Clinical AI governance software built for hospitals and health systems
Risk Meridian helps healthcare organizations inventory every clinical AI system, run patient-harm risk assessments, document the patient-facing AI-use disclosures TRAIGA requires of healthcare providers, and produce board-ready AI governance reports — all in one HIPAA-aware platform that needs no PHI.
Jan 1, 2026
TRAIGA in effect across Texas
Texas HB 149, as enacted
Sept 1, 2025
SB 1188 healthcare AI rules in effect
Texas SB 1188 (89th Legislature)
$10K–$200K
TRAIGA civil penalty range
Enforced by the Texas Attorney General
60-day
cure period before AG enforcement; no private right of action
TRAIGA enforcement provisions
Which clinical AI systems carry the most governance risk?
Some clinical AI carries more legal and patient-safety risk than others. Here are the categories Texas healthcare providers should govern most closely — and why each matters under TRAIGA, SB 1188, and FDA guidance.
Clinical decision support systems
AI that assists physicians with diagnosis, treatment selection, medication dosing, or discharge planning sits at the center of patient safety. When AI is used in a patient's treatment, TRAIGA's healthcare provision requires the provider to disclose that use, and SB 1188 requires provider review of AI-generated record entries. Documented risk reviews and human oversight are how you show that use is responsible and defensible.
Prior authorization and utilization management
Health plans using AI to approve or deny care face real exposure — including TRAIGA's prohibition on using AI to intentionally and unlawfully discriminate against a protected class. Documenting the system, testing for bias across demographic groups, and keeping clear member communications are how you reduce that risk.
Patient scheduling and triage algorithms
AI that prioritizes which patients receive care — ED triage support, appointment scheduling, call-routing — directly affects patient access. Where it informs treatment or healthcare-service decisions, provider disclosure duties can apply, and a documented governance record helps you show the system is used fairly.
Revenue cycle and billing AI
AI-driven coding, billing optimization, and fraud detection can carry regulatory risk when they influence patients' financial outcomes. TRAIGA doesn't require you to inventory back-office AI, but keeping these systems in your governance record helps you spot bias and demonstrate responsible use.
Vendor-supplied AI embedded in EHR platforms
AI embedded in Epic, Cerner, Oracle Health, and other EHR platforms is easy for compliance teams to overlook. Because your providers are the ones using these tools with patients, the disclosure and record-review duties under TRAIGA and SB 1188 fall on your organization — not the vendor.
Predictive analytics and population health tools
Population health platforms that stratify patient risk, identify care gaps, or predict readmissions can shape who gets outreach and resources. Tracking these systems, checking them for bias, and documenting oversight keeps your use of them defensible.
Not sure if a specific AI system is covered? Read the TRAIGA compliance guide →
Everything a health system needs to govern clinical AI
Eight integrated capabilities purpose-built for the healthcare AI governance workflow — from initial inventory to ongoing board reporting.
Clinical AI System Inventory
Centralized registry for every AI system across your health system — from EHR-embedded tools to third-party clinical decision support. Capture the vendor, model, clinical context, patient population, and deployment setting regulators require.
Patient-Harm Risk Scoring
Healthcare-specific risk weighting that accounts for patient harm potential, clinical AI context, affected patient populations, and human-in-the-loop oversight mechanisms. Produces a calibrated Risk Meridian risk class (low, moderate, or high) to help you prioritize oversight and align with FDA guidance.
Patient Disclosure Generator
One-click drafts of the patient-facing AI-use notices that Texas healthcare providers must give under TRAIGA's healthcare disclosure duty and SB 1188. Auto-populated from your AI system inventory — saving weeks of manual drafting.
Clinical Control Framework
Auto-generated control recommendations for each clinical AI system based on its risk class. Covers human oversight checkpoints, explainability requirements, model monitoring, and bias testing — all trackable within the platform.
Board Governance Report Pack
Board-ready AI governance report packs generated in seconds. Includes executive summary, system inventory summary, risk heat map, control status, and open incident log — designed to support hospital boards' growing oversight role in AI governance.
Clinical AI Incident Management
Structured workflow for logging, triaging, investigating, and resolving AI-related clinical incidents. Links incidents to AI system records, controls, and risk reviews for full traceability across the patient safety chain.
Multi-Framework Mapping
Organize clinical AI controls once and reuse that documentation across frameworks — TRAIGA today, with the EU AI Act, NIST AI RMF, ISO 42001, and FDA AI/ML guidance on the roadmap.
Continuous Monitoring
Schedule periodic risk re-assessments, track model performance drift, and maintain a living governance record as clinical AI systems are updated, replaced, or decommissioned. AI governance isn't a one-time exercise — your governance record should stay current as systems change.
The clinical AI governance workflow
Risk Meridian guides your clinical informatics, compliance, and legal teams through a structured workflow that produces documentation supporting a defensible TRAIGA governance record.
Inventory every clinical AI system
Register all AI tools deployed across your health system — including EHR-embedded AI from Epic, Cerner, and Oracle Health. Capture clinical context, patient population, vendor details, and deployment setting. Most hospitals inventory their first 10 systems on day one.
Tip: Risk Meridian provides a vendor questionnaire template to collect governance documentation from your AI suppliers.
Run patient-harm risk assessments
Risk Meridian's healthcare-specific risk engine scores each clinical AI system on patient harm likelihood, clinical impact severity, affected population vulnerability (pediatric, elderly, underserved), reversibility, and human oversight adequacy.
Tip: Risk Meridian automatically generates a risk class — low, moderate, high, or critical — to help you prioritize oversight and align with FDA guidance.
Implement clinical controls and oversight
Receive auto-generated control recommendations for each system based on its risk class. Assign owners (clinical informatics, legal, compliance), set due dates, track implementation, and maintain a complete audit trail. All controls link back to the AI system record.
Generate disclosures and board reports
One-click drafts of the patient AI-use disclosures TRAIGA requires of providers, plus board AI governance report packs — all pre-populated from your inventory data. What used to take weeks takes minutes.
Tip: Board reports include the executive summary, risk heat map, and control status that help hospital governing boards carry out their oversight role.
The regulatory landscape for healthcare AI
Healthcare AI governance sits at the intersection of multiple regulatory frameworks. Risk Meridian helps you organize your controls with these frameworks in mind.
Texas Responsible AI Governance Act (TRAIGA)
Supported todayScope
Texas healthcare providers and organizations using clinical AI
Key Requirements
- Prohibits AI used for specific harmful or intentionally discriminatory purposes
- Providers must disclose AI use in a patient's treatment or healthcare services
- SB 1188: provider review of AI-generated record entries
- Enforced by the Texas Attorney General — no private right of action
- 60-day cure period before penalties apply
- Documentation supports the law's safe harbors
FDA AI/ML-Based SaMD Action Plan
MonitoringScope
AI/ML software that meets the definition of a medical device
Key Requirements
- Predetermined change control plan (PCCP)
- Real-world performance monitoring
- Transparency and labeling requirements
- Algorithm change protocols
EU AI Act
On roadmapScope
High-risk AI in healthcare — diagnostic, treatment, monitoring
Key Requirements
- Conformity assessment
- Technical documentation
- Human oversight mechanisms
- Post-market surveillance
- EU database registration
NIST AI RMF
On roadmapScope
Voluntary framework broadly adopted in healthcare
Key Requirements
- Govern, Map, Measure, Manage functions
- Trustworthy AI characteristics
- Organizational accountability
- AI risk measurement
Healthcare AI governance — frequently asked questions
Common questions from compliance officers, clinical informatics teams, and hospital legal counsel evaluating AI governance software.
- Does TRAIGA apply to hospitals and health systems?
- Yes — TRAIGA applies to organizations operating in Texas, including healthcare. But as enacted (effective January 1, 2026) it is an intent-based law, not a general governance mandate. It prohibits using AI for specific harmful purposes (including intentional, unlawful discrimination against a protected class) and requires healthcare providers to disclose to patients when AI is used in their treatment or healthcare services. Texas SB 1188 adds related duties (see below). TRAIGA is enforced solely by the Texas Attorney General after a 60-day cure period, with no private right of action — there is no AI-inventory or registration requirement for private deployers.
- Which clinical AI systems should we govern most closely?
- TRAIGA doesn't require you to document or register your AI systems, but the systems closest to patient care carry the most risk: clinical decision support, prior authorization AI, triage and scheduling tools, predictive readmission models, and population health stratification. When a provider uses AI in a patient's treatment, TRAIGA's disclosure duty and SB 1188's record-review rules apply — and because your providers are the ones using EHR-embedded tools from Epic or Cerner with patients, those duties fall on your organization, not the vendor. A governance record is the practical way to meet them and stay defensible.
- What patient disclosures does TRAIGA require for healthcare AI?
- This is a real duty. TRAIGA's healthcare provision requires healthcare providers to disclose to a patient (or their representative) when AI is used in the patient's treatment or healthcare services — clearly and, except in emergencies, no later than the time of service. Texas SB 1188 (effective September 1, 2025) goes further: AI-generated entries in the medical record must be reviewed by the treating provider consistent with Texas Medical Board standards, electronic medical records are subject to offshoring limits, and patients must be notified per its rules. Risk Meridian helps you draft the patient AI-use notices and keep the review and oversight records these duties call for.
- How does Risk Meridian handle vendor-supplied AI in EHR systems?
- Risk Meridian's position is that the organization deploying AI — not the vendor — is closest to the patient and carries the disclosure and oversight duties, whether the AI was built in-house or procured from Epic, Oracle Health, or a third-party clinical AI company. Risk Meridian gives you a vendor questionnaire and procurement checklist to collect governance documentation (model cards, validation, bias testing) from your suppliers, so you can document oversight and generate the patient disclosures the law requires.
- What does a hospital board AI governance report include?
- Risk Meridian's board AI governance report pack includes an executive summary of your AI governance program, a complete inventory of clinical AI systems with their Risk Meridian risk class, a control implementation status summary, an open incident log, and a governance maturity score. It is designed to give hospital boards the evidence to support their oversight discussions as AI-governance expectations continue to develop.
- How long does it take to complete a hospital's initial AI inventory?
- Most hospitals complete their initial AI system inventory within one to three weeks, depending on the number of systems and the responsiveness of internal stakeholders. Risk Meridian provides a structured intake form, a vendor questionnaire template, and automated reminders to keep the process moving. Many organizations inventory their first ten systems on day one.
- How does Risk Meridian handle HIPAA and PHI?
- Risk Meridian stores governance metadata about your AI systems — vendors, use-cases, risk scores, controls — not patient records, so no PHI is required to use the platform; that keeps it HIPAA-aware by design. Where a workflow could involve PHI, we can offer a Business Associate Agreement (BAA). Risk Meridian's infrastructure runs on AWS with encryption at rest and in transit, role-based access controls, and audit logging.
- Can Risk Meridian handle multi-site health systems with dozens of AI systems?
- Yes. Risk Meridian is a fully multi-tenant SaaS platform designed to scale from a single-hospital operator to a large integrated delivery network. Role-based access allows compliance officers, clinical informatics teams, legal counsel, and board members to have appropriately scoped access. You can organize AI systems by facility, service line, or business unit and generate consolidated governance reports across your entire system.
Start governing your clinical AI systems today
Hospitals and health systems using Risk Meridian get their first AI system inventoried in under 10 minutes. Start now — no implementation project, no waiting.
HIPAA-aware — no patient data required
TRAIGA disclosures generated in one click
Board governance reports ready in minutes