Legal Considerations of Guidelines vs. Regulation Applied to AI-enabled Medical Devices
- meganjungers
- Mar 13, 2025
Updated: May 2, 2025
In response to society's exponentially rapid embrace of AI, the legal landscape of AI is rather disjointed and non-uniform, as different regulatory bodies try to balance interests in promoting innovation and protecting sensitive data. This is reflected in the types of policies passed at different levels by different governing groups.
Too often, laws are created in response to something society deems a violation of an agreed-upon acceptable behavior. Given the sensitive nature of data in our information-driven climate, as well as the potential for discrimination through the misapplication of data, there is a greater urgency to begin building barriers and parameters that novel AI technologies must stay within.
Further, the stakes are raised when healthcare is involved. When a patient's health, care, and well-being are in a position to be jeopardized by avoidable harms in the healthcare space, there are additional incentives to protect individuals through legislative measures. However, there are considerations of how a paternalistic approach of over-regulating can limit treatment options and how practitioners can best serve their patients. This is particularly problematic when practitioners, AI engineers, biostatisticians, and bioethicists are not consulted in the legislative process. By including multiple voices at the table in crafting policy decisions, there is a greater chance that the potential harms are mitigated, and also that there is a balance in regulation to still ensure future innovation of healthcare.
Given the unknowns of the direction of artificial intelligence, there are different techniques for building these respective protections in healthcare. Some regulatory groups utilize ambiguous language to craft all-encompassing catch-all legislation with broad reach in an attempt to cover the bases and groups that are most vulnerable to discrimination from AI while allowing for sector-specific regulation according to the needs of the respective field [2]. Others have chosen to dive head-first into dissecting and addressing all different potential uses of AI regardless of its context, and further scaling the level of risk associated with AI to put additional levels of review around uses with higher associated dangers [2]. Moreover, this approach addresses multidisciplinary AI use that may fall across different sectors and therefore be subject to conflicting legislation [2].
For governing entities most worried about managing the risk that can result from the misuse of AI, there can be a greater incentive to embrace a more restrictive and stringent attitude toward AI. By enacting legal safeguards, clear direction can be given toward what is allowed and what is prohibited by respective organizations and industries under the jurisdiction of a governing group. This is a proactive opportunity to protect rights deemed valuable by that group as a whole, and limits the instances when there could be permissible violations of those rights due to the necessary barriers not yet existing. However, there can be some drawbacks to this more risk-averse approach to AI legislation. Enacting a higher volume of laws creates artificial limitations on the possibility of other technological advancements due to red tape. In the AI space, this may relate to hampering medical innovation, as there can be a general disincentive to create new technology when the liability risks are too high [1]. Moreover, there is a possibility of unintended consequences from over-regulating, such as failing to compete with technology available elsewhere in the world and falling behind as a global health leader [1]. Managing the push of technological progress so tightly that it delays advancements in the standard of care for the population can be dangerously discriminatory.
In contrast, there are risks and benefits associated with looser regulation around artificial intelligence in medical devices. When regulations are less stringent, individuals using technology in these jurisdictions may be more likely to be subject to errors, biases, and discrimination by the respective AI algorithm. Moreover, there are likely added privacy concerns and a limited or non-existent informed consent process, so patients may not know what information they are granting to third parties or putting in jeopardy of cyberattacks. However, there are fewer barriers to patient use of medical devices for treatment options, which have the potential to bridge cost barriers and access limitations, as well as contribute to the improvement of many patients' quality of life [1].
Both attitudes towards legislation have their respective ethical concerns; however, how they enforce their laws and guidances also significantly influences what type of care patients can receive in each nation. To better understand the legal language, we have broken down the different classifications of policy mediums so that we can better understand which countries take a more liberal approach to policy, and which have more conservative legislation. Distinguishing these items can help determine important legal and compliance considerations for medical device entrepreneurs.
Frameworks:
Outlined best practices with no legally binding obligations [4].
Guidances:
Statement of additional support on how to take future action regarding a specific issue or already active regulation, though with no regulatory obligations or actions [5].
Standards:
Documented guidelines with explicit criteria outlined for adherence. Not legally binding but can be adopted by law or regulation [5].
Laws/Acts:
Statutes and rules passed by a governing body, with legal enforceability [4, 6].
Regulations:
Specific and directive rules issued by a regulating body appointed by a state or federal government with detailed instructions on implementation and enforcement practices, with mandatory legal enforcement [5].
As outlined, the array of policy vehicles lays the groundwork for multiple different means of communicating values in the regulatory space. The range of degrees of adherence required by each form of policy ultimately has the potential to shape respective regulatory landscapes and their corresponding societies.

One of the greatest barriers to date regarding integrating AI in healthcare is the variance in regulatory frameworks across different countries and nations [1]. The unclear guidances and laws operate at different levels of legal enforcement and further lack a uniform structure for crafting operational definitions and policies at different steps of the medical device development and testing processes [1]. Some countries have implemented more liberal approaches and others more conservative ones, beyond any additional international guidances, and this has created barriers to ensuring patient safety across different global markets. With different interpretations of and parameters around accountability, risk management, data protection, and performance evaluation metrics, the medical device technology industry does not have a clear design protocol to follow when it aims to bring devices to international markets [1]. Medical device trials take many years from the ideation and development process to the use in human subjects, and in the last decade, which is within a single development lifecycle, AI regulations have continued to become less cohesive and more delineated. It is in the international medical community's best interest to work towards developing a more harmonized system of regulation [1].
Citations:
[1] Book, Adrien. 2024. "Should AI Be Regulated? The Arguments For and Against." WeAreDevelopers Magazine, November 19, 2024. https://www.wearedevelopers.com/magazine/eu-ai-regulation-artificial-intelligence-regulations.
[2] OECD. n.d. "How Countries Are Implementing the OECD Principles for Trustworthy AI." Accessed March 29, 2025. https://oecd.ai/en/wonk/national-policies-2.
[3] AI Collective. n.d. "Policy, Regulations, and Standards." https://www.aicollective.co/policy-regulations-and-standards.
[4] U.S. Department of Commerce. n.d. "Guidance Documents." https://20172021.commerce.gov/guidance.html#:~:text=A%20guidance%20document%20is%20an,of%20a%20statute%20or%20regulation.
[5] TrustCloud. n.d. "Standard vs Framework vs Laws vs Regulations: 6 Key Differences." Accessed March 29, 2025. https://community.trustcloud.ai/docs/grc-launchpad/grc-101/compliance/standard-vs-framework-vs-laws-vs-regulations/.
[6] One Education. 2023. "Difference Between Laws, Regulations, Acts, Guidance & Policies." One Education, February 17, 2023. https://www.oneeducation.org.uk/difference-between-laws-regulations-acts-guidance-policies/.



