Healthcare & FDA Industry Appendix
AI Governance for Regulated Healthcare Applications
Document Control
| Field | Details |
|---|---|
| Document Type | Industry-Specific Appendix |
| Parent Documents | AI Governance Framework (Docs 01-18) |
| Applies To | AI systems in healthcare, life sciences, medical devices |
| Regulatory Scope | FDA 21 CFR Part 11, FDA AI/ML Guidance, HIPAA, EU MDR/IVDR |
| Version | 1.0 |
1. Overview
1.1 Purpose
This appendix extends the AI Governance Framework for organizations developing or deploying AI systems in healthcare and life sciences contexts. It provides additional controls, documentation requirements, and regulatory mappings specific to FDA-regulated environments.
1.2 Scope
| In Scope | Regulatory Framework |
|---|---|
| Software as a Medical Device (SaMD) | FDA 21 CFR Part 820, EU MDR |
| Clinical Decision Support (CDS) | FDA CDS Guidance, EU MDR |
| AI-Assisted Diagnostics | FDA AI/ML SaMD Framework |
| Drug Discovery AI | FDA 21 CFR Parts 11, 210, 211 |
| Clinical Trial AI | FDA 21 CFR Part 11, ICH E6(R2) |
| Healthcare Operations AI | HIPAA, State privacy laws |
| Electronic Health Records AI | HIPAA, 21st Century Cures |
For Coditect's autonomous AI development platform targeting healthcare:
| Coditect Use Case | Regulatory Requirements | Framework Mapping |
|---|---|---|
| Autonomous code generation for SaMD | FDA 21 CFR Part 11, Part 820 | This appendix + Docs 09, 16 |
| Multi-agent clinical workflow automation | HIPAA, FDA validation | This appendix + Docs 15, 16 |
| AI-generated documentation for submissions | FDA 21 CFR Part 11 | This appendix + Doc 06 |
2. FDA 21 CFR Part 11 Compliance
2.1 Electronic Records Requirements
AI systems producing electronic records for FDA-regulated processes must comply with Part 11:
| Part 11 Requirement | AI Governance Control | Implementation |
|---|---|---|
| §11.10(a) Validation | System Card validation section | Documented IQ/OQ/PQ protocols |
| §11.10(b) Record accuracy | Continuous Monitoring (Doc 16) | Output verification, drift detection |
| §11.10(c) Record protection | Security controls | Encryption, access controls |
| §11.10(d) Audit trails | Comprehensive logging | Immutable audit trail |
| §11.10(e) Operational checks | Pre-production gate | Input validation, error handling |
| §11.10(k) Authority checks | Access control policy | Role-based permissions |
2.2 AI-Specific Part 11 Controls
```
┌─────────────────────────────────────────────────────────────┐
│                   AI SYSTEM ARCHITECTURE                    │
│              (Part 11 Compliant Configuration)              │
└─────────────────────────────────────────────────────────────┘
                               │
       ┌───────────────────────┼───────────────────────┐
       │                       │                       │
       ▼                       ▼                       ▼
┌─────────────┐         ┌─────────────┐         ┌─────────────┐
│   INPUT     │         │   MODEL     │         │   OUTPUT    │
│ VALIDATION  │         │ EXECUTION   │         │ CONTROLS    │
│             │         │             │         │             │
│ • User auth │         │ • Version   │         │ • Audit     │
│ • Signature │         │   control   │         │   trail     │
│ • Input     │         │ • Config    │         │ • Digital   │
│   checking  │         │   locking   │         │   signature │
│ • Timestamp │         │ • Isolation │         │ • Timestamp │
└─────────────┘         └─────────────┘         └─────────────┘
```
2.3 Audit Trail Requirements
| Event | Required Data | Retention |
|---|---|---|
| AI system access | User ID, timestamp, action | 3 years minimum |
| Model invocation | Input hash, output hash, version | Life of record + 3 years |
| Configuration change | Before/after, user, timestamp, reason | Life of system |
| Output modification | Original, modified, user, reason | Life of record + 3 years |
| Error/exception | Error type, context, resolution | Life of system |
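As an added illustration of the audit-trail records in the table above (example code, not part of the appendix or of the Coditect platform): an append-only, hash-chained log that stores the required fields for a model invocation and a check that detects after-the-fact edits, deletions or reordering. User IDs, versions and sample content are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical append-only audit log for the "Model invocation" row of the table:
# each entry carries user ID, timestamp, model version, input hash and output
# hash, plus the hash of the previous entry, so a later edit, deletion or
# reordering of any entry breaks the chain and is detectable on review.

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def record_invocation(log, user_id, model_version, input_text, output_text, ts=None):
    """Append one model-invocation event to `log` and return the new entry."""
    entry = {
        "event": "model_invocation",
        "user_id": user_id,
        "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "model_version": model_version,
        # Hashes only: the record stays verifiable without copying prompt or
        # output content (which may contain PHI) into the audit trail.
        "input_hash": hashlib.sha256(input_text.encode()).hexdigest(),
        "output_hash": hashlib.sha256(output_text.encode()).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log) -> bool:
    """Recompute every link; False if any entry was altered, removed or reordered."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    log = []  # constructed sample records
    record_invocation(log, "dr.jones", "cds-1.2.0", "prompt A", "output A", "2026-01-15T10:00:00+00:00")
    record_invocation(log, "dr.jones", "cds-1.2.0", "prompt B", "output B", "2026-01-15T10:05:00+00:00")
    print("intact:", verify_chain(log))
    log[0]["model_version"] = "cds-1.1.0"  # silent edit of a stored record
    print("after edit:", verify_chain(log))
```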
3. FDA AI/ML SaMD Framework
3.1 Predetermined Change Control Plan (PCCP)
For AI systems subject to FDA's AI/ML SaMD framework:
| PCCP Element | Documentation Requirement | Framework Reference |
|---|---|---|
| SaMD Pre-Specifications (SPS) | Anticipated modifications description | System Card §4 |
| Algorithm Change Protocol (ACP) | Change management procedures | Operating Model §8 |
| Performance Targets | Quantitative performance bounds | System Card §5 |
| Testing Protocol | Validation methodology | AIA §4 |
| Modification Reporting | Reporting commitments | Monitoring Standard |
3.2 Total Product Lifecycle (TPLC) Approach
```
┌─────────────────────────────────────────────────────────┐
│          TOTAL PRODUCT LIFECYCLE (TPLC) FOR AI          │
└─────────────────────────────────────────────────────────┘
                             │
                             ▼
┌───────────────┐    ┌───────────────┐    ┌───────────────┐
│ DESIGN &      │───▶│ CLINICAL      │───▶│ REGULATORY    │
│ DEVELOPMENT   │    │ VALIDATION    │    │ SUBMISSION    │
│               │    │               │    │               │
│ • Intended use│    │ • Clinical    │    │ • 510(k)/PMA  │
│ • Risk class  │    │   studies     │    │ • PCCP        │
│ • Algorithm   │    │ • Performance │    │ • Labeling    │
│   development │    │   validation  │    │               │
└───────────────┘    └───────────────┘    └───────────────┘
        │                    │                    │
        ▼                    ▼                    ▼
┌───────────────┐    ┌───────────────┐    ┌───────────────┐
│ REAL-WORLD    │◀───│ ONGOING       │◀───│ MARKET        │
│ PERFORMANCE   │    │ MONITORING    │    │ RELEASE       │
│               │    │               │    │               │
│ • RWPE data   │    │ • Drift       │    │ • Deployment  │
│ • Adverse     │    │   detection   │    │ • Training    │
│   events      │    │ • Retraining  │    │ • Support     │
│ • Updates     │    │   triggers    │    │               │
└───────────────┘    └───────────────┘    └───────────────┘
```
3.3 Risk Classification for SaMD
| SaMD Risk Category | State of Healthcare | Significance | AI Governance Tier |
|---|---|---|---|
| I (Low) | Non-serious | Informs | Medium |
| II (Medium-Low) | Non-serious | Drives | High |
| II (Medium-High) | Serious | Informs | High |
| III (High) | Serious/Critical | Drives | Critical |
| IV (Highest) | Critical | Treats/Diagnoses | Critical |
4. HIPAA Compliance for AI
4.1 PHI Handling in AI Systems
| HIPAA Rule | AI Requirement | Control |
|---|---|---|
| Privacy Rule | Minimum necessary PHI | Input filtering, anonymization |
| Security Rule | Technical safeguards | Encryption, access controls |
| Breach Notification | Incident response | 24-hour reporting |
4.2 AI-Specific PHI Controls
```
┌───────────────────────────────────────────────────────────────────┐
│                    PHI PROCESSING ARCHITECTURE                    │
└───────────────────────────────────────────────────────────────────┘
                                  │
          ┌───────────────────────┼───────────────────────┐
          │                       │                       │
          ▼                       ▼                       ▼
┌───────────────────┐   ┌───────────────────┐   ┌───────────────────┐
│ DE-IDENTIFICATION │   │ SECURE PROCESSING │   │ RE-IDENTIFICATION │
│                   │   │                   │   │   CONTROLS        │
│ • Safe Harbor     │   │ • Encrypted       │   │                   │
│   method          │   │   transit/rest    │   │ • Authorized      │
│ • Expert          │   │ • Access          │   │   users only      │
│   determination   │   │   logging         │   │ • Audit trail     │
│ • Token mapping   │   │ • Isolation       │   │ • Time-limited    │
└───────────────────┘   └───────────────────┘   └───────────────────┘
```
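As an added example (not the appendix's or Coditect's own code) of the token-mapping and re-identification controls in the diagram above: a hypothetical vault that replaces direct identifiers with keyed tokens before a record reaches a model, and releases the mapping only to an authorised role inside a time-limited grant, logging every attempt. Role names, field names and the key are assumptions; timestamps are Unix epoch seconds.

```python
import hashlib
import hmac

# Hypothetical PHI token vault (not Coditect's code). Direct identifiers are
# replaced by keyed tokens before a record reaches the model; the token->value
# map stays in the vault, and re-identification is allowed only for an
# authorised role, inside a time-limited grant, with every attempt logged.

DIRECT_IDENTIFIERS = {"name", "mrn", "phone", "email"}  # subset of the Safe Harbor identifiers
REIDENTIFY_ROLES = {"privacy_officer", "treating_clinician"}  # assumed role names


class PhiVault:
    def __init__(self, key: bytes):
        self._key = key   # production: KMS/HSM-held key, never in source control
        self._map = {}    # token -> original value (encrypt at rest in production)
        self.audit = []   # one entry per re-identification attempt, allowed or not

    def _token(self, field: str, value: str) -> str:
        # Keyed hash: the same identifier always yields the same token (record
        # linkage still works) but the token cannot be reversed without the key.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        return f"tok_{field}_{mac.hexdigest()[:16]}"

    def deidentify(self, record: dict) -> dict:
        """Return a copy of `record` with direct identifiers replaced by tokens."""
        out = {}
        for field, value in record.items():
            if field in DIRECT_IDENTIFIERS:
                token = self._token(field, str(value))
                self._map[token] = value
                out[field] = token
            else:
                out[field] = value
        return out

    def reidentify(self, token, user, role, granted_at, now, window=3600):
        """Resolve a token for an authorised role within the grant window (seconds); log the attempt."""
        allowed = (role in REIDENTIFY_ROLES
                   and granted_at <= now <= granted_at + window
                   and token in self._map)
        self.audit.append({"user": user, "role": role, "token": token,
                           "time": now, "allowed": allowed})
        if not allowed:
            raise PermissionError("re-identification denied")
        return self._map[token]
```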
4.3 BAA Requirements for AI Vendors
| BAA Provision | AI-Specific Language |
|---|---|
| Permitted uses | AI processing limited to contracted services |
| Training data | PHI NOT used for model training |
| De-identification | Standards for AI-processed PHI |
| Breach notification | 24-hour notification for AI incidents |
| Audit rights | AI system audit provisions |
5. Clinical Decision Support (CDS) Classification
5.1 FDA CDS Guidance Criteria
AI-based CDS is NOT a device (exempt from FDA regulation) if ALL four criteria are met:
| Criterion | Description | Documentation |
|---|---|---|
| 1. Not intended for narrow populations | Does not require analysis of device data | System Card intended use |
| 2. Intended for HCP or patient | User is qualified professional or patient | Labeling, user documentation |
| 3. Intended for enabling review | User can independently review basis | Explainability features |
| 4. Not intended to replace HCP judgment | User makes final clinical decision | Human oversight requirements |
5.2 CDS Classification Decision Tree
```
              ┌─────────────────────┐
              │    AI/ML System     │
              │ Healthcare Context  │
              └──────────┬──────────┘
                         │
              ┌──────────┴──────────┐
              │ Meets ALL 4 CDS     │
              │ exemption criteria? │
              └──────────┬──────────┘
                         │
            ┌────────────┴────────────┐
            │                         │
            ▼                         ▼
      ┌───────────┐            ┌───────────────┐
      │    YES    │            │      NO       │
      │           │            │               │
      │ Non-device│            │ Device (SaMD) │
      │    CDS    │            │               │
      └───────────┘            └───────┬───────┘
                                       │
                                       ▼
                               ┌───────────────┐
                               │  Determine    │
                               │  risk class   │
                               │    (I-IV)     │
                               └───────────────┘
```
6. Healthcare AI Documentation Templates
6.1 SaMD System Card Addendum
[Supplement to standard System Card, Document 06]
| Section | Required Content |
|---|---|
| 6.1 Intended Use Statement | FDA-compliant intended use, indications for use |
| 6.2 Device Classification | Class I/II/III, SaMD category I-IV |
| 6.3 Clinical Validation | Study design, patient population, performance |
| 6.4 Labeling | Instructions for use, warnings, contraindications |
| 6.5 PCCP Reference | If applicable, SPS and ACP summary |
| 6.6 Substantial Equivalence | Predicate device comparison (510(k)) |
6.2 Clinical Validation Summary Template
## Clinical Validation Summary
### Study Design
- Study Type: [Prospective/Retrospective/Hybrid]
- Endpoints: [Primary and secondary]
- Sample Size: [N=X, power calculation]
- Population: [Inclusion/exclusion criteria]
- Comparator: [Ground truth or predicate]
### Performance Results
| Metric | Result | Confidence Interval | Target |
|---|---|---|---|
| Sensitivity | [X]% | [X-Y]% | >[Z]% |
| Specificity | [X]% | [X-Y]% | >[Z]% |
| AUC | [X] | [X-Y] | >[Z] |
| PPV | [X]% | [X-Y]% | >[Z]% |
| NPV | [X]% | [X-Y]% | >[Z]% |
### Subgroup Analysis
| Subgroup | N | Performance | Notes |
|---|---|---|---|
| [Age group] | [N] | [Result] | [Notes] |
| [Sex] | [N] | [Result] | [Notes] |
| [Race/Ethnicity] | [N] | [Result] | [Notes] |
| [Comorbidities] | [N] | [Result] | [Notes] |
### Failure Mode Analysis
| Failure Mode | Frequency | Clinical Impact | Mitigation |
|---|---|---|---|
| [Mode 1] | [X]% | [Impact] | [Mitigation] |
### Conclusions
[Summary of clinical validation findings and suitability for intended use]
6.3 HIPAA AI Risk Assessment Addendum
## HIPAA AI Risk Assessment
### PHI Elements Processed
| PHI Element | Purpose | Minimum Necessary? | Control |
|---|---|---|---|
| [Element] | [Purpose] | [Yes/No] | [Control] |
### Security Controls
| Security Control | Implementation | Evidence |
|---|---|---|
| Access Control | [Description] | [Location] |
| Audit Controls | [Description] | [Location] |
| Integrity Controls | [Description] | [Location] |
| Transmission Security | [Description] | [Location] |
### Risk Analysis
| Threat | Likelihood | Impact | Risk Level | Mitigation |
|---|---|---|---|---|
| [Threat] | [L/M/H] | [L/M/H] | [L/M/H/C] | [Control] |
### BAA Status
- Vendor: [Name]
- BAA Executed: [Yes/No/N/A]
- BAA Date: [Date]
- Special Provisions: [AI-specific terms]
7. Healthcare AI Monitoring Requirements
7.1 Performance Monitoring Metrics
| Metric Category | Metrics | Frequency | Alert Threshold |
|---|---|---|---|
| Clinical Accuracy | Sensitivity, specificity, AUC | Daily | >5% degradation |
| Demographic Parity | Performance by subgroup | Weekly | >10% disparity |
| Error Patterns | False positive/negative types | Daily | Pattern emergence |
| User Feedback | Override rate, satisfaction | Weekly | >20% override |
| Adverse Events | Related clinical events | Continuous | Any occurrence |
7.2 Adverse Event Reporting
| Event Type | Reporting Timeline | Reporting Channel |
|---|---|---|
| Death or serious injury | Within 24 hours | FDA MedWatch (MDR) |
| Malfunction (potential harm) | Within 30 days | FDA MedWatch (MDR) |
| Near miss | Internal documentation | Quality system |
| User complaint | 5 business days | CAPA system |
7.3 Retraining Triggers
| Trigger | Threshold | Action |
|---|---|---|
| Accuracy degradation | >5% from baseline | Evaluate retraining need |
| Data drift detection | PSI >0.2 | Mandatory evaluation |
| Population shift | >10% demographic change | Subgroup revalidation |
| Clinical guideline change | External update | Algorithm review |
| Adverse event pattern | 3+ similar events | Root cause analysis |
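As an added example (not the appendix's or the platform's own code) of applying the monitoring thresholds in 7.1 and the retraining triggers in the table above: a Population Stability Index (PSI) calculation over a baseline and a current feature sample, and a trigger evaluation that returns the actions the table prescribes. It reads ">5% from baseline" as a relative drop in sensitivity; sample data and function names are constructed.

```python
import math

# Hypothetical monitoring helpers for the thresholds in the tables above.
# PSI compares the current distribution of one feature against the baseline
# on which the model was validated; the trigger evaluation turns a monitoring
# snapshot into the actions the retraining-trigger table prescribes.


def psi(baseline, current, bins=10):
    """Population Stability Index of `current` against `baseline`.
    Bin edges are baseline quantiles; empty bins are floored so log() is defined."""
    n = len(baseline)
    ordered = sorted(baseline)
    edges = [ordered[min(n - 1, n * i // bins)] for i in range(1, bins)]

    def proportions(sample):
        counts = [0] * bins
        for x in sample:
            counts[sum(1 for e in edges if x > e)] += 1  # bin index = edges below x
        return [max(c / len(sample), 1e-6) for c in counts]

    b, c = proportions(baseline), proportions(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def retraining_triggers(snapshot):
    """Apply the section 7.3 thresholds; returns the (trigger, action) pairs that fired.
    Assumes '>5% from baseline' means a relative drop in sensitivity."""
    fired = []
    base, cur = snapshot["baseline_sensitivity"], snapshot["current_sensitivity"]
    if (base - cur) / base > 0.05:
        fired.append(("Accuracy degradation", "Evaluate retraining need"))
    if snapshot["psi"] > 0.2:
        fired.append(("Data drift detection", "Mandatory evaluation"))
    if snapshot["demographic_change"] > 0.10:
        fired.append(("Population shift", "Subgroup revalidation"))
    if snapshot.get("guideline_updated"):
        fired.append(("Clinical guideline change", "Algorithm review"))
    if snapshot["similar_adverse_events"] >= 3:
        fired.append(("Adverse event pattern", "Root cause analysis"))
    return fired


if __name__ == "__main__":
    # Constructed samples: validation-time feature values vs. a shifted production week.
    baseline = list(range(1, 101))
    current = list(range(51, 151))
    snapshot = {"baseline_sensitivity": 0.92, "current_sensitivity": 0.85,
                "psi": psi(baseline, current), "demographic_change": 0.04,
                "similar_adverse_events": 3}
    for trigger, action in retraining_triggers(snapshot):
        print(f"{trigger}: {action}")
```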
8. Regulatory Submission Support
8.1 FDA Submission Document Checklist
For 510(k) Submissions:
| Document | AI Framework Source | Status |
|---|---|---|
| Intended use statement | System Card §1 | ☐ |
| Device description | System Card §2-3 | ☐ |
| Substantial equivalence | SaMD Addendum §6.6 | ☐ |
| Software documentation | System Card, AI-BOM | ☐ |
| Performance testing | Clinical Validation Summary | ☐ |
| Labeling | SaMD Addendum §6.4 | ☐ |
| Cybersecurity documentation | Security assessment | ☐ |
| PCCP (if applicable) | SaMD Addendum §6.5 | ☐ |
8.2 EU MDR Technical File for AI
| MDR Requirement | AI Framework Source |
|---|---|
| Device description | System Card |
| UDI information | AI-BOM header |
| Risk management file | AIA |
| Clinical evaluation | Clinical Validation Summary |
| Post-market surveillance plan | Monitoring Standard |
| Cybersecurity | Security controls documentation |
9. Coditect Healthcare Implementation Guide
9.1 Coditect Platform Configuration
| Coditect Feature | Healthcare Configuration | Regulatory Basis |
|---|---|---|
| Audit Trail | Immutable, Part 11 compliant | 21 CFR Part 11.10(e) |
| Access Control | Role-based, audit-logged | 21 CFR Part 11.10(d) |
| Electronic Signatures | Part 11 compliant signatures | 21 CFR Part 11.100 |
| Validation Package | IQ/OQ/PQ documentation | 21 CFR Part 11.10(a) |
| PHI Handling | De-identification, encryption | HIPAA Security Rule |
| Agent Boundaries | Healthcare-specific constraints | SaMD risk controls |
9.2 Coditect Healthcare Use Cases
| Use Case | Regulatory Path | Framework Controls |
|---|---|---|
| Clinical documentation generation | Part 11 electronic records | Doc 09 GenAI controls + Part 11 |
| SaMD development automation | FDA validation requirements | This appendix + Doc 16 |
| Clinical trial documentation | ICH E6(R2), Part 11 | This appendix + Doc 06 |
| Healthcare workflow AI | HIPAA, non-device CDS | Doc 09 + HIPAA controls |
9.3 Validation Approach for Coditect
```
┌─────────────────────────────────────────────────────────────────┐
│             CODITECT HEALTHCARE VALIDATION STRATEGY             │
└─────────────────────────────────────────────────────────────────┘
                                 │
         ┌───────────────────────┼───────────────────────┐
         │                       │                       │
         ▼                       ▼                       ▼
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│ INSTALLATION    │     │ OPERATIONAL     │     │ PERFORMANCE     │
│ QUALIFICATION   │     │ QUALIFICATION   │     │ QUALIFICATION   │
│ (IQ)            │     │ (OQ)            │     │ (PQ)            │
│                 │     │                 │     │                 │
│ • Infrastructure│     │ • Functional    │     │ • Real-world    │
│   verification  │     │   testing       │     │   validation    │
│ • Configuration │     │ • Boundary      │     │ • Output        │
│   documentation │     │   testing       │     │   verification  │
│ • Audit trail   │     │ • Error         │     │ • User          │
│   verification  │     │   handling      │     │   acceptance    │
└─────────────────┘     └─────────────────┘     └─────────────────┘
```
10. Compliance Checklist
10.1 FDA Part 11 Compliance Checklist
| Requirement | Control | Evidence | Status |
|---|---|---|---|
| Validation | IQ/OQ/PQ protocols | Validation report | ☐ |
| Audit trail | Immutable logging | Log samples | ☐ |
| Access control | RBAC implementation | Access matrix | ☐ |
| Authority checks | Permission verification | Test results | ☐ |
| Electronic signatures | Part 11 compliance | Signature policy | ☐ |
| Record protection | Encryption, backup | Security documentation | ☐ |
| System documentation | SOPs, maintenance | Document repository | ☐ |
10.2 HIPAA Compliance Checklist
| Requirement | Control | Evidence | Status |
|---|---|---|---|
| Risk analysis | Security risk assessment | Assessment report | ☐ |
| Access management | Workforce access controls | Access procedures | ☐ |
| Audit controls | Activity logging | Audit logs | ☐ |
| Integrity controls | Data validation | Integrity procedures | ☐ |
| Transmission security | Encryption | Encryption documentation | ☐ |
| BAA execution | Vendor agreements | Executed BAAs | ☐ |
| Training | Workforce training | Training records | ☐ |
10.3 SaMD Compliance Checklist
| Requirement | Control | Evidence | Status |
|---|---|---|---|
| Risk classification | SaMD category determination | Classification document | ☐ |
| Quality system | 21 CFR Part 820 compliance | QMS documentation | ☐ |
| Design controls | Design history file | DHF | ☐ |
| Clinical validation | Performance studies | Clinical validation report | ☐ |
| Labeling | IFU, warnings | Labeling documents | ☐ |
| Post-market surveillance | RWP monitoring plan | PMS plan | ☐ |
| PCCP (if applicable) | SPS and ACP | PCCP documentation | ☐ |
Appendix A: Regulatory Reference Links
Appendix B: Glossary
| Term | Definition |
|---|---|
| SaMD | Software as a Medical Device |
| CDS | Clinical Decision Support |
| PCCP | Predetermined Change Control Plan |
| SPS | SaMD Pre-Specifications |
| ACP | Algorithm Change Protocol |
| TPLC | Total Product Lifecycle |
| RWP | Real-World Performance |
| PHI | Protected Health Information |
| BAA | Business Associate Agreement |
| MDR | Medical Device Reporting (or EU Medical Device Regulation) |
Document Version: 1.0
Owner: AI Governance / Regulatory Affairs
Next Review: [Date + 1 year]
Approval Required: Regulatory Affairs, Quality, AI Risk Officer
CODITECT AI Risk Management Framework
Document ID: AI-RMF-22 | Version: 2.0.0 | Status: Active
AZ1.AI Inc. | CODITECT Platform
Framework Alignment: NIST AI RMF 2.0 | EU AI Act | ISO/IEC 42001
This document is part of the CODITECT AI Risk Management Framework.
For questions or updates, contact the AI Governance Office.
Repository: coditect-ai-risk-management-framework
Last Updated: 2026-01-15
Owner: AZ1.AI Inc. | Lead: Hal Casteel