
Regulatory References

Comprehensive reference for regulations, standards, and compliance frameworks applicable to healthcare AI systems.

United States Regulations

HIPAA (Health Insurance Portability and Accountability Act)

Federal law enacted in 1996 establishing national standards for protecting sensitive patient health information. HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates.
Key Components:
  • Privacy Rule: Standards for PHI use and disclosure
  • Security Rule: Administrative, physical, and technical safeguards
  • Breach Notification Rule: Requirements for reporting breaches
  • Enforcement Rule: Penalties and procedures
Relevant Provisions for AI Systems:
  • Minimum Necessary Standard: Access only the PHI needed for the specific purpose
  • Authorization Requirements: Patient consent for uses beyond treatment, payment, operations
  • De-identification Standards: Safe Harbor and Expert Determination methods
  • Business Associate Agreements: Required for vendors handling PHI
Rubric Compliance:
  • All PHI processed under signed BAA
  • Minimum necessary data access enforced
  • De-identification options available for evaluation datasets
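The Safe Harbor method listed above is mechanical enough to show in code. The following is an added example, not Rubric's own de-identification code: it applies a simplified Safe Harbor pass to FHIR R4 Patient-shaped records (strip direct identifiers, keep only the year of dates, reduce ZIP codes to three digits or 000 for sparsely populated prefixes, and collapse ages over 89 into a single bucket). The sample patients, the `ageBucket` annotation and the restricted ZIP-prefix set are constructed for illustration; a real implementation derives that set from Census data and covers the full list of eighteen identifier types.

```python
"""HIPAA Safe Harbor de-identification of FHIR R4 Patient resources.

Added example, not Rubric's code. Simplified Safe Harbor: remove direct
identifiers, keep only the year of dates, truncate ZIP codes, and aggregate
ages over 89 into a "90 or older" bucket.
"""
import copy
import re
from datetime import date
from typing import List, Optional

# Three-digit ZIP prefixes that must become 000. Safe Harbor derives this set
# from Census data (areas of 20,000 people or fewer); this set is constructed
# for illustration only and must not be used as-is in production.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Patient elements that carry direct identifiers (resource id, MRNs, names,
# phone/email, photos, emergency contacts) and are dropped outright.
DIRECT_IDENTIFIER_FIELDS = ("id", "identifier", "name", "telecom", "photo", "contact")

# Address elements finer than state; only state and a truncated ZIP survive.
ADDRESS_FIELDS_REMOVED = ("line", "city", "district", "text")


def safe_harbor_zip(postal_code: str) -> str:
    """Return the first three ZIP digits, or 000 if the prefix is restricted."""
    digits = re.sub(r"\D", "", postal_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def safe_harbor_age(birth_date: str, as_of: date) -> str:
    """Age in years from birth year only (full dates are not retained); >89 -> '90+'."""
    age = as_of.year - int(birth_date[:4])
    return "90+" if age > 89 else str(age)


def deidentify_patient(patient: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of a FHIR R4 Patient resource."""
    out = copy.deepcopy(patient)
    for field in DIRECT_IDENTIFIER_FIELDS:
        out.pop(field, None)

    birth_date: Optional[str] = out.pop("birthDate", None)
    if birth_date:
        # ageBucket is a non-FHIR annotation added for the evaluation dataset.
        out["ageBucket"] = safe_harbor_age(birth_date, as_of)
        # Year of birth may stay only if it does not reveal an age over 89.
        if out["ageBucket"] != "90+":
            out["birthDate"] = birth_date[:4]  # partial FHIR date "YYYY"

    # Date of death is a date directly related to the individual: year only.
    if isinstance(out.get("deceasedDateTime"), str):
        out["deceasedDateTime"] = out["deceasedDateTime"][:4]

    for addr in out.get("address", []):
        for field in ADDRESS_FIELDS_REMOVED:
            addr.pop(field, None)
        if "postalCode" in addr:
            addr["postalCode"] = safe_harbor_zip(addr["postalCode"])
    return out


# Constructed sample records; not real patients.
SAMPLE_PATIENTS: List[dict] = [
    {
        "resourceType": "Patient",
        "id": "pat-001",
        "identifier": [{"system": "urn:example:mrn", "value": "MRN-12345"}],
        "name": [{"family": "Doe", "given": ["Jane"]}],
        "telecom": [{"system": "phone", "value": "555-0100"}],
        "gender": "female",
        "birthDate": "1931-04-12",
        "address": [{"line": ["1 Main St"], "city": "Anytown",
                     "state": "NY", "postalCode": "10301"}],
    },
    {
        "resourceType": "Patient",
        "id": "pat-002",
        "name": [{"family": "Roe", "given": ["Richard"]}],
        "gender": "male",
        "birthDate": "1985-06-30",
        "address": [{"city": "Smalltown", "state": "NH", "postalCode": "03601-1234"}],
    },
]


def deidentify_sample(as_of_year: int = 2024) -> List[dict]:
    """De-identify the constructed sample as of 1 January of the given year."""
    as_of = date(as_of_year, 1, 1)
    return [deidentify_patient(p, as_of) for p in SAMPLE_PATIENTS]


if __name__ == "__main__":
    import json
    print(json.dumps(deidentify_sample(), indent=2))
```

Safe Harbor removes identifiers but gives no statistical guarantee; for datasets that must retain finer dates or geography, the Expert Determination method named above is the route, and the evaluation dataset should still be covered by the minimum-necessary and BAA controls listed.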
Security Rule Required Safeguards:
Category         Examples
Administrative   Risk analysis, workforce training, contingency planning
Physical         Facility access controls, workstation security
Technical        Access controls, audit controls, integrity controls, transmission security
Rubric Implementation:
  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Role-based access controls
  • Comprehensive audit logging
Breach Notification Rule Requirements:
  • Individual notification within 60 days of discovery
  • HHS notification for breaches affecting 500+ individuals
  • Media notification for breaches affecting 500+ in a state
Rubric Protocol:
  • 24-hour initial assessment
  • Customer notification within 48 hours
  • Full incident report within 30 days

FDA Regulations for AI/ML Medical Devices

FDA regulates software intended for medical purposes as medical devices under 21 CFR Part 820.
Classification Levels:
Class   Risk Level   Examples                    Regulatory Path
I       Low          Wellness apps               Generally exempt
II      Moderate     Clinical decision support   510(k) clearance
III     High         AI diagnostics, triage      PMA approval
Rubric Relevance: Rubric is an evaluation platform, not a medical device. However, AI systems evaluated by Rubric may be Software as a Medical Device (SaMD) subject to FDA regulation.

21 CFR Part 11 (Electronic Records; Electronic Signatures)

Requirements for electronic records and signatures:
  • Validation: Systems must be validated for intended use
  • Audit Trails: Secure, computer-generated, time-stamped trails
  • Access Controls: Unique user identification, automatic logoff
  • Authority Checks: Ensuring users have permission for actions
  • Device Checks: Ensuring data integrity
Rubric Compliance:
  • Complete audit trail with tamper-evident logging
  • User authentication with MFA option
  • Role-based access controls
  • Data integrity verification
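The "secure, computer-generated, time-stamped" audit trail that Part 11 requires and the tamper-evident logging listed under Rubric Compliance are usually implemented as a hash chain. The block below is an added example, not Rubric's implementation: each entry carries the SHA-256 of the entry before it, so editing, deleting or reordering any record breaks verification of that record and everything after it. The sample activity, user names and targets are constructed; timestamps are injected so the chain is reproducible here, whereas a deployment would take them from a trusted system clock and keep the latest hash (the head) in separate, append-only storage.

```python
"""Tamper-evident, time-stamped audit trail built as a SHA-256 hash chain.

Added example, not Rubric's implementation. Deleting the newest entries is
only detectable when the head hash has been stored out of band.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash value for the very first entry


def entry_digest(body: dict) -> str:
    """SHA-256 over canonical JSON so equal entries always hash identically."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class AuditTrail:
    """Append-only list of chained audit entries."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, user: str, action: str, target: str,
               when: Optional[datetime] = None) -> dict:
        # The timestamp is generated by the system, not typed in by the user;
        # callers may inject one (done below) to make the chain reproducible.
        when = when or datetime.now(timezone.utc)
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "timestamp": when.isoformat(),
            "user": user,
            "action": action,
            "target": target,
            "prev_hash": prev_hash,
        }
        entry = dict(body, hash=entry_digest(body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; persist this separately to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None.

    Sequence numbers catch deleted or reordered records, prev_hash links catch
    replaced records, and the recomputed digest catches edited fields. A chain
    with its newest entries removed passes unless expected_head is supplied,
    in which case len(entries) is returned.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i
                or body.get("prev_hash") != prev_hash
                or entry.get("hash") != entry_digest(body)):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(entries)
    return None


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity with fixed timestamps (not real events)."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("analyst1", "VIEW", "Patient/pat-001", t0)
    trail.record("analyst1", "EXPORT", "dataset/eval-42", t0.replace(minute=5))
    trail.record("admin2", "ROLE_CHANGE", "user/analyst1", t0.replace(minute=30))
    return trail


def tampered_copies(trail: AuditTrail) -> Tuple[List[dict], List[dict], List[dict]]:
    """Three alterations a verifier must notice: edit, delete in the middle, truncate."""
    edited = json.loads(json.dumps(trail.entries))   # deep copy
    edited[1]["action"] = "VIEW"                     # rewrite an EXPORT as a VIEW
    deleted_middle = trail.entries[:1] + trail.entries[2:]
    truncated = trail.entries[:-1]                   # drop the newest entry
    return edited, deleted_middle, truncated


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_chain(trail.entries, trail.head()))
    for name, copy_ in zip(("edited", "deleted", "truncated"), tampered_copies(trail)):
        print(name, "-> first bad index:", verify_chain(copy_, trail.head()))
```

A hash chain makes tampering detectable but not impossible: an attacker who can rewrite the whole file can recompute every hash. Anchoring the head in storage the application cannot modify (a write-once log service, a periodically signed checkpoint, or a separate system) is what turns detection into an actual control, and that anchoring is the part this example leaves to the deployment.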

FDA AI/ML Guidance Documents

Key Guidance:
  1. Predetermined Change Control Plan (PCCP): Framework for modifications to AI/ML-based SaMD
  2. Good Machine Learning Practice (GMLP): 10 guiding principles for AI/ML development:
    • Multi-disciplinary expertise
    • Good software engineering practices
    • Representative data
    • Independent datasets
    • Model design transparency
    • Focus on performance in clinically relevant conditions
    • Human-AI team performance consideration
    • Testing in real-world conditions
    • Clear user communication
    • Monitoring of deployed models
  3. Clinical Decision Support Guidance: Criteria for CDS software exemption from device regulation

HITECH Act

Health Information Technology for Economic and Clinical Health Act (2009)
Strengthened HIPAA enforcement and established:
  • Increased penalties for HIPAA violations (up to $1.5M per violation category per year)
  • Breach notification requirements
  • Business associate direct liability
  • Meaningful Use incentives for EHR adoption
Penalty Tiers:
Tier   Culpability                       Minimum   Maximum
1      Did not know                      $100      $50,000
2      Reasonable cause                  $1,000    $50,000
3      Willful neglect (corrected)       $10,000   $50,000
4      Willful neglect (not corrected)   $50,000   $1.5M

State Privacy Laws

California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
Key Rights:
  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of data sales
  • Right to non-discrimination
  • Right to correct inaccurate information (CPRA)
Healthcare Exemption: PHI governed by HIPAA is generally exempt, but de-identified consumer data may be subject to CCPA/CPRA.
Several states have additional health privacy requirements:
State           Law                 Key Provisions
Texas           THIPA               Stricter consent requirements
New York        SHIELD Act          Data security requirements
Massachusetts   201 CMR 17.00       Comprehensive data security
Washington      My Health My Data   Consumer health data protection
Rubric Approach: Comply with most restrictive applicable requirements.

International Regulations

European Union

General Data Protection Regulation (GDPR)

Key Principles:
  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability
Special Category Data: Health data requires explicit consent or a specific legal basis.
Data Subject Rights:
  • Access, rectification, erasure
  • Restriction of processing
  • Data portability
  • Object to processing
  • Not be subject to automated decision-making
Cross-Border Transfer: Requires adequacy decision, SCCs, or BCRs.

EU AI Act

Risk-Based Classification:
Risk Level     Examples                                  Requirements
Unacceptable   Social scoring, subliminal manipulation   Prohibited
High           Medical devices, AI diagnostics           Conformity assessment, registration, monitoring
Limited        Chatbots                                  Transparency requirements
Minimal        Spam filters                              No requirements
Healthcare AI: Typically classified as high-risk, requiring:
  • Risk management system
  • Data governance
  • Technical documentation
  • Record-keeping
  • Transparency and user information
  • Human oversight
  • Accuracy, robustness, cybersecurity

EU Medical Device Regulation (MDR)

Regulation (EU) 2017/745 for medical devices, including software.
Classification (Annex VIII Rule 11):
  • Software intended to provide information for diagnostic/therapeutic decisions: Class IIa minimum
  • Decisions with serious impact: Class IIb or III
Requirements:
  • CE marking
  • Conformity assessment
  • Post-market surveillance
  • Unique Device Identification (UDI)

United Kingdom

Post-Brexit Framework:
  • UK GDPR: Retained EU GDPR with modifications
  • MHRA: Medicines and Healthcare products Regulatory Agency regulates medical devices
  • UKCA Marking: Required for medical devices (transition period from CE marking)
AI Regulation: UK taking sector-specific approach rather than horizontal AI legislation.

Canada

Personal Information Protection and Electronic Documents Act (PIPEDA)

10 Fair Information Principles:
  1. Accountability
  2. Identifying purposes
  3. Consent
  4. Limiting collection
  5. Limiting use, disclosure, retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual access
  10. Challenging compliance
Health Information: Provincial health privacy laws may also apply (e.g., PHIPA in Ontario).
Medical Device Regulations for Software as a Medical Device:
  • Classification based on risk (Class I-IV)
  • Medical Device Establishment License (MDEL)
  • Device licensing for Class II-IV
  • Quality management system requirements

Industry Standards & Frameworks

Security Frameworks

SOC 2 (Service Organization Control 2)

Trust Services Criteria:
Principle              Description
Security               Protection against unauthorized access
Availability           System availability for operation
Processing Integrity   Complete, accurate, timely processing
Confidentiality        Information designated as confidential
Privacy                Personal information collection and use
SOC 2 Type I: Controls at a point in time
SOC 2 Type II: Controls over a period (typically 6-12 months)
Rubric Status: SOC 2 Type II certified

HITRUST CSF (Health Information Trust Alliance Common Security Framework)

Control Categories:
  • Information Protection Program
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Wireless Security
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Transmission Protection
  • Password Management
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training & Awareness
  • Third Party Assurance
  • Incident Management
  • Business Continuity & Disaster Recovery
  • Risk Management
  • Physical & Environmental Security
  • Data Protection & Privacy
Certification Levels: e1 (essential), i1 (implemented), r2 (risk-based)
Rubric Status: HITRUST r2 certified

ISO/IEC 27001

International standard for information security management systems (ISMS).
Key Components:
  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement
Annex A Controls: 93 controls across 4 themes (organizational, people, physical, technological)

Healthcare Interoperability Standards

Fast Healthcare Interoperability Resources (FHIR)

Key Concepts:
  • Resources: Basic units of interoperability (Patient, Observation, etc.)
  • RESTful API: Standard HTTP methods for CRUD operations
  • Profiles: Constraints on resources for specific use cases
  • Implementation Guides: Detailed specifications for implementations
US Core: Required profiles for US healthcare interoperability
Rubric Integration: Native FHIR R4 support for data ingestion and export

Digital Imaging and Communications in Medicine (DICOM)

Components:
  • Information Object Definitions (IODs)
  • Service Classes (Store, Query/Retrieve, Worklist)
  • Communication Protocols
  • Media Storage
Conformance Statement: Documentation of supported features
Rubric Integration: DICOMweb support (WADO-RS, STOW-RS, QIDO-RS)

Compliance Certifications

Rubric Compliance Status

HIPAA

Status: Compliant
  • Business Associate Agreements available
  • Annual risk assessments
  • Workforce training program
  • Breach notification procedures

SOC 2 Type II

Status: Certified
  • Annual audit by independent CPA firm
  • All five trust principles
  • Continuous control monitoring

HITRUST r2

Status: Certified
  • Comprehensive healthcare security
  • Risk-based approach
  • Two-year certification cycle

21 CFR Part 11

Status: Capable
  • Audit trails
  • Electronic signatures
  • System validation support

Regulatory Resources

Official Sources

Regulation            Authoritative Source
HIPAA                 HHS.gov/hipaa
FDA Medical Devices   FDA.gov/medical-devices
GDPR                  GDPR.eu
EU AI Act             EU AI Act
HITRUST               HITRUST Alliance
HL7 FHIR              hl7.org/fhir

Disclaimer: This reference is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for guidance on specific regulatory compliance requirements.