Healthcare vertical · FDA TPLC · ONC HTI-1 · HL7 FHIR R4

AI shared responsibility for healthcare

FDA's 2025 TPLC draft guidance and final PCCP guidance establish a lifecycle accountability framework for clinical AI, but leave implementation mechanics to each organization. This schema fills that gap: 40 controls across five SRF layers, each with a named accountable persona, a measurable threshold, and an HL7 FHIR AuditEvent evidence pointer.

Experimental schema. This vertical is a proposed extension of the CoSAI Shared Responsibility Framework, developed independently to demonstrate the approach. It is not part of CoSAI SRF v1.0 and has not been endorsed by CoSAI, the FDA, or any regulator. Verify regulatory section references against the source documents before use.
40 controls · 5 SRF layers · 4 clinical lifecycle stages · 7 regulatory crosswalks

The FDA TPLC gap. The FDA's January 2025 draft guidance on lifecycle management for AI-enabled device software functions and the August 2025 final PCCP guidance establish what clinical AI systems must do across their lifecycle. They do not resolve how a hospital system, a medtech manufacturer, or a health IT developer implements those accountabilities under HIPAA, ONC certification requirements, and EU AI Act obligations simultaneously. (See the FDA AI/ML SaMD resources.)

What the schema provides. Each control maps an SRF layer to a specific clinical lifecycle stage (design and development, verification and validation, post-market surveillance, human oversight and review), names the accountable persona, and specifies the HL7 FHIR resource and attribute that proves the control is functioning. FHIR AuditEvent, MeasureReport, Provenance, and Device resources replace annual attestations with continuous, machine-readable evidence.

Agentic clinical AI coverage. All 40 controls apply to Agent-Clinical deployments, which carry the largest surface area under FDA TPLC and HIPAA minimum-necessary obligations. L3 and L4 controls address human-in-the-loop gates, SMART on FHIR scope enforcement, prompt injection defense, and agentic task boundary monitoring.

In this section

Schema design

Accountability plane
SRF layers and clinical personas

Each control names one accountable persona. Five layers map to the clinical AI lifecycle: governance, data, application, platform, and model. One accountable party per control, regardless of operating model.

Control plane
Safety thresholds and FDA tier parameters

Controls define the metric, operator, and parameter name. Organizations set values per SaMD risk tier (Class I, II, III). Zero-tolerance and verification controls carry fixed values by design.

Evidence plane
HL7 FHIR R4 resource pointers

Each threshold names the FHIR resource type and attribute that proves the control is operating: AuditEvent, MeasureReport, Provenance, Device, DeviceMetric. Continuous, machine-readable evidence; not annual attestations.
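A constructed example (added here; not part of the schema, CoSAI SRF, or any FDA artifact) of how the accountability, control, and evidence planes above combine into one evaluable control record: a hypothetical L3 clinician override rate control whose organization-set Class I/II/III thresholds (sample values) are checked against a constructed FHIR R4 MeasureReport. The control id, persona value, parameter name, and attribute path are assumptions.

```python
import operator
from typing import Any

# Constructed control record (assumed names), not an entry from the schema.
CONTROL = {
    "id": "L3-clinician-override-rate",            # hypothetical control id
    "layer": "L3", "persona": "clinical-application-developer",
    "metric": "clinician_override_rate", "operator": "<=",
    "parameter": "max_override_rate",
    # Control plane: the organization sets one value per SaMD risk tier.
    "tier_values": {"Class I": 0.30, "Class II": 0.15, "Class III": 0.05},
    # Evidence plane: FHIR R4 MeasureReport, score at group[0].measureScore.value
    "evidence": {"resourceType": "MeasureReport",
                 "path": "group.0.measureScore.value"},
}

OPS = {"<=": operator.le, "<": operator.lt, ">=": operator.ge,
       ">": operator.gt, "==": operator.eq}

def read_path(resource: dict, path: str) -> Any:
    """Walk a dotted path such as 'group.0.measureScore.value' through FHIR JSON."""
    node: Any = resource
    for part in path.split("."):
        node = node[int(part)] if isinstance(node, list) else node[part]
    return node

def evaluate(control: dict, resource: dict, tier: str) -> dict:
    """Compare the evidence value in a FHIR resource against the tier threshold."""
    ev = control["evidence"]
    if resource.get("resourceType") != ev["resourceType"]:
        raise ValueError(f"expected {ev['resourceType']}, got {resource.get('resourceType')}")
    observed = read_path(resource, ev["path"])
    threshold = control["tier_values"][tier]
    passed = OPS[control["operator"]](observed, threshold)
    return {"control": control["id"], "persona": control["persona"], "tier": tier,
            "observed": observed, "threshold": threshold,
            "status": "pass" if passed else "fail"}

# Constructed MeasureReport: 12% of AI recommendations were overridden this period.
SAMPLE_REPORT = {
    "resourceType": "MeasureReport", "status": "complete", "type": "summary",
    "period": {"start": "2025-01-01", "end": "2025-01-31"},
    "group": [{"measureScore": {"value": 0.12}}],
}

if __name__ == "__main__":
    for tier in ("Class I", "Class II", "Class III"):
        print(evaluate(CONTROL, SAMPLE_REPORT, tier))
```

The same 12% observed rate passes for a Class II threshold and fails for Class III, which is the per-tier behaviour the control plane describes.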

Regulatory crosswalks

FDA TPLC Guidance: total product lifecycle management for AI/ML SaMD (January 2025 draft)
FDA PCCP: Predetermined Change Control Plan final guidance (August 2025); the crosswalk follows the 2023 FDA, Health Canada, and MHRA guiding principles
ONC HTI-1: algorithmic transparency for certified health IT (effective January 2025)
HIPAA Security Rule: 45 CFR Part 164 Subpart C (PHI access control, audit, encryption)
EU AI Act: high-risk AI obligations for clinical AI (full compliance August 2026)
IEC 62304: medical device software lifecycle processes (Edition 2 expected 2026)
ISO 14971: risk management for medical devices (risk file and residual risk)

Coverage by layer

L1 Governance and processes (9 controls)
SaMD risk classification policy, clinical AI system registry, ethics committee charter, governance review cadence, acceptable use policy, clinician override documentation, FDA filing currency, MDR reporting readiness, PCCP change governance. Accountable persona: clinical-ai-governance.

L2 Data and training (8 controls)
Training data provenance and consent, demographic representation assessment, PHI isolation in non-production environments, external validation dataset independence, subgroup performance equivalence, input drift monitoring (PSI), real-world data quality, agent context store integrity. Accountable persona: clinical-data-steward.

L3 Application and agent (8 controls)
Human-in-the-loop gate for high-stakes outputs, AI explanation coverage (ONC HTI-1), adversarial robustness testing, clinical workflow usability validation, prompt injection defense, clinician override rate monitoring, safety-critical output filter bypass rate, agentic task boundary enforcement. Accountable persona: clinical-application-developer.

L4 Platform and infrastructure (8 controls)
SMART on FHIR authentication and scoped authorization, FHIR AuditEvent logging completeness, PHI encryption at rest and in transit, platform security assessment, clinical guardrail configuration verification, unauthorized access monitoring, platform availability SLA, runtime model artifact integrity. Accountable persona: health-platform-provider.

L5 Model (7 controls)
Model card and SaMD definition statement, SOUP documentation (IEC 62304 §8), ISO 14971 pre-deployment safety evaluation, independent clinical validation, model artifact signing and supply-chain provenance, post-market performance monitoring plan (PCCP-aligned), CVE patch response SLA. Accountable persona: model-provider.