AI governance for healthcare in Aotearoa that protects patients and practitioners.
Healthcare AI carries patient safety, practitioner liability, health information privacy, and hauora Māori health equity together in a single decision. We help New Zealand healthcare organisations comply with the Health Information Privacy Code 2020, Medsafe SaMD requirements, Privacy Act 2020, and clinical governance obligations.
Research from Waitematā Healthcare published in Nature Digital Medicine found that international governance frameworks are inappropriate for Aotearoa New Zealand's healthcare context. Governance needs to be context-specific, population-appropriate, and grounded in local regulatory and cultural realities.
Three governance pressures in NZ healthcare AI.
Healthcare AI adoption is accelerating across Aotearoa New Zealand, from Te Whatu Ora to private hospitals and primary care. Governance has not kept pace with the technology, the regulatory requirements, or the cultural obligations that make healthcare in this country unique.
- 01 Classification risk
Is our AI software a regulated medical device?
Medsafe regulates software as a medical device (SaMD) under New Zealand law. Classification is not always straightforward. Clinical decision support tools, AI scribes with diagnostic features, and predictive analytics may all require registration depending on their intended use. Getting classification wrong creates serious legal exposure for healthcare organisations and the practitioners who rely on these tools.
- 02 Practitioner liability
What are practitioners' obligations when using AI?
Practitioners remain personally responsible for AI used in their clinical practice. That means checking scribe accuracy against clinical judgement, understanding bias risks that affect different patient populations, and ensuring proper informed consent under the Code of Health and Disability Services Consumers' Rights. Many clinicians across New Zealand are using these tools without understanding the governance and liability obligations attached to their use.
- 03 Data exposure
How do we protect patient data in AI systems?
Health information receives extra protection under the Health Information Privacy Code 2020, which operates alongside the Privacy Act 2020's 13 Information Privacy Principles. AI scribes process consultation recordings. Models may be trained on patient data. Where does the data go? Who can access it? How long is it retained? What happens to the data if the AI vendor is acquired or goes out of business?
Hauora Māori and health equity in AI governance.
Healthcare AI governance in Aotearoa New Zealand cannot be separated from the imperative to improve hauora Māori health outcomes and address the persistent health inequities experienced by Māori communities. AI systems deployed without cultural governance risk perpetuating or deepening these disparities through biased algorithms, unrepresentative training data, or decision-making processes that do not account for the social determinants of health that disproportionately affect Māori whānau.
Te Tiriti o Waitangi creates obligations for the health system to actively protect Māori health and wellbeing. When healthcare organisations deploy AI, these Treaty obligations extend to the governance of those systems: Māori health data governed according to Māori data sovereignty principles, algorithms tested for bias against Māori populations specifically, clinical AI tools validated for effectiveness across diverse New Zealand populations, and Māori communities given meaningful input into how AI is used in the delivery of their healthcare.
We help healthcare organisations build AI governance that centres hauora Māori and health equity alongside clinical safety, privacy compliance, and regulatory requirements. Not a separate workstream, but an integral dimension of responsible healthcare AI governance in Aotearoa.
Healthcare AI sits under multiple regulators.
No single framework covers healthcare AI in New Zealand. Organisations must satisfy Medsafe, the Health Information Privacy Code 2020, the Privacy Act 2020, the Code of Health and Disability Services Consumers' Rights, and Treaty of Waitangi obligations simultaneously.
Medsafe
Medical device regulation
- Software as a Medical Device (SaMD) classification under New Zealand regulations.
- Clinical decision support tools may require formal registration and ongoing monitoring.
- AI scribes with diagnostic or recommendation features under regulatory review.
HIPC 2020
Health Information Privacy Code
- Stricter requirements than the Privacy Act for health information processing.
- Additional informed consent requirements when AI processes patient data.
- Cross-border transfer restrictions for overseas AI vendors processing health data.
Privacy Act 2020
Baseline privacy requirements
- All 13 Information Privacy Principles apply to health data processing by AI.
- Automated decision-making transparency required under Privacy Commissioner guidance.
- Individual rights to access, correct, and understand how their information is used.
Clinical & Treaty
Patient safety and cultural safety
- Clinical validation of AI diagnostic and decision support tools for NZ populations.
- Hauora Māori health equity assessment and algorithmic bias monitoring.
- Practitioner competency, incident reporting, and quality monitoring for AI systems.
Where healthcare organisations use AI.
Each use case has a different risk profile, regulatory pathway, and governance need. We tailor the approach to each category.
Use case
Clinical decision support
AI tools that assist diagnosis, treatment planning, or clinical decision-making. May require Medsafe registration depending on intended use and the degree to which the tool influences clinical outcomes.
Use case
AI medical scribes
Consultation recording and clinical note generation. Raises HIPC 2020 consent questions, data residency concerns, and practitioner verification obligations under New Zealand clinical standards.
Use case
Medical imaging AI
Radiology interpretation, pathology analysis, and diagnostic imaging. Requires clinical validation for New Zealand populations, quality monitoring, and ongoing assessment of accuracy across diverse patient groups.
Use case
Predictive analytics
Patient risk stratification, readmission prediction, and resource planning. Needs bias monitoring for hauora Māori equity, clinical oversight, and validation of predictive accuracy for New Zealand populations.
Why international AI frameworks fail in NZ healthcare.
Research published in Nature Digital Medicine from Waitematā Healthcare found that internationally developed AI governance models are inappropriate for Aotearoa New Zealand's healthcare context. The study identified several critical gaps: international frameworks do not account for Te Tiriti o Waitangi obligations, they lack provisions for the cultural safety of Māori and Pacific patients, and they do not address the specific regulatory environment created by the Health Information Privacy Code 2020 and the Code of Health and Disability Services Consumers' Rights.
Healthcare organisations in New Zealand need context-specific and population-appropriate governance that addresses questions international frameworks never ask. What happens to patient data if the AI vendor is sold or acquired? Who bears responsibility for ongoing monitoring and audit of clinical AI accuracy? How are conflicts of interest managed when the same organisation develops, deploys, and evaluates AI tools? What specific provisions exist for intellectual property sharing and commercialisation of AI insights derived from patient data? We help organisations address these challenges with governance designed for the Aotearoa healthcare system.
How we help healthcare organisations.
Tailored AI governance services for New Zealand healthcare, from Te Whatu Ora through to private practices and healthtech businesses.
Regulatory compliance assessment
We assess your AI systems against Medsafe medical device requirements, the Health Information Privacy Code 2020, the Privacy Act 2020, and the Code of Health and Disability Services Consumers' Rights. We identify compliance gaps, provide remediation strategies, and include Treaty of Waitangi requirements for hauora Māori equity in AI deployment.
Clinical governance frameworks
Clinical governance frameworks for AI that integrate with your existing quality and safety processes. Practitioner training on AI obligations, clinical validation protocols for New Zealand populations, incident response procedures, accountability frameworks for AI failures, and monitoring systems that track bias, accuracy, and equity outcomes over time.
Privacy Impact Assessments
PIAs for AI systems processing health information, ensuring compliance with the Health Information Privacy Code 2020 and the Privacy Act 2020's 13 Information Privacy Principles. Documented privacy safeguards and evidence of compliance that satisfies the Privacy Commissioner and supports clinical governance requirements.
Frequently asked questions.
Does our AI medical scribe require Medsafe registration?
It depends on the intended use. If the scribe only documents what the practitioner says and generates clinical notes for review, it is likely not classified as a medical device. If it provides diagnostic suggestions, clinical recommendations, or alerts based on the consultation content, it may require Medsafe registration as a Software as a Medical Device. We help you assess classification and determine your regulatory obligations under New Zealand law.
What are practitioners' governance obligations when using AI?
Practitioners remain responsible for the accuracy of clinical notes and decisions generated or informed by AI. Under the Code of Health and Disability Services Consumers' Rights, they must review and verify AI-generated content, understand the tool's limitations, obtain appropriate informed consent from patients, and ensure HIPC 2020 compliance. Healthcare organisations have a responsibility to train practitioners on these obligations and establish clinical governance processes that support safe AI use.
Can we use overseas AI vendors for health data processing?
The Health Information Privacy Code 2020 restricts the overseas transfer of health information. You need to assess whether the overseas AI vendor has privacy safeguards comparable to those required under New Zealand law, and document your assessment thoroughly. The Privacy Commissioner expects organisations to understand precisely where health data goes and what protections are in place. We help you evaluate AI vendors and implement appropriate contractual and technical protections for cross-border health data flows.
How do we handle patient consent for AI processing?
The Health Information Privacy Code 2020 requires informed consent for health information processing. Patients need to understand that AI will be used, what it does, where their data goes, and how it is protected. The Code of Health and Disability Services Consumers' Rights reinforces the right to be fully informed. We help healthcare organisations develop consent processes and patient information materials that meet legal requirements and build patient trust in how AI is used in their care.
How does hauora Māori health equity factor into AI governance?
Te Tiriti o Waitangi obliges the health system to actively protect Māori health and address health inequities. When AI is deployed in healthcare, these obligations extend to the governance of those systems: testing algorithms for bias against Māori populations, validating clinical AI tools for Māori patients, incorporating Māori data sovereignty principles through kaitiakitanga and mana, and engaging with Māori communities about how AI affects their healthcare. We integrate hauora Māori equity assessment into every aspect of healthcare AI governance.
Ready to build governance for your healthcare AI?
A governance assessment maps your AI systems against Medsafe SaMD, HIPC 2020, the Privacy Act 2020, clinical governance obligations, and hauora Māori health equity in a single integrated review.