---
title: "AI Medical Record Summarization: MDR, FDA SaMD, GDPR Article 9 | Impetora"
description: "Compliance map for AI medical record summarization under EU MDR, FDA SaMD, GDPR Article 9, MHRA guidance and the EHDS, with a defensible deployment design."
url: https://impetora.com/answers/ai-medical-record-summarization
locale: en
datePublished: 2026-04-28
dateModified: 2026-04-28
author: Impetora
---

# AI medical record summarization: where it sits in EU and US rules

> Medical record summarisation is the highest-leverage AI use case for clinicians. A discharge summary that takes a junior doctor twenty minutes can be drafted in thirty seconds. The regulatory question is whether the summarisation engine is "just an editor" or a clinical-decision-support tool. The answer determines MDR class, FDA SaMD class, the depth of validation required and the procurement path [1].

*Updated 2026-04-28. By Impetora.*

## What does medical-record summarisation cover?

Two distinct workflows. Clinician-facing summarisation drafts handover notes, discharge letters, referral letters and case reviews from existing records. Patient-facing summarisation produces lay-language summaries for the patient portal. The clinical risk profile of the two is different even though the underlying technology is similar. Inputs are protected health data: clinical narrative, lab results, imaging reports, medication history. Outputs are derived clinical documents intended for human review and onward use. The human-review step is what keeps most deployments out of high-risk MDR territory.

## Is summarisation a medical device under MDR?

MDR Article 2(1) and MDCG 2019-11 frame the question. Software is a medical device if it is intended for diagnosis, monitoring, prediction, prognosis, treatment or alleviation. Pure paraphrasing of existing documentation is not. Summarisation that introduces new clinical conclusions, flags conditions the original record did not mention, or recommends treatments crosses into MDR [2]. Class IIa is the likely class for any summariser whose output materially informs clinical decisions, under MDR Annex VIII Rule 11. CE marking via a notified body is then required. Class I (self-certification) is reserved for software that does not provide information used for diagnosis or therapeutic decisions.

## How does FDA SaMD treat summarisation?

The FDA's framework, aligned with IMDRF, classifies SaMD by the significance of the information provided to the healthcare decision (inform, drive or treat / diagnose) and the seriousness of the condition (non-serious, serious, critical). A summariser whose output informs treatment of a serious condition is at least SaMD Class III in the IMDRF framework [3]. FDA's 2023 guidance on Clinical Decision Support Software clarified which CDS functions remain outside Section 520(o)(1)(E) of the FD&C Act and therefore unregulated. The four-prong test asks whether the software is intended for healthcare professional use, displays the basis of the recommendation, and supports independent review. Summarisation tools that meet all prongs avoid SaMD classification.

## What does GDPR Article 9 require?

Health data is special-category. Processing requires an Article 6 lawful basis and an Article 9 condition (typically 9(2)(h) healthcare provision plus Member State health-data law). Patient-facing summaries reuse the existing healthcare basis; clinician-facing summaries extend it to AI processing. The Article 28 data-processing agreement with the AI vendor is the operative instrument. It must include the standard processor obligations, audit rights, sub-processor controls, security measures aligned with Article 32 and breach-notification cooperation. ENISA guidance on health-data processing gives the working baseline for technical measures.

## How does the European Health Data Space affect AI deployments?

Regulation (EU) 2025/327 establishes the European Health Data Space, with primary use (healthcare provision) and secondary use (research, policy, regulatory) regimes. AI summarisation is primary use within the institution. Where summarised data flows into the secondary-use system, the EHDS Article 50 onward rules on permits and data altruism apply [4]. The EHDS does not create new AI-specific obligations beyond MDR and the AI Act, but it standardises data-format and access expectations that AI vendors must meet. Procurement teams should require EHDS-aligned data interfaces in vendor contracts.

## What does a defensible design look like?

Six elements. A narrow intended-purpose statement (paraphrasing of clinician-authored content, no new clinical conclusions). Mandatory clinician sign-off before the document goes to the record. Visible source attribution showing which sentence came from which note. Hallucination-prevention controls (retrieval-grounded generation, no out-of-source claims). An Article 28 data-processing agreement with audit rights and EU-residency commitments. Performance monitoring, including factual-faithfulness evaluation against source records.

## Frequently asked questions

### Does an AI summariser need a CE mark under MDR?

It depends on the intended purpose. Pure paraphrasing of existing physician-authored content arguably stays outside MDR (Class I or non-device). Summarisation that introduces new clinical conclusions or recommendations is a medical device, typically Class IIa under Annex VIII Rule 11. Documenting the intended purpose narrowly is the design choice that determines class.

### What about hallucinations?

Hallucination prevention is a design and validation problem. Production deployments use retrieval-grounded generation with source attribution and apply factual-faithfulness scoring against the source record. Mandatory clinician sign-off is the human-oversight backstop. Hallucinations are also why most production summarisation tools restrict the model to extractive or strictly-grounded abstractive output.

### Can patient-facing summaries skip clinician review?

No. Released summaries that reach the patient need clinician sign-off. The risk of an unreviewed summary giving the patient incorrect information is a clinical-safety issue regardless of MDR classification. Deployments either send the summary to the clinician's queue or restrict patient-facing output to verified template content.

### Is on-premise deployment required?

Not by EU rules in general, but national health regulators sometimes add data-residency requirements. The default is cloud with EU-residency commitments, full processor agreement, encryption and audit rights. On-premise is a procurement-led choice driven by security posture or specific national rules.

### How is summarisation performance measured?

Three axes. Factual faithfulness (does every claim trace back to the source?). Coverage (are the clinically relevant facts present?). Style (length, tone, format). Production deployments run automated evaluation against held-out gold-standard summaries on each model update, plus manual review on a sampled basis.
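
The source-attribution, no-out-of-source-claims and clinician sign-off controls from the design section, together with the faithfulness axis above, can be sketched as a release gate. This is an added example, not Impetora's or any vendor's code; the notes, the draft, the `0.7` threshold and all function names are constructed for illustration, and plain token overlap stands in for a real faithfulness scorer.

```python
import re

# Constructed sample records (not real patient data).
NOTES = {
    "admission_note": "Patient admitted with community-acquired pneumonia. "
                      "Started on amoxicillin 500 mg three times daily.",
    "lab_report": "CRP 85 mg/L on admission, falling to 12 mg/L on day 4. "
                  "Renal function normal.",
}
DRAFT = ("Patient was admitted with community-acquired pneumonia. "
         "Amoxicillin 500 mg was started three times daily. "
         "CRP fell from 85 mg/L to 12 mg/L by day 4. "
         "Recommend starting warfarin for suspected atrial fibrillation.")
STOP = {"the", "a", "an", "was", "were", "is", "with", "on", "to", "by",
        "for", "of", "and", "from", "in"}

def tokens(text):
    """Lower-cased content words, stop words removed."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP}

def attribute(draft, notes, threshold=0.7):
    """Attribute each draft sentence to the note that best supports it."""
    note_tokens = {nid: tokens(body) for nid, body in notes.items()}
    report = []
    for sentence in re.split(r"(?<=[.!?])\s+", draft.strip()):
        words = tokens(sentence)
        if not words:
            continue
        # Support = share of the sentence's content words found in one note.
        best_id, best = max(((nid, len(words & nt) / len(words))
                             for nid, nt in note_tokens.items()),
                            key=lambda pair: pair[1])
        grounded = best >= threshold
        report.append({"sentence": sentence, "grounded": grounded,
                       "source": best_id if grounded else None,
                       "support": round(best, 2)})
    return report

def release_decision(report, clinician_signed_off):
    """Block on any unsupported sentence; otherwise require sign-off."""
    unsupported = [r["sentence"] for r in report if not r["grounded"]]
    if unsupported:
        return "blocked: unsupported claims", unsupported
    if not clinician_signed_off:
        return "pending clinician sign-off", []
    return "released to record", []
```

Lexical overlap misses negations and altered values (a sentence reusing the source's words with "no" inserted still scores high), so a production gate would pair attribution with an entailment-style check; the gating logic stays the same.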

## Sources cited

1. Regulation (EU) 2017/745 (Medical Device Regulation). European Union, Official Journal, 2017-04-05. https://eur-lex.europa.eu/eli/reg/2017/745/oj
2. MDCG 2019-11 Guidance on qualification and classification of software. European Commission MDCG, 2019-10. https://health.ec.europa.eu/document/download/2c81f5fc-c1ab-4b3a-8a42-08c5fbcd3bdb_en
3. Clinical Decision Support Software - FDA Final Guidance. US Food and Drug Administration, 2022-09. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software
4. Regulation (EU) 2025/327 European Health Data Space. European Union, Official Journal, 2025-02-05. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32025R0327
5. Regulation (EU) 2016/679 (GDPR). European Union, Official Journal, 2016-04-27. https://eur-lex.europa.eu/eli/reg/2016/679/oj
