The EU AI Act regulates AI by risk. Which risk category a tool that drafts clinical notes falls into depends on the specific use and is not finally settled for medical documentation AI. Transparency is central in any case: it must be clear that the content was produced with AI, and the authorised practitioner must review and approve the draft. The AI Act does not replace GDPR - it adds requirements on top. The requirements are rolled out in stages towards 2026-2027.
What is the EU AI Act?
The EU AI Act is the EU's common regulation for artificial intelligence. It entered into force in August 2024. The requirements apply in waves towards 2026-2027. The regulation divides applications into four risk levels:
- Unacceptable risk - prohibited (for example social scoring).
- High risk - stricter requirements for risk management, data quality, documentation and human oversight.
- Limited risk - transparency requirements, among them that the user knows AI is being used.
- Minimal risk - no special requirements.
The greater the risk to people, the more requirements apply. Where a documentation tool that drafts under human control sits depends on the specific use and is not finally settled for medical documentation AI. Follow the authorities' guidance - in Denmark, Digitaliseringsstyrelsen collects guidance at digst.dk. Transparency is a central requirement in any case.
The regulation does not replace GDPR. The two sets of rules apply side by side. GDPR regulates the processing of personal data - in a clinic typically under Article 6 and Article 9 on health data, plus a data processing agreement under Article 28. The AI Act adds requirements on top, on the AI system itself: how it is built, documented and monitored. The clinic must address both.
Does the EU AI Act apply to AI documentation?
Yes. The AI Act applies to AI systems placed on the market or put into use in the EU - including in the healthcare sector. A tool that transcribes a consultation and writes a draft clinical note is an AI system under the regulation. Which specific requirements apply depends on which risk category the use falls into.
Which risk category a pure documentation tool falls into depends on the specific use and is not finally settled for medical documentation AI - follow the authorities' guidance. Transparency is a central requirement in any case: it must be clear that AI is being used. That aligns with the record-keeping rules. The authorised practitioner still bears responsibility for the record under the record-keeping order, whether a note is written by hand or produced with AI. The note must be read through and approved before it stands as a record. More on the legal framework in the guide on lawful AI documentation.
Is AI for documentation a high-risk system?
It depends on what the tool does. The AI Act's high-risk category (Annex III) covers, among other things, systems used to make or support decisions about people. A system that makes diagnoses, prioritises patients or recommends treatment may fall here - often together with the rules on medical devices (MDR), which can pull a tool into high risk along a separate track. High risk triggers stricter requirements for risk management, data quality, technical documentation, logging and human oversight.
A tool that makes a draft the practitioner reads through, corrects and approves differs from a system that makes independent clinical decisions. The first is documentation support under human control. The second is clinical decision support. The classification cannot be settled in general - it follows from the system's purpose and function and from the authorities' guidance. The Danish authority responsible for AI oversight collects guidance at digst.dk. Follow the updated guidance for the specific use.
Who bears responsibility when AI is used?
The authorised practitioner. Responsibility for the record follows from the record-keeping order and is not moved by an AI tool or a vendor. An AI draft is a draft until the practitioner has read it through, corrected it and approved it. Only then does it stand as a record, and the responsibility is the practitioner's.
Responsibility is distributed across three levels. The vendor of the AI system must meet the AI Act's requirements for the system itself. The clinic is the data controller under GDPR and must have a data processing agreement under Article 28 in place. The individual practitioner bears the professional record responsibility for each note. The roles do not replace one another - they apply at the same time.
What should the clinic be aware of?
Four requirements recur when AI is used for documentation:
- Transparency - the patient is informed that an AI tool is being used.
- Human oversight - the practitioner reads the draft through, corrects and approves it before it is saved as a record.
- Documentation - the clinic can account for how the tool is used and how data is processed - in practice through the data processing agreement and a record of processing activities.
- Data minimisation - only necessary information is collected, and it is not kept longer than necessary.
Choose a vendor that processes data within the EU and can provide a data processing agreement under GDPR Article 28. At People's Clinic, data is processed within the EU (Frankfurt), the authorised practitioner retains professional responsibility for the record, and the transcription is deleted after up to 90 days. See more under data and security or integrations.
This guide is general orientation about the rules - not legal advice. If you are in doubt about your clinic's situation, seek specific advice. The relevant authorities are Datatilsynet and Styrelsen for Patientsikkerhed, and guidance on the AI Act is collected at digst.dk.