
Expert Interview: Healthcare & AI Compliance

A conversation with Daniel Kleiboldt, Legal Engineer for Healthcare AI Compliance

Max-Raphael Feibel met Daniel Kleiboldt during a discussion about the EU AI Act and immediately realized that he thinks differently from most people who write about compliance. No alarmism, no abstract references to legal provisions. Instead, concrete architectural decisions and a thesis that piqued Max’s interest as a healthcare marketing specialist: that legally compliant AI systems not only prevent liability but actively strengthen patient trust. And in healthcare marketing, trust is the currency with the highest ROI.

Written by: Max-Raphael Feibel
Published on: April 28, 2026
Last modified on: May 5, 2026

To many practice owners, the EU AI Act sounds like the next bureaucratic blow—is this fear justified?

Daniel Kleiboldt: The fear is understandable, but it’s misdirected. The AI Act isn’t some new bureaucratic monster. It addresses a problem that has existed for a long time, but one that no one has brought to light until now.

Many medical practices are already using AI today—for writing patient reports, managing appointments, and interpreting test results. Very few are aware that, as of February 2025, this has been a specific legal requirement. Section 4 of the AI Act requires anyone using AI to ensure that their staff is adequately trained to interpret the results. This is current law, not a distant prospect.

And that's just the baseline. The AI Act distinguishes between general obligations that apply to all AI and a significantly expanded list of requirements for high-risk AI. In the healthcare sector, whether a system is classified as high-risk depends on a surprisingly simple threshold. As soon as the AI no longer merely documents but begins to independently provide diagnostic or therapeutic recommendations, it becomes a medical device, and thus the full catalog of operator obligations under Article 26 of the AI Act applies. The exact deadlines for this are currently being readjusted by the Digital Omnibus, but the political direction is clearly set.

There is a gap between the promises made in the pitch deck and the legal reality that no provider is able to bridge.

As the director of a medical practice, if I want to implement an AI solution for practice management tomorrow, why isn’t it enough to simply ask my IT service provider?

Daniel Kleiboldt: Because your IT service provider isn’t liable. You are. If the AI makes mistakes or processes patient data incorrectly, the regulatory authority won’t ask the software developer in San Francisco—it’ll ask the CEO in Mannheim.

That may sound harsh, but it is the legal reality. The AI Act clearly distinguishes between providers and operators. The provider develops the AI. The operator implements it in everyday clinical practice. As a medical practice or medical care center, you are the operator, and you are responsible for ensuring that human oversight is maintained, that patients are informed, and that the systems are logged and monitored.

Software providers in the healthcare sector sell their AI features as paid add-ons. The marketing is precise, and the promises are concrete. On the contract side, the wording is just as precise—only in the opposite direction. “The final decision rests with the user.” Disclaimers that clearly place the operator status with the physician. Both are understandable in and of themselves. But there is a gaping chasm between the promises in the pitch deck and the legal reality—one that no provider is bridging. No DPIA (data protection impact assessment) template, no training materials for the practice team, no checklist for implementing human oversight. The physician receives a product. And an FAQ. That is not the same thing.

Filling that gap is my job.

We often see that our healthcare clients view compliance as a hindrance. Do you understand why?

Daniel Kleiboldt: Absolutely. And I understand where that comes from. Someone wants to launch a campaign, gets a legal assessment after the fact, and receives a ten-page report saying “that won’t work.” No alternatives, no solutions—just a “no.” That’s a procedural problem.

I’m not starting at the end of the process, but at the beginning. If a system is designed in such a way that it doesn’t process certain data in the first place, the question of GDPR compliance no longer arises later on. The system resolves it technically.

AI software providers that address compliance by design answer legal questions before they are even asked.

This has a direct marketing impact, which you at Partner & Söhne are better equipped to measure than I am. A practice that can credibly assure patients that their data is technically secure—not just a contractual promise—has a different foundation of trust. In healthcare marketing, where trust is the most important currency, this isn’t just a nice bonus. It’s a competitive advantage that no Google Ads campaign can replace.

And the same applies to the providers themselves. The provider that is the first to offer a structured onboarding process for operators—one that automatically configures the compliance framework when the AI feature is activated—has a selling point that no competitor can replicate. "Our AI isn't just efficient; it can be used in compliance with the law right from the start." In a market where doctors are complaining about increased regulatory burdens, that’s a message that resonates.

What is the one step a private practice physician should take right now?

Daniel Kleiboldt: Figuring out what you’re actually doing. Sounds trivial. It isn’t.

Most medical practices are unaware of which of their software systems contain AI components. While AI features are offered as a deliberate opt-in—as add-ons that must be actively selected—in practice, it’s easy to lose track of which of these features are actually enabled, what data they process, and whether any of them include systems that generate diagnostic recommendations on their own, thereby falling under the category of high-risk AI.

An honest assessment answers three questions: What systems do I use? Which of them have AI capabilities? Which of them handle patient data? This isn’t a massive undertaking—it’s just an afternoon spent carefully reviewing the contracts. After that, you’ll know where you stand. And only then can you decide what to do next.

About the Expert

Daniel Kleiboldt is a legal engineer specializing in healthcare AI compliance. With a degree in law, an LL.M., and a background in software engineering, he supports medical practices and medical care centers from the initial assessment through the selection of appropriate AI tools to ongoing operational support, and advises health tech providers on designing their products in compliance with regulations.
kleiboldt.de
LinkedIn

We look forward to your inquiry

Book a free initial consultation with Max-Raphael Feibel now, or contact us by email, phone, or LinkedIn.

hello@partnerundsoehne.de
+49 621 533 999 82
Networking on LinkedIn