AI in healthcare: The HAS and the CNIL publish a draft guide to provide practical support for professionals
CNIL/HAS Guide: ‘Supporting the proper use of artificial intelligence systems in healthcare’
Due to their particularly sensitive nature, the processing of health data is subject to enhanced regulation, at the intersection of the GDPR, health law and, now, the European Regulation on Artificial Intelligence (RIA). The implementation of the first obligations relating to high-risk systems under the AI Regulation could, moreover, be postponed from 2 August 2026 to 2 December 2027 following a provisional political agreement reached last May between the Council and the Parliament.
The rise of artificial intelligence (AI) systems in healthcare practice further emphasises this requirement. Today, nearly 65% of the 110 healthcare establishments surveyed already use AI tools for tasks such as diagnostic support, medical imaging, the organisation of care pathways or assistance with medical documentation.
It is against this backdrop that the French National Authority for Health (HAS) and the CNIL published, last March, a draft joint guide on the ‘proper use of artificial intelligence systems in healthcare settings’. This guide was then put out for public consultation until 16 April, meaning it may be subject to further development or additions in the future.
An integrated approach combining quality of care and data protection
The guide’s main contribution lies in the articulation of two approaches that have until now often been treated separately. On the one hand, the HAS traditionally focuses on quality, safety and the organisation of care. On the other, the CNIL regulates the processing of personal data through the principles of the GDPR, notably: lawfulness, transparency, data minimisation, security and accountability.
The guide explicitly combines these two approaches and sets out a key principle: an AI system used in healthcare can only be considered acceptable if it is both medically relevant and legally compliant.
This approach encourages healthcare stakeholders to take a holistic view of their AI projects from the outset, developing the technical aspects whilst fully integrating regulatory requirements.
A responsibility that remains entirely human
By default, the GDPR prohibits any fully automated medical decision that would have a significant effect on an individual (such as an impact on the implementation of treatment or the prioritisation of care). Significant human intervention in the decision-making process is therefore required.
However, the guide points out that no autonomous liability regime applicable to medical AI currently exists. Liability therefore continues to be assessed according to the traditional rules of medical law and general law. In practice, the healthcare professional remains responsible for their decisions, even when relying on an AI system.
The document thus emphasises the need to maintain effective human supervision. AI can assist, guide or partially automate certain tasks, but it cannot replace the healthcare professional’s clinical judgement.
The guide recommends, in particular, that results produced by an AI system and incorporated into the medical record should be systematically reviewed by the healthcare professional themselves. It also specifies that an AI-generated report should not be validated by a person who did not participate in the consultation or the medical procedure in question.
Towards operational governance of AI systems
The guide adopts an operational approach to the compliance of AI systems in healthcare. This is not envisaged as a mere documentary or declaratory process, but as a continuous process of governance and risk management.
The document thus covers the entire lifecycle of AI systems: acquisition, contracting, deployment, use, performance monitoring, maintenance and decommissioning. In line with this, the two authorities recommend the establishment of a structured governance framework involving, in particular, an AI lead, a DPO, a CIO and quality and risk management functions.
One of the guide’s most practical contributions lies in the creation of a mapping of the AI systems deployed within healthcare organisations. This should enable, amongst other things, the identification of the tools used, their risk level in accordance with the classification set out in the European AI Regulation, their criticality for the organisation of care and patient management, the categories of data processed, and the monitoring procedures (indicators, incidents, traceability, feedback, etc.).
The guide thus reflects a genuine approach to technology governance in healthcare, inspired by established mechanisms in the fields of cybersecurity and data governance.
Transparency and patient information: the relationship between the GDPR and medical law
The guide also reinforces transparency requirements towards patients.
The requirement for transparency goes beyond the information obligations set out in the GDPR: the HAS and the CNIL explicitly link the protection of personal data with the requirements of medical law and informed consent.
Patients must therefore be informed of:
- the use of an EHR in their care;
- the processing of their personal data;
- any secondary re-use of the data;
- and, where applicable, the fact that they are interacting directly with an AI system.
The guide also provides an important clarification: in a healthcare context, the use of an AI system does not generally rely on the patient’s consent within the meaning of the GDPR. The processing of health data is most often based on the medical care itself and on the exceptions provided for in Article 9 of the GDPR for healthcare purposes.
This clarification helps to avoid a common confusion between the patient’s medical consent to their care and consent as the legal basis for the processing of personal data.
A benchmark for healthcare stakeholders
Although this guide is not legally binding, it is intended to become a benchmark for healthcare organisations and professionals wishing to deploy an AI system.
Beyond reiterating existing obligations, the document emphasises above all that AI in healthcare requires a genuine approach to governance, supervision and continuous risk management.