U.S. Healthcare AI Governance Framework Agreed by 200 Hospitals: Insights for Chinese Hospitals

The Launch of the World’s First Systematic

Healthcare AI Governance Framework In the realm of U.S. healthcare AI, the long-awaited “rulebook” has finally arrived. Spearheaded by renowned medical institutions such as Mayo Clinic, Cleveland Clinic, Massachusetts General Hospital (Mass General Brigham), MD Anderson Cancer Center, Stanford Health Care, and UCLA Health, the Coalition for Health AI (CHAI) has partnered with approximately 200 healthcare institutions and technology companies to unveil the “AI Governance Playbooks.” This is being hailed as the world’s first and most comprehensive operational manual that systematically defines the implementation of AI in healthcare. Spanning 228 pages, this framework is not the unilateral product of government or a single industry body but rather the outcome of a consensus reached among a diverse group of stakeholders directly involved in clinical practice. It aims to serve as a practical guide for balancing “the swift adoption of accurate AI” with “the early cessation of flawed AI” in the rapidly evolving landscape of healthcare AI.

The Four Pillars and Five Sub-Domains of the

Framework The CHAI framework is based on the international standard for AI management systems, ISO/IEC 42001. What sets this framework apart is its adaptation of this general global standard into actionable steps tailored to the specific needs of the healthcare sector. The governance structure is organized into four main domains: - AI Policy: This domain goes beyond abstract ideals like “responsible AI use.” It specifies operational details such as whether generative AI (GenAI) and AI features embedded in electronic health records (EHRs) should fall under governance, what approval processes should be in place, and who is responsible for updating policies. - Organizational Structure: The establishment of an AI Governance Committee (AIGC) is mandatory. Whether as an independent entity or as part of an existing data governance committee, its absence is not an option. Furthermore, this committee must be substantive, with clearly defined roles for who is responsible, accountable, consulted, and informed (RACI matrix). This underscores that AI governance is fundamentally an organizational issue rather than merely a technical one. - Organizational Resources: This domain outlines the allocation of human, technical, and financial resources to support governance activities. - Organizational Processes: This is the most practical domain, further divided into five sub-domains: 1. AI Lifecycle Management 2. Risk and Impact Assessment 3. Responsible Data Management 4. Third-party (Vendor) Management 5. Education and Training This structure enables hospitals to objectively assess their current state of AI adoption, identify gaps, and determine where they stand in the governance landscape.

Governance Is Not About “More Is Better”—The

Logic of Risk-Based Approaches A standout feature of this report is its “risk-based approach,” which avoids treating all AI solutions uniformly. This approach adjusts the intensity of governance based on the risk level of each AI application, thereby helping healthcare institutions focus their limited resources on the most critical issues. In practical terms, all AI solutions under consideration must pass through three risk-based gates: - Gate 1: Risk Categorization All AI solutions are initially categorized into three risk levels—low, medium, and high. This classification itself serves as the first decision-making checkpoint. - Gate 2: Risk Assessment Only solutions identified as “high risk” in the first gate proceed to this stage. Here, a detailed evaluation of the likelihood and impact of potential harm is conducted. - Gate 3: AI System Impact Assessment Beyond technical risks, this stage evaluates factors such as clinical workflow integration, patient experience, fairness, financial incentives, and even the impact on organizational culture. This step emphasizes the integration of AI not merely as a tool but as an integral part of the organization. This phased process provides simplified onboarding pathways for low-risk AI applications while focusing governance resources on supervising and evaluating high-risk solutions. The report also tackles the emerging issue of “shadow AI” in healthcare, where employees use AI tools like ChatGPT without formal approval. CHAI recommends practical measures to address this, advocating for official, streamlined approval pathways for low-risk tools to ensure compliance and discourage unauthorized use.

Three Challenges and Insights for Chinese

Hospitals This U.S.-based framework could serve as a reflective tool for Chinese hospitals, which are rapidly adopting AI. In particular, it offers valuable insights in the following three areas:

Governance Quality Over AI Quantity Many

Chinese hospitals have implemented multiple AI systems. However, mechanisms to regularly evaluate how these systems function with their specific patient populations are still lacking. The CHAI framework dedicates a sub-domain (4.1 AI Lifecycle Management) to defining each stage of AI implementation, from specifying intended use and pre-deployment testing to pilot verification, continuous monitoring, and eventual decommissioning. These are not merely questions of “if” but “when” hospitals should start implementing such processes.

Clear Guidelines for Contracts with

Third-Party AI Vendors A significant portion of healthcare AI comes from external technology providers, making vendor management a focal point for institutional oversight. CHAI’s sub-domain 4.4 lays out detailed requirements for third-party AI vendors, including obligations to disclose known limitations and risks of their models, clarify data usage rights and training restrictions in contracts, and introduce audit rights and data return clauses. These checklists offer practical legal advice for Chinese hospitals when drafting cooperation agreements with AI vendors.

Ethical Gaps in Patient Transparency and

Informed Consent The most critical and glaring gap in China lies in AI transparency and patients’ right to know. CHAI’s sub-domain 4.5 mandates that hospitals using AI for clinical decision-making must inform patients, at their first visit, about how their health data may be used by AI systems and provide opt-out options where appropriate. This is not an overly advanced U.S. standard—it is a fundamental ethical baseline for patient-centered care. Chinese regulators are likely to implement similar requirements in the future to protect patients’ rights.

Governance Is Not About Slowing AI,

But Getting It Right The 228-page CHAI framework is far from a mere theoretical document. Each control item is accompanied by implementation guidance, step-by-step tasks, tool templates, and differentiated implementation paths for institutions of various sizes. Whether a small regional hospital or a large medical center like the Mayo Clinic, the framework is designed with the flexibility to accommodate different scales and scopes of implementation. The report also cites numerous case studies of failures and near-misses in healthcare AI. These examples frame governance not as a “decorative” or “costly” endeavor but as the “minimum risk standard” necessary for healthcare organizations. AI governance is not about stifling innovation; it is about creating mechanisms to implement the right AI solutions faster and halt flawed ones earlier. The “rulebook” agreed upon by 200 U.S. healthcare institutions poses a universal challenge to healthcare organizations worldwide: to responsibly harness the power of AI as a transformative tool.