AI in healthcare compliance checklist
Clinical AI sits at the intersection of medical-device law, health-data privacy, and patient-safety expectations — three of the strictest regimes there are. Whether your system triages symptoms, flags scans, or drafts clinical notes, the obligations differ sharply by intended use and jurisdiction. This checklist helps you scope that work: tell it what your system does and where it operates, and it surfaces the relevant requirements across classification, technical safeguards, clinical validation, and explainability.
How it works
You select the system type (clinical decision support, diagnostic imaging, patient-facing triage, or administrative), the clinical use case, and the jurisdiction (EU, US, or UK). The tool assembles the applicable checklist from four families: device classification (EU MDR/IVDR, FDA SaMD), data-protection technical safeguards (HIPAA Security Rule, GDPR special-category data), clinical validation (evidence, intended-purpose definition, post-market surveillance), and explainability/human-oversight obligations. Tick items as you confirm them and the readiness score updates. Everything runs locally.
How to use it
- Pin your intended purpose first. Classification flows entirely from what you claim the system is for. A vague intended purpose creates the worst regulatory ambiguity.
- Do not skip the BAA / DPA. If any vendor touches patient data, the contract controls (a HIPAA business associate agreement or a GDPR data processing agreement) are as load-bearing as the technical ones.
- Validate against the real population. Clinical validation on a non-representative dataset is a leading cause of post-deployment failure and regulatory action.
- Keep a human in the loop. Most regimes expect a clinician to be able to understand and override the AI; design for that from the start.