AI in Healthcare: Board Obligations, Clinical Governance, and the Regulatory Framework Executives Need to Understand
Healthcare boards approving AI deployment in clinical settings are taking on governance obligations they may not understand. From TGA regulation of AI medical devices to the intersection with privacy law and clinical governance standards, here is what healthcare executives need to know.
Key Takeaways
AI diagnostic tools are medical devices in most jurisdictions — TGA (Australia), FDA (US), CE marking under MDR (EU). Deploying an AI diagnostic tool without the appropriate regulatory approval is deploying an unapproved medical device.
Clinical governance obligations — duty of care, informed consent, professional accountability — apply to AI-assisted clinical decisions. The AI does not substitute for clinical judgment; it creates additional obligations to document how AI outputs were considered.
Healthcare boards that approve AI deployment in clinical settings without specific clinical governance oversight are taking on personal liability for patient safety failures that occur because of inadequate AI governance.
The automation bias risk in clinical AI is well-documented: clinicians who are trained to defer to AI recommendations produce worse outcomes than those trained to critically evaluate them. Governance must address training and culture, not just technology.
Privacy law creates specific obligations for health data used in AI — in Australia, the Privacy Act's health information provisions; in the EU, GDPR special category data rules; in the US, HIPAA. These apply to training data as well as operational data.
"For general information only. This article does not constitute legal, regulatory, financial or professional advice. For guidance on a specific situation, consult a qualified professional."
Healthcare board obligations for AI governance
Healthcare boards face a distinct AI governance challenge. AI is increasingly embedded in clinical care, operational management, patient engagement, and research — but healthcare AI failures carry consequences that extend beyond financial loss to patient safety, clinical outcomes, and regulatory sanctions. Boards of healthcare organisations have specific duties that AI governance must address.
What healthcare AI governance must cover
Clinical AI. AI for diagnosis, treatment planning, screening, monitoring, clinical decision support. Regulated as medical devices by the FDA (US), MHRA (UK), TGA (Australia). Clinical AI must demonstrate safety and effectiveness; the board must ensure appropriate clinical governance integration, including clinical safety cases (DCB0129/DCB0160 in UK NHS), medical staff oversight, and adverse event reporting.
Operational AI. Scheduling, resource allocation, workforce management, billing, coding. Less regulated than clinical AI but still subject to employment law, data protection, and operational risk management. AI-driven scheduling that creates unsafe staffing levels creates both clinical and work health and safety (WHS) exposure.
Patient-facing AI. Chatbots, patient portals, ambient scribes, telehealth AI. Subject to consumer protection, disclosure requirements (California AB 489 effective 1 January 2026), and data protection. The Air Canada chatbot precedent (Moffatt v Air Canada, 2024 BCCRT 149) applies — the organisation is liable for AI-provided information.
Research AI. AI in clinical trials, population health, genomics. Subject to ethics committee oversight, informed consent, data protection (HIPAA, UK GDPR special category), and research-specific frameworks.
Board-specific duties
Healthcare boards owe duties under corporate law (directors' duties), sector regulation (CQC in UK, AHPRA accreditation in Australia, CMS Conditions of Participation in US), and clinical governance frameworks. For AI, these duties mean:
Oversight of clinical AI risk. Board-level visibility into what clinical AI is in production, what risk classification applies, what validation has occurred, and what adverse events have been reported. ASIC's REP 798 approach — understanding the organisation's AI position and asking the right questions — applies equally to healthcare boards.
Patient safety accountability. AI errors in clinical care create patient safety events. Board reporting should capture AI-related clinical incidents separately from general incidents to enable trend analysis.
Regulatory compliance. FDA for the US, MHRA for the UK (its National Commission into AI Healthcare Regulation issued a call for evidence on 18 December 2025), TGA for Australia. The EU AI Act classifies healthcare AI as potentially high-risk under Annex III.
Data governance for health data. Health data is special category data under GDPR/UK GDPR, PHI under HIPAA, and health information under the Australian Privacy Act. The board must ensure that AI processing of health data has a lawful basis, appropriate safeguards, and a DPIA where required.
Practical governance for healthcare boards
Maintain an AI inventory covering all clinical, operational, patient-facing, and research AI.
Integrate AI governance with the existing clinical governance committee structure.
Ensure clinical AI undergoes validation appropriate to the clinical use case: local validation, not just vendor claims.
Implement patient disclosure for AI involvement in care where required by law or good practice.
Monitor AI-related adverse events and near-misses.
Brief directors on AI literacy appropriate to the healthcare context.
The Joint Commission and the Coalition for Health AI (CHAI) are developing voluntary AI certification for healthcare; track this development.
Primary sources: FDA AI/ML Medical Devices · NHS England AI Guidance