Healthcare AI Governance

Model Design by Kelly Emrick, DHSc, PhD, MBA


Healthcare AI Governance Dashboard

Multi-framework governance spanning HAIRA, PPTO, RUAIH, NIST AI RMF, and HEAAL — with maturity scoring, lifecycle tasks, and an action-plan generator.

Curated by Kelly Emrick, DHSc, PhD, MBA, RT(R)

Why Healthcare AI Governance Matters Now

Healthcare AI has moved well past the pilot stage. Predictive sepsis models, ambient documentation, imaging triage, scheduling optimization, and revenue-cycle automation all interact with protected health information and clinical decision-making in ways traditional software does not. Standard security risk assessments were not designed to catch algorithmic bias, performance drift, opaque decision logic, or vendor data-use risks — yet these are exactly the risks AI introduces.

This dashboard brings together five complementary, peer-reviewed and accreditor-issued frameworks so a healthcare delivery organization can self-assess across maturity, capability, compliance, risk, and equity — and produce a tiered action plan from the gaps.

The Five Frameworks

HAIRA (Maturity Model)

Healthcare AI governance Readiness Assessment. A 5-level maturity model across 7 governance domains, designed to scale from small practices to academic health systems.

npj Digital Medicine, 2024 · Levels 1–5 · 7 domains

PPTO (Capability Model)

People, Process, Technology, Operations. A practical capability framework for establishing AI governance, validated in U.S. (Duke) and Canadian hospital systems.

npj Digital Medicine, 2025 · 4 domains · capability gap analysis

RUAIH (Accreditor Guidance)

Responsible Use of AI in Healthcare. Joint Commission and Coalition for Health AI guidance organized into seven core elements that will shape future AI accreditation.

Joint Commission & CHAI, Sept 17, 2025 · 7 elements

NIST AI RMF 1.0 (Risk Framework)

The U.S. federal voluntary AI risk management framework. Four core functions — GOVERN, MAP, MEASURE, MANAGE — that map cleanly to existing HIPAA Security Rule requirements.

NIST AI 100-1, Jan 2023 · 4 functions

HEAAL (Equity Framework)

Health Equity Across the AI Lifecycle. Five equity assessment domains evaluated across eight key decision points in the AI adoption lifecycle, from problem identification through decommissioning.

PLOS Digital Health, 2024 · 5 × 8 matrix

Lifecycle Workbench (Operational Tasks)

An 8-phase, task-level workbench for tracking governance work across the AI lifecycle — from problem identification through monitoring, update, and decommissioning.

8 phases · ~32 governance tasks

How to Use This Dashboard

  1. Move through the framework tabs (HAIRA → PPTO → RUAIH → NIST → HEAAL).
  2. Score your organization honestly. Charts and KPIs update live.
  3. Use the Lifecycle tab to track operational tasks for a specific AI tool or program.
  4. Review the Scorecard tab for a composite view across all five frameworks.
  5. Open the Action Plan tab. Identified gaps are auto-grouped into Quick Wins, Foundational, and Transformational tiers.

All inputs save to your browser only (localStorage). Nothing is transmitted.

What This Dashboard Is — and Is Not

It is a structured self-assessment tool that helps governance committees, compliance leaders, and clinical informaticists locate gaps and build a defensible roadmap aligned with current published frameworks.

It is not a substitute for legal review, accreditation preparation, FDA regulatory analysis, or formal validation studies. Use the outputs as the starting point for a structured conversation with counsel, compliance, and clinical leadership.

Regulatory landscape note: The Joint Commission and CHAI plan a voluntary Responsible Use of AI certification building on the RUAIH framework, available to TJC-accredited and certified organizations. Even where current accreditation does not require AI-specific controls, RUAIH is widely expected to inform future accreditation expectations and procurement standards.

HAIRA — Healthcare AI governance Readiness Assessment

HAIRA is a five-level maturity model that lets a healthcare delivery organization benchmark its current AI governance capabilities and set realistic advancement targets across seven domains: organizational structure, problem formulation, external algorithm evaluation, algorithm development, model evaluation, deployment integration, and monitoring & maintenance.

Source: Advancing healthcare AI governance through a comprehensive maturity model based on systematic review — npj Digital Medicine (2024).

Composite Maturity: not yet assessed
Domains Scored: 7 (score each on the 5-level scale)
Maturity Levels: L1–L5 (Initial → Leading)

[Chart: Maturity Radar by Domain]

HAIRA Maturity Levels

| Level | Profile | Typical Setting |
|---|---|---|
| L1 Initial | Ad hoc, undocumented practices | Small practice exploring AI |
| L2 Developing | Repeatable but inconsistent | Community hospital, early adopter |
| L3 Defined | Documented and standardized | Mid-size health system |
| L4 Managed | Quantitatively measured & controlled | Large integrated system |
| L5 Leading | Continuously optimized; sets standards | Major academic health system |

Score Each Governance Domain

Pick the level that best reflects current state. Your selections save automatically and update the radar chart and KPI in real time.

Interpretation tip: Composite maturity below 2.5 is common for organizations beginning their AI governance journey. The seven HAIRA domains are designed to be advanced incrementally — jump straight to the Action Plan tab once scored to see which gaps cluster as quick wins versus transformational efforts.

PPTO — People, Process, Technology, Operations

PPTO is a capability framework for establishing AI governance in healthcare delivery organizations. It extends the classic People-Process-Technology model with a fourth Operations domain that covers the practical management and sustainment of governance itself — executive sponsorship, budget, metrics, and policy/feedback cycles.

Source: People, process, technology and operations framework for establishing AI governance in healthcare organizations — npj Digital Medicine (2025); applied at Duke and a large Canadian hospital system.

Composite Capability: average across domains (0–4)
Capability Items: 20 (5 per domain × 4 domains)
Domains: 4 (People · Process · Technology · Operations)

[Chart: Capability by Domain]

What Each PPTO Domain Covers

| Domain | What It Specifies |
|---|---|
| People | Personnel needed for AI governance — committee structure, areas of expertise, defined roles & responsibilities, and membership management over time. |
| Process | Governance process balancing innovation with risk — key decision points across the AI lifecycle and the documentation required at each. |
| Technology | Infrastructure and technical capabilities to oversee AI tools throughout their lifecycle — inventory, monitoring, security, integration, validation environments. |
| Operations | The organizational scaffolding to operationalize and sustain governance — executive sponsorship, accountability, budget, and effectiveness metrics. |

Score Your Capabilities

Score each capability on a 0–4 scale. Domains average to a domain-level score; the four domains average to your composite.

Practitioner note: Organizations that score well on People and Process but weak on Technology and Operations often have a chartered governance committee with no infrastructure to actually monitor models in production. The reverse pattern — strong technical monitoring with weak governance roles — tends to leave critical decisions in IT rather than at the clinical and ethical leadership level where they belong.

RUAIH — Responsible Use of AI in Healthcare

On September 17, 2025, The Joint Commission and the Coalition for Health AI (CHAI) released the first joint, non-binding guidance for healthcare organizations adopting AI: the Responsible Use of AI in Healthcare framework. It defines seven core elements that delivery organizations should put in place when deploying or managing AI tools, and it is widely expected to inform a forthcoming voluntary AI certification program available to TJC-accredited and certified organizations.

Source: The Responsible Use of AI in Healthcare (RUAIH), The Joint Commission & CHAI, 2025.

Compliance Coverage: Yes = 1.0 · Partial = 0.5 · No = 0 · N/A excluded
Core Elements: 7 (pillars of responsible use)
Future Certification: TJC (voluntary AI certification planned)

[Charts: Overall Coverage; Coverage by Pillar]

The Seven RUAIH Elements

| # | Element | Focus |
|---|---|---|
| 1 | AI Policies & Governance Structures | Multidisciplinary governance, board reporting, lifecycle policy |
| 2 | Patient Privacy & Transparency | Disclosure when AI influences care; transparent data use |
| 3 | Data Security & Data Use Protections | Encryption, minimum-necessary, re-identification ban, audit rights |
| 4 | Ongoing Quality Monitoring | Post-deployment performance, drift, local validation |
| 5 | Voluntary Blinded AI Safety Event Reporting | Confidential adverse-event reporting, integration with PSO/sentinel processes |
| 6 | Bias & Equity Assessment | Subgroup performance, ongoing bias monitoring, remediation pathway |
| 7 | Education & Training | AI literacy, onboarding, competency assessment |

Self-Assessment Across All Seven Elements

Mark each item Yes / Partial / No / N/A. Items marked N/A are excluded from your coverage score.

Procurement implication: Even before TJC’s voluntary certification launches, RUAIH is becoming a de facto procurement reference. Counsel can pull governance, privacy/security, monitoring, and bias-assessment language directly from RUAIH into RFPs and Business Associate Agreements with AI vendors.

NIST AI RMF 1.0 — Risk Management Framework

The NIST AI Risk Management Framework (NIST AI 100-1, January 2023) is a voluntary, sector-agnostic framework for managing AI risk. It is built around four core functions — GOVERN, MAP, MEASURE, and MANAGE — with GOVERN as the cross-cutting function that sits over the other three. NIST has published Healthcare AI RMF implementation guidance that maps these four functions to existing HIPAA Security Rule requirements.

Source: NIST AI 100-1, AI Risk Management Framework 1.0 (Jan 2023). Note: NIST AI RMF 1.0 itself does not provide a maturity model — the 0–4 scale below is a self-assessment overlay for this dashboard.

Composite Maturity: average across functions (0–4)
Core Functions: 4 (GOVERN cross-cuts the other three)
HIPAA Mapped: Yes (aligns with Security Rule expectations)

[Chart: Maturity by Core Function]

NIST AI RMF ↔ HIPAA Security Rule Mapping

| NIST Function | What It Does | HIPAA Mapping |
|---|---|---|
| GOVERN | Cross-cutting culture, accountability, policies, oversight across the AI lifecycle. | HIPAA Administrative Safeguards (workforce, sanctions, oversight) |
| MAP | Establish context; identify and document AI risks, intended use, stakeholder impacts. | HIPAA Required Risk Analysis |
| MEASURE | Analyze and track AI risks using quantitative and qualitative methods. | HIPAA Required Evaluation Standard |
| MANAGE | Treat, monitor, and respond to AI risks; appeal/override, decommissioning, change management. | HIPAA Sanction Policies & Incident Response |

Score Each NIST Function

Use the same 0–4 capability scale. NIST AI RMF 1.0 itself does not prescribe a maturity model, so this is your team’s judgment about how mature each function is in practice.

Compliance leverage: NIST AI RMF maturity work generally counts toward HIPAA Security Rule documentation requirements when the AI in question handles ePHI. Counsel and security can usually share evidence rather than building two parallel programs.

HEAAL — Health Equity Across the AI Lifecycle

HEAAL is a process-oriented framework developed by the Health AI Partnership (HAIP) and co-designed with clinical, operational, technical, and regulatory leaders across U.S. healthcare delivery organizations. It evaluates how the use of AI may affect health equity by assessing five domains across eight key decision points in the AI adoption lifecycle.

Source: Kim JY et al., Health Equity Across the AI Lifecycle (HEAAL) — PLOS Digital Health (2024).

Equity Coverage: click each cell to cycle status
Matrix Cells: 40 (5 domains × 8 decision points)
Procedures (Reference): 37 / 34 (existing AI / new AI in HEAAL)

The Five Equity Assessment Domains

| Domain | What It Asks |
|---|---|
| Accountability | Who is responsible for equity outcomes? Are escalation and remediation pathways named? |
| Fairness | Does the AI perform equitably across demographic and clinical subgroups? Are disparities monitored? |
| Fitness for Purpose | Is the AI appropriate for the local population and use case? Does the deployment context match the validation context? |
| Reliability & Validity | Is performance evidence local, recent, and methodologically sound? Does it hold up under real workflow conditions? |
| Transparency | Are model facts, limitations, and equity considerations disclosed to clinicians, patients, and oversight bodies? |

Equity-by-Lifecycle Heat Matrix

Click any cell to cycle through its status marker: blank = not assessed · "!" = gap identified · "~" = partially addressed · addressed.

Practical use: Apply HEAAL to one specific AI tool at a time — not the entire AI portfolio. The framework is process-oriented and works best when a named clinical or operational AI use case is at the center of the conversation. Patterns of unaddressed equity questions across decision points usually point to a missing stakeholder, missing data source, or missing review step rather than a single technical fix.

AI Lifecycle Workbench

This is the operational tracker. Where the framework tabs measure organizational maturity, this tab tracks the actual governance work for a specific AI tool or program — phase by phase, task by task. The eight phases align with the HEAAL decision points and reflect the operational reality of moving an AI tool from idea through retirement.

Lifecycle Completion: 0% (Done = 1.0 · In Progress = 0.5 · Not Started = 0)
Phases: 8 (Identify → decommission)
Tracked Tasks: ~32 (4 governance tasks per phase)

How to use this: Pick one specific AI tool or initiative. Walk the eight phases in order. Mark tasks Not Started, In Progress, Complete, or N/A. Tasks marked N/A are excluded from the percentage. Status saves automatically per device.

Composite Governance Scorecard

This view normalizes each of the five frameworks (and the lifecycle workbench) to a 0–100% scale and overlays them. It is intended as a leadership-level snapshot — a way to communicate to a board, executive committee, or fiduciary body where the program is strong and where the work remains.

Composite Score: run assessments to populate
Frameworks Combined: 5 + 1 (HAIRA, PPTO, RUAIH, NIST, HEAAL + Lifecycle)
Score Bands: 5 (Foundational → Leading)

[Charts: Cross-Framework Coverage; Coverage by Framework]

HAIRA scaled from L1–L5 to 0–100%; PPTO and NIST scaled from 0–4 to 0–100%; RUAIH already a 0–100% coverage measure; HEAAL coverage from cell statuses; Lifecycle from task statuses.

Score Bands

| Band | Composite Score | Profile |
|---|---|---|
| Foundational | 0–19% | AI in use without formal governance scaffolding. Highest-priority focus: charter the committee and inventory AI in production. |
| Developing | 20–39% | Some structures exist but are inconsistent. Focus on standardization and documentation. |
| Defined | 40–59% | Policies and processes are documented. Focus shifts to measurement and monitoring. |
| Managed | 60–79% | Quantitative oversight and equity assessment in place. Focus on continuous improvement and external benchmarking. |
| Leading | 80–100% | Optimized program; positioned for voluntary AI certification and external thought leadership. |

Auto-Generated Action Plan

Based on your assessments across HAIRA, PPTO, RUAIH, NIST AI RMF, and HEAAL, this tab groups identified gaps into three execution tiers. Quick wins are typically 30 to 90-day efforts. Foundational items are 3 to 12-month build-out work. Transformational items are 12 to 24+ month organizational change initiatives.

Complete the framework tabs to populate this plan.

Tier 1   Quick Wins

RUAIH items currently marked “No” — small policy or documentation moves with outsized compliance impact. Target 30–90 days.

  • Complete the RUAIH tab to populate this section.

Tier 2   Foundational Build-Out

PPTO and NIST capabilities scoring at the lowest two levels, plus RUAIH partials. These typically need cross-functional ownership, budget, and 3–12 months.

  • Complete the PPTO, NIST, and RUAIH tabs to populate this section.

Tier 3   Transformational

HAIRA domains at the lowest two maturity levels and HEAAL equity gaps — multi-year organizational change requiring executive sponsorship and sustained investment.

  • Complete the HAIRA and HEAAL tabs to populate this section.

How to use this with leadership: Quick wins are easiest to execute but rarely move the maturity needle by themselves. The honest sequence is usually quick wins to build credibility, then foundational work to establish the operating model, then transformational work to embed equity and continuous monitoring as default behaviors. Pair this output with the Composite Scorecard when presenting to a board or fiduciary committee.
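The Scorecard normalization, the score bands, and the three action-plan tiers described above, written out as an added example that is not the dashboard's own plugin code. It assumes a flat assessment object (constructed sample below) rather than the dashboard's real localStorage layout, and the HEAAL cell weights are an assumption because the page gives no formula for that framework's coverage.

```javascript
// Added example, not the dashboard's plugin code: the scoring arithmetic that the
// Scorecard and Action Plan tabs describe, run over a constructed assessment.
// HEAAL cell weights (addressed=1, partial=0.5, gap/unassessed=0) are assumed.
const YES_PARTIAL_NO = { yes: 1, partial: 0.5, no: 0 };                   // RUAIH items
const TASK = { done: 1, inprogress: 0.5, notstarted: 0 };                   // Lifecycle tasks
const HEAAL_CELL = { addressed: 1, partial: 0.5, gap: 0, unassessed: 0 };   // assumed weights

// Weighted coverage in [0, 1]; items marked 'na' leave the denominator; null if nothing scored.
function coverage(items, weights) {
  const scored = items.filter(s => s !== 'na');
  if (scored.length === 0) return null;
  return scored.reduce((sum, s) => sum + weights[s], 0) / scored.length;
}
const mean = xs => xs.reduce((a, b) => a + b, 0) / xs.length;
const pct = c => (c === null ? null : c * 100);

// Normalize each framework to 0–100 as the Scorecard tab states: HAIRA L1–L5 maps L1 to 0
// and L5 to 100; PPTO and NIST 0–4 divide by 4; RUAIH, HEAAL and Lifecycle are coverage.
function normalize(a) {
  return {
    haira: (mean(a.haira) - 1) / 4 * 100,
    ppto: mean(a.ppto) / 4 * 100,
    nist: mean(a.nist) / 4 * 100,
    ruaih: pct(coverage(a.ruaih, YES_PARTIAL_NO)),
    heaal: pct(coverage(a.heaal, HEAAL_CELL)),
    lifecycle: pct(coverage(a.lifecycle, TASK)),
  };
}

// Composite = mean of the frameworks that have a score; bands follow the Score Bands table.
function composite(a) {
  const p = mean(Object.values(normalize(a)).filter(v => v !== null));
  const band = p < 20 ? 'Foundational' : p < 40 ? 'Developing'
             : p < 60 ? 'Defined' : p < 80 ? 'Managed' : 'Leading';
  return { pct: p, band };
}

// Action-plan tiers as the page groups them; each list holds zero-based item indices.
function actionPlan(a) {
  const idx = (xs, pred) => xs.map((x, i) => (pred(x) ? i : -1)).filter(i => i >= 0);
  return {
    quickWins: idx(a.ruaih, s => s === 'no'),                          // RUAIH items marked "No"
    foundational: { ppto: idx(a.ppto, v => v <= 1), nist: idx(a.nist, v => v <= 1),
                    ruaihPartial: idx(a.ruaih, s => s === 'partial') }, // lowest two levels, partials
    transformational: { haira: idx(a.haira, l => l <= 2), heaal: idx(a.heaal, s => s === 'gap') },
  };
}

// Constructed sample with abbreviated item lists (not real assessment data).
const SAMPLE = { haira: [1, 2, 3, 2, 1, 2, 3], ppto: [2, 1, 3, 0], nist: [2, 1, 1, 0],
  ruaih: ['yes', 'partial', 'no', 'na', 'partial', 'no', 'yes'],
  heaal: ['addressed', 'gap', 'partial', 'unassessed'], lifecycle: ['done', 'inprogress', 'notstarted', 'na'] };
```

With the sample above, `composite(SAMPLE)` lands at 37.5% (Developing) and `actionPlan(SAMPLE).quickWins` lists the two RUAIH items marked "No".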