On May 29, 2026, the Ministry of Health and Welfare ("MOHW") issued, by Letter Wei-Bu-Yi-Zi No. 1151663164, the "Guidelines for the Application of Generative AI by Medical Institutions" ("Guidelines"), for reference by public and private hospitals and clinics that are preparing to adopt, or have already adopted, generative AI. The applicable use scenarios include assistance with medical-record drafting, clinical decision support, drafting of administrative documents, and patient-communication tools. AI Agent Systems, which feature autonomous decision-making and thus entail heightened patient-safety and liability risks, are not yet within the scope of the Guidelines.
Nature and spirit of the Guidelines: The Guidelines are issued pursuant to the authority conferred on competent authorities of the relevant target enterprises under the "Artificial Intelligence Basic Act," and constitute administrative guidance for the medical field rather than mandatory rules; medical institutions may still adopt appropriate measures according to their actual circumstances and applicable laws. The Guidelines are centered on "responsible innovation," and seek to give effect to the principles of a "human-centric" approach, privacy protection, and risk governance.
Six categories of risk: The Guidelines remind medical institutions to identify and manage six categories of risk from a holistic system perspective (people, processes, technology, and external dependencies): foundation-model bias; external data-source risk; output "hallucination" (generating content that appears plausible but is in fact incorrect); cybersecurity attacks (such as prompt injection and data leakage); user over-reliance leading to degradation of clinical judgment; and the risk of disruption to external model or cloud services.
Five core implementation principles: At the institutional level, medical institutions should uphold five core principles: designating a responsible unit to identify risks; completing information-security and data-protection assessments prior to adoption; planning for system integration and operational continuity (including alternative processes and recovery procedures in the event of system failure); fostering a responsible organizational culture and personnel training; and continuous monitoring and improvement following adoption.
Three phases and nine matters requiring attention: The Guidelines further divide the adoption lifecycle into three phases, i.e., "pre-adoption assessment," "adoption and integration," and "post-adoption use and oversight," and set out nine specific matters, covering risk inventory and grading, regulatory-compliance review, performance and clinical-safety testing, phased rollout and rollback mechanisms, supplier-contract management (including requiring disclosure of the large language model used), ongoing monitoring, bias management, allocation of responsibilities, and education and training.
Key compliance points: The manner of use should comply with the purpose-limitation requirements of the Personal Data Protection Act and the rules of the Medical Care Act regarding medical-record management and patient privacy; the practice scope and personal-performance requirements applicable to medical personnel should be reviewed; and where a system's functions involve the diagnosis, treatment, or prevention of disease, attention should be paid to whether it constitutes a medical device, with an application to the Food and Drug Administration for a classification determination where necessary. In any scenario involving clinical judgment, patient safety, or medical records, a duly qualified medical professional must remain responsible for final confirmation and accountability; and where generative AI interacts with the public or audio/video recording is conducted, patients or their family members should be informed of the purpose and limitations.
Although the Guidelines are not legally binding, they concretely outline the competent authority's governance expectations for medical AI and dovetail with existing legal regimes such as the Personal Data Protection Act, the Medical Care Act, and medical-device regulation. When adopting such systems, medical institutions are advised to establish internal governance structures, contract-management practices, and education-and-training mechanisms at an early stage, so as to balance medical quality, patient safety, and patient privacy. Our firm has a dedicated "Life Sciences & Healthcare Practice Group"; should you have any further questions regarding the Guidelines, compliance assessment, or vendor-contract planning, you are welcome to contact our specialists at any time.