Governance & Program Info

Clinical NLP & Unstructured Data Extraction — Governance

Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.

← Back to checklist
Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (0 of 13 marked complete)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Complete HIPAA risk analysis for the NLP pipeline
required
45 CFR 164.308(a)(1) — required risk analysis covering training data, inference runtime, logs, and model artifacts.
05 · Governance & Compliance
Execute BAAs with every entity touching PHI
required
Cloud vendors (AWS, Azure, Google), NLP vendors (Nuance, John Snow Labs), validation partners — every BA must have a current BAA.
05 · Governance & Compliance
Classify fine-tuned model weights as PHI-derivative artifacts
requiredtrinidy
Weights fine-tuned on PHI inherit access, storage, and audit obligations — treat as PHI-class assets.
05 · Governance & Compliance
Audit-log every PHI access from the pipeline
required
45 CFR 164.312(b) — audit controls. Every read of PHI by the extractor must be logged with user / service identity, timestamp, and purpose.
05 · Governance & Compliance
Produce HTI-1 source attributes for every extraction model
required
ONC HTI-1 §170.315(b)(11) source-attribute documentation — training data, validation, intended use, cautions, bias assessment.
05 · Governance & Compliance
Document Intervention Risk Management (IRM) practices
required
HTI-1 / HTI-2 IRM — governance, validation, monitoring, and update practices for the predictive component.
05 · Governance & Compliance
Publish plain-language explainability documentation
required
A clinician-readable description of what the extractor does, what it does not do, and where it has been validated.
05 · Governance & Compliance
Map CMS-0057-F obligations for prior-auth-adjacent extraction
recommended
Extraction feeding prior authorization workflows is within scope of CMS-0057-F Interoperability and Prior Authorization rule.
05 · Governance & Compliance
Capture per-entity source span + model version
requirednlptrinidy
Every extracted entity carries the source document ID, character offsets, model version, and terminology version that produced it.
05 · Governance & Compliance
Store model card per deployed model version
required
Public-style model card: training data, validation metrics, intended use, limitations, known failure modes.
05 · Governance & Compliance
Change-control and versioning for terminology updates
required
ICD-10-CM annual refresh, CPT annual refresh, RxNorm weekly — each refresh is a change-controlled event with regression validation.
05 · Governance & Compliance
Evaluate extraction fairness across demographic subgroups
required
Report extraction F1 stratified by age, sex, race/ethnicity, and language — required under HTI-1 bias-assessment criteria.
05 · Governance & Compliance
Board-level AI governance reporting
recommended
Extraction quality, HTI-2 transparency compliance, and HIPAA audit findings should reach the board risk committee, not only ops.