Clinical AI is proliferating faster than hospital governance programs can track. This guide covers what the TRAIGA healthcare disclosure duty, SB 1188, CMS, The Joint Commission, and state health regulators expect from hospitals and health systems using AI in clinical workflows — and how to build an AI oversight program that supports compliance across all of them.
Why healthcare AI governance is uniquely demanding
Healthcare organizations face the most demanding AI governance environment of any sector for three reasons:
- Highest stakes: AI errors in clinical contexts can directly harm patients. Regulatory scrutiny is correspondingly intense.
- Most regulatory overlap: Healthcare AI is subject to TRAIGA (if it affects Texas residents), HIPAA, FDA regulations (for Software as a Medical Device), CMS conditions of participation, and The Joint Commission accreditation standards — simultaneously.
- Fastest deployment pace: AI is being deployed in clinical workflows — prior authorization, diagnosis support, clinical documentation, patient interaction — faster than governance programs can evaluate it.
TRAIGA's healthcare disclosure duty — and what else applies
Unlike the broad documentation regime described in TRAIGA's earlier draft, the enacted law's main affirmative duty for healthcare is disclosure: providers must disclose the use of AI in patient treatment and healthcare-service contexts. Texas SB 1188 (effective September 1, 2025) adds related duties — provider review of AI-generated records under Texas Medical Board standards, limits on offshoring electronic medical records, and patient-notification rules. Beyond those specific duties, the governance practices below are recommended to keep clinical AI defensible:
- Clinical AI categorization: AI systems used in clinical decision support, diagnosis, treatment planning, or patient-facing interactions warrant separate documentation and a higher risk classification in your register
- PHI processing documentation: Risk assessments for systems that process Protected Health Information should explicitly address HIPAA controls
- Patient impact disclosure: Patient disclosures should be in plain language and align with TRAIGA's healthcare disclosure duty and applicable informed-consent standards
Clinical AI systems that warrant governance
| System type | Examples | Typical risk classification |
|---|---|---|
| Diagnostic AI | Radiology AI, pathology analysis, symptom checkers that produce diagnoses | HIGH / CRITICAL |
| Treatment recommendation AI | Medication dosing algorithms, treatment protocol suggestions, oncology decision support | HIGH / CRITICAL |
| Prior authorization AI | Automated insurance approval systems, utilization management tools | HIGH |
| Clinical documentation AI | Ambient scribing tools, AI-generated clinical notes, coding assistants | MODERATE / HIGH |
| Patient interaction AI | Chatbots, virtual assistants, patient-facing triage tools | MODERATE / HIGH |
| Operational AI | Scheduling optimization, supply chain AI, staffing models | LOW / MODERATE |
Joint Commission requirements
The Joint Commission updated its accreditation standards to address health equity and algorithmic bias in clinical AI. Standards applicable to most accredited hospitals now require:
- Documented evaluation of AI systems for potential bias in clinical decision-making
- Policies addressing the use of AI in clinical settings, including who may use AI tools and under what supervision
- Processes for monitoring AI performance over time and detecting performance degradation
- Incident reporting for AI-related adverse events and near misses
Board-level AI oversight
Hospital boards have a fiduciary and governance responsibility for AI risk that is increasingly scrutinized by regulators and accreditors. Board members are not expected to understand the technical details of AI systems — but they are expected to understand the governance program and the organization's risk posture.
Effective board AI governance requires a regular reporting cadence (at minimum quarterly) covering:
- AI system inventory summary — how many systems, at what risk levels
- Control completion rates — what percentage of planned controls are implemented
- Open incidents — how many AI incidents are active, at what severity
- Compliance status — any open regulatory inquiries or known gaps
- Upcoming reviews — systems with risk assessments coming due
Risk Meridian generates board-level AI governance reports designed specifically for hospital governance requirements — summary-level, non-technical, and suitable for presentation to a board committee.
Getting started
Healthcare organizations should begin their AI governance program with a clinical AI discovery exercise — a systematic effort to identify every AI system in use across the organization, including vendor-provided AI embedded in EHR platforms, RCM systems, and other enterprise software that may not have been purchased or approved as “AI.”
Many healthcare organizations discover more AI systems in this process than their governance team expected. This is normal. The important thing is to capture everything and assess it — not to be surprised by it in a regulatory inquiry.