Governance & Program Info
HIPAA-Sovereign Ambient Clinical Documentation — Governance
Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.
Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (0 of 13 marked complete)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Document HIPAA Security Rule Technical Safeguards for the AI stack
Access control, audit controls, integrity, person/entity authentication, transmission security — per 45 CFR 164.312 applied to ASR, LLM, and audit logs.
Establish BAA chain for every pipeline component
Every vendor touching audio, transcript, or note — ASR, LLM, storage, monitoring, integration — must be BAA-covered or on-prem.
Document Safe Harbor / Expert Determination de-identification
45 CFR 164.514(b) for any corpus used in training or evaluation outside the originating site.
Implement breach notification workflow for model failures
Playbook for when a model error exposes PHI (wrong-patient note, misrouted transcript) — triggers HIPAA §164.404 analysis.
Classify the scribe against ONC HTI-1 Predictive DSI criteria
ONC HTI-1 (2023 final rule) defines Predictive Decision Support Interventions and associated source/logic/intended-use transparency obligations.
Document CMS AI-generated note accountability workflow
CMS 2025 rules hold the provider accountable for AI-drafted note accuracy — document the clinician attestation and sign-off path.
Enforce clinician review before EHR commit
No AI-drafted note reaches the legal record without clinician review — technical enforcement in the integration layer, not policy alone.
Map 21 CFR Part 11 scope where notes touch regulated trial documentation
If ambient scribing is used in clinical-trial encounters, 21 CFR Part 11 electronic record and signature controls apply.
Align ambient AI program to NIST AI RMF 1.0
Govern-Map-Measure-Manage profile for the scribe — especially measurement against clinical safety and bias risks.
EU AI Act conformity assessment for EU deployments
Regulation 2024/1689 — medical AI generally classified as high-risk and subject to conformity assessment, quality management, and post-market monitoring.
Establish ISO 27001 / 27701 alignment for the AI environment
Information security and privacy management baseline for the inference substrate, audit log, and training corpus.
Medical staff / IRB oversight of the scribe
Institutional medical staff committee and (where applicable) IRB review of the scribe's clinical use and fine-tuning corpus.
Board-level AI accountability reporting
Note accuracy, edit rate, clinician acceptance, and safety event metrics reported to the board and quality committee, not only to IT ops.