Skip to content

Board pack · Healthcare

The AI questions for your next board meeting.

Six questions for the boards of health and care providers, with the regulators and duties they answer to. Table it, ask each question, and note which answers your organisation could evidence today.

The six questions.

  1. Where is AI already supporting care across triage, monitoring, clinical documentation and administration, and for each, has anyone confirmed whether it is a medical device the MHRA regulates?
  2. For any AI touching a clinical or care decision, can we evidence a documented human clinical judgement, a clear accountable clinician, and a safety case proportionate to the risk?
  3. Have we completed a Data Protection Impact Assessment and satisfied DSPT and UK GDPR before special category health data goes near an AI tool or third-party model?
  4. How have we tested these tools for safety and bias against the vulnerable groups we serve, and who is accountable for that testing at board level?
  5. Can we explain to CQC, to a clinician and to a patient how an AI-supported decision was reached, including inside third-party vendor systems?
  6. What board-level oversight, policy and risk reporting do we hold for AI, and how does it map to CQC Regulations 12 and 17 and our clinical governance framework?

What your board answers to.

  • Care Quality Commission (CQC)

    Regulates providers under Regulation 12 (safe care and treatment) and Regulation 17 (good governance). Its position is that AI in regulated care must still meet those outcomes with evidenced board oversight and risk management.

  • Medicines and Healthcare products Regulatory Agency (MHRA)

    Where a tool is intended to inform diagnosis, prognosis or treatment it may be Software as a Medical Device. The MHRA's programme tightened post-market surveillance duties in 2025, so confirm a tool's classification before deployment.

  • ICO, UK GDPR and Data Protection Act 2018

    Health records are special category data. Processing them through AI needs a lawful basis, a completed Data Protection Impact Assessment and Article 22 safeguards where a decision is solely automated.

  • NHS DSPT and DTAC

    Where you connect to NHS systems or contract with the NHS, the Data Security and Protection Toolkit and the Digital Technology Assessment Criteria set the data security, clinical safety and interoperability bar an AI tool must clear.

  • GMC and NMC professional duties

    Where AI assists a clinical decision, the registered doctor or nurse remains personally accountable for it. The board must ensure clinicians can exercise, and evidence, meaningful professional judgement over any AI output.

Want to know how your board would answer before the meeting? The Board AI Scorecard scores the five areas these questions test, in about two minutes.