AI Compliance Frameworks, Standards, and Governance for Healthcare & Pharmaceutical Organizations

Current as of June 2026. Regulatory dates, framework versions, and device counts shift, and the EU rules for AI medical devices are mid-revision. Every date below reflects the most recent confirmed status, and uncertainty is flagged where it exists.

Healthcare AI compliance is not one rulebook. It is a stack: a horizontal governance layer that applies to any AI program, the health-data privacy laws that bite the moment protected health information moves, a binding EU regime that treats most clinical AI as high-risk, and the FDA and ONC rules written specifically for medical AI. They are layers, not options you choose between, and published crosswalks let one program satisfy several at once. The harder problem sits underneath all of them: none were written for AI agents that take clinical and administrative actions through tool calls, and that is where health systems are now exposed.

NIST AI RMF and ISO/IEC 42001 Are the Horizontal Backbone for Health AI

Every healthcare AI program should align to two horizontal instruments first: the NIST AI Risk Management Framework supplies the methodology, and ISO/IEC 42001 supplies the certifiable management system. NIST AI RMF organizes risk work into four functions, Govern, Map, Measure, and Manage, and its Generative AI Profile (NIST, 2024) adds roughly 12 generative-AI risk categories on top. ISO/IEC 42001, published December 2023, is the first standard an external auditor can certify a health system against (ISO, 2023).

NIST tells a hospital how to manage AI risk. ISO/IEC 42001 lets it prove it did, through accredited third-party certification and a Statement of Applicability that records which controls apply and why. Two values-based references sit alongside them: the OECD AI Principles, the intergovernmental baseline for trustworthy AI (OECD, 2024), and IEEE 7000, an ethics-by-design process for embedding stakeholder values into system design. Neither is a law. Both give a clinical AI program defensible structure that the sector-specific rules below then build on.

HIPAA Is Where Daily Healthcare AI Risk Actually Lands

HIPAA attaches the moment a clinician or staff member moves protected health information (PHI) toward an AI tool, which makes it the layer where most day-to-day healthcare AI risk concentrates. Healthcare has been the costliest sector for data breaches for 14 consecutive years, averaging 7.42 million dollars per breach and 279 days to identify and contain (IBM Cost of a Data Breach Report, 2025). An AI assistant is simply a new channel for PHI to leave through.

The HIPAA Privacy Rule governs how PHI may be used and disclosed, including minimum-necessary limits and patient rights, and it binds covered entities and their business associates (HHS, 2024). The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI, including access control, encryption, integrity controls, and audit logging (HHS, 2024). A clinician pasting a patient note into a consumer AI summarizer is a HIPAA question before it is anything else. The compliance work is concrete: know what PHI exists, detect it in real time as it moves toward an AI tool, and stop or redact it before it crosses a boundary the Privacy Rule cares about.

GDPR Article 9 Treats Patient Data as Special Category

For any health system whose AI touches people in the EU, GDPR Article 9 classifies health, genetic, and biometric data as special-category data, which carries stricter processing conditions than ordinary personal data (GDPR, 2018). Processing it generally requires an explicit legal basis such as patient consent or a specific health or research exemption.

This matters for clinical and pharmaceutical AI because the data flowing into a model, a retrieval system, or an AI assistant is exactly the category GDPR protects most tightly. Article 9 conditions have to be satisfied for the AI use case itself, not just for the underlying record system. A research copilot trained on or querying EU patient records inherits those conditions, and consent obtained for clinical care does not automatically extend to a new AI processing purpose.

The EU AI Act Makes Most Clinical AI High-Risk

AI that is itself a medical device, or a safety component of one, is high-risk under the EU AI Act whenever the device needs a notified body to sign it off, which captures most clinical AI (Reed Smith, 2025). High-risk classification layers AI-specific duties (risk management, data governance, logging, transparency, human oversight, and post-market monitoring) on top of the existing Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR). Fines reach 35 million euros or 7% of global annual turnover for prohibited practices (EU AI Act Article 99, 2024).

The reach is extraterritorial: any organization whose AI output affects people in the EU is in scope, regardless of where it sits. A practical note for medtech and pharma teams: the obligations can be folded into the technical documentation and quality processes a manufacturer already runs under MDR/IVDR, rather than built as a parallel system.

One caveat that needs care. A Digital Omnibus simplification proposal published in December 2025 would move MDR/IVDR within the AI Act’s Annex I in a way that could largely disapply the Act’s high-risk requirements to AI medical devices, leaning on the device rules instead. It is a proposal, not adopted law, as of this writing. Treat the current dual-regime obligation as the live requirement and confirm status before planning against any change.

ONC HTI-1 Forces Algorithm Transparency Into Certified EHRs

The ONC HTI-1 final rule is the first US regulation to set transparency and risk-management requirements for AI inside certified electronic health record technology, through its predictive decision support intervention (DSI) criterion (ONC HTI-1, 2024). Developers of certified health IT that ship a predictive DSI must disclose a defined set of source attributes covering purpose, development, validation, and limitations, and must run an Intervention Risk Management program.

For a health system, HTI-1 turns “the EHR has an AI alert” into a documentation obligation: clinicians are entitled to know how a predictive model was built, what data it used, and where it should not be trusted. It is the first official acknowledgment that an algorithm influencing clinical decisions needs the same scrutiny as the decision support it replaced. Provenance and risk information become part of the certified product, not an afterthought.

The FDA Governs AI as a Medical Device and Across Drug Development

The FDA regulates clinical AI through its Software as a Medical Device (SaMD) framework, and it has now authorized more than 1,200 AI/ML-enabled medical devices, with 2025 setting a single-year record (FDA, 2025). A device team has to satisfy expectations for safety, effectiveness, and lifecycle management, not just initial clearance.

Three FDA instruments matter most for adaptive AI. The Predetermined Change Control Plan (PCCP) lets a manufacturer pre-specify how an algorithm may be retrained and updated, so the model can evolve without a new submission for each change (FDA, 2024). Good Machine Learning Practice (GMLP) gives the day-to-day principles for data management, training, and monitoring (FDA, 2024). For pharma specifically, draft FDA guidance addresses using AI to generate information supporting drug and biologic regulatory decisions, with a risk-based credibility assessment (FDA, 2025).

Two long-standing rules bound AI in regulated pharma workflows. ICH E6(R3) Good Clinical Practice (GCP), adopted January 2025 and adopted by the FDA in September 2025, modernizes trial conduct around risk-based, technology-enabled approaches, and it is the standard that AI used in protocol design, patient selection, and monitoring must uphold (FDA, 2025). And 21 CFR Part 11 applies whenever AI systems create, modify, or maintain electronic records and signatures, requiring validation, audit trails, access control, and data integrity (eCFR, 2025).

WHO Sets the Global Ethics Bar for Health AI

The World Health Organization provides the international ethics benchmark for health AI through six principles: protect autonomy, promote well-being and safety, ensure transparency and explainability, foster responsibility and accountability, ensure inclusiveness and equity, and promote sustainability (WHO, 2021). A companion document addresses the regulatory dimension directly, covering safety, effectiveness, transparency, and risk management for AI health products (WHO, 2023).

For a multinational provider or pharma company, WHO guidance is the common reference point when local law is silent or still forming. It does not certify or fine. It sets the expectations that national regulators increasingly translate into binding rules, which makes aligning to it early a hedge against the next wave of health-AI regulation.

How the Healthcare AI Compliance Stack Lines Up

Each layer of the healthcare stack governs a different thing, and each was built for AI a clinician operates, not for autonomous tool calls. The table below maps what each instrument is, whether it is mandatory, and how far it reaches into agentic AI. The pattern is consistent: strong coverage of human-operated clinical AI, minimal coverage of agents acting on their own.

| Framework | What it governs for healthcare AI | Mandatory? | Agentic-AI coverage |
|---|---|---|---|
| HIPAA Privacy & Security Rules | PHI handling and safeguards whenever data flows through AI | Mandatory for covered entities and business associates | None specific; governs the data, not the agent |
| EU AI Act (medical-device AI) | High-risk obligations layered on MDR/IVDR | Mandatory for AI touching people in the EU | Limited; oversight obligations assume a human operator |
| ONC HTI-1 (predictive DSI) | Transparency and risk management for AI in certified EHRs | Mandatory for certified health IT developers | Minimal; addresses decision support, not autonomous action |
| FDA SaMD, PCCP, GMLP | Safety and lifecycle of AI medical devices | Mandatory for regulated devices | Limited; device-bounded, not enterprise agent governance |
| ISO/IEC 42001 | Auditable AI management system | Voluntary; third-party certifiable | Limited; management-system controls assume human-run processes |
| NIST AI RMF | Risk methodology (Govern, Map, Measure, Manage) | Voluntary | Minimal; Generative AI Profile covers generative risk, not tool calls |

Read down the last column and the gap is obvious. Every instrument was written for a person operating the AI. None reaches the agent that acts on its own.

Every Framework Assumes a Clinician at the Keyboard, and Agents Broke That Assumption

The major healthcare frameworks all assume a human operates and oversees the AI, and AI agents acting through Model Context Protocol (MCP) tool calls remove that human from the chain. MCP is the open standard that lets an agent connect to external tools, electronic record systems, and data sources and act through them. An agent that schedules, queries a record, or drafts an order is taking an action no clinician reviewed in the moment.

This is the hinge. The NIST AI RMF Govern function assumes accountable humans making decisions. The EU AI Act’s human-oversight duties assume a person to oversee. HIPAA’s access model assumes a workforce member, not an autonomous service. ONC HTI-1 governs a clinician reading an alert. An agent chaining tool calls across a health system satisfies none of those assumptions cleanly, because the action surface moved from a screen a person reads to a tool call that fires in milliseconds. Singapore’s Infocomm Media Development Authority launched the first governance framework written specifically for autonomous AI agents in January 2026. It is the first official signal that the existing stack does not reach agents, and the control for that gap has to come from architecture, not the frameworks.

You Cannot Comply With What You Cannot See

Aurascape catalogues more than 20,000 AI applications and ships production-ready connectors within 48 hours of a new tool appearing, which is the inventory layer every healthcare framework assumes a health system already has (Aurascape Product Brief, 2026). Without it, the Govern function of NIST AI RMF, the scope of an ISO/IEC 42001 Statement of Applicability, and any HIPAA risk analysis are built on a guess.

Discovery is where written policy meets reality. A hospital can have an AI policy and still be blind to the personal ChatGPT accounts clinicians use for note drafting, the AI features switched on inside an approved scheduling or documentation tool, and the copilots staff enabled without asking. Aurascape secures user activity across tens of thousands of AI apps with prompt and response decoding and automated remediation, the inventory-plus-enforcement combination the frameworks assume is in place. You cannot write a Statement of Applicability, or complete a HIPAA risk analysis, for tools you have not found.

Sensitive Data Controls Operationalize HIPAA and GDPR at the Prompt

Aurascape’s real-time, multimodal data classification catches PHI at the prompt, before it reaches any external AI service, because HIPAA and GDPR Article 9 attach liability the moment regulated health data moves toward an AI tool. The AI Proxy inspects prompts, responses, file uploads, and multi-turn conversations across text, code, and images, then enforces policy inline: allow, block, redact, or coach the user.

Sensitive Data Fingerprinting tags protected health information and other regulated content so enforcement is context-aware rather than blunt. This is the control HIPAA implies but does not provide: the technical means to stop a clinician’s note, a patient identifier, or a genetic record from leaving through an AI channel. The same mechanism addresses GDPR Article 9 for EU-facing care, because the data being caught is exactly the special category Article 9 protects.

Audit Logging Is How You Prove It to an OCR Investigator or FDA Auditor

HIPAA’s Security Rule, the EU AI Act, and 21 CFR Part 11 all treat logging as an evidence requirement, not a best practice, and records must be producible on demand. Aurascape generates audit-ready, conversation-level logs of every AI interaction: what was prompted, what was returned, what data was involved, and what policy decision fired. That is the record an HHS Office for Civil Rights investigator, an ISO/IEC 42001 auditor, or an FDA reviewer asks for.

This is the difference between asserting governance and demonstrating it. A Part 11 audit trail, an EU AI Act logging obligation, and a HIPAA access review all want the same thing: a traceable record that the stated controls actually ran. Decoded interaction histories and policy-decision logs are that record. The platform does not make an organization compliant and does not replace legal counsel. It produces the evidence compliance and privacy teams use to demonstrate the controls were in place and enforced.

Copilot Readiness Closes the Embedded-AI Privacy Gap in Health Systems

Microsoft 365 Copilot and similar Embedded AI tools surface everything a user can technically reach, which turns a tolerable permissions mess into a live HIPAA exposure the moment someone runs a cross-department summary prompt. Aurascape’s Copilot Readiness module finds overshared permissions before a rollout, Copilot Oversight monitors live usage, and Copilot Unlearning removes sensitive data already ingested by the AI system.

In a hospital, a permissions structure that staff navigated one record at a time becomes a HIPAA and GDPR problem when a copilot can summarize across all of it in a single prompt. Finding the oversharing before go-live is the readiness step. Monitoring usage and removing exposed PHI afterward is the ongoing control. All three map to the privacy and record-keeping duties those rules impose on the channel copilots opened.

The Zero-Bypass MCP Gateway Is the Control the Frameworks Are Missing

Only 31% of organizations say they are fully equipped to control and secure agentic AI systems, even as 83% plan to deploy them (Cisco AI Readiness Index, 2025), and the gap is structural: the healthcare frameworks assume a human oversees the action. Aurascape’s Zero-Bypass MCP Gateway inspects, verifies, signs, and controls every Model Context Protocol tool call, API invocation, and data retrieval before an agent reaches any external system. Secure Agentic AI wraps the rest of the lifecycle: pre-build adversarial testing, Code Path and CVE Detection, and Safe Output Governance at runtime.

Where the frameworks assume a clinician in the loop, the Gateway treats the agent as a privileged user and inspects both legs of its behavior: the agent-to-model leg and the agent-to-tool leg. The control fires at the tool call itself, where a clinical or administrative agent reaches a record system or external service, not at a URL the agent already moved past.

Auri Gives Compliance Teams the Evidence Without the Console

Auri, Aurascape’s natural-language agent, gives privacy, legal, and compliance teams role-based access to AI activity records, summaries, and audit evidence through plain-language questions, with no dashboard login or query syntax required (Aurascape, 2026). The people who own the HIPAA and AI Act obligation are rarely the people who run the security tooling.

A privacy officer preparing for an OCR inquiry, or a GRC lead readying an ISO/IEC 42001 surveillance audit, needs to pull relevant interaction records and policy decisions on their own timeline. Self-service, role-bound access to that evidence lets compliance operate the program rather than filing a ticket and waiting on the security team for every request.

The Stack Holds, but Only If Something Watches the Agents

The healthcare frameworks cover the human-operated AI surface well when an organization builds to them together: NIST AI RMF as the methodology, ISO/IEC 42001 as the external proof, the EU AI Act and FDA rules as the binding obligations, and HIPAA as the data backbone. The crosswalks are real, and an organization that builds to the strongest common denominator can satisfy several layers without duplicating the work.

The stack’s one structural gap is the agent. Only one in five companies has a mature model for governing autonomous AI agents, even as agentic AI use is set to rise sharply (Deloitte State of AI in the Enterprise, 2026). The frameworks were written for a clinician at the keyboard, and autonomous tool calls through MCP removed that clinician from the loop faster than the rules could adapt. Gartner predicts guardian agents will capture 10 to 15% of the agentic AI market by 2030, establishing AI-on-AI governance as a defined category (Gartner, 2025). Until the frameworks catch up, the control for autonomous healthcare AI has to come from architecture that inspects the tool call directly, because a rule that assumes human oversight cannot govern an action no human sees.

Frequently Asked Questions

Does HIPAA apply to AI tools that process PHI?

Yes. HIPAA applies to protected health information regardless of the channel, so an AI assistant, summarizer, or coding tool that processes PHI falls under the Privacy and Security Rules. If a vendor processes PHI on a covered entity’s behalf, it is a business associate and needs a business associate agreement. The tool being new does not change the obligation.

Is clinical decision support AI high-risk under the EU AI Act?

Usually yes. AI that is a medical device or a safety component of one is high-risk under the EU AI Act when the device requires third-party (notified body) conformity assessment, which covers most clinical AI above the lowest risk class. A December 2025 Digital Omnibus proposal could change how the Act and MDR/IVDR interact, but it is not adopted, so the dual-regime obligation remains the live requirement.

What is ONC HTI-1 and does it apply to my AI?

ONC HTI-1 is the US final rule that requires transparency and risk management for predictive AI inside certified electronic health record technology. It binds developers of certified health IT that ship a predictive decision support intervention, who must disclose defined source attributes and run an Intervention Risk Management program. It applies to the certified product, so a health system inherits the transparency information rather than the certification duty itself.

Does an ISO/IEC 42001 certificate satisfy HIPAA or the FDA?

No. ISO/IEC 42001 is a voluntary management-system certification. HIPAA is a binding US law and FDA device rules are binding regulations, each with their own specific requirements. A 42001 certificate strengthens governance evidence and can streamline parts of an audit, but it does not substitute for HIPAA safeguards or FDA clearance.

Can clinicians use a public chatbot with patient data?

Not without controls. Pasting PHI into a consumer chatbot with no business associate agreement and no data protections is a HIPAA exposure, and in the EU a GDPR Article 9 issue. The practical answer is real-time detection at the prompt that blocks or redacts regulated data before it reaches the external service, plus an approved, governed alternative for clinicians to use.

What is a Predetermined Change Control Plan?

A Predetermined Change Control Plan (PCCP) is an FDA mechanism that lets a manufacturer pre-specify how an AI-enabled device’s algorithm may change, including data, retraining, and performance bounds, so the model can be updated safely without a new marketing submission for each change. It is how adaptive AI devices evolve under regulatory oversight rather than freezing at first clearance.

Do GDPR and HIPAA both apply to the same AI system?

They can, in parallel. HIPAA governs PHI in the US healthcare context, while GDPR governs personal data of people in the EU, treating health data as special category under Article 9. A multinational provider’s AI system can be subject to both at once, and each has to be satisfied independently because they impose different conditions.

Can a security platform make my health system compliant?

No. A platform like Aurascape operationalizes and evidences compliance: it discovers AI use, enforces data controls at the prompt, governs agent tool calls, and produces audit-ready records. Compliance itself is a legal and clinical determination that requires counsel and formal assessment. Tooling supports and demonstrates it but does not replace either.

Where does healthcare AI risk actually concentrate?

In HIPAA and GDPR, because regulated health data becomes exposed the moment it moves into an AI tool. Most real incidents are not exotic agentic attacks. They are PHI leaving through a new channel, which is why real-time detection at the prompt matters more than any single AI-specific rule, and why healthcare has remained the costliest sector for data breaches.

How Aurascape Operationalizes Healthcare AI Compliance Across Every AI Interaction

Aurascape’s Zero-Bypass MCP Gateway inspects, verifies, and signs every agent tool call before it executes, closing the gap every healthcare framework leaves open: autonomous agents acting through Model Context Protocol connections that existing SSE, SASE, and DLP controls never see. The platform discovers every AI app and agent including shadow and Embedded AI, classifies and controls PHI inline before it reaches an external tool, and produces the conversation-level audit records that HIPAA’s Security Rule, the EU AI Act, and 21 CFR Part 11 require.

For the agentic surface specifically, Secure Agentic AI adds adversarial testing and runtime guardrails across the full agent lifecycle, from pre-build Code Path and CVE Detection through Safe Output Governance at runtime. The platform sits alongside an existing SSE, SASE, or DLP stack rather than replacing it, and Auri gives compliance teams self-service, natural-language access to the evidence. Aurascape does not make an organization compliant or replace legal counsel. It operationalizes the controls and produces the proof that compliance and clinical teams use to demonstrate the program is real.

This page is one of a set. For the cross-industry version, see AI Compliance Frameworks, Standards, and Governance for Enterprise AI.

