Clinical AI is proliferating faster than hospital governance programs can track. This guide covers what the TRAIGA healthcare disclosure duty, SB 1188, CMS, The Joint Commission, and state health regulators expect from hospitals and health systems using AI in clinical workflows — and how to build an AI oversight program that supports compliance across all of them.

Why healthcare AI governance is uniquely demanding

Healthcare organizations face the most demanding AI governance environment of any sector for three reasons:

  • Highest stakes: AI errors in clinical contexts can directly harm patients. Regulatory scrutiny is correspondingly intense.
  • Most regulatory overlap: Healthcare AI is subject to TRAIGA (if it affects Texas residents), HIPAA, FDA regulations (for Software as a Medical Device), CMS conditions of participation, and The Joint Commission accreditation standards — simultaneously.
  • Fastest deployment pace: AI is being deployed in clinical workflows — prior authorization, diagnosis support, clinical documentation, patient interaction — faster than governance programs can evaluate it.

TRAIGA's healthcare disclosure duty — and what else applies

Unlike the broad documentation regime described in TRAIGA's earlier draft, the enacted law's main affirmative duty for healthcare is disclosure: providers must disclose the use of AI in patient treatment and healthcare-service contexts. Texas SB 1188 (effective September 1, 2025) adds related duties — provider review of AI-generated records under Texas Medical Board standards, limits on offshoring electronic medical records, and patient-notification rules. Beyond those specific duties, the governance practices below are recommended to keep clinical AI defensible:

  • Clinical AI categorization: AI systems used in clinical decision support, diagnosis, treatment planning, or patient-facing interactions warrant separate documentation and a higher risk classification in your register
  • PHI processing documentation: Risk assessments for systems that process Protected Health Information should explicitly address HIPAA controls
  • Patient impact disclosure: Patient disclosures should be in plain language and align with TRAIGA's healthcare disclosure duty and applicable informed-consent standards

Clinical AI systems that warrant governance

System typeExamplesTypical risk classification
Diagnostic AIRadiology AI, pathology analysis, symptom checkers that produce diagnosesHIGH / CRITICAL
Treatment recommendation AIMedication dosing algorithms, treatment protocol suggestions, oncology decision supportHIGH / CRITICAL
Prior authorization AIAutomated insurance approval systems, utilization management toolsHIGH
Clinical documentation AIAmbient scribing tools, AI-generated clinical notes, coding assistantsMODERATE / HIGH
Patient interaction AIChatbots, virtual assistants, patient-facing triage toolsMODERATE / HIGH
Operational AIScheduling optimization, supply chain AI, staffing modelsLOW / MODERATE

Joint Commission requirements

The Joint Commission updated its accreditation standards to address health equity and algorithmic bias in clinical AI. Standards applicable to most accredited hospitals now require:

  • Documented evaluation of AI systems for potential bias in clinical decision-making
  • Policies addressing the use of AI in clinical settings, including who may use AI tools and under what supervision
  • Processes for monitoring AI performance over time and detecting performance degradation
  • Incident reporting for AI-related adverse events and near misses

Board-level AI oversight

Hospital boards have a fiduciary and governance responsibility for AI risk that is increasingly scrutinized by regulators and accreditors. Board members are not expected to understand the technical details of AI systems — but they are expected to understand the governance program and the organization's risk posture.

Effective board AI governance requires a regular reporting cadence (at minimum quarterly) covering:

  • AI system inventory summary — how many systems, at what risk levels
  • Control completion rates — what percentage of planned controls are implemented
  • Open incidents — how many AI incidents are active, at what severity
  • Compliance status — any open regulatory inquiries or known gaps
  • Upcoming reviews — systems with risk assessments coming due

Risk Meridian generates board-level AI governance reports designed specifically for hospital governance requirements — summary-level, non-technical, and suitable for presentation to a board committee.

Getting started

Healthcare organizations should begin their AI governance program with a clinical AI discovery exercise — a systematic effort to identify every AI system in use across the organization, including vendor-provided AI embedded in EHR platforms, RCM systems, and other enterprise software that may not have been purchased or approved as “AI.”

Many healthcare organizations discover more AI systems in this process than their governance team expected. This is normal. The important thing is to capture everything and assess it — not to be surprised by it in a regulatory inquiry.