A Hospital Group Just Asked How Your AI Clinical Decision Support Tool Logs Its Decisions for Post-Market Surveillance: Answering the Article 20 Record-Keeping Questions
The request came from the IT governance lead at a seven-hospital group in the Netherlands. Your AI clinical decision support platform had passed the clinical safety review. The procurement committee was the last gate before contract signature.
Section 8 appeared in the vendor questionnaire:
"Please describe how your AI system automatically logs its outputs and the data inputs that triggered those outputs. Include log retention periods, access controls, and how your logs support post-market surveillance and incident investigation. Reference the applicable EU AI Act provisions."
Six sub-questions. All in Section 8. Required before contract approval.
Here is exactly what Article 20 requires, how it applies to clinical decision support, and what documentation to send.
Why Hospital Procurement Teams Ask About Logs
Hospital procurement teams and IT governance leads are not asking about logs because they are curious about your architecture. They are asking because EU AI Act Article 20 makes automatic logging a mandatory requirement for providers of high-risk AI systems — and clinical decision support tools almost certainly qualify as high-risk under Annex III, point 5(a).
More practically: if your system is involved in a clinical incident, the hospital's incident investigation team will need logs. If those logs do not exist, are incomplete, or cannot be accessed, the hospital has a problem with their regulators and potentially their insurers. The procurement team is protecting the hospital from that scenario before it happens.
What Article 20 Requires
Article 20 of the EU AI Act establishes logging obligations for high-risk AI systems:
Article 20(1): High-risk AI systems shall technically allow for the automatic recording of events (logs) throughout the system's lifetime.
Article 20(2): Logging capabilities shall ensure a level of traceability appropriate to the intended purpose of the system. Specifically, logs shall enable the monitoring of the operation of the AI system and the identification of situations that may result in risk.
Article 20(3): For high-risk AI systems referred to in Annex III, point 1(a) — biometric systems — additional specific logging requirements apply. (Note: this specific provision applies to biometric systems, not clinical decision support.)
Article 20(4): Providers shall keep the logs generated by their AI systems to the extent this is within their control, and for the period necessary under applicable law. Deployers — the hospital in your case — are also required to keep logs generated during their use of the system under Article 29(5).
The core obligation is clear: the system must generate logs automatically, and those logs must be sufficient to support monitoring and incident investigation.
What "Automatically Generated Logs" Means in Practice
The phrase "automatically generated" is deliberate. Article 20 is not satisfied by asking clinical staff to manually document what the AI recommended. The system itself must record the event.
For a clinical decision support tool, an adequate automatic log entry typically captures:
- A timestamp of when the AI recommendation was generated
- The patient or case identifier (pseudonymized or anonymized depending on your data architecture)
- The input data that triggered the recommendation (e.g., the specific data fields, lab values, or clinical notes processed)
- The specific output generated (the recommendation, risk score, or alert)
- The model version that generated the output
- Whether a clinician reviewed and acted on the recommendation (if your system captures that feedback loop)
The log does not need to store the full clinical record. It needs to capture enough to reconstruct what the AI saw and what it said, for any given event.
Log Retention: How Long Is Long Enough?
Article 20 does not specify a universal retention period — it defers to applicable law. For healthcare AI in the EU, the relevant frameworks include:
- EU Medical Device Regulation (MDR): Requires post-market clinical follow-up (PMCF) and incident reporting for at least 10 years after the last device has been placed on the market (15 years for implantable devices)
- GDPR: Requires retention periods proportionate to purpose; patient data logs may be subject to local health data retention laws
- EU AI Act Article 20(4): Providers must retain logs "for the period necessary under applicable law"
In practice, for clinical AI, a minimum 5–10 year log retention period is defensible and expected. Your response should state the retention period and the legal basis for it.
Access Controls: Who Can See the Logs
The hospital's IT governance team will want to know who can access the logs and under what conditions. Their concerns are:
- Clinical incident investigation: The hospital's risk management and clinical governance teams need to be able to access logs when a patient safety event occurs involving the AI system
- Post-market surveillance by the provider: You, as the provider, need access to aggregate performance data to fulfill your post-market surveillance obligations under Article 72
- Regulatory access: Competent authorities (such as the Dutch Health and Youth Care Inspectorate) may request access in the context of a market surveillance investigation
Your response should address:
- Whether logs are stored at the hospital (on-premises or in their cloud tenant) or retained by you
- What hospital staff roles can access logs and through what interface
- How you, as the provider, access logs for post-market surveillance — and whether that access is to anonymized/aggregated data or to identifiable patient-linked records
- Whether logs can be exported in a standard format for regulatory disclosure
How Logs Support Post-Market Surveillance
Article 72 of the EU AI Act requires providers of high-risk AI systems to establish and maintain a post-market monitoring (PMM) system. The connection to Article 20 is explicit: logs are the primary data source for post-market monitoring.
Your post-market surveillance system should use the logs generated under Article 20 to:
- Track system accuracy over time (do recommendations maintain the accuracy documented in your technical file?)
- Detect distributional shift (is the system being applied to patient populations or data inputs outside its validated scope?)
- Identify patterns in clinician override behavior (frequent overrides can signal that the AI is generating recommendations that fail in practice)
- Generate the data required for your annual Post-Market Surveillance Report under Article 72
When the hospital procurement team asks how your logs support post-market surveillance, they are checking whether you have connected Article 20 and Article 72 in a coherent way. A vague answer ("we monitor performance regularly") is not sufficient. A specific answer ("our system generates weekly aggregate performance reports from pseudonymized logs, which feed into our annual PMSR filed under Article 72, and we will provide you with a summary report annually under Section 6 of our contract") closes the section.
How to Answer the Six Sub-Questions
Q: What events are automatically logged? List them specifically: recommendation generated, input data fields processed, model version, timestamp, clinician review action (if captured), system errors.
Q: What input data triggers a log entry? Describe the event trigger — for example, "a log entry is generated each time the AI engine processes a patient data query and returns an output."
Q: What is the log retention period and its legal basis? State the period (e.g., 10 years) and cite the applicable frameworks (MDR, GDPR, Article 20(4)).
Q: Who can access the logs? Describe hospital-side access roles, your own provider access, and regulatory access provisions.
Q: How do logs support incident investigation? Walk through the workflow: "In the event of a clinical incident, [hospital role] can query the log system by patient encounter ID and timestamp to retrieve the specific AI recommendation and input data processed at that time."
Q: How do logs support post-market surveillance? Describe how aggregate log data feeds your PMM system and what reporting the hospital receives.
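As an added illustration (not the page's own code, nor any product's), the following Python sketch implements the log entry fields listed earlier, the encounter-ID-and-timestamp incident query from the sub-questions, and the clinician-override metric from the post-market section. Patient IDs, field names, the model version string and the pseudonymization key are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

PSEUDONYM_KEY = b"constructed-example-key"  # constructed; a real deployment keeps this in a KMS

def pseudonymize(patient_id: str) -> str:
    """Keyed hash: events stay linkable per patient without storing the raw ID."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def canonical_hash(inputs: dict) -> str:
    """SHA-256 over a canonical JSON form of the input fields the model saw."""
    blob = json.dumps(inputs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def make_log_entry(patient_id: str, encounter_id: str, inputs: dict,
                   output: dict, model_version: str, ts: str = None) -> dict:
    """Entry written automatically on every output: timestamp, pseudonymized patient,
    exact input fields, output, model version, and a recomputable input hash."""
    return {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "patient_ref": pseudonymize(patient_id),
        "encounter_id": encounter_id,
        "inputs": inputs,
        "input_sha256": canonical_hash(inputs),
        "output": output,
        "model_version": model_version,
        "clinician_action": None,  # set by record_review() if the feedback loop is captured
    }

def record_review(entry: dict, action: str) -> dict:
    """Attach the clinician's decision ("accepted" or "overridden") to the entry."""
    entry["clinician_action"] = action
    return entry

def verify_inputs(entry: dict) -> bool:
    """Integrity check for investigators: were the stored input fields altered later?"""
    return hmac.compare_digest(entry["input_sha256"], canonical_hash(entry["inputs"]))

def find_by_encounter(log: list, encounter_id: str, start: str, end: str) -> list:
    """Incident query: entries for one encounter inside an ISO-8601 time window."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in log if e["encounter_id"] == encounter_id
            and lo <= datetime.fromisoformat(e["ts"]) <= hi]

def override_rate(log: list, model_version: str) -> float:
    """Post-market signal: share of reviewed recommendations clinicians overrode."""
    reviewed = [e for e in log if e["model_version"] == model_version and e["clinician_action"]]
    return sum(e["clinician_action"] == "overridden" for e in reviewed) / len(reviewed) if reviewed else 0.0
```

The record deliberately stores the fields the model processed rather than the whole clinical record, which is what lets an investigator reconstruct "what the AI saw and what it said" for one event.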
What to Send
Attach to your response:
- A written log specification describing what is captured in each log entry and where logs are stored
- Your data retention policy covering AI system logs
- An access control matrix showing who can access logs and under what conditions
- A brief description of how log data feeds your post-market monitoring process
- A sample anonymized log entry (optional but useful — it makes the abstract concrete)
Procurement teams that can see the log format will close this section faster than those reading narrative descriptions.
Try Complizo free at complizo.com