August 2, 2026 for health services AI. August 2027 for embedded medical devices.
Annex III Category 5 · GDPR Article 9 (Special Category Data)

Clinical Staff Are Using AI on Patient Data.
Here's the Annex III Exposure.

Patient data is not ordinary data. Under GDPR, it is Special Category. An AI system that processes it is High-Risk under EU AI Act Annex III. Most clinical teams using ChatGPT for administrative or clinical tasks know neither of these things.

A scenario occurring in European hospitals today

"A nurse types a patient's symptoms — including psychiatric history — into ChatGPT to help draft a clinical note more quickly. The response helps. The note is filed. No one logs that the patient's mental health data was processed by an external US server. No consent was obtained for this automated processing. No audit trail exists. This is a GDPR Article 9 violation and an EU AI Act compliance failure — on the same tool call."

AI Use Cases Creating Legal Exposure in Healthcare

These behaviors are common. Most clinical and administrative teams do not know they are regulated.

AI-assisted clinical note drafting

Using LLMs to draft or summarize clinical notes involving diagnoses, medications, or psychiatric history processes Special Category data under GDPR Article 9.

AI triage or symptom guidance

Any AI system that influences or recommends patient triage priority is High-Risk under Annex III Category 5. No autonomous triage decision can stand without human sign-off.

Patient record summarization

Uploading or pasting patient records into a public LLM for summarization means Special Category data is processed by a third party without a valid data processing agreement or consent.

Benefits and care eligibility AI

AI that influences access to healthcare benefits or essential services is explicitly covered by Annex III. Denying or delaying care based on AI output without human review is prohibited.

Two Frameworks. One Tool Call.

GDPR Article 9 and EU AI Act Annex III activate simultaneously.

GDPR — Article 9

Patient data is Special Category

Health data, mental health history, and genetic data are Special Category under GDPR. Processing requires explicit consent or a legal basis under Article 9(2). Informal ChatGPT usage by clinical staff almost never satisfies this.

EU AI Act — Annex III Cat. 5

Health AI is explicitly High-Risk

AI used in medical diagnosis support, patient triage, or management of essential health services is explicitly listed in Annex III Category 5. This mandates audit trails, human oversight, and documented risk management.

Medical Device Extension

Embedded AI gets until 2027

If your AI is embedded in a medical device (as defined by MDR 2017/745), you have until August 2, 2027 for full EU AI Act compliance. However, GDPR Article 9 obligations apply NOW, regardless of device classification.

Compliant Clinical AI

AI can accelerate care. It cannot replace accountability.

01. Classify your AI tools by category

Clinical note assistance, triage support, and benefits eligibility AI are all Annex III Category 5. Administrative scheduling or general information retrieval may fall outside High-Risk. Classify before deploying.

02. Implement a DPIA for all health AI

A GDPR Data Protection Impact Assessment is required before processing Special Category data at scale. This includes a description of the AI system, the risks, and the mitigations.

03. Deploy PII scrubbing at the boundary

Patient identifiers must never leave your network unprotected. SupraWall's PII Shield automatically redacts names, NHS numbers, dates of birth, and medical record identifiers before any external API call.

04. Gate consequential decisions with HITL

Any AI output that influences patient care — triage priority, benefit eligibility, diagnostic suggestions — must route through a Human-in-the-Loop approval step before action.

05. Activate the Healthcare Compliance Template

SupraWall's healthcare template implements Annex III Category 5 controls: automatic PII scrubbing, HITL gating on consequential decisions, and immutable audit logging of all clinical AI tool calls.
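To make steps 03 to 05 concrete, here is an added illustration of what a boundary layer in front of an external LLM does: it redacts the identifier types the page names before anything leaves the network, holds outputs for consequential intents until a human signs off, and writes a hash-chained audit record of every call. This is example code written for this page, not SupraWall's PII Shield, healthcare template or SDK. The NHS number Modulus 11 check is the published algorithm; the MRN format, the intent labels (`triage`, `diagnosis`, `eligibility`), the `guarded_call` and `AuditLog` names, and the sample clinical note are all constructed assumptions.

```python
"""Boundary controls for a clinical LLM call: scrub identifiers, hold
consequential intents for human sign-off, keep a tamper-evident audit trail.
Added illustration only; not SupraWall's PII Shield, template or SDK."""
import hashlib
import json
import re
from datetime import datetime, timezone

# NHS numbers are 10 digits, usually written 3-3-4; the Modulus 11 check
# digit weeds out other 10-digit numbers (phone numbers, reference ids).
NHS_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
DOB_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-](?:19|20)\d{2}\b")
# Medical record number formats are hospital-specific; this one is assumed.
MRN_RE = re.compile(r"\b(MRN[:#\s]*)([A-Z0-9]{6,12})\b")
# Assumed intent labels standing for the consequential uses the page names:
# triage priority, diagnostic suggestions, benefit eligibility.
CONSEQUENTIAL_INTENTS = {"triage", "diagnosis", "eligibility"}


def nhs_number_valid(digits):
    """NHS Modulus 11 check: weights 10..2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # such numbers are never issued
        return False
    return check == int(digits[9])


def scrub(text, known_names=()):
    """Redact identifiers before text leaves the network; return counts.
    Names come from the patient's demographics record (supplied by the
    caller) because a regex cannot reliably find free-text names."""
    counts = {"nhs": 0, "dob": 0, "mrn": 0, "name": 0}

    def nhs_sub(m):
        if not nhs_number_valid("".join(m.groups())):
            return m.group(0)  # fails the check digit: not an NHS number
        counts["nhs"] += 1
        return "[NHS_NUMBER]"

    text = NHS_RE.sub(nhs_sub, text)
    text, counts["dob"] = DOB_RE.subn("[DOB]", text)
    text, counts["mrn"] = MRN_RE.subn(r"\1[MRN]", text)
    for name in known_names:
        text, n = re.subn(re.escape(name), "[PATIENT]", text, flags=re.IGNORECASE)
        counts["name"] += n
    return text, counts


class AuditLog:
    """Append-only, hash-chained log: each entry commits to its predecessor,
    so editing or deleting an earlier entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = dict(record, prev_hash=prev, ts=datetime.now(timezone.utc).isoformat())
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def guarded_call(prompt, intent, user, log, send, known_names=()):
    """The boundary: scrub, log, send only scrubbed text, and hold the
    output for human review when the intent is consequential."""
    redacted, counts = scrub(prompt, known_names)
    status = "pending_human_review" if intent in CONSEQUENTIAL_INTENTS else "released"
    log.append({
        "user": user,
        "intent": intent,
        # The clear-text prompt is never logged; its hash still ties the
        # entry to the exact input if the record is later produced.
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "redactions": counts,
        "status": status,
    })
    return {"status": status, "sent": redacted, "response": send(redacted)}


# Constructed sample note: the NHS number passes the check digit, the trailing
# reference number fails it and is deliberately left untouched.
SAMPLE_NOTE = ("Pt Jane Doe, NHS 943 476 5919, DOB 12/03/1985, MRN: AB123456. "
               "Presents with chest pain; history of depression. Ref 2034567890.")

if __name__ == "__main__":
    log = AuditLog()
    out = guarded_call(SAMPLE_NOTE, "triage", "nurse01", log,
                       send=lambda p: "<model draft>", known_names=["Jane Doe"])
    print(out["status"], "|", out["sent"], "| chain intact:", log.verify())
```

Two design points carry over to a real deployment: the `send` callable is the only path to the external API, so nothing bypasses the scrub, and the audit record stores a hash of the original prompt rather than the prompt itself, so the log does not become a second copy of Special Category data.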

Two Ways to Solve This

Choose the path that fits: implement it yourself, or speak to an expert.

Business Path (C-Suite)

Book a Healthcare Compliance Call

For CMOs, Hospital Administrators, and Data Protection Officers.

Book Executive Call

Technical Path (Developers)

Activate Healthcare Template

Annex III Category 5 + GDPR Article 9 controls.

View Technical SDK