Healthcare AI — Quick Reference

Last Updated: 2026-06-30
Full Chapters: docs/07-Healthcare-AI/


Healthcare AI Categories

| Category | Examples | Regulatory Risk | HIPAA Required |
|---|---|---|---|
| Diagnostic AI | Radiology AI, sepsis prediction | High (FDA SaMD likely) | Yes |
| Clinical Decision Support | Drug alerts, guideline recommendations | Medium (evaluate vs. CDS guidance) | Yes |
| Clinical Documentation | Discharge summary AI, ambient documentation | Low (no direct care impact) | Yes |
| Administrative AI | Prior auth, coding, scheduling | Low | Yes |
| Patient Engagement | Post-discharge chatbot, reminders | Low-Medium | Yes |

FDA Regulatory Classification (Quick Reference)

Non-device CDS (NOT SaMD): Clinician can independently verify the basis for the AI recommendation by reviewing the same information the AI used. AI organizes and displays information; clinician applies judgment.

Device CDS (SaMD): Clinician cannot independently verify the basis — they are relying on the software's analysis. Model produces a risk score or recommendation from complex inputs the clinician cannot re-derive manually.

Key question: "Can the clinician look at the same data and derive the same conclusion without the AI's model?"

  • Yes → Likely non-device CDS
  • No → Likely SaMD requiring FDA regulatory engagement

For LLM-based SaMD: File a Predetermined Change Control Plan (PCCP) at 510(k) submission to enable model version updates without repeated submissions.


HIPAA Quick Reference for Clinical AI

| Question | Answer |
|---|---|
| Is an LLM API inference request PHI? | Yes, if it contains patient clinical data |
| Does the LLM vendor need a BAA? | Yes — they process PHI on your behalf |
| Can patient name be in the prompt? | Only if the use case requires it (Minimum Necessary) |
| Can PHI appear in observability traces? | No — scrub at AI gateway; metadata only |
| Can eval datasets use real patient data? | Only after Safe Harbor de-identification |
| Do vector indexes of clinical notes need PHI controls? | Yes — they are PHI data stores |

18 HIPAA identifiers to remove for Safe Harbor de-identification: names; geographic data smaller than a state; dates (except year); phone numbers; fax numbers; email addresses; SSNs; MRNs; health plan IDs; account numbers; certificate/license numbers; vehicle IDs; device IDs; URLs; IP addresses; biometrics; photos; any other unique identifier.
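The two gateway-side controls above (metadata-only traces, Safe Harbor scrubbing) as an added Python example that is not part of the original reference. It covers only the regex-detectable identifiers (dates, phone, email, SSN, MRN, URL, IP); names and sub-state geography need dictionary or NLP de-identification on top. The HMAC key, the `MRN` prefix format and the event field names are constructed assumptions.

```python
import hashlib
import hmac
import re

# Per-deployment secret for keyed hashing of patient identifiers (constructed value;
# in practice loaded from a secrets manager, never hard-coded).
TRACE_HMAC_KEY = b"constructed-example-key"

# Pattern-matchable Safe Harbor identifiers only. Names, geography below state
# level and "any other unique identifier" are not regex-detectable.
_PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE)),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")),  # year may be kept
]

def scrub_safe_harbor(text: str) -> str:
    """Replace pattern-matchable identifiers; for dates keep only the year."""
    for label, pattern in _PATTERNS:
        if label == "DATE":
            text = pattern.sub(lambda m: f"[DATE {m.group(1)}]", text)
        else:
            text = pattern.sub(f"[{label}]", text)
    return text

def hash_patient_id(patient_id: str) -> str:
    """Keyed hash (not plain SHA-256, so MRNs cannot be guessed back by dictionary):
    traces stay correlatable per patient without exposing the identifier."""
    return hmac.new(TRACE_HMAC_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

# The only fields the observability stack may receive: no prompt or completion text.
ALLOWED_TRACE_FIELDS = {"trace_id", "patient_ref", "model", "prompt_tokens",
                        "completion_tokens", "latency_ms", "status"}

def to_trace_record(event: dict) -> dict:
    """Reduce a raw gateway inference event to a metadata-only trace record."""
    record = {
        "trace_id": event["trace_id"],
        "patient_ref": hash_patient_id(event["patient_id"]),
        "model": event["model"],
        "prompt_tokens": len(event["prompt"].split()),       # whitespace token proxy
        "completion_tokens": len(event["completion"].split()),
        "latency_ms": event["latency_ms"],
        "status": event["status"],
    }
    assert set(record) <= ALLOWED_TRACE_FIELDS, "non-allowlisted field in trace record"
    return record
```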


FHIR R4 — Key Resources for Clinical AI

| Resource | Clinical Content | Common Use Case |
|---|---|---|
| Patient | Demographics, identifiers | Discharge summary personalization |
| Encounter | Visit type, dates, providers | Context scoping for queries |
| Condition | Diagnoses, problem list | Clinical AI context |
| MedicationRequest | Ordered medications, doses | Drug interaction checking, med rec |
| Observation | Vital signs, labs | Sepsis scoring, care gap analysis |
| DocumentReference | Clinical notes, summaries | AI output write-back to EHR |
| DiagnosticReport | Lab panels, imaging reports | Radiology AI integration |

SMART on FHIR scope pattern: {context}/{resource}.{permission}

Examples:

  • patient/Condition.read
  • patient/DocumentReference.write
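A minimum-necessary audit of the scope pattern above, as an added Python example (not part of the original reference). It parses SMART v1 scopes, treats wildcards and user/system context as broader than a patient-context need, and reports both the needed scopes an app lacks and the requested scopes that exceed its use case; the discharge-summary scope list is constructed from the FHIR resource table on this page.

```python
import re
from typing import NamedTuple

# SMART v1 clinical scope grammar: {context}/{resource}.{permission}
_SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.(read|write|\*)$")

class SmartScope(NamedTuple):
    context: str     # patient = launch patient only; user/system = not patient-bound
    resource: str    # FHIR resource type, or "*"
    permission: str  # read, write, or "*"

def parse_scope(scope: str) -> SmartScope:
    match = _SCOPE_RE.match(scope)
    if not match:
        raise ValueError(f"not a clinical resource scope: {scope!r}")
    return SmartScope(*match.groups())

def covers(granted: SmartScope, needed: SmartScope) -> bool:
    """True if `granted` permits everything `needed` does (wildcards and a
    broader user/system context count as covering a patient-context need)."""
    context_ok = (granted.context == needed.context
                  or (needed.context == "patient" and granted.context in ("user", "system")))
    return (context_ok and granted.resource in ("*", needed.resource)
            and granted.permission in ("*", needed.permission))

def check_minimum_necessary(requested: list[str], needed: list[str]) -> dict:
    """Audit an app's requested scopes against the scopes its use case needs.

    Non-resource scopes (launch, openid, fhirUser, offline_access) are ignored.
    `missing` = needed scopes nothing grants; `excess` = requested scopes that are
    not exactly needed (wildcards, extra resources/permissions, broader context).
    """
    resource_scopes = [s for s in requested if "/" in s]
    granted = [parse_scope(s) for s in resource_scopes]
    need = [parse_scope(s) for s in needed]
    missing = [s for s, n in zip(needed, need) if not any(covers(g, n) for g in granted)]
    excess = [s for s, g in zip(resource_scopes, granted) if g not in need]
    return {"missing": missing, "excess": excess, "compliant": not missing and not excess}

# Constructed example: discharge-summary app reading context resources, writing one note.
DISCHARGE_SUMMARY_SCOPES = [
    "patient/Patient.read", "patient/Encounter.read", "patient/Condition.read",
    "patient/MedicationRequest.read", "patient/Observation.read",
    "patient/DocumentReference.write",
]
```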


CDS Hooks — Standard Hooks

| Hook | Fires When | AI Use Case |
|---|---|---|
| patient-view | Clinician opens patient chart | Care gap display, risk score |
| order-sign | Clinician signs an order | Drug interaction, formulary check |
| encounter-discharge | Discharge workflow initiated | Discharge summary, care gap check |

CDS response time requirement: < 5 seconds (EHR timeout). Put LLM inference in the hook path only when it is genuinely necessary, since it consumes most of that budget.

Circuit breaker rule: If the CDS service is unavailable, the EHR workflow MUST proceed. Clinical workflow cannot depend on AI availability.
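The timeout and circuit breaker rules above, as an added Python example that is not part of the original reference. The wrapped `service` callable is an assumption: it takes `(hook_request, timeout_seconds)`, enforces the timeout on its own HTTP call, and returns the parsed CDS Hooks response; any failure degrades to an empty card list so the EHR workflow continues.

```python
import time
from typing import Callable

class CdsCircuitBreaker:
    """Wraps a CDS Hooks service call so the EHR workflow never waits on it.

    Timeout, error or malformed response -> {"cards": []} (a valid "no advice"
    CDS Hooks response). After `failure_threshold` consecutive failures the
    circuit opens and the service is skipped until `reset_seconds` pass.
    """

    def __init__(self, service: Callable[[dict, float], dict], timeout_s: float = 5.0,
                 failure_threshold: int = 3, reset_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        # `service` is assumed to enforce `timeout_s` itself (e.g. on its HTTP client).
        self.service = service
        self.timeout_s = timeout_s
        self.failure_threshold = failure_threshold
        self.reset_seconds = reset_seconds
        self.clock = clock
        self.failures = 0
        self.opened_at = None       # monotonic time the circuit opened, if open
        self.skipped = 0            # calls short-circuited while open

    def is_open(self) -> bool:
        if self.opened_at is None:
            return False
        if self.clock() - self.opened_at >= self.reset_seconds:
            self.opened_at = None                         # half-open: one trial call
            self.failures = self.failure_threshold - 1    # a failed trial re-opens
            return False
        return True

    def call(self, hook_request: dict) -> dict:
        """Return the service's cards, or an empty card list on any failure."""
        if self.is_open():
            self.skipped += 1
            return {"cards": []}
        try:
            response = self.service(hook_request, self.timeout_s)
            if not isinstance(response.get("cards"), list):
                raise ValueError("malformed CDS Hooks response")
            self.failures = 0
            return response
        except Exception:           # timeout, connection error, bad payload
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = self.clock()
            return {"cards": []}
```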


Clinical RAG — Key Design Decisions

| Decision | Recommendation |
|---|---|
| Embedding model | Clinical-domain model (voyage-medical-2 or equivalent) > generic |
| Chunking strategy | Recommendation-as-atomic-unit for guidelines; section-boundary for protocols |
| Metadata required | Title, organization, date, section, evidence grade |
| Index update SLA | Formulary: within 5 business days of change; guidelines: quarterly |
| Citations | Always include in AI response — clinicians must be able to verify |

Medical ontologies for query expansion:

  • SNOMED CT: clinical concepts, diagnoses
  • RxNorm: medication standardization
  • LOINC: lab tests and clinical observations
  • ICD-10-CM: diagnosis codes

Clinical Documentation AI — Quality Metrics

| Metric | Target | Alert If |
|---|---|---|
| Section completion rate | ≥ 95% | < 90% |
| Physician edit rate | 10–25% | < 5% (rubber-stamping?) or > 40% (quality gap?) |
| Documentation time reduction | ≥ 15% | < 5% |
| Physician satisfaction | ≥ 3.5/5.0 | < 3.0/5.0 |

Mandatory rule: AI-generated content must NEVER be written to the medical record without explicit physician review and approval. The physician's signature attests to accuracy and completeness.


Clinical Decision Support — Alert Design

| Severity | Delivery Mode | When to Use | Override Mechanism |
|---|---|---|---|
| Critical | Workflow-blocking | Imminent patient harm (active allergy) | Explicit reason required |
| Warning | Non-blocking card | Significant risk requiring attention | Dismissible with reason |
| Informational | Non-blocking card or async | Advisory, no immediate action | Freely dismissible |

Alert fatigue thresholds:

  • Override rate > 70% → Alert specificity problem
  • Override rate > 85% → Clinical staff has learned to dismiss without reading
  • Alert volume > 10 per provider per shift → Fatigue risk

Medical Imaging AI — Quick Reference

| Concept | Detail |
|---|---|
| Image format | DICOM (.dcm) — pixel data + structured header (patient demographics, acquisition metadata) |
| PACS role | Central hub; receives from modalities; delivers to AI and reading workstations |
| Routing mechanism | DICOM C-STORE or DICOMweb STOW-RS to AI service on study arrival |
| AI output format | DICOM Structured Report (SR), Segmentation Object, or Presentation State overlay |
| Regulatory status | Almost all radiology AI requires 510(k) clearance as SaMD |
| PHI risk | DICOM header contains patient name, MRN, DOB — de-identify before cloud AI |

Patient Engagement AI — Design Principles

| Principle | Requirement |
|---|---|
| Health literacy | Write at ≤ 6th grade reading level; plain language; no medical jargon |
| Language access | Title VI / ACA Section 1557 — serve non-English patients; multilingual required |
| Access equity | SMS > portal for equity (works on basic phone; no login required) |
| Escalation router | Fail-safe — unknown situations escalate; 24/7 human coverage required |
| Scope boundary | AI cannot answer clinical questions outside defined scope — always escalate |
| Opt-out | Every patient must be able to opt out and receive human alternative |

Clinical AI Safety — Pre-Deployment Checklist

  • [ ] Risk tier classified (Tier 1 / 2 / 3)
  • [ ] FDA SaMD status determined; regulatory counsel engaged if applicable
  • [ ] HIPAA BAA signed with all AI vendors
  • [ ] Demographic bias evaluation: no subgroup > 10 points below overall accuracy
  • [ ] Golden dataset evaluation: ≥ 50 cases, meets quality threshold
  • [ ] Adversarial testing: prompt injection, edge cases
  • [ ] Clinical panel review: qualified reviewers approved output quality
  • [ ] FMEA completed: failure modes documented with mitigations
  • [ ] Rollback procedure defined and tested
  • [ ] Safety event reporting channel established (low-friction)
  • [ ] Model Review Board approval obtained

HMS AI Platform — Build Sequence

Phase A — Foundation (before use case 1):
  AI Gateway → Prompt Registry → Model Registry → Audit Log → BAAs

Phase B — First Use Case (Discharge Summary AI):
  SMART on FHIR registration → FHIR client → SMART app → Eval pipeline → MRB

Phase C — Platform Expansion (before use case 3):
  Embedding Service → Clinical Vector Store → Integration Engine →
  CDS Hooks → Observability stack

Phase D — Scale (use cases 4–7):
  Prior Auth agent → Medical Coding batch → Care Gap → Patient Chatbot →
  Full champion network

Interview Quick Reference

Healthcare AI Landscape:

  • FDA SaMD classification: key question is whether clinician can independently verify the AI's reasoning basis
  • PCCP at 510(k) submission = mechanism to update LLM model versions without repeated submissions

HIPAA and AI:

  • BAA required before any PHI is transmitted to any external AI vendor
  • Observability traces must scrub PHI — metadata only (hashed IDs, token counts, latency)
  • Vector indexes of clinical notes = PHI data stores requiring same controls as source EHR data

EHR Integration:

  • FHIR R4 for data retrieval; HL7 v2 ADT for event notification
  • SMART on FHIR: minimum necessary scopes; EHR launch passes patient context automatically
  • CDS Hooks: must respond < 5 seconds; circuit breaker — clinical workflow cannot depend on AI

Clinical RAG:

  • Chunk at recommendation boundaries, not character counts
  • Index metadata (organization, date, evidence grade) is required for citations and source weighting
  • Index must be updated on a defined schedule — stale clinical knowledge is a patient safety risk

Clinical Documentation AI:

  • AI draft must be reviewed and approved by physician before entering medical record
  • Physician edit rate 10–25% = healthy engagement; < 5% = investigate rubber-stamping

Medical Imaging AI:

  • 510(k) clearance verification: patient population + modality + indication must match deployment
  • Deliver AI overlay in radiologist's standard PACS view without extra workflow steps

Patient Engagement AI:

  • Escalation router is the safety-critical component: fail-safe, 24/7 human coverage
  • SMS channel is most equitable: works on basic phone, no app required

Clinical AI Safety:

  • Demographic bias evaluation: no subgroup > 10 points below overall accuracy
  • FMEA before deployment: identify failure modes and mitigations
  • Override rate > 70%: alert fatigue; < 5%: rubber-stamping risk

See Also