The healthcare sector's dream of lightning-fast, error-free AI triage – where patients are automatically sorted and prioritized upon arrival – is now encountering a solid legal wall. The EU AI Act and GDPR together impose such strict requirements that fully automated solutions are practically ruled out. For Norwegian health enterprises, which are bound by EU regulations through the EEA Agreement, this is not a future prospect: it is current law.
What the Regulations Actually Say
The EU AI Act places AI systems used in healthcare in the high-risk AI category. This entails documentation requirements, technical robustness, transparency, and – crucially – meaningful human control. The regulations overlap with GDPR, which has already been in force since 2018.
Central here is GDPR Article 22, which generally prohibits decisions based solely on automated processing if they produce legal effects concerning the individual or similarly significantly affect them. According to research cited by Devdiscourse, most AI-driven triage systems fall into this category because they directly impact patients' access to treatment and prioritization order.
Exceptions exist – including where the patient has given explicit consent, where processing is necessary for contractual reasons, or where national law permits it – but these exceptions always require suitable safeguards, including the right to human intervention.
Human oversight must be meaningful and substantial – not a 'rubber stamp' approval of the algorithm's output
Human Control as a Legal Requirement
A key point in the regulations is that the 'human in the loop' requirement is not met merely because an employee formally approves a decision. The oversight must be real: the employee must have the time, competence, and actual ability to override the system.
Research on HITL (human-in-the-loop) solutions shows that this also yields practical benefits. In the financial sector, HITL validation has been shown to reduce erroneous capture of Personally Identifiable Information (PII) by as much as 42 percent in KYC workflows, according to data from a British financial company referenced in the research basis. The healthcare sector is at least as vulnerable to such errors – and the consequences are potentially far more serious.
Norwegian Healthcare Sector in the Crosshairs
Norway is not an EU member, but through the EEA Agreement, it is obliged to implement most of the EU's internal market regulations – including the EU AI Act once it is fully incorporated into the EEA Agreement. GDPR is already Norwegian law through the Personal Data Act.
This means that Norwegian health enterprises, private clinics, and providers of health IT systems cannot disregard these requirements. Organizations planning to introduce or further develop AI-based triage solutions are, in practice, already required to conduct a Data Protection Impact Assessment (DPIA) – a thorough assessment of privacy risks.
What the Industry Must Do
Experts are clear that AI can accelerate work processes but cannot understand regulations, legal nuances, or privacy principles. The responsibility for lawful and fair processing lies with the organization – not the algorithm.
For Norwegian actors, this specifically entails:
- Conduct DPIA before AI systems for triage are deployed or significantly altered.
- Document human oversight so that it can be verified by the Norwegian Data Protection Authority or other supervisory authorities.
- Ensure transparency towards patients: they must be informed that AI is part of the decision-making process and have the right to request human processing.
- Build audit trails into workflows, making it possible to document who made which decisions and on what basis.
The source Devdiscourse emphasizes that the regulations are not intended to halt AI in healthcare – but to ensure that the technology is used in a fair, lawful, and verifiable manner. For the Norwegian healthcare system, it is no longer a question of whether to comply with these requirements, but how.