AI due diligence for HealthTech acquisitions.

Prior authorization AI, clinical decision support, and PHI-routing tools create Annex III exposure most HealthTech buyers never discover before close.

Why HealthTech is different.

Clinical decision support and prior authorization systems fall under EU AI Act Annex III §5(a). Conformity assessment is a hard requirement, not a recommendation.

Most HealthTech targets route PHI through one or more AI vendors. A BAA gap with any one of them is a HIPAA exposure that survives close.

The privacy policy (v4.1) of an average HealthTech Series C lists 6 sub-processors. IRON reliably finds 2 to 4 additional AI vendors active in production but not disclosed there.

What IRON finds in HealthTech deals.

  1. OpenAI BAA gaps
    Detected via job postings; not listed in the privacy policy's sub-processor list. EU AI Act Art. 28.
  2. Annex III classification
    Clinical decision support meets the Annex III definition. Conformity assessment required.
  3. PHI routing
    GitHub repos reference patient data preprocessing. Potential HIPAA §164.514 issue.
  4. CMS coverage determination AI
    Automated coverage determinations require human review pathway under CMS guidance.

Frameworks that apply.

Framework    Trigger                    Obligation
EU AI Act    Art. 6, Annex III §5(a)    Conformity assessment, post-market monitoring, Art. 13 transparency
HIPAA        §164.502, §164.514         Minimum-necessary use of PHI, de-identification, BAA chain
GDPR         Art. 22                    Right to human review of automated decisions affecting EU patients