Model Research and Design by Kelly Emrick, DHSc, PhD, MBA


AI Governance Dashboard & Task List

A comprehensive framework for healthcare organizations to implement, monitor, and mature their AI governance programs — aligned with JC/CHAI, NIST AI RMF, HAIRA, and emerging state/federal regulations.

AI Governance Landscape

Healthcare AI governance sits at the intersection of accreditation standards, federal frameworks, state legislation, and organizational readiness. This dashboard integrates the leading frameworks into a single actionable tool.

  • 1,250+ FDA-Authorized AI Devices
  • 12% of Hospitals with Formal AI Governance
  • 15+ State AI Laws Active in 2026

Integrated Framework Sources

  • HAIRA (2026)
  • PPTO Framework (2026)
  • JC/CHAI RUAIH (2025)
  • NIST AI RMF 1.0
  • HEAAL Framework
  • FDA AI/ML Guidance
  • AMA STEPS Forward
  • DiMe Maturity Model
  • NEJM AI Roadmap

AI Governance Committee Builder

Structure your AI governance using the People, Process, Technology, and Operations (PPTO) framework. An effective governance committee requires multidisciplinary expertise with clearly defined roles and decision-making authority.

People Domain (Core)
  • Executive Sponsor / Chief AI Officer designated
    Senior leader with AI oversight aligned to enterprise strategy
  • Clinical Operations representative appointed
    Ensures AI aligns with care delivery and serves as patient advocate
  • IT/Technical Infrastructure lead assigned
    Manages AI systems architecture, integration, and security
  • Data Science / Clinical Informatics lead assigned
    Bridges data analysis, model validation, and clinical practice
  • Regulatory/Compliance officer included
    Navigates FDA, state laws, HIPAA, and accreditation requirements
  • Legal counsel engaged
    Contract review, liability, data use agreements, vendor terms
  • Ethics representative included
    Evaluates AI projects for alignment with organizational values
  • Cybersecurity officer included
    AI-specific threat assessment, SBOM review, incident response
  • Quality Improvement / Patient Safety officer
    Integrates AI monitoring into existing QI infrastructure
  • Patient/Community representative included
    Ensures tools align with real-world patient priorities and builds trust
Process Domain (Critical)
  • Centralized AI intake process established
    Single pathway for all AI proposals to enter governance review
  • Risk classification methodology defined
    High/Medium/Low based on patient proximity and decision impact
  • Lifecycle decision checkpoints documented
    Stage-gate approvals from intake through decommissioning
  • Standard operating procedures written
    SOPs for evaluation, approval, deployment, monitoring
  • Decision-making model formalized
    Voting vs. consensus; quorum requirements; escalation paths
  • Meeting cadence and reporting structure set
    Regular schedule with minutes, board reporting, and KPIs
  • Vendor evaluation criteria standardized
    Validation data, bias testing, demographic performance requirements
  • Incident management protocols defined
    AI-specific reporting, response strategies, corrective actions
  • Decommissioning criteria established
    Triggers for removing or replacing AI tools from production
Technology Domain (Infrastructure)
  • AI solution registry/inventory system deployed
    Track all AI tools across the organization with metadata
  • Document management for model artifacts
    Versioned storage for validation reports, change logs, audits
  • Secure computing environment for validation
    Isolated environments for testing AI models on local data
  • Data extraction and cohort tools available
    Infrastructure for building representative validation datasets
  • AI performance monitoring dashboards built
    Real-time tracking of accuracy, drift, bias, and usage metrics
  • Integration pathways mapped (EHR, PACS, etc.)
    APIs, FHIR endpoints, HL7 interfaces for clinical integration
Operations Domain (Sustainability)
  • AI governance budget allocated
    Dedicated funding for committee operations, tools, and training
  • FTE support for governance operations identified
    Full-time staff to manage day-to-day governance activities
  • Committee member compensation structure defined
    Protected time, stipends, or role integration for participants
  • Board reporting template created
    Standardized format for regular updates to fiduciary board
  • Annual governance review process scheduled
    Yearly reassessment of policies, committee effectiveness, maturity
  • Cross-departmental champion network built
    AI advocates in each department to facilitate adoption and feedback
[Chart: Governance Domain Progress]

JC/CHAI Responsible Use of AI in Healthcare (RUAIH)

The Joint Commission and Coalition for Health AI released this landmark guidance in September 2025, establishing seven elements for responsible AI use across U.S. health systems. A voluntary AI certification program based on forthcoming playbooks is expected in 2026.

Element 1: AI Policies and Governance Structures (Foundation)
  • Formal AI-usage policies established and documented
  • Cross-functional governance committee formed with defined charter
  • Committee includes compliance, IT, clinical, operations, privacy, cybersecurity
  • Policies set expectations for AI use including permitted and prohibited uses
  • AI policies aligned with other internal policies and external regulatory/ethical frameworks
  • Regular AI usage reporting to the board of directors / fiduciary governing body
  • Policies regularly reviewed and updated as regulations shift
Element 2: Patient Privacy and Transparency (Trust)
  • Data access and use policies specific to AI tools documented
  • Mechanism to disclose AI’s role in patient care to patients and families
  • Patient education materials on how AI may benefit their care
  • Transparency extends to staff on how AI tools function and handle data
  • Compliance with applicable state disclosure requirements (CA, TX, CO)
Element 3: Data Security and Data Use Protections (Critical)
  • All AI data uses comply with HIPAA Privacy and Security Rules
  • Data encrypted in transit and at rest for all AI systems
  • Role-based access controls enforced for AI tools
  • Regular security risk assessments conducted for AI systems
  • AI-specific incident response plan in place
  • Data use agreements executed with all AI vendors
  • DUAs define permitted uses, data minimization, re-identification prohibitions
  • Third-party security obligations documented with audit rights
Element 4: Ongoing Quality Monitoring (Continuous)
  • Pre-deployment validation completed for each AI tool
  • Post-deployment risk-based monitoring program established
  • Validation evidence requested from vendors during procurement
  • Bias evaluations reviewed and documented per vendor/tool
  • AI performance dashboard deployed (accuracy, drift, usage)
  • Post-implementation reviews at 30, 90, and 180 days
  • Process for managing vendor updates and version changes
  • Responsible parties for monitoring formally assigned
Element 5: Voluntary, Blinded Reporting of AI Safety Events (Safety)
  • Internal incident system updated to capture AI-related events
  • AI near misses and harms tracked (unsafe recommendations, bias, degradation)
  • De-identified AI safety events shared through existing channels (e.g., PSOs)
  • Pattern recognition process for AI-related safety trends
  • Feedback loop established with AI vendors on safety events
Element 6: Risk and Bias Assessment (Equity)
  • Process for categorizing and documenting AI risk levels established
  • Bias assessment process formalized for all AI tools
  • Verification that AI tools are tuned to the population served
  • Training data representativeness reviewed per AI tool
  • Subgroup performance analysis required (age, sex, race/ethnicity)
  • Ongoing bias monitoring integrated into quality monitoring process
Element 7: Education and Training (Workforce)
  • AI education program developed for all staff levels
  • Role-specific AI training modules created (clinical, admin, IT)
  • Training covers AI limitations, risks, and appropriate reliance
  • AI tool access limited to need-to-use basis by role
  • All staff know where to find AI policies and procedures
  • Training updated when new AI tools are deployed or policies change
[Chart: JC/CHAI Element Progress]

Regulatory & Legal Landscape Tracker

Healthcare AI governance operates within a complex, rapidly evolving regulatory environment. Federal frameworks provide voluntary guidance while state laws impose binding requirements. Organizations should adopt a "highest common denominator" compliance strategy.

Federal Frameworks & Guidance

NIST AI Risk Management Framework (AI RMF 1.0) [Active]
Voluntary framework with four core functions: GOVERN, MAP, MEASURE, MANAGE. Accompanied by the AI RMF Playbook with suggested actions per subcategory. The GenAI Profile (AI 600-1) extends coverage to generative AI risks including confabulation, content provenance, and data poisoning.
Released Jan 2023 · Playbook updated ~2x/year · GenAI Profile July 2024
FDA AI-Enabled Device Software Functions Guidance [Draft]
Draft guidance on lifecycle management and marketing submissions for AI-enabled medical devices. Introduces Total Product Lifecycle (TPLC) approach. Covers Predetermined Change Control Plans (PCCPs), Good Machine Learning Practice (GMLP), and Software Bill of Materials (SBOM) requirements. Over 1,250 AI devices now authorized.
Published Jan 2025 · QMSR alignment effective Feb 2026
Federal Executive Order on AI (Jan 2026) [Active]
Signals potential federal preemption of "burdensome" state AI laws. Directs DOJ to form AI litigation task force. Commerce Dept to evaluate state laws by March 2026. Does NOT preempt child safety, procurement, or infrastructure regulations. Only Congress can enact true preemption through legislation.
Issued Jan 2026 · Commerce evaluation due March 2026

Accreditation Standards

Joint Commission / CHAI — RUAIH Guidance [Active]
Seven elements for responsible AI use: Policies & Governance, Patient Privacy, Data Security, Quality Monitoring, Safety Reporting, Risk & Bias Assessment, Education & Training. Governance playbooks in development. Voluntary AI certification program expected in 2026.
Released Sept 2025 · Certification expected 2026

State Laws — Healthcare-Specific Requirements

California — AB 3030 (GenAI Patient Communications) [Effective]
Clinics and physician offices using generative AI for patient communications must include a clear disclaimer and tell patients how to reach a human healthcare professional.
Effective Jan 1, 2025
California — SB 1120 (Health Plan AI Safeguards) [Effective]
Health plans and disability insurers must implement safeguards when AI is used for utilization review. Mandates disclosure and confirms licensed professionals make medical necessity decisions.
Effective Jan 1, 2025
California — AB 489 (Healthcare AI Licensure Deception) [Effective]
Prohibits AI systems from using terms, titles, or design elements implying the AI possesses a healthcare license. Requires clear disclosure that users are interacting with AI, not a licensed professional. Each violation a separate offense.
Effective Jan 1, 2026
Texas — SB 1188 (AI in Diagnosis & Treatment) [Effective]
Practitioners may use AI for diagnostic or treatment purposes if acting within their license scope and personally reviewing all AI-generated content before clinical decisions. Requires disclosure of AI use to patients.
Effective Sept 1, 2025
Texas — TRAIGA (Responsible AI Governance Act) [Effective]
Broad governance requirements. Written patient disclosure of AI use required before or at time of service. Prohibits intentional AI discrimination based on protected characteristics. Intent-based liability framework. State agencies deploying high-risk AI face additional obligations.
Effective Jan 1, 2026
Colorado — SB 24-205 (Colorado AI Act) [Enforcement June 2026]
Most comprehensive state AI law. Targets high-risk AI in consequential decisions including healthcare. Requires impact assessments, transparency disclosures, algorithmic discrimination safeguards. Mandates notification before high-risk AI use. Additional disclosures for adverse AI-driven decisions.
Enforcement delayed to June 30, 2026
Illinois — AI in Therapy/Psychotherapy [Effective]
Prohibits AI systems in therapy from making independent therapeutic decisions, directly interacting with clients in therapeutic communication, or generating treatment plans without licensed professional review and approval.
Effective Aug 1, 2025
Key Compliance Action Items
  • Audit all patient-facing AI systems for disclosure compliance
  • Implement written patient disclosure protocols (TX, CA, CO)
  • Review AI tools for implied licensure or misleading design elements
  • Ensure practitioner review of all AI-generated clinical content
  • Update vendor contracts with AI-specific data use provisions
  • Map organizational AI use against Colorado high-risk categories
  • Prepare impact assessments for high-risk AI systems (CO requirement)
  • Monitor federal preemption developments and adjust strategy

AI Lifecycle Governance Task List

A comprehensive task list spanning all six phases of the AI lifecycle, integrating requirements from NIST AI RMF (Govern → Map → Measure → Manage), the HAIRA framework, and JC/CHAI guidance. Completed tasks are tracked across phases with live progress.

Phase 1: Problem Formulation & Intake (10 tasks)
  • Clinical need formally identified and documented
    NIST MAP 1.1 — Define the purpose and context of the AI system
  • Use case prioritized using clinical value, patient impact, and feasibility criteria
  • AI system risk classification assigned (High / Medium / Low)
    Based on proximity to patient care and decision impact
  • Financial impact assessment completed
  • Strategic alignment confirmed with organizational goals
  • Key stakeholders identified and consulted
  • Equity objectives defined for the AI use case
    HEAAL Decision Point 1 — Define how AI should impact health equity
  • Data requirements and availability assessed
  • Build vs. buy decision framework applied
  • Proposal submitted to governance committee via centralized intake
Phase 2: Vendor/Solution Evaluation (14 tasks)
  • Vendor due diligence checklist completed
  • Validation data and testing results requested from vendor
  • Bias testing results and demographic performance data reviewed
  • FDA clearance/authorization status verified (if applicable)
  • Training data representativeness evaluated
    Age, sex, race/ethnicity, geography alignment with service population
  • Model architecture and decision logic reviewed for transparency
  • Data use agreement (DUA) negotiated and executed
  • DUA includes data minimization, re-identification prohibitions, audit rights
  • Security assessment completed (encryption, access controls, SBOM)
  • Vendor willingness to tune/validate on local representative sample confirmed
  • Vendor update/version change notification process agreed upon
  • Monitoring responsibilities allocated between vendor and organization
  • Contract includes performance guarantees and exit clauses
  • Ethics review completed for the AI solution
Phase 3: Validation & Testing (13 tasks)
  • Local validation dataset assembled from representative population
  • Performance testing completed (sensitivity, specificity, AUC, PPV/NPV)
  • Subgroup analysis completed across demographic groups
    NIST MEASURE 2.6 — Evaluate for bias across subpopulations
  • Edge case and failure mode analysis conducted
  • Clinical workflow integration tested (user acceptance testing)
  • Interoperability with EHR/PACS/existing systems verified
  • Performance meets or exceeds the established baseline threshold
  • Safety testing for clinical decision-making scenarios completed
  • Cybersecurity penetration testing / vulnerability assessment completed
  • Validation results documented in standardized format
  • Results reviewed and approved by governance committee
  • Risk mitigation strategies documented for identified weaknesses
  • Go/No-Go decision formally recorded
Phase 4: Deployment & Integration (13 tasks)
  • Change management plan developed and communicated
  • Staff training completed (role-specific modules)
  • Patient disclosure protocols activated
    State-specific requirements for CA, TX, CO, IL as applicable
  • EHR/clinical workflow integration deployed
  • Go-live support structure in place (helpdesk, escalation, clinical backup)
  • Human-in-the-loop safeguards activated where required
  • AI tool registered in organizational AI inventory/registry
  • Monitoring infrastructure activated (dashboards, alerts, feedback loops)
  • Incident reporting pathway communicated to all users
  • Access controls and role-based permissions configured
  • Communication to patients/community about new AI capability
  • Equity communication to end-users and disadvantaged subgroups
    HEAAL Decision Point 6 — Raise awareness about biases and consequences
  • Deployment formally documented and governance committee notified
Phase 5: Monitoring & Maintenance (16 tasks)
  • 30-day post-implementation review completed
  • 90-day post-implementation review completed
  • 180-day post-implementation review completed
  • Ongoing performance monitoring active (accuracy, drift detection)
  • Data drift detection protocols in place
    NIST MANAGE 4.1 — Monitor for changes in data distribution
  • Concept drift monitoring active
  • Bias monitoring ongoing with subgroup performance tracking
    HEAAL Decision Points 7–8 — Monitor equity impact continuously
  • AI-related incidents captured and tracked in reporting system
  • De-identified safety events shared with PSOs or industry channels
  • Vendor updates/version changes reviewed and validated before deployment
  • Clinician feedback mechanisms active and reviewed regularly
  • Patient outcome tracking linked to AI tool usage
  • Annual comprehensive reassessment completed
  • Third-party vendor controls reassessed periodically
  • AI policies and governance reviewed against evolving regulations
  • Board reporting on AI performance and incidents maintained
Phase 6: Update or Decommission (12 tasks)
  • Decommissioning criteria defined and documented
  • Triggers for AI tool replacement identified (performance, safety, equity)
  • Process for evaluating major model updates/retraining established
  • Re-validation requirements defined for significant changes
  • PCCP compliance maintained for FDA-regulated devices
  • Decommissioning workflow includes data retention/disposal plan
  • Clinical workflow contingency plan ready (manual fallback)
  • Staff communication plan for AI tool changes prepared
  • Patient notification plan if AI tool is removed from care pathway
  • Lessons learned documented and shared with governance committee
  • AI inventory/registry updated to reflect decommissioned tools
  • Post-decommission review conducted at 30 days

HAIRA Maturity Self-Assessment

Assess your organization across the seven critical domains of healthcare AI governance using the HAIRA maturity model. Your overall maturity level is determined by the "weakest-link" rule — capped at the lowest-scoring domain. Rate each domain from Level 1 (Ad Hoc) to Level 5 (Leading).

1. Organizational Structure: Level 1 (Ad Hoc)
No dedicated AI oversight; ad hoc decisions made by individual departments.
2. Problem Formulation: Level 1 (Ad Hoc)
AI projects initiated without systematic needs assessment or prioritization.
3. External Product Evaluation: Level 1 (Ad Hoc)
Vendor claims accepted at face value; no independent evaluation.
4. Algorithm Development: Level 1 (Ad Hoc)
No internal development capability; reliance entirely on vendor solutions.
5. Model Evaluation: Level 1 (Ad Hoc)
No internal capability to validate or test AI model performance.
6. Deployment & Integration: Level 1 (Ad Hoc)
AI tools deployed without structured change management or workflow planning.
7. Monitoring & Maintenance: Level 1 (Ad Hoc)
No post-deployment monitoring; issues discovered only through clinical complaints.
Overall Maturity Level: Level 1 (Ad Hoc)
Weakest-link rule: overall level = lowest domain score.
[Chart: Maturity Radar, 7 Governance Domains]

Health Equity & Bias Assessment

The HEAAL framework evaluates how AI implementation may affect health equity across five assessment domains and eight lifecycle decision points. This tab provides structured checklists for each domain to ensure AI tools do not worsen health disparities.

Accountability
Who is responsible for equity outcomes throughout the AI lifecycle?
  • Executive sponsor accountable for equity outcomes identified
  • Equity objectives documented for each AI use case
  • Governance committee includes equity/diversity expertise
  • Patient/community voice incorporated in AI governance decisions
  • Accountability for equity assigned at each lifecycle decision point
  • Corrective action process established when equity objectives are not met
Fairness
Does the AI system perform equitably across demographic groups?
  • Training data reviewed for demographic representation
  • Outcome label definitions examined for proxy discrimination
    E.g., healthcare cost as proxy for illness severity can disadvantage minorities
  • Performance metrics stratified by race, ethnicity, sex, age, socioeconomic status
  • Fairness metrics applied (demographic parity, equalized odds, predictive parity)
  • Bias audit toolkit deployed (IBM AI Fairness 360, Google Fairness Indicators, Aequitas)
  • Disparate impact analysis conducted before deployment
  • Ongoing fairness monitoring post-deployment with trigger thresholds
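As an added illustration, not part of the original dashboard, of the stratified performance testing in Phase 3 (sensitivity, specificity, PPV/NPV by subgroup) and the fairness metrics and trigger thresholds listed above: the patient rows, the subgroup labels A and B, and the 0.1 trigger threshold are constructed assumptions, and the demographic-parity, equalized-odds and predictive-parity gaps are computed from the standard definitions.

```python
from collections import defaultdict

# Constructed sample only: each row is (subgroup, true_label, predicted_label)
# for a hypothetical risk flag. 1 = positive, 0 = negative.
SAMPLE = [
    # subgroup A: 4 true positives, 6 true negatives
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 0),
    ("A", 0, 0), ("A", 0, 0), ("A", 0, 0), ("A", 0, 0), ("A", 0, 1), ("A", 0, 0),
    # subgroup B: same prevalence, but the model misses most true positives
    ("B", 1, 1), ("B", 1, 0), ("B", 1, 0), ("B", 1, 0),
    ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 1), ("B", 0, 1), ("B", 0, 1),
]


def confusion_by_group(rows):
    """Return {group: {"tp","fp","tn","fn"}} from (group, y_true, y_pred) rows."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for group, y_true, y_pred in rows:
        key = ("tp" if y_pred else "fn") if y_true else ("fp" if y_pred else "tn")
        counts[group][key] += 1
    return dict(counts)


def _rate(num, den):
    # NaN marks a subgroup too small to have any cases in the denominator
    return num / den if den else float("nan")


def subgroup_metrics(rows):
    """Per-subgroup sensitivity, specificity, PPV, NPV and positive prediction rate."""
    out = {}
    for group, c in confusion_by_group(rows).items():
        n = c["tp"] + c["fp"] + c["tn"] + c["fn"]
        out[group] = {
            "n": n,
            "sensitivity": _rate(c["tp"], c["tp"] + c["fn"]),  # true positive rate
            "specificity": _rate(c["tn"], c["tn"] + c["fp"]),  # 1 - false positive rate
            "ppv": _rate(c["tp"], c["tp"] + c["fp"]),
            "npv": _rate(c["tn"], c["tn"] + c["fn"]),
            "positive_rate": _rate(c["tp"] + c["fp"], n),      # share flagged positive
        }
    return out


def fairness_gaps(metrics):
    """Largest between-group difference for each fairness metric."""
    def spread(key):
        vals = [m[key] for m in metrics.values() if m[key] == m[key]]  # drop NaN
        return max(vals) - min(vals) if vals else 0.0
    return {
        # demographic parity: same share of each subgroup is flagged positive
        "demographic_parity": spread("positive_rate"),
        # equalized odds: same TPR and same FPR across subgroups (FPR = 1 - specificity)
        "equalized_odds": max(spread("sensitivity"), spread("specificity")),
        # predictive parity: a positive flag means the same thing in every subgroup
        "predictive_parity": spread("ppv"),
    }


def flag_violations(gaps, threshold=0.1):
    """Metric names whose gap exceeds the governance trigger threshold (assumed 0.1)."""
    return sorted(name for name, gap in gaps.items() if gap > threshold)


if __name__ == "__main__":
    metrics = subgroup_metrics(SAMPLE)
    for group, m in sorted(metrics.items()):
        print(group, {k: round(v, 3) for k, v in m.items()})
    gaps = fairness_gaps(metrics)
    print("gaps:", {k: round(v, 3) for k, v in gaps.items()})
    print("exceeds threshold:", flag_violations(gaps))
```

On this constructed sample both subgroups are flagged at the same rate, so demographic parity alone would pass review while equalized odds and predictive parity both breach the threshold; that is why the checklist asks for more than one fairness metric.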
Fitness for Purpose
Is the AI solution appropriate for the population and clinical context?
  • AI tool validated on a population similar to the deployment context
  • Clinical workflow context assessed for fit with diverse patient populations
  • Language and literacy considerations evaluated for patient-facing tools
  • Digital access barriers assessed (internet, devices, digital literacy)
  • Pediatric vs. adult population considerations addressed where applicable
Reliability & Validity
Does the AI system perform consistently across populations over time?
  • External validation conducted on local population data
  • Performance consistency across clinical sites verified
  • Temporal stability assessed (performance over time)
  • Data quality and completeness evaluated for equity impact
  • Drift monitoring includes equity dimension (performance by subgroup over time)
Transparency
Are stakeholders informed about AI’s role, limitations, and equity impact?
  • AI tool documentation includes known limitations and populations underrepresented
  • End-users informed about AI limitations affecting disadvantaged groups
  • Patients from disadvantaged subgroups specifically educated about AI’s role
  • Equity monitoring results shared transparently with governance committee
  • TRIPOD+AI or equivalent reporting standard used for model documentation
  • Community engagement conducted on AI equity concerns
[Chart: Equity Domain Progress]

Auto-Generated Action Plan

This action plan is dynamically generated based on your self-assessment results and checklist completion across all tabs. Items are prioritized by urgency and impact. Complete checklists and adjust maturity sliders across the dashboard to see this plan update in real time.

[Chart: Governance Completion by Area]

Priority Action Items
The priority list is populated from the checklists in the Governance, JC/CHAI, Lifecycle, and Equity tabs.