AI is disrupting the traditional governance frameworks healthcare organizations have relied on. As AI adoption accelerates, the governance structures built to protect patient data are being tested in ways they were never designed for. However, that also means there is an opportunity to build governance frameworks that match how AI actually operates.
In this episode of #shifthappens, Jenn Johnson, Partner and Executive Vice President of Privacy and Security at Kuma, discusses what changes and what stays the same when AI enters healthcare environments. What is clear throughout the conversation is that the path forward is getting the most out of AI while governing it in a way that keeps patient trust intact.
A Framework Under Pressure
For years, the Health Insurance Portability and Accountability Act (HIPAA) has given healthcare privacy and security professionals a reliable foundation: minimum necessary access, role-based controls, consent, transparency, and structured data exchange. HIPAA was enacted in 1996, and the principles codified in its Privacy and Security Rules have since become standard practice; Jenn sees them as the standard that most organizations can afford to implement.
However, AI is stretching that framework. As Jenn puts it, “The technology is outpacing the governance and the understanding of the guardrails that need to be put in place.” Organizations that once operated within well-defined compliance boundaries are now navigating AI territory where the rules are still being written.
Some organizations have responded by defaulting to refusal, blocking AI adoption entirely until leadership feels ready. Jenn describes this as a “blinders approach,” cautioning that avoidance will not improve privacy, security, or governance. Instead, it delays the visibility leaders need to govern effectively and keeps AI usage outside the organization’s line of sight, typically in the form of unsanctioned tools staff adopt on their own.
The organizations moving forward effectively are the ones treating this as a reason to break down silos. That means connecting privacy and security teams with engineers, clinicians, chief medical officers, and product teams to see what is happening with AI across the organization.
The Complexities of Vendor Risk and Clinical Decision Making
Governance gets more complicated when AI touches patient data in ways that are harder to control and harder to explain. Two areas in particular came up in the conversation: vendor risk and AI-driven clinical decision-making.
First is vendor risk. Healthcare organizations can develop strong internal AI governance – such as permitted use cases, prohibited data types, and governance committees – but the due diligence process for third-party AI tools must be equally rigorous. Before any vendor tool or external platform touches production patient data, organizations must vet it thoroughly against the security and privacy standards set by HIPAA as well as applicable state and federal regulations. Under HIPAA, a vendor that creates, receives, maintains, or transmits protected health information on the organization’s behalf is a business associate and must have a signed business associate agreement in place first; that agreement is a floor, not a substitute for technical review of how the tool stores, trains on, or shares the data. Vendor risk, Jenn notes, has always been one of the biggest concerns in healthcare privacy and security, and it is now amplified by the rise of AI.
Second is the complexity of AI-driven clinical decision-making. When AI accesses electronic health records, pulls data from clinician notes, or informs treatment recommendations, the workflows become difficult to explain both internally and to patients. Jenn flags that being able to describe what AI does with patient data may be just slightly beyond the reach of many organizations right now. That is where due diligence becomes critical: vetting tools, understanding algorithms, and assessing their risk of harm or bias before they reach patients.
This complexity also surfaces in the distinction between consent and authorization — two concepts with a clear legal delineation in healthcare. Standard consent covers treatment, payment, and operations. But when AI introduces multi-party workflows, research applications, or complex data exchanges, explicit authorization may be triggered: time-bound, descriptive, and more demanding of organizational clarity.
Regulate the Speed, Not the Car
Jenn frames the AI governance question with a car analogy. She points out that the focus should be on how the technology operates rather than on the technology itself, the way driving is regulated rather than the car.
Speed limits represent governance frameworks, a driver’s license represents vendor due diligence, and a speeding ticket represents accountability. And just as road infrastructure needs to be maintained so that drivers can move safely, secondary and tertiary governance structures need to support the systems AI interacts with — from interoperability standards to data retention requirements.
The goal, as Jenn frames it, is to ensure that data moves safely and efficiently for patients, providers, and payers, and that everyone involved can continue to operate responsibly.
Where Healthcare Leaders Can Start
The next step is turning that awareness into something actionable. Jenn lays out a practical framework drawn from her experience working with healthcare organizations as they incorporate AI into their workflows.
Anchor Governance to Real Use Cases
Before building policy, organizations need to understand where AI is actually being used. That includes internal-facing use cases, such as developers using AI as a coding assistant or AI transcription of meetings in clinical settings. It also covers external-facing applications, such as tools that parse data elements from patient records to produce clinical recommendations. Mapping these use cases creates the visibility that governance depends on. As Jenn puts it, “Know your use cases. It’s just like having a data inventory. Know where your data is.”
Formalize Policy People Can Follow
A healthcare organization’s governance policy is only effective if it is documented, approved by management, and backed by staff training on how to put it into practice. Jenn has seen well-written AI governance policies drafted by legal teams that then need to be deconstructed and rebuilt once they reach the privacy officer. Often, certain provisions simply do not reflect what the organization actually does.
Build Due Diligence into the Process
Every AI use case or vendor tool should go through a structured review before it reaches production, whether that means approving, adjusting, or rejecting it. Patient data is sensitive and unique to individuals, and in healthcare, that demands a higher standard of diligence. A structured review process helps organizations make that call.
Treat Vendors as Part of Your Risk Surface
AI vendors do not sit outside healthcare’s regulatory obligations. When a third-party tool accesses patient data, the healthcare organization remains accountable for how that data is used and governed. That accountability holds whether the tool is built in-house or sourced externally.
AI Trust Is Built Before It Is Tested
Patient trust is earned when governance is consistently practiced. The governance decisions healthcare leaders make now will determine whether that trust holds as AI adoption grows: how they vet tools, formalize accountability, and respond to what AI enables. That is the work ahead, and it starts with what healthcare organizations choose to do today.
Soundtrack of Shift
Jenn’s Soundtrack of Shift, “Believer” by Imagine Dragons, reflects how she navigates change — through resilience, positive reframing, and leaning on the right people. From an unexpected career leap into privacy and security to personal health challenges, the song captures her belief that growth comes from pushing through and adapting to the hardest moments.
Explore more soundtracks shaping how leaders approach change and transformation today.
Episode Resources
#shifthappens Research: The State of AI Report
Dux Raymond Sy on LinkedIn
Dana Simberkoff on LinkedIn
Jenn Johnson on LinkedIn
Kuma website