AI Act Compliance within the MyHealth@EU Framework: A Tutorial
Authors: Monika Simjanoska Misheva, Dragan Shahpaski, Jovana Dobreva, Djansel Bukovec, Blagojche Gjorgjioski, Marjan Nikolov, Dalibor Frtunikj, Petre Lameski, Azir Aliu, Kostadin Mishev, Matjaž Gams
Journal: Journal of Medical Internet Research (JMIR), Journal Article, published 2025-09-24
DOI: 10.2196/81184 (https://doi.org/10.2196/81184)
Journal metrics: Impact Factor 6.0; JCR Q1 (Health Care Sciences & Services)
Source: Semanticscholar record
Citations: 0
Abstract
Background: The integration of AI into clinical workflows is advancing even before full compliance with the MyHealth@EU framework is achieved. While AI-based Clinical Decision Support Systems (CDSS) are automatically classified as high-risk under the EU AI Act, cross-border health data exchange must also satisfy MyHealth@EU interoperability requirements. This creates a dual-compliance challenge: vertical safety and ethics controls mandated by the AI Act, and horizontal semantic-transport requirements enforced through OpenNCP gateways, many of which are still maturing toward production readiness.

Objective: This paper provides a practical, phase-oriented tutorial that enables developers and providers to embed AI Act safeguards before approaching MyHealth@EU interoperability tests. The goal is to show how AI-specific metadata can be included in HL7 CDA and FHIR messages without disrupting standard structures, ensuring both compliance and trustworthiness in AI-assisted clinical decisions.

Regulatory foundations: We systematically analysed Regulation (EU) 2024/1689 (AI Act) and the MyHealth@EU/OpenNCP technical specifications, extracting a harmonised set of overlapping obligations. AI Act provisions on transparency, provenance, and robustness are mapped directly onto MyHealth@EU workflows, identifying the points where outgoing messages must record AI involvement, log provenance, and trigger validation.

Walkthrough: To operationalise this mapping, we propose a minimal extension set, covering AI contribution status, rationale, risk classification, and Annex IV documentation links, together with a phase-based compliance checklist that aligns AI Act controls with MyHealth@EU conformance steps.

Illustrative example: A simulated International Patient Summary (IPS) transmission demonstrates how CDA/FHIR extensions can annotate AI involvement, how OpenNCP processes such enriched payloads, and how clinicians in another Member State view the result with backward compatibility preserved.

Discussion: We expand on security considerations (e.g., OWASP GenAI risks such as prompt injection and adversarial inputs), continuous post-market risk assessment, monitoring, and alignment with MyHealth@EU's incident aggregation system. Limitations reflect the immaturity of current infrastructures and regulations, with real-world validation pending the rollout of key dependencies.

Conclusions: AI-enabled clinical software succeeds only when AI Act safeguards and MyHealth@EU interoperability rules are engineered together from "day zero." This tutorial provides developers with a forward-looking blueprint that reduces duplication of effort, streamlines conformance testing, and embeds compliance early. While the concept is still in its early phases of practice, it represents a necessary and worthwhile direction for ensuring that future AI-enabled clinical systems can meet both EU regulatory requirements from day one.
Journal description:
The Journal of Medical Internet Research (JMIR) is a highly respected publication in the field of health informatics and health services. Founded in 1999, JMIR has been a pioneer in the field for over two decades.
As a leader in the industry, the journal focuses on digital health, data science, health informatics, and emerging technologies for health, medicine, and biomedical research. It is recognized as a top publication in these disciplines, ranking in the first quartile (Q1) by Impact Factor.
Notably, JMIR holds the prestigious position of being ranked #1 on Google Scholar within the "Medical Informatics" discipline.