10 Questions for Healthcare AI Procurement

| Question | What You're Testing |
|---|---|
| 1. For any specific patient interaction, can you provide a tamper-evident trace showing which guardrails executed, with timestamps and pass/fail status? | Guardrail execution trace — proves controls ran, not just that they exist |
| 2. Can you reconstruct the complete input context the model processed for any given output—including prompts, retrieved data, and applied redactions? | Decision rationale — enables root cause analysis when outputs are unexpected |
| 3. Is your compliance evidence cryptographically signed and independently verifiable without access to your internal dashboards? | Independent verifiability — evidence third parties can validate |
| 4. Can you prove that protected health information never left our infrastructure during AI inference? | Zero-egress architecture — reduces BAA scope and data residency risk |
| 5. How do you demonstrate model version control—proving which exact code processed each request? | Configuration traceability — links incidents to specific model versions |
| 6. What is your documented hallucination rate, and can you provide statistical confidence intervals based on production data? | Performance transparency — quantified risk, not marketing claims |
| 7. How does your evidence map to specific control objectives in ISO 42001, NIST AI RMF, and EU AI Act Article 12? | Framework anchoring — accelerates audit and compliance assessment |
| 8. What per-inference artifacts do you retain, for how long, and in what format are they available for audit? | Evidence retention — California ADMT requires 5+ years |
| 9. If a patient files a complaint about AI-generated content, what evidence can you provide within 24 hours? | Incident response capability — operational readiness for investigations |
| 10. Do your logs and attestations meet the evidentiary standards that would be required in regulatory proceedings or litigation? | Legal defensibility — admissibility in adversarial contexts |
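
As a concrete reference point for questions 1 and 3, the sketch below shows what a buyer-side check of a tamper-evident guardrail trace can look like. It is an added example, not code from this page or from any vendor. The record fields (`guardrail`, `status`, `ts`), the SHA-256 hash-chain layout, and the idea of a head digest that the vendor committed to earlier are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def entry_digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def build_trace(records):
    """Vendor side: link each guardrail record to the one before it."""
    trace, prev = [], GENESIS
    for rec in records:
        digest = entry_digest(prev, rec)
        trace.append({"record": rec, "prev": prev, "hash": digest})
        prev = digest
    return trace

def verify_trace(trace, anchored_head, required_guardrails):
    """Buyer side: return a list of findings; an empty list means the trace holds."""
    findings, prev, last_ts, seen = [], GENESIS, "", {}
    for i, entry in enumerate(trace):
        rec = entry["record"]
        if entry["prev"] != prev or entry_digest(prev, rec) != entry["hash"]:
            findings.append(f"entry {i}: hash chain broken")
        if rec["ts"] < last_ts:  # ISO 8601 UTC strings sort chronologically
            findings.append(f"entry {i}: timestamp out of order")
        last_ts = rec["ts"]
        seen[rec["guardrail"]] = rec["status"]
        prev = entry["hash"]
    if prev != anchored_head:
        findings.append("head digest does not match anchored value")
    for name in required_guardrails:
        if name not in seen:
            findings.append(f"{name}: no execution record")
        elif seen[name] != "pass":
            findings.append(f"{name}: status {seen[name]}")
    return findings

# Constructed sample records for one inference (not real vendor output).
SAMPLE = [
    {"guardrail": "phi_redaction", "status": "pass", "ts": "2025-01-15T10:00:00.120Z"},
    {"guardrail": "clinical_claim_filter", "status": "pass", "ts": "2025-01-15T10:00:00.480Z"},
    {"guardrail": "output_schema_check", "status": "pass", "ts": "2025-01-15T10:00:00.910Z"},
]
REQUIRED = [r["guardrail"] for r in SAMPLE]
```

The check needs only the exported trace and the anchored head digest, which is the property question 3 asks about: no access to the vendor's dashboards is involved. A hash chain alone does not identify who produced the trace, so the head digest still has to reach the buyer through a channel the vendor cannot later rewrite.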