ACE Journal

AI Clinical Decision Support and Liability Attribution

Abstract

AI-driven clinical decision support (CDS) systems are moving from narrow diagnostic aids - flagging diabetic retinopathy in fundus images, detecting sepsis onset from EHR data - toward broader workflow integration: differential diagnosis suggestion, medication dosing recommendations, and discharge risk stratification. As these systems move from narrow, FDA-cleared indication-specific tools toward general-purpose clinical reasoning assistants, the liability framework governing their errors grows increasingly incoherent. Existing medical malpractice doctrine assigns liability to the physician whose judgment was applied; when that judgment is materially shaped by an algorithmic recommendation the physician cannot fully interrogate, attribution becomes contested. This article examines the liability gap, the role of the FDA’s software-as-medical-device (SaMD) classification in shaping it, and the practical accountability mechanisms that hospital systems are beginning to adopt.

The SaMD Classification Problem

The FDA’s Digital Health Center of Excellence has developed a tiered risk framework for software as a medical device, distinguishing between tools that inform clinical judgment and those that drive it. CDS tools that display information for a clinician to interpret - laboratory trending dashboards, imaging viewers - are largely exempt from device regulation under the 21st Century Cures Act. Tools that provide specific treatment or diagnosis recommendations cross into regulatory territory requiring 510(k) clearance or De Novo authorization.

The practical boundary between “informing” and “driving” judgment is blurring rapidly. Large language model-based systems like tools built on GPT-4 and its successors, deployed as clinical reasoning assistants, can produce differential diagnoses, drug interaction alerts, and discharge summaries that clinicians review under cognitive load and time pressure. Studies in emergency medicine settings consistently find automation bias - clinicians accept algorithmic suggestions at rates that exceed the tools’ validated accuracy - but the legal framework still treats the clinician as the sole decision-maker.

Liability Attribution Under Current Doctrine

When an AI-recommended treatment decision results in patient harm, current tort doctrine routes liability through two channels. The treating physician faces standard malpractice liability for failing to exercise independent professional judgment. The hospital faces institutional liability for deploying a tool it knew or should have known was unreliable. The software vendor, insulated by contract terms and by the doctrinal principle that learned intermediary liability attaches to the prescribing physician, rarely faces direct liability.

This allocation is ethically problematic when the physician lacks the technical capacity to evaluate the system’s recommendations - which is the norm, not the exception. A cardiologist using an AI arrhythmia classifier integrated into an Epic EHR workflow has no practical means of assessing whether the model’s training distribution matches her patient population, whether the model is under distribution shift due to a recent EHR upgrade, or whether its confidence calibration is reliable. The learned intermediary doctrine was developed for pharmaceutical liability, where the physician has access to clinical trial evidence. It maps poorly onto black-box ML systems.

Emerging Institutional Responses

Several large hospital systems are developing internal governance mechanisms that pre-distribute liability risk by establishing documented review processes. Mayo Clinic, Partners HealthCare (now Mass General Brigham), and Kaiser Permanente have each published or described internal AI governance frameworks that include prospective algorithmic impact assessments, mandatory clinical validation against local patient populations before deployment, and ongoing post-deployment monitoring. These frameworks create a paper trail that matters in litigation even when liability doctrine has not formally shifted.

What is missing is a federal standard that would make such governance mandatory, auditable by external parties, and enforceable with meaningful penalties. The FDA’s action plan for AI/ML-based SaMD, updated in 2023, created a framework for predetermined change control protocols but did not establish liability standards. Until it does, the incentive for vendors is to invest in contract language limiting their exposure rather than in the transparency that would allow genuine clinical accountability.