Regulatory Compliance for Enterprise AI

Common Mistakes

1. Assuming SOC 2 covers HIPAA. SOC 2 is a security assurance framework; HIPAA is a privacy and security law. An organization can hold a clean SOC 2 Type II report while still being out of HIPAA compliance, because the two have different scopes and requirements. Both must be addressed independently.

2. Not classifying clinical AI as potentially SaMD. Organizations deploy clinical decision support AI without asking whether it meets FDA's definition of a medical device. If the AI is "intended to diagnose, treat, mitigate, cure, or prevent disease," it may require FDA clearance regardless of whether the organization considers it a "software tool."

3. Not including AI in the SOC 2 scope. A SOC 2 audit covers only the systems named in its scope definition. If the AI platform is not explicitly in scope, the audit says nothing about AI controls, even if the report is otherwise clean. Ensure AI platform components (models, inference services, training data pipelines) are explicitly included in the SOC 2 scope definition.

Key Takeaways

  • Clinical AI is subject to multiple simultaneous regulatory frameworks: HIPAA (data privacy), SOC 2 (security assurance), HITRUST (healthcare security certification), FDA SaMD (medical device regulation), and EU AI Act (high-risk AI)
  • Each framework makes distinct implementation demands; where possible, map overlapping requirements to a single control implementation rather than maintaining parallel controls per framework
  • Clinical decision support AI is classified as high-risk under the EU AI Act, requiring conformity assessment and human oversight mechanisms
  • FDA SaMD classification must be evaluated before deploying AI for clinical decision support — "software tool" framing does not exempt clinical AI from medical device regulation
  • Compliance must be designed in from the start; it cannot be retrofitted to a deployed AI system