AI & Healthcare · 10 min

Generative AI in healthcare: what the regulatory framework actually requires

GDPR, AI Act, HDS, MDR: clarifying what applies to non-clinical AI agents.

The regulatory framework for healthcare AI is often confused with medical devices. This confusion blocks many administrative projects that could move forward quickly, and slows innovation where it brings the most immediate value.

An administrative AI agent (third-party billing, invoicing, collections, scheduling, documentation) is not a medical device and does not fall under MDR. The criterion is intent: an agent that does not contribute to a diagnosis, therapeutic decision or treatment is not a medical device, even when it manipulates health data.

Four texts actually apply. GDPR governs all personal data processing, with reinforced rules for health data. Health-data hosting requirements apply as soon as such data is stored or processed. The AI Act, currently rolling out, qualifies certain AI systems as high-risk, but administrative use largely escapes that classification. And data protection authority doctrine specifies the operational details.

For AI agents, GDPR requires a clear legal basis, data minimization, transparent information to the individuals concerned, and a data protection impact assessment (DPIA) for high-risk processing.

The DPIA must be conducted before production and document risks for individuals: disclosure risk, automated decision risk, re-identification risk. For most administrative agents, these risks are low and the DPIA remains light.

Health-data hosting compliance is non-negotiable. Any vendor that stores or processes health data on behalf of an operator must be certified, or rely on a certified subcontractor. This requirement also covers AI models and vector databases.

The AI Act qualifies as high-risk certain healthcare AI systems, but mainly targets clinical uses (triage, diagnostic aid, emergency management). Administrative systems are generally not in the high-risk scope, which considerably simplifies their deployment.

Understanding this boundary unblocks deployments. Many administrative projects are currently slowed by an over-broad reading of the framework that applies constraints designed for medical devices.

Conversely, some practices remain risky even in administration: training a model on patient data without a clear legal basis, transferring data to non-EU models, or making automated decisions with high impact without human supervision.

Granit publishes a reading grid to qualify in minutes the regulatory risk level of an administrative agent, with the questions to ask the DPO and CISO before launching a project.