Governance & Program Info

Real-Time Clinical Decision Support — Governance

Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.

Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (0 of 15 marked complete)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Complete HIPAA Security Rule (45 CFR 164.312) technical safeguards mapping
required
Map all five 164.312 standards (access control, audit controls, integrity, person or entity authentication, transmission security) against every component of the ML training and inference stack: data lake, feature store, training jobs, model registry, inference service, and the EHR integration path. Record the implementing control for each, and note where a vendor rather than the institution is responsible.
05 · Governance & Compliance
Business Associate Agreement coverage for every ML vendor
required
Every vendor that creates, receives, maintains, or transmits PHI in the ML pipeline (cloud infrastructure, model hosting, annotation and labeling services, MLOps tooling) must have an executed BAA with the required 45 CFR 164.504(e) terms; under HITECH, business associates are directly liable for Security Rule compliance, so the BAA should also address subcontractor flow-down and breach notification timelines.
05 · Governance & Compliance
NIST SP 800-66 Rev. 2 alignment
recommended
Align the HIPAA Security Rule implementation to NIST SP 800-66 Rev. 2 (February 2024), "Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide." It is non-binding guidance, but it is the de facto operational standard for risk analysis and for the safeguard-to-control crosswalk that auditors expect to see.
05 · Governance & Compliance
De-identification / limited data set strategy for training
required
Training pipelines should run on de-identified data (45 CFR 164.514(b): Safe Harbor removal of the 18 identifiers, or Expert Determination) or on a limited data set under a data use agreement (45 CFR 164.514(e)), unless a specific, documented reason requires identifiable PHI. Treat re-identification risk from free-text notes and rare-value combinations as part of that determination.
05 · Governance & Compliance
Document FDA SaMD classification decision and rationale
required
Maintain the written regulatory determination (non-device CDS under the four criteria of FD&C Act section 520(o)(1)(E) and FDA's 2022 CDS guidance, versus Class II/III SaMD) with clinical and regulatory counsel sign-off. Revisit the determination whenever the intended use, the user population, or the degree to which clinicians can independently review the basis for a recommendation changes.
05 · Governance & Compliance
Quality management system aligned to IEC 62304 (if SaMD)
required
If the model is FDA SaMD, IEC 62304 software-lifecycle processes apply — development, verification, validation, and maintenance.
05 · Governance & Compliance
21 CFR Part 11 electronic records and signatures compliance
recommended
If the CDS system supports FDA-regulated activities (trials, FDA-submitted evidence), Part 11 controls apply to records and signatures.
05 · Governance & Compliance
Produce the ONC DSI source attribute package for each predictive DSI
required
Intended use, input features, training population, performance across demographic groups, known limitations, update cadence, and the other source attributes that certified health IT must make available to users under the ONC HTI-1 final rule (45 CFR 170.315(b)(11)). The certification obligation sits with the health IT developer, so confirm by contract that each locally deployed model has a complete and current attribute set surfaced to the end user.
05 · Governance & Compliance
Per-prediction audit trail with model version and provenance
required
Every alert traceable to model version, feature snapshot, training data window, and bias-testing attestation.
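As an added worked example (not code from this builder or from any referenced product), the following Python shows one way to produce the audit trail this item describes: each prediction record carries the model version, the artifact digest, a hash of the exact feature snapshot, the training-data window, and the bias-testing attestation identifier, and records are chained with an HMAC so that later edits or deletions are detectable. The field names, the audit key handling, and the sample model and feature values are assumptions made for the example.

```python
"""Tamper-evident per-prediction audit log for a CDS model (illustrative)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Any

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def canonical(obj: Any) -> bytes:
    # Deterministic JSON so the MAC does not depend on key order or whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def feature_snapshot_hash(features: dict[str, Any]) -> str:
    # Hash of the exact input vector, so the alert can be reproduced later.
    return hashlib.sha256(canonical(features)).hexdigest()


@dataclass(frozen=True)
class PredictionRecord:
    event_id: str
    ts: str
    patient_ref: str              # opaque reference; the log is still a PHI record
    model_id: str
    model_version: str
    model_sha256: str             # digest of the deployed model artifact
    feature_snapshot_sha256: str
    training_window: list[str]    # [start, end] of the training data window
    bias_attestation_id: str      # identifier of the bias-testing sign-off
    output: dict[str, Any]
    prev_hash: str
    record_hash: str


class AuditLog:
    """Append-only log; each record's MAC covers its body and the previous MAC."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # assumed to be held only by the audit service
        self.records: list[PredictionRecord] = []

    def _mac(self, body: dict[str, Any]) -> str:
        return hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()

    def append(self, *, event_id: str, patient_ref: str, model: dict[str, Any],
               features: dict[str, Any], output: dict[str, Any],
               ts: str | None = None) -> PredictionRecord:
        body = {
            "event_id": event_id,
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "patient_ref": patient_ref,
            "model_id": model["model_id"],
            "model_version": model["model_version"],
            "model_sha256": model["model_sha256"],
            "feature_snapshot_sha256": feature_snapshot_hash(features),
            "training_window": list(model["training_window"]),
            "bias_attestation_id": model["bias_attestation_id"],
            "output": output,
            "prev_hash": self.records[-1].record_hash if self.records else GENESIS,
        }
        rec = PredictionRecord(**body, record_hash=self._mac(body))
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int | None]:
        # Returns (True, None) if intact, else (False, index of first bad record).
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = asdict(rec)
            body.pop("record_hash")
            if rec.prev_hash != prev or not hmac.compare_digest(self._mac(body), rec.record_hash):
                return False, i
            prev = rec.record_hash
        return True, None


# Constructed sample model metadata (assumed values, not a real deployment).
SAMPLE_MODEL = {
    "model_id": "sepsis-early-warning",
    "model_version": "3.2.0",
    "model_sha256": hashlib.sha256(b"model-artifact-bytes").hexdigest(),
    "training_window": ["2021-01-01", "2023-12-31"],
    "bias_attestation_id": "BIAS-2024-017",
}


def build_demo_log() -> AuditLog:
    log = AuditLog(key=b"audit-service-key-for-example-only")
    log.append(event_id="evt-1", patient_ref="pt-9f2a", model=SAMPLE_MODEL,
               features={"hr": 118, "temp_c": 38.9, "lactate": 3.1},
               output={"sepsis_risk": 0.81, "alert": True}, ts="2025-01-05T10:00:00+00:00")
    log.append(event_id="evt-2", patient_ref="pt-9f2a", model=SAMPLE_MODEL,
               features={"hr": 96, "temp_c": 37.4, "lactate": 1.2},
               output={"sepsis_risk": 0.12, "alert": False}, ts="2025-01-05T10:30:00+00:00")
    return log


def tamper_demo() -> tuple[bool, int | None]:
    # Silently rewrite the first alert to a non-alert; verify() must catch it.
    log = build_demo_log()
    log.records[0] = replace(log.records[0], output={"sepsis_risk": 0.02, "alert": False})
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_demo_log().verify())
    print("after tampering:", tamper_demo())
```

The chain only proves integrity relative to the audit key, so the key must not be readable by the processes that write or read the log, and the latest record hash should be periodically anchored somewhere the log writers cannot alter (a separate system or a signed timestamp). Storing the feature snapshot hash rather than the raw features keeps PHI out of the log body, but the log still references a patient and remains a HIPAA record subject to access and audit controls.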
05 · Governance & Compliance
CMS-0057-F Interoperability & Prior Authorization readiness
recommended
CMS-0057-F (Interoperability and Prior Authorization final rule, January 2024) applies to impacted payers. Its operational prior authorization provisions (decision timeframes, specific denial reasons, public metrics) begin January 1, 2026; the FHIR Prior Authorization, Provider Access, and Payer-to-Payer API compliance date is January 1, 2027. CDS pipelines that generate or consume prior authorization data will intersect these FHIR exchanges, so plan the data mapping and consent handling now.
05 · Governance & Compliance
Clinical AI governance committee approval
required
Every new CDS model and every material threshold / retraining change approved by a standing clinical AI governance committee with physician, nursing, informatics, quality, and patient safety representation.
05 · Governance & Compliance
Align model risk program to NIST AI RMF 1.0
recommended
Apply the Govern-Map-Measure-Manage structure to the CDS program. NIST AI RMF 1.0 is a voluntary framework rather than a regulatory requirement, but it is the most widely referenced baseline for AI risk management in US healthcare and aligns naturally with the governance committee, bias testing, and post-market surveillance items in this list.
05 · Governance & Compliance
IRB / research compliance review for model development
required
Development using retrospective PHI typically requires IRB review or a waiver, plus a HIPAA authorization or an IRB/Privacy Board waiver of authorization under 45 CFR 164.512(i) for research use. Confirm whether the work is research or a health care operations activity (quality improvement), document the basis for that designation, and do not let the designation change silently when a QI model is later published or generalized.
05 · Governance & Compliance
EU AI Act (Regulation 2024/1689) high-risk mapping if applicable
recommended
If the system is placed on the EU market, deployed in the EU, or its output is used in the EU, it falls within the EU AI Act's scope (Article 2). Clinical AI that is a medical device requiring third-party conformity assessment under the MDR/IVDR is high-risk under Article 6(1), and other health-related uses may be high-risk under Annex III. Those obligations (risk management, data governance, logging, human oversight, post-market monitoring) are additive to HIPAA, FDA, and ONC requirements, so map them explicitly rather than assuming overlap.
05 · Governance & Compliance
Adverse event reporting and post-market surveillance plan
required
Pathway for clinician-reported adverse events and near misses tied to CDS output, with triage to the governance committee and a feedback loop into threshold and retraining decisions. For FDA SaMD, Medical Device Reporting under 21 CFR Part 803 applies (manufacturer reports, and user facility reports of deaths and serious injuries); for non-device CDS it is good practice and supports the monitoring expected by NIST AI RMF and the EU AI Act.