such as a missed finding or an incorrect recommendation.
- Bias and fairness testing, which is particularly important in healthcare given documented disparities by race, sex, age, and socioeconomic status; performance should be measured per subgroup, not only in aggregate.
- Vendor management for AI medical device manufacturers and digital health vendors.
- Workforce training for clinicians using AI: appropriate use, recognising failure modes, and escalation.
- Patient communication: how AI use is disclosed to patients and how consent is obtained.
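The per-population metrics listed under clinical safety integration and the bias and fairness testing step above are easy to state and easy to skip. The following is an added example (not code from the original article or from any regulator) showing how a governance team might compute sensitivity, specificity, PPV and NPV per subgroup for a binary diagnostic AI and flag subgroups that diverge from the pooled figure. The subgroup labels, the evaluation records, and the 5-point tolerance are all assumptions constructed for illustration; a real review would use the validation set agreed in the clinical safety program and a tolerance set by clinical judgement.

```python
"""Per-population performance check for a binary diagnostic AI.

Added example, not part of the original article. Computes sensitivity,
specificity, PPV and NPV for each subgroup of a constructed evaluation
set and flags any subgroup whose metric differs from the pooled value by
more than a tolerance. Subgroup names, counts and the tolerance are
assumptions made for illustration only.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Metrics:
    n: int
    sensitivity: float  # TP / (TP + FN)
    specificity: float  # TN / (TN + FP)
    ppv: float          # TP / (TP + FP), depends on prevalence
    npv: float          # TN / (TN + FN), depends on prevalence


def confusion(records):
    """Count TP, FN, FP, TN from (group, y_true, y_pred) records with 0/1 labels."""
    counts = Counter()
    for _, y_true, y_pred in records:
        if y_true not in (0, 1) or y_pred not in (0, 1):
            raise ValueError(f"labels must be 0 or 1, got {(y_true, y_pred)}")
        counts[(y_true, y_pred)] += 1
    return counts[(1, 1)], counts[(1, 0)], counts[(0, 1)], counts[(0, 0)]


def _ratio(num, den):
    # An undefined metric (no positives, or no negatives, in a subgroup) is
    # reported as NaN rather than silently treated as 0 or 1.
    return num / den if den else float("nan")


def metrics(records) -> Metrics:
    tp, fn, fp, tn = confusion(records)
    return Metrics(
        n=tp + fn + fp + tn,
        sensitivity=_ratio(tp, tp + fn),
        specificity=_ratio(tn, tn + fp),
        ppv=_ratio(tp, tp + fp),
        npv=_ratio(tn, tn + fn),
    )


def metrics_by_group(records):
    """Return {group: Metrics} for every subgroup plus a 'pooled' entry."""
    groups = {}
    for rec in records:
        groups.setdefault(rec[0], []).append(rec)
    result = {group: metrics(recs) for group, recs in sorted(groups.items())}
    result["pooled"] = metrics(records)
    return result


def disparities(by_group, tolerance=0.05):
    """List (group, metric, value, pooled) where |value - pooled| > tolerance.

    A NaN metric is always flagged: it means the subgroup was too small or
    too skewed to evaluate, which is itself a governance finding.
    """
    pooled = by_group["pooled"]
    flagged = []
    for group, m in by_group.items():
        if group == "pooled":
            continue
        for name in ("sensitivity", "specificity", "ppv", "npv"):
            value, ref = getattr(m, name), getattr(pooled, name)
            if math.isnan(value) or abs(value - ref) > tolerance:
                flagged.append((group, name, round(value, 3), round(ref, 3)))
    return flagged


def expand(group, tp, fn, fp, tn):
    """Build (group, y_true, y_pred) records from confusion counts (constructed data)."""
    return ([(group, 1, 1)] * tp + [(group, 1, 0)] * fn
            + [(group, 0, 1)] * fp + [(group, 0, 0)] * tn)


# Constructed evaluation set (an assumption, not real clinical data):
# subgroup "A" has 20% prevalence and 90% sensitivity; subgroup "B" has
# 10% prevalence and 80% sensitivity; specificity is 95% in both.
SAMPLE = expand("A", 45, 5, 10, 190) + expand("B", 16, 4, 9, 171)


if __name__ == "__main__":
    by_group = metrics_by_group(SAMPLE)
    for group, m in by_group.items():
        print(f"{group:>6} n={m.n:4d} sens={m.sensitivity:.3f} spec={m.specificity:.3f} "
              f"ppv={m.ppv:.3f} npv={m.npv:.3f}")
    for group, name, value, ref in disparities(by_group):
        print(f"FLAG {group} {name}: {value} vs pooled {ref}")
```

On the constructed data the pooled sensitivity (about 0.87) and specificity (0.95) look acceptable, but the check flags subgroup B on both sensitivity and PPV, and also flags subgroup A on PPV: the two subgroups share a specificity of 0.95, yet their PPVs differ because prevalence differs. That is the kind of gap an aggregate validation report hides and a clinical safety review needs to see.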
Sector-specific considerations
- Hospitals and health systems: AI inventory across clinical specialties, integration with clinical governance, vendor management for AI-enabled medical devices, workforce training, patient communication.
- Medical device manufacturers: regulatory clearance pathway, post-market surveillance, AI-specific update management (Predetermined Change Control Plans), real-world performance monitoring.
- Digital health companies: position in the regulatory framework (medical device or not), privacy compliance, clinical evidence base, scope creep risk (operational AI features expanding into clinical territory).
- Pharmaceutical companies: AI in drug discovery (research AI), AI in clinical trials (sponsor obligations, FDA/TGA/EMA scrutiny), AI in pharmacovigilance, AI in HCP-facing communications.
Useful third-party resources
- FDA AI/ML-Enabled Medical Devices
- TGA — Australian Therapeutic Goods Administration Software-Based Medical Device guidance
- EU Medical Device Regulation
- UK MHRA
- HHS HIPAA
- OAIC — Australian Information Commissioner, health information
- ACSQHC — Australian Commission on Safety and Quality in Health Care
- WHO — Global guidance on AI in healthcare