2 posts tagged with "Healthcare"

AI governance in healthcare and life sciences

EU MDR, FDA SaMD, and 21 CFR Part 11: AI Agents in Medical Devices and Clinical Software

· 6 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

If your AI agent touches clinical decision-making, diagnostic recommendations, treatment planning, or patient risk scoring, it may be classified as a Software as a Medical Device (SaMD). SaMD classification triggers regulatory requirements that are separate from and stricter than HIPAA — you're now in the FDA's jurisdiction (US) or EU MDR/IVDR jurisdiction (EU), not just privacy law territory.

The distinction matters because SaMD regulations aren't primarily about privacy. They're about safety: ensuring that software used in medical decisions is clinically validated, properly labeled, manufactured under quality controls, and doesn't cause patient harm when it behaves unexpectedly.

HIPAA and AI Agents: PHI, Minimum Necessary, and Approval Gates

· 4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

HIPAA was written in 1996. AI agents weren't part of the threat model. But the obligations translate directly: any AI agent that accesses, uses, or discloses Protected Health Information (PHI) is subject to the same rules as any other HIPAA-covered entity or business associate.

That means the clinical documentation AI, the patient communication bot, the diagnostic support tool, the prior authorization agent — all of them need HIPAA controls built in at the infrastructure level, not just the application level.