Regulating the use of AI in healthcare (Bouderhem 2022, 2023) and its challenges at the national, regional and international levels is a complex and crucial topic. AI systems have the potential (Davenport and Kalakota 2019) to improve health outcomes, enhance research and clinical trials, facilitate early detection and diagnosis for better treatment, empower both health employees and patients who can rely on health monitoring in remote areas or developing countries. However, AI also poses ethical, legal, and social risks (Jiang et al. 2021), such as data privacy, algorithmic bias, patient safety, and environmental impact (Stahl et al. 2023). The WHO has published two reports on the use of AI systems in healthcare, respectively in 2021 and 2023 (WHO 2021, 2023). The WHO’s reports outline key considerations and principles for the ethical and responsible use of AI systems. AI for health should be indeed designed and used in a way that respects human dignity, fundamental rights and values. AI systems should promote equity, fairness, inclusiveness, and accountability. The WHO’s reports also highlight the challenges, legal and ethical gaps and voids that exist today on AI for health. There is currently a lack of harmonization and coordination between states and key stakeholders with few harmonized standards such as data privacy. It is extremely difficult for regulatory authorities to keep up with the rapid pace of innovation; AI models and generative AI such as ChatGPT are a clear illustration with unknown results and difficulties to predict the impact of such technologies on healthcare systems. The WHO considers that there is a need for capacity building and collaboration among different sectors and regions. The WHO is trying to address these challenges and to develop a global framework for the governance of AI systems for health. Also, the WHO is providing technical assistance and support for the implementation of its principles and recommendations at the national and regional levels. The WHO also encourages the development of innovative and inclusive approaches to the regulation of AI for health, such as co-regulation, self-regulation (Schultz and Seele 2023), and adaptive regulation, that can balance the benefits and risks of AI, and that can foster trust and confidence among the public and the health sector. However, these rules are only a guidance for WHO Members and do not create any legal obligations. Therefore, the WHO should adopt legally binding rules on AI in healthcare as it is the right authority to monitor global health and specifically digital health. The International Health Regulations (IHR) adopted by the 58th World Health Assembly in 2005 through the Resolution of the World Health Assembly (WHA) 58.3 (WHO, IHR 2005) should be amended to reflect the current state of AI systems in healthcare. Also, the importance of regional regulations such as EU regulations should not be minimized (Bourassa Forcier et al. 2019). The EU General Data Protection Regulation (GDPR) (EU Official Journal 2016), Data Act (EU Commission 2022a) and Artificial Intelligence (AI) Act (EU Commission 2021) could serve as a law model for WHO Members in adopting new legally binding rules for ethical and responsible AI systems in healthcare. The objective of the EU Data Act is to harmonize rules relating to a fair access to data and its use by public and private actors. As its predecessor the GDPR, the EU Data Act will help patients to keep control over their health data more efficiently. EU authorities have proposed a comprehensive legal framework for the regulation and promotion of ethical and responsible AI systems in healthcare and other fields. Such AI systems should be based on the principles of human-centricity, trustworthiness and sustainability (Sigfrids et al. 2023). The AI Act ensures that all AI systems are safe, reliable, and respect fundamental human rights such as the right to privacy; another fundamental aspect for EU authorities is to develop innovation and competitiveness. Also, the AI Act aims to enhance cooperation and coordination among EU Member States and stakeholders. The AI Act legal framework also takes into consideration the global nature of AI. It is expected that the AI Act will promote the EU’s leadership and influence in the international field of data protection regulation as it was the case with the GDPR which inspired several regions and countries (Bentotahewa et al. 2022). Expectations for the AI Act are very high as observers believe that the new regulation will provide legal certainty and trust for all AI stakeholders. A provisional agreement has been reached on 8 December 2023 (European Parliament 2023), which suggests that the AI Act could enter into force in 2024. On 24 January 2024, the European Commission adopted a decision establishing the European Artificial Intelligence Office which is intended to become a key body responsible for overseeing ‘the advancements in artificial intelligence models, including as regards general-purpose AI models, the interaction with the scientific community, and [which] should play a key role in investigations and testing, enforcement and have a global vocation’ (EU Commission 2024). On 2 February 2024, the AI Act was unanimously approved by the Council of EU Ministers (EU Council 2024). On 13 February 2024, the AI Act has passed the last legislative stage as it has been approved following discussions on a compromise deal between the European Commission, the Council of EU Ministers and the Joint committee on Internal Market and Consumer Protection and committee on Civil Liberties, Justice and Home Affairs (European Parliament 2024). The AI Act has now to be finally approved by the European Parliament in a plenary session scheduled for 10 and 11 April 2024 (Gibney 2024). EU regulations usually specify a transitional period of two years for their entry into force which means that the AI Act will be fully applicable by 2026. Compliance with the AI Act should start now as the regulation identifies different levels of risks and obligations. Regarding the necessity to adopt harmonized and new legally binding rules for AI in healthcare, it can be argued that states have a general obligation of cooperation under the United Nations (UN) Charter, including in health matters. Therefore, the WHO should be granted coercive powers to ensure compliance with the IHR which need to be amended by states parties to take into consideration the implementation of AI in healthcare.


This research focuses on publicly available data up to February 2024. Data collected and articles were first screened according to title and abstract and then the full texts of eligible articles were evaluated. Using the same search query, a gray literature research was performed in English on the Google Scholar search engine, retrieving articles focusing on the use of AI in healthcare with particular attention to regulations, policies and guidelines implemented by the EU or the WHO. I also searched for articles relating to the concrete applications of AI in healthcare to determine the technical, legal and ethical challenges posed by AI. Finally, I searched WHO’s institutional repositories for additional information. I combined the results from the different sources to outline the insufficient current legal framework applicable to the use of AI in healthcare – mostly soft law rules – emphasizing the necessity to adopt new legally binding rules under the WHO. AI-generated medical advice such as the GPT chatbot is an illustration of concrete threat to patients’ safety (Haupt and Marks 2023). Therefore, a coordinated and global answer response should be privileged by the international community under the auspices of the WHO. This move will ensure that all WHO Members are legally bound by the same international standards and best practices as there is no universal agreement on the use of AI in healthcare.

Concrete applications of AI in healthcare

As discussed previously, AI in healthcare encompasses a broad range of opportunities and applications. AI systems and generative AI can improve health outcomes, efficiency, and quality of care. The main purpose of such innovative applications and digital health tools is to enhance patients’ experience and democratize access to healthcare worldwide, in line with the UN Sustainable Development Goals (SDGs). If used correctly, AI systems will eliminate human bias (Abbey 2023). Some concrete examples of AI in healthcare are mentioned above in a non-exhaustive list (see Table 1) in an effort to delineate the topic of the study and help to the elaboration of a comprehensive legal framework in the field of AI regulation.

Table 1 Examples of AI applications in healthcare.

The use of AI in healthcare will offer better care patient and reduce costs (Sunarti et al. 2021). AI can also reduce errors from human negligence for instance; innovation provided by AI models is expected to improve care management (Klumpp et al. 2021).

Regarding medical imaging analysis, it has been demonstrated that AI systems can help radiologists and other medical professionals interpret images from computed tomography (CT), magnetic resonance imaging (MRI), ultrasound, and other modalities (Hosny et al. 2018). AI can detect anomalies, measure features, and provide diagnoses based on the images. For example, AI can help diagnose lung cancer from chest X-rays or brain tumors from MRI scans (Chiu et al. 2022).

Researchers and pharmaceutical companies are relying on AI for the development and discovery of new drugs; AI systems can also be used for drug repurposing (Paul et al. 2021). AI systems can indeed analyze considerable amounts of data (Quazi 2022) from genomic (Chafai et al. 2023), molecular, and clinical sources; such capabilities allow AI systems to generate novel hypotheses and predictions. AI has already been used for drug repurposing or repositioning in precision medicine. Researchers discussed how AI systems could be used for repurposing or repositioning existing drugs which can help design new drug molecules or identify potential treatments for COVID-19 for instance (Zhou et al. 2020; Mohanty et al. 2020; Floresta et al. 2022).

AI can help predict the risk of chronic kidney disease and its progression in patients (Zhu et al. 2023; Schena et al. 2022). By processing large amounts of health data from electronic health records, lab tests, and other sources, AI systems can identify risk factors and provide personalized recommendations. Researchers have been exploring the use of AI in the detection of chronic kidney disease as AI systems can help forecast kidney function decline or prevent acute kidney injury (Tomašev et al. 2019).

Another concrete application of AI is cancer research and treatment (Chen et al. 2021). AI can help researchers but also cancer patients in different areas of cancer care such as diagnosis, prognosis, medical treatment, and follow-up. Following Horizon Europe which is the research and innovation programme of the EU for the period 2021–2027, the European Health and Digital Executive Agency (HaDEA) launched several research projects using AI to improve cancer treatment and patients’ quality of life (HaDEA 2023). Researchers used AI to enhance cancer treatment and predict lung cancer prognosis (Johnson et al. 2022). AI can also analyze genomic, histopathological, and clinical data to provide insights and guidance. AI systems can be used as new tools in digital oncology for diagnosis (Bera et al. 2019). Another illustration in cancer detection is the use of AI for breast cancer analysis (Shah et al. 2022) or in radiation oncology (Huynh et al. 2020).

Precision medicine is another field where AI is used extensively by researchers for its benefits as it can help deliver personalized care and advice for each patient. As demonstrated by researches, ‘[P]recision medicine methods identify phenotypes of patients with less-common responses to treatment or unique healthcare needs’ (Johnson et al. 2021). In a recent study, researchers described their ‘vision for the transformation of the current health care from disease-oriented to data-driven, wellness-oriented and personalized population health’ (Yurkovich et al. 2023). Another important illustration is the use of AI to predict drug response or optimize drug dosing for epilepsy (de Jong et al. 2021).

As discussed, the use of AI in healthcare seems limitless. AI can make a positive impact in telemedicine, mental health, public health and health education. However, numerous challenges need to tackled through coordinated action and effective regional and international cooperation between states.

Challenges posed by the use of AI in healthcare

There are several challenges (see Table 2 above) posed by the use of AI in healthcare ranging from health equity, fairness, access to healthcare to technical (Devine et al. 2022) issues such as the development of AI-based diagnostic algorithms to ethical and regulatory gaps.

Table 2 Challenges posed by the use of AI in healthcare.

It is necessary to look beyond the hype and assess the pros and cons of AI in healthcare today. AI in healthcare poses new challenges such as bias (Parikh et al. 2019) or accountability in situations where patients’ medical reports have been shared or stolen (Naik et al. 2022). Additionally, the technical concept of AI is also source of controversy and a clear and precise definition poses difficulties although researchers believe that the advantages of AI to power up the economy are considerable (Kundu 2021). The AI Act proposal is the first comprehensive attempt to legally regulate AI but European authorities and all stakeholders involved in consultations struggled to agree on a definition of AI as different disciplines are impacted (Ruschemeier 2023). Research (Lau et al. 2023) and recent regulatory challenges such as the surge of ChatGPT-4 as a chatbot (Meskó and Topol, 2023) potentially used in medicine (Lee et al. 2023) that may threaten public health (De Angelis et al. 2023) confirm my hypothesis statement following which there is no adequate regulation of the use of AI systems in healthcare (Loh 2023). Data (Azodo et al. 2020) accuracy is also a concern acknowledged by all stakeholders as physicians or lay people need precise data to be able to rely on it and monitor their health (Smith et al. 2023). Data security (Dinh-Le et al. 2019) and privacy (Banerjee et al. 2018) are other crucial challenges to be addressed. Inaccurate data (Xue 2019) is an important obstacle to health monitoring. From a scientific perspective, the use of AI (Sui et al. 2023) in health research could be a limitation as data may not be accurate and lead to errors and misdiagnosis. Developers need to design algorithms which take into consideration a wide range of situations and all groups of a given population. Biased AI algorithms will necessarily cause discrimination and misleading predictions. Some authors proposed an Ethics Framework for Big Data in Health and Research in order to ensure that best practices and international standards in developing AI models are implemented efficiently (Xafis et al. 2019; Lysaght et al. 2019). Another crucial point for developers is to implement performance indicators to measure AI success (Chen and Decary, 2020) as it will allow healthcare providers to detect errors or potential biases in AI models and algorithms that could lead to medical malpractice liability (Banja et al. 2022) or issues related to ethical design of pathology AI studies (Chauhan and Gullapalli 2021). The same applies to AI as a medical device: here, the scope of performance transparency and accountability has to be clearly defined by a set of rules (Kiseleva 2020). As noted by some authors, ‘personalization of care, reduction of hospitalization, and effectiveness and cost containment of services and waiting lists are benefits unquestionably linked to digitalization and technological innovation but that require a review of the systems of traceability and control with a revolution of traditional ICT systems’ (Dicuonzo et al. 2022). Traditional ICT systems need to evolve drastically in order to allow healthcare systems to rely massively on AI and robotics. Data analysis has become a fundamental skill which has to transform consolidated data from existing fragmented data sources into valuable information for business decision-makers. However, the technical challenges of the use of computational models and AI algorithms in healthcare pose new risks and problems such as fairness (Chen et al. 2023) and need to be carefully addressed by sufficient and adequate regulations. Some authors recommend new quality improvement methodologies prior to AI models and algorithms development: ‘[A]ligning the project around a problem ensures that technology and workflows are developed to address a genuine need’ (Smith et al. 2021). Such approach will ensure that AI is efficient and that all potential errors have been addressed by all stakeholders such as developers and physicians; AI algorithms in healthcare should be constantly updated and monitored (Feng et al. 2022). Methodologies and protocols elaborated by developers shall first take into consideration the safety of patients as ‘the technological concerns (i.e., performance and communication feature) are found to be the most significant predictors of risk beliefs’ (Esmaeilzadeh 2020). Indeed, issues related to patient behaviors and perceptions need to be addressed as they may be reluctant to rely only on AI devices for diabetes detection for instance. As pointed out by some authors, AI is today in a renaissance phase with the successful application of deep learning (Yu et al. 2018). Another challenge that researchers have to tackle is related to affordability of AI enabled systems (Ciecierski-Holmes et al. 2022). Some authors also argued that AI ethics is needed in medical school education as part of the curriculum offered to future practitioners (Katznelson and Gerke 2021). Also, AI’s financial cost has to be limited and reasonable. States need to adopt specific regulations and all stakeholders involved in this new healthcare system based on computational models have to elaborate a new ‘AI delivery science’ with dedicated protocols, process improvement, machine learning models, design thinking and adequate tools (Li et al. 2020).

Explainability (Holzinger et al. 2019) is also an important challenge. Indeed, AI systems are criticized for their opacity (Durán and Jongsma 2021) as observers and researchers do not know how these ‘black boxes’ reach their results or decisions. Public confidence in digital health could be threatened as individuals may be reluctant to rely on such services. This situation necessarily raises trustworthiness, reliability and ethical issues in a very sensitive field which is healthcare. It is fundamental for healthcare providers and patients to clearly understand how AI systems work. AI systems’ limitations and uncertainties have to be determined to allow patients make informed decisions and give informed consent, including in emergency medicine (Iserson 2024). Providing explainable AI methods (Nauta et al. 2023) will allow for more transparency (Hassija et al. 2023) and accountability (Arrieta et al. 2020) for responsible AI systems.

Data quality and availability are also key issues (Sambasivan et al. 2021). As mentioned, AI systems rely on large amounts of data to learn from and perform different tasks. Collecting, processing and sharing health data can be extremely difficult, due to its sensitive nature and confidentiality but also ethical challenges and privacy regulations such as the GDPR or the Health Insurance Portability and Accountability Act (HIPAA) 1996 (Edemekong et al. 2023). In addition, health data can be biased (Grzybowski et al. 2024) which will affect the performance and fairness (Wu 2024) of AI systems. Healthcare providers need to ensure that all data used by AI systems is representative (Suárez et al. 2024) of a given population, accurate, and secure.

Implementation and adoption (Mouloudj et al. 2024) constitute a challenge for public authorities. AI systems can be important additions to healthcare systems worldwide but they need to be wisely and consistently integrated into the existing healthcare systems. This can be a source of technical and organizational barriers in developing countries where there is no or little digitalization of healthcare. As demonstrated, some countries may need a digital revolution (Nithesh et al. 2022) to achieve noticeable results in the implementation of AI systems in healthcare. AI systems require appropriate technical resources and trained professionals. Awareness campaigns and educational programs are needed to address fears (Scott et al. 2021) and potential resistance from both healthcare employees (Abdullah and Fakieh 2020) who may believe that AI will replace (Loong et al. 2021) them and patients who may believe that AI systems could harm them. This is part of public confidence and building trust in AI systems (Kumar et al. 2023a).

AI regulation and governance are of paramount importance (Zhang and Zhang 2023). AI systems in healthcare need to comply with various laws and policies that regulate their design, development, deployment, and evaluation. However, the current regulatory frameworks may not be sufficient or appropriate for the fast-paced and complex nature of AI. There is a need for more collaboration and dialogue among stakeholders, such as governments, regulators, developers, healthcare providers, and patients, to establish clear and consistent standards and guidelines for AI in healthcare such as the use of ChatGPT which lacks regulation (Wang et al. 2023). Data privacy (Kapoor et al. 2020) illustrates the need for regulation as health data is sensitive and confidential by nature (da Silva 2023). All stakeholders have to coordinate their efforts to find a consensus and an acceptable balance between regulation and innovation (Thierer 2015). Technical, ethical and regulatory challenges such as data collection (Huarng et al. 2022), data quality, security (Barua et al. 2022), interoperability between different operating systems (OS) (Lehne et al. 2019), health equity, and fairness (Canali et al. 2022) need to be addressed. Concrete regulations should be developed such as the implementation of quality standards, conditions to access health data, interoperability, and representativity. Most importantly, compliance with key regulations such as the GDPR, HIPAA, AI Act or Data Act is a requirement. Self-regulation should also be encouraged as it will help to build public confidence in AI-based applications as important volumes of personal data are processed. Companies operating in this field are making efforts (Chikwetu et al. 2023) and want to be seen as actors caring about personal health data and its processing, storing and sharing. Guidelines and voluntary codes of conduct developed by the private sector are concrete illustrations (Paul et al. 2023). Despite the existence of such challenges, AI is an opportunity as it could become a substantial addition to the everyday healthcare practice (Powell and Godfrey 2023). Indeed, AI could save lives by allowing healthcare providers to adjust to patients’ needs and situations; AI can also be an important tool for people living in remote areas or far from hospitals or physicians (Canali et al. 2022). As observed, there is today a global consideration for the development of AI-based solutions in a wide range of fields ranging from education to healthcare; this trend demonstrates that individuals are now ready to embrace AI which could help monitoring people’s health condition (Loucks et al. 2021). However, a balance between the use of AI and data privacy is a necessity from a regulatory and ethical perspective (Boumpa et al. 2022). Different measures can be adopted to ensure privacy and global public health security.

Ensuring the privacy of personal health data

Different measures can be taken to ensure the privacy and security of personal health data (Pirbhulal et al. 2019). All stakeholders – regulatory authorities, companies, healthcare providers – have to ensure patient privacy and data confidentiality (see Table 3 below).

Table 3 Measures to ensure privacy and security of personal health data.

It has been demonstrated (Hughes-Lartey et al. 2021) that most data breaches are attributable to human errors. Adequate training and education should be provided by healthcare institutions to their personnel. Employees have to be well-aware of all risks associated with the processing of personal health data and security issues. Risk assessments on a regular basis are a requirement (Khan et al. 2021) as they could help to identify intrinsic limitations – such as data security breaches – of any healthcare institution and help to their resolution. Health personal data can also be protected and secured with a virtual private network (VPN) (Prabakaran and Ramachandran 2022). A VPN allows users to encrypt and mask their digital footprint. Healthcare institutions could protect themselves from data breaches and cyber-attacks such as ransomwares. Access to patients’ health records has to be limited to certified personnel and restricted (Javaid et al. 2023) for better data security and confidentiality. Healthcare institutions could implement improved authentication processes such as two-factor authentication. Based on the confidential and sensitive nature of health data, healthcare providers should implement role-based access control systems (Saha et al. 2023); employees should only have access to a specific assigned system-level.

In the US, the Health Insurance Portability and Accountability Act (HIPAA) 1996 regulates health data and ensures its security and confidentiality. As such, when physicians assign health devices relying on AI to their patients for instance, all data collected is considered as protected health information (PHI). According to US federal regulations, all data collected, processed and shared must be protected and secured at all times (Jayanthilladevi et al. 2020). Companies commercializing services of AI-based solutions for healthcare should consider first data privacy and security issues to be reliable alternatives to healthcare providers. This could be achieved through the adoption of international standards for devices using AI in sport and processing large amount of personal data for instance (Ash et al. 2021). Health data privacy requires not only built-on security features, but also guarantees that the network is safe as well as third party applications available on the App Store or Google Store. Transparency (Kapoor et al. 2020) is a key aspect of data privacy as users should know who can access their data, whether it is a third party or the healthcare provider itself. Here, some gaps exist in the US legal framework applicable to health data and its handling. Indeed, HIPAA only targets specifically health data and not all services or solutions available today on the market such as OpenAI’s ChatGPT which also collects health data. However, US authorities could provide a regulatory answer if such companies start dealing with health data and promote their products as health devices or solutions.

The complexity to regulate AI systems

The regulation (Iqbal and Biller-Andorno 2022) of AI in healthcare is a complex issue but potential solutions exist (see Table 4 below).

Table 4 Solutions to adequately regulate the use of AI in healthcare.

As stated, there is a need for clear guidelines and standards (Espinoza et al. 2023) to ensure that AI is used to build better healthcare systems worldwide based on the principles of fairness and health equity. National, regional and international guidelines and recommendations should be detailed as much as possible considering some important challenges such as accuracy, transparency, security, informed consent, data privacy as well as ethics (Leese et al. 2022) in the use of health data collected (Taka 2023). Unauthorized access by third parties is also an ethical issue and a violation of data privacy and informed consent (Segura Anaya et al. 2018). Potential threats such as cybersecurity need to be tackled as well, self-adaptive AI systems could be a solution (Radanliev and De Roure 2022). Public authorities will need to create new regulatory bodies or give new powers and attributions to existing Watchdogs (Korjian and Gibson 2022). Throughout audits and inspections, regulatory bodies such as the Food and Drug Administration (FDA) in the US and the Medicines and Healthcare Products Regulatory Agency (MHRA 2022) in the UK play a crucial role by monitoring all stakeholders and ensuring that they comply with their obligations in terms of privacy, efficiency, safety and quality. The promotion of transparency and accountability (Tahri Sqalli et al. 2023) is fundamental as Tech companies know that they might face severe consequences such as financial sanctions regarding their sharing (Banerjee et al. 2018) practices. They should also be held accountable for any breaches of data privacy or security. Self-regulation should be encouraged as codes of conduct can help to promote international standards such as data protection (Winter and Davidson 2022). As mentioned, states and international organizations need to cooperate, harmonize their national regulations and promote the safe and ethical use of AI systems (Colloud et al. 2023).

EU law offers today detailed rules and guidelines relating to privacy and the handling of personal data. The GDPR is indeed a key regulation and a law model which offers a comprehensive legal framework with stringent obligations and duties for service providers and manufacturers (Mulder and Tudorica 2019). Recently, the European Union Commission made a proposal (EU Commission 2022b) for a European Data Act for adequate regulation of data specifically processed, stored or shared, including health data. In June 2023, the Council presidency and the European parliament came to a consensus and adopted the European Data Act as a provisional agreement (EU Council 2023a). On 9 November 2023, the European Parliament adopted the text of the European Data Act (European Parliament 2023). A few days later, on 27 November 2023, the European Council formally adopted the European Data Act (EU Council 2023b). The last step in the process took place on 22 December 2023 when the Council of the European Union published in the Official Journal of the European Union Regulation (EU) (2023) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act). The Data Act entered into force on 11 January 2024. However, the main provisions of the Data Act will only be applicable from 12 September 2025. The objective of the Data Act is to harmonize rules relating to a fair access to data and its use by public and private actors. As its predecessor the GDPR, the Data Act will help patients to keep control over their health data more efficiently. It could also serve as a guideline or law model for the rest of the world and enshrine key international standards relating to health data privacy and security. The AI Act is another fundamental addition to the EU legal framework as it deals with AI explicitly. This EU Regulation is the first world’s AI law as European authorities want to establish clear rules and guidelines for the development and implementation of AI. After years of debate, the European Commission proposed the first EU regulatory framework for AI in April 2021 which is expected to enter into force in April 2024 as explained. This proposal acknowledges the potential of AI in our daily lives and says that AI systems can be used in different applications such as healthcare, education or transportation. The main advantages of AI are affordability and better services through a democratized access to some vital sectors. However, the European Commission also noted that AI is not free of threats and risks posed to users. To this effect, the European Commission classified AI systems based on different levels of risks requiring more or less regulation. The AI Act establishes different rules for service providers based on the level of risk from the implementation of AI. Stringent rules are applicable to AI-based solutions posing the greatest threats such as privacy issues or confidentiality ranging from a ban to compliance with key standards and obligations upon service providers (see Table 5 above for a summary).

Table 5 The different levels of risks posed by AI systems under the AI Act.

At the multilateral level, the WHO released in October 2023 a new publication listing key regulatory considerations on AI for health (see Table 6 above). The WHO emphasizes the importance of establishing AI systems’ safety and effectiveness, rapidly making appropriate systems available to those who need them, and fostering dialogue among stakeholders, including developers, regulators, manufacturers, health workers and patients.

Table 6 The WHO’s guiding principles adopted in October 2023.

Autonomy ensures that human values and rights are respected and that people can make informed decisions about their health and well-being. The second principle – safety – ensures that AI systems are reliable, robust, and do not cause harm or errors. The third principle – transparency – ensures that AI systems are understandable, explainable, and accountable, and that their limitations and uncertainties are communicated. Responsibility is the fourth principle proposed by the WHO and ensures that AI systems are designed, developed, and deployed in a responsible and ethical manner, and that there are mechanisms for oversight and redress if needed – it could be through the establishment of dedicated Watchdogs. The fifth principle – equity – ensures that AI systems are inclusive, accessible, and do not discriminate or exacerbate existing inequalities. The last principle – sustainable AI – ensures that AI systems are environmentally and socially sustainable, and that they align with the health needs and priorities of the population.

The WHO developed these principles to help states and regulatory authorities develop new guidance and regulations or adapt existing ones on AI at both national or regional levels. The main purpose of the WHO is to provide a legal framework for determining and assessing the benefits and risks of AI for healthcare. Also, the WHO elaborated a checklist for evaluating the quality and performance of AI systems. The WHO acknowledges the potential of AI in healthcare but notes that many challenges affect AI systems such as unethical data collection, cybersecurity threats, biases or misinformation. Therefore, the WHO calls for a better coordination and cooperation between states and all stakeholders to ensure that AI is increasing clinical and medical benefits for patients. These principles developed by the WHO can help all stakeholders to develop ethical and responsible AI systems based on five different themes (see Table 7 below).

Table 7 Themes for ethical and responsible AI based on the WHO’s core principles.

Complying with core principles – human autonomy, promoting safety, ensuring transparency, fostering responsibility (Trocin et al. 2023), ensuring equity (Gurevich et al. 2023), and promoting sustainability (Vishwakarma et al. 2023) – can help align AI systems with human values and human rights (Kumar and Choudhury 2023b), such as the right to privacy or the right to health. When developing AI systems, stakeholders need to assess any trade-offs and impacts based on various aspects, such as data quality and availability, regulation and governance, implementation and adoption, and accountability (Andersen et al. 2023). These aspects can affect the performance (Farah et al. 2023), reliability (Yazdanpanah et al. 2023), and trustworthiness (Albahri et al. 2023) of AI systems, and require careful evaluation and management. AI ethics and responsibility can also be developed through collaboration and dialogue (Tang et al. 2023) among all stakeholders for better inclusiveness, participation and responsiveness to the needs and preferences of different groups. A true ‘AI culture’ can be built on awareness campaigns, trainings, education of all stakeholders involved in the development of AI systems (Jarrahi et al. 2023). By educating people (Alowais et al. 2023) on the risks associated with AI systems, we can achieve a better commitment to ethical and responsible AI systems. As mentioned, appropriate tools and methods such as risk mitigation (Harrer 2023), assessment (Schuett 2023), data privacy regulations (Dhirani et al. 2023) and monitoring tools (Prem 2023) can help implement ethical and responsible AI systems.

AI ethics and governance under the WHO

The WHO has a constitutional mandate to regulate global public health. Bump et al. note that: ‘WHO is a manifestation of the advantages of cooperation and collaboration, and it consistently leads member states in ways that uphold its mission to advance the highest standard of health for all. In the pandemic, WHO has shown leadership in sharing information and in co-launching the Access to COVID-19 Tools (ACT) Accelerator, a global collaboration to accelerate development and equitable access to diagnostic tests, treatments, and vaccines’ (Bump et al. 2021). Efforts made by the WHO during the COVID-19 pandemic could be duplicated in digital health and the use of AI systems. How can the international community address the risks associated with the use of AI in healthcare? What can the WHO do to guarantee equal access to new technologies and protect fundamental rights such as privacy (Murdoch 2021) and data protection? According to the WHO, “[e]quitable access to health products is a global priority, and the availability, accessibility, acceptability, and affordability of health products of assured quality need to be addressed in order to achieve the Sustainable Development Goals, in particular target 3.8” (WHO 2019). AI creates an unprecedented situation in interstate relations since the end of the World War II in 1945. AI has always been a crucial issue for the international community (Pesapane et al. 2021) and developing countries (Wahl et al. 2018). However, the current legal framework applicable to global public health does not protect sufficiently personal data and privacy (Duff et al. 2021). A new paradigm is an absolute necessity in order to reshape global health and move towards a dedicated legal framework for AI in healthcare. This new paradigm is the adoption of a global answer throughout the implementation of legally binding rules by WHO Members in the field of AI. The IHR (2005) could be used by States Parties to improve the degree of response to potential threats such as privacy. WHO Members could rely upon the IHR and EU regulations – GDPR, AI Act, Data Act – in efforts to negotiate new legally binding rules. Today, under the IHR, one of the limitations is that bilateral and multilateral cooperation are only encouraged. Healthcare is traditionally recognized as a global public good (Chen et al. 2003). Therefore, it can also be argued that AI systems constitute global public goods (Haugen 2020). As acknowledged by the WHO, all stakeholders should ensure that AI systems are rapidly made available to those who need them. Here again, a parallel could be made with the COVID-19 pandemic and the necessity to regulate more efficiently global public health (Phelan et al. 2020). AI (Banifatemi 2018) systems could be considered as global public goods which is in line with the Goal 3 of the UN SDGs: ‘Ensure healthy lives and promote well-being for all at all ages’ (UN SDGs 2016).

Under the UN Charter, States Parties have a legally binding obligation to cooperate in all matters representing a threat to international peace and security, including in the field of economic and social matters (United Nations Charter 1945). This duty of cooperation is at the core of international law. Some authors argue that such obligation can be assimilated to a hard law principle of international law (Delbrück 2012). The UN International Law Commission listed the obligation to cooperate among states’ obligations (Dire 2018). To support such position, research and traditional concepts demonstrate that the obligation to cooperate is hard law in international water law (Oranye and Aremu 2021). Our postulation is that such a duty to cooperate should necessarily be transposed into the field of global public health and be implemented in situations where the use of AI in healthcare may pose new risks or threats to patients. AI should not create any further inequalities. Coordinated actions between the General Assembly of the UN and the WHO could be implemented in order to conduct a global answer through the duty to cooperate which is a hard law principle. Here, the WHO will guide and ensure that its Members do comply with their obligations such as implementing a defined set of international standards in order to guarantee the respect of fundamental rights and ensure the development of accessible, affordable and responsible AI systems. To this effect, the UN General Assembly may adopt a new Resolution and refer to the general duty to cooperate for an effective implementation of AI in healthcare and call for a coordinated answer that will be led by the WHO. Efforts to modify the IHR should be made as they will create new obligations for states and create a truly global response to mitigate risks associated with the use of AI in healthcare. The existing international legal framework allows us to consider that the WHO can monitor the implementation of this general obligation of cooperation.

The WHO has no enforcement powers and its inability to enforce its guidelines and act of its own reflects the shortcomings of international law. Obviously, legal tools exist and written rules akin to codes of conduct allow states with gaps in their health regulations to adopt a number of international standards. However, this is only a mitigative measure subject to the goodwill of states. The limitations of the WHO have been addressed by researchers (Youfa et al. 2006). The WHO has also been criticized by commentators for its ‘rather restrained role in creating new norms under its Constitution’ (von Bogdandy and Villarreal 2020). Despite the fact that the WHO has a recognized expertise and a constitutional mandate to regulate global health and therefore AI systems, it only provides soft rules such as guidelines and recommendations to its members. The WHO’s reports released in 2021 and 2023 are examples of such non legally binding rules. As noted by Gostin et al., ‘[t]he WHO’s most salient normative activity has been to create ‘soft’ standards underpinned by science, ethics, and human rights. Although not binding, soft norms are influential, particularly at the national level where they can be incorporated into legislation, regulation, or guidelines’ (Gostin et al. 2015). In international law, soft rules are necessary as they allow the international community to reach a consensus on certain matters, and they simplify the adoption of a formal treaty. However, strong answers are essential in specific situations as states may decide not to actively cooperate with each other. Consequently, the WHO should be granted a real normative power. The IHR have been considered as a fundamental development in international law (Fidler and Gostin 2006). These regulations are an existing legal tool that can provide the WHO outstanding attributions to regulate AI systems in healthcare. Article 2 WHO IHR, which is related to purposes and scope of the WHO – one of the most important provisions – states that ‘the purpose and scope of these Regulations are to prevent, protect against, control and provide a public health response to the international spread of disease in ways that are commensurate with and restricted to public health risks, and which avoid unnecessary interference with international traffic and trade’ (WHO IHR 2005). It is also worth referring to Part II – Articles 12 and 13 (WHO IHR 2005) – of the IHR related to ‘Information and Public Health Response’. These provisions give important powers to the WHO but there are no enforcement powers in situations where WHO members refuse to cooperate nor coercive measures that can be taken against such states. The international community acknowledged that there is a correlation between international economic law and development since decades (UN Conference on the Human Development 1972). The same should apply to global public health: economic and sustainable development cannot be achieved without a fair access to healthcare and by regulating adequately AI systems. The duty to cooperate in health matters is a fundamental component of the new international economic order.


The current legal framework shows us the limitations of global public health, and the somewhat limited role played by the WHO. This international organization has been designed as the key player in the regulation of global public health with legal tools negotiated for decades. However, it is time to acknowledge that a new paradigm is necessary due to the emergence of Tech companies expanding globally. There is indeed a shift in how we can access healthcare and how data can be processed, stored or shared. The WHO shall have new coercive and normative powers to address issues (Council of Europe 2020) related to the use of AI in healthcare. AI should ultimately facilitate access to healthcare and provide better health systems (Santosh and Gaur 2021) according to the UN SDGs, especially in the least developed countries (Wakunuma et al. 2020). Ethical and regulatory challenges posed by the novelty of AI systems in healthcare such as bias, data protection or explainability have to be addressed by states. European regulations – GDPR, Data Act, and AI Act – can provide reliable legal frameworks and established standards to be implemented by all stakeholders for ethical and responsible AI systems. WHO Members need to actively cooperate and elaborate new guidelines and legally binding rules under the IHR.