Governance & Program Info

AI-Powered Care Management & Chronic Disease Coaching — Governance

Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.

Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (0 of 15 marked complete)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Complete HIPAA risk analysis for the AI coaching stack
required
45 CFR 164.308(a)(1)(ii)(A) risk analysis covering the LLM runtime, RAG index, device telemetry, and audit log — not just the EHR integration.
05 · Governance & Compliance
BAA coverage across every vendor in the coaching path
required
LLM API, vector store, fine-tuning runtime, device vendor, SMS vendor, analytics — every party that touches PHI has a signed BAA.
05 · Governance & Compliance
Minimum-necessary and purpose-limitation review
required
Each data element in the coaching context passes a minimum-necessary test — we pull only what the coaching message needs.
05 · Governance & Compliance
Patient consent / notice of AI-assisted communication
required
Patients are informed that coaching messages may be AI-generated, with opt-out path — increasingly expected under HTI-2 and state law.
05 · Governance & Compliance
Register the coaching model as a Decision Support Intervention (DSI)
required
Under ONC HTI-2 the patient-facing AI coaching model is a DSI — oversight of AI-assisted patient communication is under active enforcement.
05 · Governance & Compliance
Publish HTI-2 transparency attributes
required
Source attributes, funding, use of the intervention, IRM, and fairness attributes as required by HTI-2.
05 · Governance & Compliance
Intervention Risk Management (IRM) framework
required
Documented IRM covering selection, evaluation, monitoring, and update of the coaching DSI.
05 · Governance & Compliance
Per-message DSI audit trail
required
Every coaching output captured with model version, retrieved passages, guardrail verdict, and delivery status — retained for the statutory window.
05 · Governance & Compliance
SaMD classification assessment
required
Whether the coaching model functions as Software as a Medical Device under 21 CFR Part 880 and the FDA AI/ML Action Plan depends on whether it makes treatment-specific recommendations.
05 · Governance & Compliance
Predetermined Change Control Plan (PCCP)
recommended
If SaMD-classified, document an FDA-style PCCP governing model updates so routine retrains do not require new submissions.
05 · Governance & Compliance
21 CFR Part 11 electronic records posture
recommended
If outputs become part of the medical record or trigger billing, 21 CFR Part 11 audit, signature, and record-integrity controls apply.
05 · Governance & Compliance
Map controls to NIST AI RMF 1.0 (Govern / Map / Measure / Manage)
recommended
NIST AI RMF 1.0 is the voluntary baseline US regulators increasingly reference — map our controls into it.
05 · Governance & Compliance
EU AI Act (Regulation 2024/1689) classification for EU deployments
recommended
Patient-facing health AI coaching is likely high-risk under the EU AI Act for any EU deployment — obligations include conformity assessment and post-market monitoring.
05 · Governance & Compliance
Board-level AI governance reporting
recommended
Coaching outcomes, hallucination incidents, escalation misses, equity findings, and DSI audit exceptions appear in board risk reporting.
05 · Governance & Compliance
Incident response and disclosure plan
required
Defined response path for adverse-event disclosure, HIPAA breach notification, and HTI-2 DSI malfunction reporting.