Healthcare & Life Sciences

Clinical AI models governed: FDA-ready, HIPAA-enforced, and continuously monitored across the full care continuum.

UnitedHealth Group
Headquarters: Minnesota, United States
Company Size: 400,000+ employees
Founded: 1977
Scope: Clinical decision support, prior authorization AI, and care gap analytics across Optum Health's national clinical network serving 100M+ Americans

The Challenge

Optum Health operates at a scale few healthcare organizations reach. Its clinical AI estate spans pharmacy benefit management, care management, diagnostic support, and prior authorization: models that influence treatment decisions for more than 100 million Americans. As the FDA expanded its oversight of Software as a Medical Device and CMS intensified scrutiny of automated prior authorization systems, Optum faced a fundamental governance gap: the clinical AI portfolio had grown faster than the infrastructure to govern it.

Validation records were inconsistent across product lines. Some models had rigorous documentation; others had been deployed under legacy processes that predated current FDA guidance and had never been updated. When the compliance team attempted to inventory which models qualified as SaMD under the FDA's updated framework, the exercise exposed 34 models with no current validation record and 19 more with documentation that did not meet the agency's performance monitoring requirements.

The prior authorization AI carried the highest regulatory exposure. CMS's 2024 rule requiring transparency and accuracy standards for automated prior authorization decisions created a new evidence burden the existing process had no mechanism to satisfy. A model making millions of coverage determinations annually needed a complete, auditable record of how it had been validated, how its performance was monitored, and how fairness across demographic groups was assessed.

The Solution

Thndr AI was deployed as the unified governance layer across Optum's clinical AI portfolio. Every model was onboarded into a structured registry capturing data sources, validation methodology, performance benchmarks, PHI handling controls, and the regulatory classification of each system under FDA and CMS frameworks. Models without current validation records were surfaced immediately as remediation priorities, with gap reports generated automatically from existing pipeline metadata.

The prior authorization models were instrumented for continuous fairness and accuracy monitoring, tracking approval rate disparities by demographic segment, geographic region, and diagnosis category in real time. Threshold breaches trigger an automated compliance escalation before the next business review cycle, creating the auditable detection-and-response record CMS requires. Clinical model owners receive weekly governance summaries; the compliance team receives a live dashboard rather than a quarterly evidence sprint.

FDA SaMD Classification and Evidence at Scale

The FDA's Software as a Medical Device framework requires manufacturers to maintain performance data, post-market surveillance, and change documentation for AI-driven clinical tools. The regulatory classification engine mapped each of Optum's 130+ models against the FDA's risk-based tiers, flagging those requiring predicate submissions or updated evidence. Validation artifacts (test datasets, performance benchmarks, intended-use documentation) are now generated from pipeline metadata and maintained automatically, so the evidence package for any model is current by default rather than assembled on demand.

Prior Authorization Transparency Under CMS Scrutiny

CMS's prior authorization rule requires payers to demonstrate that automated coverage-determination models meet accuracy standards and do not produce disparate outcomes across protected classes. Each prior authorization model now runs under continuous fairness monitoring: approval rate parity across age, race, geography, and diagnosis is tracked at inference time, not audited retrospectively. When a disparity exceeds the defined threshold, the model is flagged for expedited clinical review before the next authorization cycle runs. The audit trail documents detection, escalation, and remediation, satisfying the CMS evidence standard without a manual compliance exercise.

PHI Governance Across a Distributed Clinical Network

Optum's clinical AI runs across a distributed infrastructure spanning owned and affiliated provider networks, third-party data partners, and cloud environments in multiple jurisdictions. PHI access policies are enforced at the pipeline level (data minimization, access logging, retention limits, and de-identification standards) rather than relying on application-layer controls that differ across environments. Every model's data lineage is documented automatically, so the answer to "what patient data does this model touch" is always current and auditable.

Results

130+ Clinical AI models governed

Every model in the Optum portfolio is registered, classified, and continuously monitored, including 34 that had no current validation record at project start.

65% Reduction in validation time

Automated evidence generation from pipeline metadata replaced manual documentation assembly across the portfolio.

0 Unresolved CMS prior auth findings

Continuous fairness monitoring detected and resolved every disparity flag before the next authorization cycle.

< 1 day FDA audit response time

Complete SaMD evidence packages for any model are generated on demand, previously a multi-week manual exercise.
