Advanced
# Healthcare AI Regulations
Medical AI is one of the most heavily regulated areas of artificial intelligence. Understanding the regulatory landscape is essential for anyone building or deploying AI in healthcare settings.
## FDA Regulation (United States)
The U.S. Food and Drug Administration (FDA) regulates AI/ML-based software as a medical device (SaMD). Key concepts:
### Device Classification
| Class | Risk Level | Pathway | Example |
|---|---|---|---|
| Class I | Low risk | Exempt or 510(k) | General wellness apps |
| Class II | Moderate risk | 510(k) clearance | AI-assisted radiology triage |
| Class III | High risk | Premarket Approval (PMA) | Autonomous diagnostic AI |
### Key FDA Pathways for AI
- 510(k): Demonstrates that the device is substantially equivalent to an existing legally marketed (predicate) device. This is the most common pathway for medical AI.
- De Novo: For novel devices with no predicate; creates a new device classification.
- PMA: The most rigorous pathway, requiring clinical evidence of safety and effectiveness.
- Breakthrough Device Designation: Expedited review for devices that provide significant advantages over existing alternatives.
Predetermined Change Control Plan: The FDA has introduced a framework allowing AI/ML devices to make certain modifications (like retraining on new data) without requiring a new submission, as long as changes follow a pre-approved plan. This is a significant evolution in how the FDA handles adaptive AI.
## CE Marking (European Union)
In the EU, medical AI must comply with the Medical Device Regulation (MDR) and obtain CE marking:
- Classification: Rules-based classification system (Class I, IIa, IIb, III), similar to but distinct from the FDA's classes
- Notified Body: An independent organization assesses conformity for Class IIa and above
- Clinical evidence: Clinical evaluation reports demonstrating safety and performance
- Post-market surveillance: Ongoing monitoring of device performance after market entry
- EU AI Act: Additional requirements for high-risk AI systems, including healthcare AI
## HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) governs the use of protected health information (PHI) in the United States:
- Privacy Rule: Defines what constitutes PHI and how it can be used and disclosed
- Security Rule: Technical safeguards for electronic PHI (encryption, access controls, audit logs)
- De-identification: Methods to remove identifying information from data for research use
- Business Associate Agreements: Required contracts when sharing PHI with AI vendors
- Minimum necessary standard: Only the minimum necessary PHI should be used for any purpose
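As an added illustration (not code from the original page), the following shows how two of the items above, the Safe Harbor de-identification method and the minimum necessary standard, look when applied to a structured patient record before it is handed to an AI pipeline. The field names, sample records and the `restricted_zip3` set are constructed assumptions for the demo; in practice the restricted ZIP prefixes come from current census data, and free-text fields need their own scrubbing step rather than the blanket drop used here.

```python
"""Safe Harbor de-identification and minimum-necessary projection (added example).

Assumed record layout: a flat dict keyed by the constructed field names below.
"""
import re
from datetime import date

# Direct identifiers under Safe Harbor: removed outright.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "mrn", "ssn", "phone", "fax", "email", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric_id", "photo",
})
# Geographic subdivisions smaller than a state: removed (ZIP handled separately).
SUB_STATE_GEOGRAPHY_FIELDS = frozenset({"street_address", "city", "county"})
# Dates tied to the individual: reduced to the year only.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date", "death_date"})
# Free text may contain any identifier; dropped here rather than scrubbed (assumption).
FREE_TEXT_FIELDS = frozenset({"notes"})


def safe_harbor_zip3(zip_code: str, restricted_zip3: frozenset) -> str:
    """Keep the first three ZIP digits, or '000' for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code)[:3]  # accepts "90210" or "90210-1234"
    if len(digits) < 3 or digits in restricted_zip3:
        return "000"
    return digits


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of, correcting for an unpassed birthday."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if birthday_passed else 1)


def deidentify_safe_harbor(record: dict, as_of: date, restricted_zip3: frozenset) -> dict:
    """Return a Safe Harbor de-identified copy of a structured record."""
    out = {}
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in SUB_STATE_GEOGRAPHY_FIELDS \
                or field in FREE_TEXT_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip3(value, restricted_zip3)
        elif field in DATE_FIELDS:
            if field == "dob" and over_89:
                continue  # a birth year would reveal an age over 89
            out[field + "_year"] = value.year
        else:
            out[field] = value
    if "dob" in record:
        # Ages over 89 are aggregated into a single "90+" category.
        out["age"] = "90+" if over_89 else str(age_on(record["dob"], as_of))
    return out


def minimum_necessary(record: dict, allowed_fields: tuple) -> dict:
    """Project a record onto an allowlist: only fields the purpose actually needs."""
    return {f: record[f] for f in allowed_fields if f in record}


# Constructed sample data (not real patients) and a constructed restricted set.
RESTRICTED_ZIP3 = frozenset({"036"})
SAMPLE_ELDERLY = {
    "name": "Jane Doe", "mrn": "MRN-0001", "dob": date(1931, 5, 20),
    "admission_date": date(2024, 3, 14), "zip": "90210", "city": "Beverly Hills",
    "state": "CA", "diagnosis_code": "I10", "notes": "Jane reports dizziness.",
}
SAMPLE_ADULT = {
    "name": "John Roe", "dob": date(1979, 1, 1), "zip": "03601-1234",
    "state": "NH", "diagnosis_code": "E11", "phone": "555-0100",
}

if __name__ == "__main__":
    as_of = date(2024, 3, 14)
    print(deidentify_safe_harbor(SAMPLE_ELDERLY, as_of, RESTRICTED_ZIP3))
    print(minimum_necessary(
        deidentify_safe_harbor(SAMPLE_ADULT, as_of, RESTRICTED_ZIP3),
        ("age", "diagnosis_code")))
```

The two functions compose naturally: de-identify first, then project onto the allowlist a given model or vendor needs, so a business associate receives neither direct identifiers nor fields irrelevant to its purpose.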
## GDPR and Health Data
In the EU, health data receives special protection under GDPR:
- Health data is classified as a "special category" requiring explicit consent or other legal basis
- Data Protection Impact Assessments are required for AI processing of health data
- Patients have rights to access, rectify, and delete their data
- Cross-border data transfers face additional restrictions
## Global Regulatory Landscape
| Region | Regulator | Key Framework |
|---|---|---|
| United States | FDA | SaMD guidance, 510(k), De Novo, PMA |
| European Union | National authorities + Notified Bodies | MDR + EU AI Act |
| United Kingdom | MHRA | UK MDR (post-Brexit framework) |
| China | NMPA | AI medical device classification |
| Japan | PMDA | SaMD regulatory framework |
Regulatory strategy matters: plan it from day one. The classification of your AI product, the evidence you need to collect, and the markets you target should shape the entire product development process.
Lilly Tech Systems