
How to Align Medical AI with the EU AI Act and MyHealth@EU

The integration of Artificial Intelligence (AI) into healthcare is moving faster than ever. However, for European developers, this innovation comes with a formidable “dual-compliance” challenge. On one hand, AI-based Clinical Decision Support Systems (CDSS) are classified as high-risk under the EU AI Act, requiring strict safety and transparency controls. On the other, the cross-border exchange of this health data must satisfy the rigorous interoperability standards of the MyHealth@EU network.

Usually, these two requirements are treated separately: one as a legal matter, the other as a technical one. But neglecting either one can stall deployment. To solve this, the ChatMED team has published a comprehensive new tutorial titled “AI Act Compliance Within the MyHealth@EU Framework” in the Journal of Medical Internet Research (JMIR).

Here is how this new blueprint ensures that AI-enabled clinical systems are compliant from “Day 1”.

The Challenge: Vertical Safety vs. Horizontal Transport

The core conflict lies in the directions of regulation. The AI Act is “vertical”: it regulates the functionality of the system (e.g., risk management, human oversight). MyHealth@EU is “horizontal”: it regulates the transport of data between member states via OpenNCP gateways to ensure semantic integrity.

The problem? Standard cross-border messages (like Patient Summaries) were not built to carry the complex metadata required to explain an AI’s decision to a doctor in another country.

The Solution: A Harmonized Framework

Our tutorial provides a practical, phase-oriented roadmap that translates legal obligations into engineering artifacts.

1. The Implementation Checklist. We developed a step-by-step checklist that aligns AI Act controls with MyHealth@EU conformance steps. It covers everything from Phase 0 (Project Framing), confirming clinical scope and establishing an Annex IV repository, to Phase 4 (Post-Market Monitoring), where model drift metrics are collected and serious incidents are reported to EU portals.

2. Minimal Technical Extensions. To ensure transparency without breaking existing systems, the paper proposes a “minimal extension set” for HL7 CDA and HL7 FHIR standards. These lightweight additions allow systems to flag:

  • AI Contribution Status: Was this data generated by AI?
  • Risk Classification: Is this a high-risk system?
  • Explainability Rationale: Why did the AI make this decision?
  • Technical File Link: A direct link to the Annex IV documentation for auditors.
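As an added illustration (not code from the paper or the ChatMED project), the following Python sketch shows how these four flags could travel as FHIR extensions on an Observation, together with a gateway-side conformance check that rejects an AI-generated result lacking its rationale or Annex IV link. The extension URLs and risk codes are placeholders; the paper's canonical definitions are not reproduced on this page.

```python
from urllib.parse import urlparse

# Placeholder extension URLs and risk codes (assumptions: the canonical
# definitions from the paper's extension set are not reproduced on this page).
EXT_BASE = "http://example.org/fhir/StructureDefinition/"
EXT = {
    "contribution": EXT_BASE + "ai-contribution-status",    # AI Contribution Status
    "risk": EXT_BASE + "ai-risk-classification",            # Risk Classification
    "rationale": EXT_BASE + "ai-explainability-rationale",  # Explainability Rationale
    "techfile": EXT_BASE + "ai-technical-file-link",        # Technical File Link
}
RISK_CODES = ("high-risk", "not-high-risk")

def build_observation(ai_generated, risk_code, rationale, techfile_url, value):
    """Build a minimal FHIR Observation carrying the four AI flags as extensions."""
    return {
        "resourceType": "Observation",
        "status": "final",
        "code": {"text": "AI-assisted clinical suggestion"},  # constructed sample code
        "valueString": value,
        "extension": [
            {"url": EXT["contribution"], "valueBoolean": ai_generated},
            {"url": EXT["risk"], "valueCode": risk_code},
            {"url": EXT["rationale"], "valueString": rationale},
            {"url": EXT["techfile"], "valueUrl": techfile_url},
        ],
    }

def check_ai_flags(resource):
    """Gateway-side conformance check; returns a list of findings (empty = passes).
    AI-generated data must carry a known risk code, a non-empty rationale and an
    https link to its technical file. Non-AI data needs only the status flag."""
    ext = {e.get("url"): e for e in resource.get("extension", [])}
    contrib = ext.get(EXT["contribution"])
    if contrib is None:
        return ["missing AI contribution status"]
    if contrib.get("valueBoolean") is not True:
        return []  # human-authored data: the other three flags are not required
    findings = []
    if ext.get(EXT["risk"], {}).get("valueCode") not in RISK_CODES:
        findings.append("missing or unknown risk classification")
    if not str(ext.get(EXT["rationale"], {}).get("valueString") or "").strip():
        findings.append("missing explainability rationale")
    link = urlparse(str(ext.get(EXT["techfile"], {}).get("valueUrl") or ""))
    if link.scheme != "https" or not link.netloc:
        findings.append("technical file link missing or not an https URL")
    return findings
```

In a real OpenNCP-style deployment the check would run before the message leaves the national gateway, so a non-conformant AI result is caught and logged rather than forwarded to another member state.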

3. Integrated Monitoring. The framework also harmonizes post-market surveillance. It aligns the AI Act’s requirement for continuous monitoring (e.g., detecting adversarial attacks or prompt injection) with MyHealth@EU’s existing incident aggregation system. This means that if a model fails or is attacked, the incident is reported through a single, unified pipeline that satisfies both regimes.

Why This Matters

This work represents a necessary shift in how we build medical software. By engineering AI Act safeguards and MyHealth@EU interoperability rules together from the start, developers can reduce duplication of effort and streamline conformance testing.

As stated in the paper: “AI-enabled clinical software succeeds only when AI Act safeguards and MyHealth@EU interoperability rules are engineered together from day 0”.

This tutorial is now available as a blueprint for developers, architects, and policymakers who are building the next generation of trustworthy, cross-border European healthcare.

The whole paper is available in the Knowledge Repository and at https://www.jmir.org/2025/1/e81184.
