Navigating the EU AI Act: Is Your Documentation Software a High-Risk Device?

In modern hospitals, AI and medical documentation automation promise efficiency. Yet under the new EU AI Act even administrative tools can be deemed high-risk. We examine how KIS integration and unstructured data analysis fit into this regulatory framework, and how secure on-premise medical AI like Olingo Medical addresses compliance.

Is AI-powered documentation software high-risk under the new EU rules?

In the EU AI Act, an AI system is high-risk if it directly supports medical decisions (www.complyone.io). This typically covers diagnostic or treatment tools. By contrast, purely administrative tools are generally not labeled high-risk. For example, a speech transcription tool by itself isn’t automatically high-risk. But if it feeds into patient care processes or billing predictions, it may qualify. Any AI that influences patient care or is part of a regulated medical device is treated as high-risk (www.complyone.io). Even seemingly innocuous tools should be reviewed for hidden risk, especially if they handle clinical data.

Tech Tip

How do I know if my software is ‘high-risk’?

If the AI affects diagnosis, treatment or clinical coding, treat it as high-risk under the AI Act (www.complyone.io). If it’s purely administrative (scheduling or basic note-taking) with no patient impact, it’s likely low-risk.

How do the AI Act and Medical Device Regulation overlap?

MDCG guidance clarifies that medical software with AI must satisfy both laws. Any AI component of a CE-marked device automatically meets the AI Act’s high-risk criteria (www.jdsupra.com). At the same time, high-risk AI status doesn’t change your device’s MDR class – it just adds extra rules. In practice, if an AI feature is part of a CE-certified medical system, treat it as high-risk under the AI Act (www.jdsupra.com). The recommendation is to integrate compliance: fold the AI Act’s requirements into your existing MDR processes rather than starting new ones.

For example, manufacturers should add the AI Act’s data governance, logging and transparency controls into their existing MDR Quality Management System (www.jdsupra.com). Both regulations demand continuous risk management, so you can build AI-specific tests into your safety protocols. The key is to extend your current MDR procedures with AI Act rules (www.jdsupra.com), capturing data lineage and human oversight in the same QMS.

Tech Tip

Does our ISO 13485 QMS cover this?

It covers the basics, but you must add AI-specific steps. Document how your AI was trained and validated, how biases are prevented, and ensure post-deployment monitoring. In other words, integrate AI data logs and review checkpoints into your existing quality system (www.jdsupra.com).

Key compliance deadlines: August 2026 and 2027

The EU AI Act phases in over time. The first deadline is 2 August 2026. By then, the AI Act’s Article 50 transparency requirements take effect: you must document your AI’s purpose, performance metrics, and human oversight measures (fontvera.eu). The full high-risk regime follows by late 2027: any covered AI needs complete CE marking and a validated technical file under the AI Act (fontvera.eu). Mark your calendar: transparency documentation is due Aug 2026, and full high-risk compliance by Dec 2027 (fontvera.eu).

| Deadline | Requirement |
| --- | --- |
| Aug 2, 2026 | Article 50 transparency obligations – provide documentation on AI scope, accuracy, training data and human oversight. |
| Dec 2, 2027 | Annex III high-risk obligations – full compliance (risk management, testing, CE marking for medical AI). |

Tech Tip

What exactly happens Aug 2026?

By that date, you must publish basic information about your AI tool (purpose, design, accuracy). It’s like adding an AI fact sheet to your document file. Full safety and audit compliance (the heavy work) kicks in after Dec 2027.

Preparing for full AI compliance: quality and risk management

Putting an AI tool into a hospital requires thorough documentation. High-risk AI demands a continuous risk management process much like MDR devices (www.jdsupra.com). Every algorithm update or data change must trigger a review. You also need detailed technical files: include model accuracy, validation results, and defined failure modes. The AI Act emphasizes data quality. For example, you must show that your training datasets are representative and bias-free (www.jdsupra.com). Keep exhaustive records of your AI’s development and performance – it’s mandated by the new rules (www.jdsupra.com).

- Maintain a documented AI risk management plan (reanalyze safety with each software update).
- Use only high-quality, representative data for training and testing (www.jdsupra.com) to avoid unintended bias.
- Keep detailed logs: record training datasets, model versions, validation results and performance metrics.
- Implement incident reporting: monitor how the AI performs in practice and log any problems or unexpected outcomes.

Tech Tip

Why document every AI update?

The AI Act requires traceability. Every new model version or data addition is treated like a new ‘device version’, triggering risk review. Keep a change log so you can quickly answer auditor questions.

Why on premise deployment is crucial

An important way to cut risk is to run AI on premise. That way, all patient data and AI processing stay inside the hospital’s IT environment. On-premise AI means patient data never leaves the firewall, satisfying strict GDPR/DSGVO and NIS2 security requirements. Olingo Medical is designed for on-premise inference: we install the software on your servers, not in a public cloud. We extract and convert notes into standard FHIR/HL7 records internally, and our in-house LLM generates reports without sending data outside. This eliminates cloud data leaks and gives your IT team full control of AI logs. The result is both compliance and efficiency: clinicians see speed gains knowing their data is secure, and IT avoids regulatory traps. For example, Olingo’s OCR pipeline digitizes admissions and discharge letters to FHIR format immediately, and our automated coding engine suggests ICD-10/OPS (G-DRG) codes to prevent revenue loss.

Tech Tip

How does on premise inference help us?

By keeping all computation on site, your hospital maintains control over patient data (GDPR) and follows cybersecurity rules (NIS2). In other words, it’s a trusted zone with built-in audit logs – much easier than managing cloud risk.

Need a secure AI strategy? For advice on KIS integration or safe on-premise deployment, contact info@ollsoft.ai.

How Olingo Medical addresses these challenges

- Olingo Speech: Fully automated on premise transcription of doctor-patient conversations. Doctors speak naturally (ward rounds, ER, even ambulances) and the AI writes structured notes directly into the KIS via FHIR/HL7. This saves up to 60% of documentation time.
- Olingo OCR: High-fidelity text extraction from referral letters, PDFs and handwritten forms. We convert paper records into structured data (FHIR/HL7) automatically, so no manual data entry and no more lost referrals.
- Olingo LLM (Medical Intelligence Engine): A fine-tuned local language model. It generates discharge summaries and clinical answers, and summarizes long histories – all on your own servers. Patient data never goes to public clouds or ChatGPT.
- Automated Coding & Analytics: Our AI reads clinical text to suggest precise ICD-10 and OPS codes for billing. It helps prevent missed reimbursement (MDK-safe claims) and lets analysts mine thousands of records for bottlenecks or risk predictions.

All of these modules run fully on your premises (Munich/Prague), delivering EU-compliant AI without external data exposure. For a demo or integration plan, email info@ollsoft.ai.

Conclusion

Automated medical documentation brings big gains but new compliance work. You must convert loose data into structured records (using FHIR/HL7), and update your QMS to cover AI. Olingo Medical is specifically built for this: it transforms chaotic notes and scans into standardized data on site, and manages privacy by design. Our teams in Munich and Prague know both MDR and the AI Act inside out. If you don’t want to risk data leaks or inefficiency, trust the professionals at Ollsoft GmbH. Contact us at info@ollsoft.ai.

FAQ

1. Q: What makes an AI system 'high-risk' under the EU AI Act? A: A high-risk AI is one used for individual diagnosis, treatment or critical hospital decisions. If the AI could affect patient health or is a component of a certified medical device, it’s high-risk and must meet strict rules (www.complyone.io).

2. Q: Does an administrative documentation tool really need AI Act compliance? A: If it only automates paperwork (scheduling, basic notes) without touching patient care data, it’s usually not “high-risk.” However, if it integrates with clinical decision data or billing codes, you should treat it as high-risk. When in doubt, consult the experts at Ollsoft (info below) to assess your case.

3. Q: When do we have to comply with the AI Act? A: Article 50 transparency rules start 2 Aug 2026 (document your AI’s purpose and accuracy) (fontvera.eu). Full high-risk compliance (risk management, CE mark, etc.) will be required by Dec 2027 (fontvera.eu). It’s best to start updating your QMS now. For planning help, email info@ollsoft.ai.

4. Q: What is on-premise inference and why is it important? A: On-premise AI runs entirely on your hospital’s servers, not in the cloud. This way all patient data, including model training and logs, stays inside your firewall. That approach is crucial for GDPR/DSGVO and NIS2 compliance. Ollsoft specializes in on-premise deployment to keep data safe.

5. Q: How can Ollsoft’s Olingo Medical help us? A: We provide modular medical AI that meets both AI Act and MDR needs. We integrate speech-to-text, OCR, coding AI and a local LLM directly into your KIS (via HL7/FHIR), all running on site. This approach secures patient data and solves the admin burden. Contact info@ollsoft.ai for a tailored solution and demo.