EU AI Act for Healthcare AI: What US Health Tech Companies Must Do Before August 2026
The EU AI Act is now enforceable, and healthcare AI is squarely in the high-risk category. If your company's AI touches clinical decisions, patient data, or diagnostic tools and has any EU users, you face mandatory obligations with seven-figure fine exposure.
Enforcement status
High-risk AI system obligations under the EU AI Act became applicable in August 2026. Prohibited AI practices have been enforceable since February 2025. If your healthcare AI product serves EU users, compliance was due before this year's enforcement date — act immediately.
Why Healthcare AI Is Almost Always High-Risk
The EU AI Act creates a risk-based framework. Most AI systems are unregulated or minimally regulated. A subset are "high-risk," triggering extensive obligations. And a narrow set of practices are outright prohibited.
Healthcare AI lands in the high-risk category because Annex III of the Act explicitly enumerates it. AI systems used in the following contexts are automatically high-risk:
- Medical diagnosis, prognosis, or clinical support (including disease detection, risk scoring, and treatment recommendations)
- Patient triage and prioritization (scheduling, emergency dispatch, acuity scoring)
- Disease monitoring and treatment adherence
- AI embedded in Class IIa, IIb, or Class III medical devices under EU MDR or IVDR
- AI used to determine access to or continuation of healthcare services
Notably, AI systems for administrative health functions — scheduling, billing, documentation — may also qualify as high-risk if they make decisions that significantly affect patient access to care. The boundary is contested, and conservative interpretation is advisable given fine exposure.
The Overlap: EU AI Act + EU MDR/IVDR
If your healthcare AI is also regulated as a Software as a Medical Device (SaMD) under the EU Medical Device Regulation (MDR) or In Vitro Diagnostic Regulation (IVDR), you face a layered compliance structure:
| Framework | Focus | Key Obligations |
|---|---|---|
| EU AI Act | AI system risk and transparency | Risk management, data governance, human oversight, conformity assessment, EU registration |
| EU MDR/IVDR | Medical device safety and efficacy | CE marking, clinical evidence, EUDAMED registration, post-market surveillance |
| GDPR | Patient data privacy | Lawful basis for processing, data subject rights, DPIAs, data transfer restrictions |
The EU AI Act includes a "sectoral law" provision: if your AI system is regulated under MDR/IVDR and those regulations provide equivalent conformity assessment requirements, MDR/IVDR compliance can partially satisfy EU AI Act obligations for that system. This requires careful legal analysis — do not assume MDR compliance automatically covers EU AI Act obligations.
High-Risk Healthcare AI Obligations: What You Must Implement
Risk Management System
Establish and maintain a risk management system throughout the AI system's lifecycle. Document identified risks, risk mitigation measures, and residual risk assessments. This is analogous to ISO 14971 risk management for medical devices and should be structured similarly for healthcare AI.
Training, Validation, and Testing Data Governance
Document your training data sources, preprocessing practices, and validation datasets. Healthcare AI faces heightened scrutiny on data representativeness — models trained on non-representative populations (e.g., data from one demographic group) that are deployed broadly may fail the data governance requirements. GDPR and EU AI Act data requirements overlap here.
Technical Documentation
Prepare and maintain technical documentation that covers the system's purpose, design, development process, performance metrics, limitations, and post-deployment monitoring plan. This documentation must be available to EU authorities on request. For US companies, this typically requires maintaining documentation in accessible form for EU market authorities.
Automatic Logging and Record-Keeping
High-risk AI systems must automatically log operations to allow post-hoc review of decisions, detect anomalies, and support post-market surveillance. For healthcare AI, logs must typically capture when the system was used, what inputs were processed, what outputs were generated, and which human made the final clinical decision.
Transparency and User Information
Healthcare professionals using your AI must be informed of its nature, capabilities, limitations, and intended purpose. The system must be designed so clinicians can understand and appropriately override AI recommendations. Opaque 'black box' outputs without explanation mechanisms are problematic under the Act.
Human Oversight Design
The system must be designed to allow appropriate human oversight — including the ability to interrupt, override, or disregard AI output. For clinical AI, this means ensuring workflows are structured so clinicians remain the decision-maker and the AI is advisory. Fully automated clinical decisions (without human review) are high-risk and potentially prohibited in some healthcare contexts.
Conformity Assessment and EU Registration
Before placing a high-risk healthcare AI on the EU market, you must complete a conformity assessment. Depending on whether your system falls under MDR/IVDR, this may involve a Notified Body. Register the system in the EU AI Systems Database (operated under EUDAMED for healthcare AI).
EU Representative (if no EU establishment)
US companies without an EU establishment must designate an EU-based authorized representative before deploying high-risk AI in the EU. This representative has legal liability for compliance and is the contact point for EU market surveillance authorities.
What Is Prohibited (Not Just Regulated)
Beyond high-risk obligations, the EU AI Act outright prohibits certain AI practices. In healthcare contexts, watch especially for:
- AI that exploits patient vulnerabilities: Systems that exploit age, disability, mental health status, or other vulnerabilities to influence healthcare decisions in ways that harm patient interests are prohibited. AI-driven upselling of services to vulnerable patients is an example.
- Social scoring in healthcare access: Using AI-generated social or behavioral scores to restrict access to healthcare — similar to how credit scoring works — may constitute prohibited social scoring if applied to general-purpose life domains.
- Real-time biometric identification in public spaces: Relevant for health systems using AI-powered facial recognition in hospitals or clinics (e.g., for patient identification). Limited exceptions apply for law enforcement; general healthcare administrative use is a gray area requiring legal review.
Healthcare AI Compliance Checklist
Determine whether your AI system is high-risk under Annex III (clinical AI typically is)
Assess whether your system also requires MDR/IVDR compliance and map the overlap
Implement a documented risk management system covering the AI lifecycle
Audit training and validation data for representativeness and GDPR compliance
Prepare technical documentation per EU AI Act Annex IV requirements
Implement automatic logging for high-risk system operations
Design clinician-facing transparency features: outputs with explanations and confidence indicators
Ensure workflows enforce human oversight and override capability
Complete conformity assessment and register in EU AI Systems Database
Designate an EU authorized representative if no EU establishment exists
Establish a post-market monitoring plan and incident reporting process
Train clinical and product staff on EU AI Act obligations
Frequently Asked Questions
Does the EU AI Act apply if we only sell to EU hospitals, not directly to patients?
Yes. The Act applies to AI systems placed on the EU market or deployed within the EU — the end user's identity (hospital vs. patient) doesn't change the applicability. Selling to EU hospitals means you are placing the system on the EU market and must comply.
We're a small US health tech startup. Do we really need to comply?
If you have EU users or EU hospital customers, yes. The EU AI Act does provide some reduced obligations for small and micro enterprises regarding conformity assessment procedures and regulatory sandboxes, but the core high-risk obligations (risk management, documentation, human oversight) apply regardless of company size. Fines are calculated as a percentage of global turnover, so smaller companies face smaller absolute amounts — but the compliance obligations are not waived.
How does the EU AI Act interact with HIPAA?
They don't directly conflict, but they operate in parallel. HIPAA governs US-based protected health information. The EU AI Act governs AI system design and deployment risk. GDPR governs EU patient data. A US health tech company with EU operations likely needs to comply with all three frameworks simultaneously. The data governance and documentation requirements across these frameworks can be integrated, though the legal bases and enforcement mechanisms differ.
What if we're already CE-marked as a medical device?
CE marking under MDR/IVDR satisfies some EU AI Act requirements for AI systems embedded in medical devices, particularly around conformity assessment. The EU AI Act's Article 11 includes provisions to avoid duplication with sector-specific legislation. However, CE marking does not automatically satisfy all EU AI Act obligations — particularly around logging, human oversight design, and EU AI database registration. Consult a regulatory attorney to map the specific overlap for your device class.
Compare AI Compliance Tools for Healthcare
Several vendors offer AI governance, risk management, and compliance software built for regulated industries including healthcare. Compare them on RatedWithAI to find tools that support EU AI Act documentation, audit logging, and human oversight requirements.
Read: EU AI Act Compliance for SaaS Companies →Key Takeaways
- Healthcare AI is explicitly classified as high-risk under the EU AI Act, triggering the most stringent compliance obligations.
- US health tech companies with EU hospital customers or EU-based patients are in scope — location of incorporation is irrelevant.
- High-risk obligations include risk management systems, data governance, technical documentation, automatic logging, human oversight design, conformity assessment, and EU database registration.
- If your AI is also regulated as a medical device under MDR/IVDR, partial overlap exists but CE marking does not automatically satisfy EU AI Act requirements.
- Non-compliance fines reach €15M or 3% of global turnover for high-risk violations — act immediately if you have not started compliance work.