Introducing AI, LLMs, and RPA in Belgian Hospitals: A Governance-Led Implementation Model

Abstract

Introducing Artificial Intelligence (AI), Large Language Models (LLMs), and Robotic Process Automation (RPA) in a Belgian hospital should not be treated primarily as an IT procurement exercise. It is a clinical, legal, organizational, and ethical transformation. AI can support diagnosis, triage, logistics, population health, and administrative optimization; LLMs can assist with documentation, translation, summarization, coding, and knowledge retrieval; and RPA can automate repetitive digital workflows such as data entry, report routing, claims preparation, and system monitoring. In Belgium, however, implementation must be aligned with the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, the European Health Data Space (EHDS) Regulation, Belgian health-data governance structures, and the hospital’s duty to preserve clinical safety, security and patient trust. The safest introduction model is therefore phased: establish governance, select low-risk high-value use cases, perform legal and clinical risk classification, validate locally, pilot under human supervision (HITL), scale through monitored deployment, and continuously audit outcomes.

1. Introduction

AI, LLMs, and RPA should be introduced in a Belgian hospital through a staged “sociotechnical” model: the hospital must redesign workflows, accountability structures, data governance, and clinical oversight at the same time as it deploys software. This is necessary because healthcare AI rarely creates value merely by producing predictions or text; it creates value only when embedded safely into real clinical and administrative systems. Li, Asch, and Shah argue that healthcare AI requires a “delivery science” that combines data science with design thinking, process improvement, implementation science, and workflow evaluation, rather than focusing only on model accuracy.

The Belgian context strengthens this argument. Belgium is already advancing health-system digitalisation, health-data governance, and interoperability. The OECD/European Observatory country profile reports that Belgium is moving forward with health-system digitalisation, has increased ICT spending in healthcare, and aligns its health-data governance with the eHealth Action Plan and the European Health Data Space (EHDS), with the Health Data Agency (HDA) involved in accessibility, security, and interoperability. The Belgian Health Data Agency also describes its role as reshaping the Belgian health-data landscape around FAIR principles and strong, transparent, secure data governance.

Note: There is no single, direct legal equivalent to the European Health Data Space (EHDS) in the United States, as the EHDS is a comprehensive, centralized regulation aimed at both primary care (patient access) and secondary use (research/innovation) across multiple nations. However, the U.S. approach to health data is governed by a patchwork of federal and state laws and initiatives that mirror the goals of the EHDS. While the EHDS is a new law, it rests on the foundation of the GDPR. In the US, the primary legal framework for health data is the Health Insurance Portability and Accountability Act (HIPAA). However, HIPAA is generally narrower than the EHDS/GDPR, as it applies only to specific "covered entities" (providers, insurers) rather than to all data collectors.

Note: HIPAA (Health Insurance Portability and Accountability Act) is a 1996 U.S. federal law setting national standards to protect sensitive patient health information from disclosure without consent. The European Health Data Space (EHDS) is a proposed EU regulation creating a unified framework for sharing and reusing electronic health data across Europe for treatment and research. HIPAA (U.S.) and EHDS (EU) both safeguard health data but differ in scope: HIPAA strictly regulates Protected Health Information (PHI) within U.S. healthcare entities. In contrast, the EHDS (built upon GDPR) mandates a standardized, cross-border digital infrastructure for sharing data, prioritizing patient access and research, whereas HIPAA focuses on privacy compliance.

2. Conceptual Clarification: AI, LLMs, and RPA

AI is the broad category: systems that learn from data to make predictions, classifications, recommendations, or decisions. In a hospital, AI may support radiology prioritization, sepsis-risk prediction, appointment no-show prediction, bed-capacity planning, pharmacy surveillance, coding assistance, or clinical trial matching.

LLMs are a specialized form of AI focused on language and, increasingly, multimodal content. WHO defines generative AI as systems trained on datasets to generate new content such as text, images, or video; it describes large multimodal models as models that can accept multiple input types and produce diverse outputs, with likely uses in healthcare, research, public health, and drug development. In hospitals, LLMs are most appropriate initially for controlled, assistive tasks: summarizing discharge letters, drafting non-final patient instructions, translating standard communications, searching internal protocols, generating first drafts of administrative documents, and supporting help-desk workflows. They should not independently diagnose, prescribe, or communicate final clinical advice without professional review (HITL).

RPA is different: it is process automation rather than cognitive modeling. RPA bots mimic human digital actions across user interfaces and can automate repetitive, rule-based tasks. A 2025 JMIR Medical Informatics study found that RPA bots in a hospital EMR environment could simulate end-user interactions, identify delays and failures, and provide end-to-end monitoring that reflected real user experience more closely than component-level technical metrics. Another 2025 proof-of-concept study combined machine learning and RPA to extract follow-up dates from unstructured colonoscopy reports and update structured EHR fields, illustrating how ML and RPA can be orchestrated to reduce documentation burden and improve structured data capture.

3. Regulatory and Ethical Conditions in Belgium

A Belgian hospital must treat these technologies as regulated healthcare infrastructure, not optional productivity tools. The EU AI Act entered into force on 1 August 2024 and creates obligations for AI developers and deployers, especially where AI affects health, safety, or fundamental rights. The European Commission’s healthcare AI page states that the AI Act gives developers and deployers requirements and obligations for specific AI applications, with full applicability generally two years after entry into force and product-embedded AI rules later.

The GDPR remains central because hospital AI systems process health data, a special category of personal data. The Belgian Data Protection Authority’s AI-and-GDPR brochure emphasizes security, technical and organizational measures, human oversight, transparency, accountability, and the need for DPOs, legal professionals, architects, and developers to understand how GDPR principles apply across the AI lifecycle. This makes the hospital’s Data Protection Officer (DPO), ethics committee, medical board, information security officer, and clinical leadership indispensable from the start.

The European Health Data Space Regulation adds a further strategic layer. It entered into force in March 2025 and establishes a framework for electronic health-data exchange, patient access and control, and secondary use of health data for research, innovation, policy-making, and regulatory purposes. For Belgian hospitals, this means AI implementation should be designed around interoperability, data minimization, auditability, and future reuse rules, rather than around isolated departmental tools.

Note: Human-in-the-Loop (HITL) is a governance and safety principle in which humans remain meaningfully involved in AI-assisted decisions. Its importance lies in preserving safety, accountability, ethical judgment, contextual reasoning, trust, and regulatory compliance. In high-risk environments such as healthcare, HITL is essential because AI should support human expertise, not silently replace professional responsibility. HITL is important, but it is not a complete solution by itself. It can fail if humans are overloaded, poorly trained, or too trusting of AI outputs. This is called automation bias, where people accept AI recommendations without sufficient critical review.

Note: Safety and security are complementary, yet distinct, concepts focused on protecting people and assets. Safety is protection against accidental hazards, risks, and unintentional harm (e.g. accidents). Security is protection against intentional threats, such as theft, vandalism, and violence. Together, they ensure a stable, risk-mitigated environment.

4. A Phased Implementation Model

Phase 1: Establish Strategy and Governance Before Procurement

The hospital should create an AI, LLM, and automation governance board before buying or deploying tools. This board should include clinical departments, nursing, hospital management, IT, cybersecurity, data protection, legal, procurement, quality and safety, the medical ethics committee, patient representation, and employee representatives. Its first task is to define what the hospital will and will not automate.

The governance board should adopt a risk-management framework. The National Institute of Standards and Technology AI Risk Management Framework (NIST AI RMF) is voluntary but explicitly designed to improve trustworthiness across the design, development, use, and evaluation of AI products and services. ISO/IEC 42001:2023 is also relevant because it specifies requirements for establishing, implementing, maintaining, and continuously improving an AI management system within organizations using or providing AI. These frameworks do not replace EU or Belgian law, but they provide a practical operating model for accountability, documentation, roles, risk registers, and continuous improvement.

The board should classify proposed use cases into risk tiers. Low-risk candidates may include appointment reminders, inventory workflows, administrative report generation, help-desk routing, and internal policy search. Medium-risk candidates may include clinical documentation support, coding suggestions, referral triage support, and patient-facing communication drafts. High-risk candidates include diagnostic decision support, treatment recommendations, emergency triage, predictive deterioration models, and systems that materially influence access to care.

Note: The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary, flexible, and non-sector-specific guide released on 26 January 2023, designed to help organizations manage risks associated with artificial intelligence. It promotes trustworthy AI by fostering dialogue between AI developers and users, focusing on fairness, accountability, transparency, and robustness.

Note: ISO/IEC 42001:2023 is the world's first international standard for an Artificial Intelligence Management System (AIMS). Published in December 2023, it provides a structured framework for organizations to develop, deploy, and use AI technologies responsibly and ethically.

Phase 2: Select Use Cases Based on Value, Risk, and Workflow Fit

The hospital should avoid beginning with the most glamorous technology. It should begin with high-volume, measurable, low-to-moderate-risk workflows. A practical first portfolio could include:

  1. RPA for repetitive administrative workflows such as copying structured data between systems, insurance or billing preparation, waiting-list updates, and monitoring EMR availability.
  2. LLMs for internal summarization, draft generation, translation support, and protocol retrieval, with mandatory human review.
  3. Predictive AI for operational planning, such as bed demand, theatre scheduling, and supply-chain forecasting.
  4. Carefully governed clinical AI pilots, for example radiology worklist prioritization or second-reader support, only after local validation.

This portfolio aligns with the evidence that real-world workflow integration is difficult. A 2024 systematic review and meta-analysis of AI in medical imaging found that many studies reported time reductions, but meta-analyses did not show consistent significant effects, and the authors warned that heterogeneity limits robust conclusions about overall effectiveness. A 2025 systematic review of AI implementation in routine medical imaging found that successful implementation depends not only on technical performance but also on workflow fit, human-centered design, evaluation, and clinician outcomes.

Phase 3: Perform Legal, Data, and Clinical Risk Assessments

Before any pilot, each use case should undergo four assessments:

  1. First, the hospital should perform a GDPR assessment, including lawful basis, purpose limitation, data minimization, retention, processor/subprocessor mapping, cross-border transfers, and whether a Data Protection Impact Assessment (DPIA) is required. This is especially important for LLM tools because prompts may contain identifiable clinical information and vendor systems may store, reuse, or transfer data.
  2. Second, the hospital should perform an AI Act classification. Some hospital uses may be high-risk, especially when AI is part of medical devices, safety-related clinical systems, employment decisions, or access-to-service decisions. For high-risk systems, deployer obligations include using the system according to instructions, assigning competent human oversight, ensuring relevant input data, monitoring operation, keeping logs, and informing affected workers where applicable.
  3. Third, the hospital should perform a clinical safety assessment. This includes defining intended use, contraindicated use, failure modes, escalation procedures, acceptable error thresholds, and the person accountable for final decisions.
  4. Fourth, the hospital should perform cybersecurity and vendor due diligence. Contracts should cover data location, encryption, access controls, audit logs, incident notification, model updates, subcontractors, training-data use, deletion rights, service continuity, liability, and exit plans.

Phase 4: Local Validation and Controlled Piloting

No AI or LLM system should move directly from vendor demonstration to clinical deployment. The hospital should validate the system on local Belgian hospital data, local languages, local workflows, and local patient populations. This is essential because performance can degrade when tools move across institutions, EHR configurations, specialties, and patient demographics.

The National Academy of Medicine’s (NAM) 2025 report on generative AI in health and medicine emphasizes skill generation, model testing, implementation and monitoring, resources, infrastructure, standardized oversight, local validation, and ongoing monitoring. WHO’s regulatory guidance similarly emphasizes safety, effectiveness, stakeholder dialogue, and governance when AI is used for health.

Pilots should therefore be time-limited, logged, and evaluated against pre-defined endpoints. For RPA, endpoints may include hours saved, error reduction, cycle time, staff satisfaction, and exception rates. For LLMs, endpoints should include factual accuracy, omission rate, hallucination rate, privacy incidents, clinician editing burden, patient readability, and language quality in Dutch, French, German, and English as relevant. For clinical AI, endpoints should include sensitivity, specificity, false positives, false negatives, alert fatigue, time-to-action, patient outcomes where measurable, and equity across demographic groups.

Note: Generative AI is a branch of AI that creates new, original content by learning from vast amounts of existing data. Unlike traditional AI, which is primarily designed to analyze or classify information, generative AI focuses on producing novel outputs that mimic human creativity.

Phase 5: Training, Human Oversight, and Cultural Adoption

Successful implementation depends on trust, but trust must be earned through transparency and competence. Staff should be trained to understand what each tool can do, what it cannot do, when it fails, and who remains accountable. LLMs are particularly risky because fluent output can appear authoritative even when incorrect. The National Academy of Medicine warns that generative AI outputs should be treated as possible but not certain and should not supplant clinical judgment.

The hospital should define “human-in-the-loop” (HITL) rules precisely. A vague statement that “a doctor remains responsible” is insufficient. The policy should specify who reviews the output, what must be checked, how disagreements are handled, whether output may enter the EHR, and how errors are reported. For example, an LLM-generated discharge summary should require clinician validation against the medical record before signature; an RPA bot updating structured fields should require exception queues and audit trails; and a diagnostic AI alert should be visibly labeled as decision support rather than a final conclusion.

Training should also address staff fears. RPA and AI may be perceived as labor substitution. The implementation strategy should frame automation as task redesign: removing repetitive clerical work, improving reliability, and allowing nurses, physicians, administrative staff, and pharmacists to spend more time on higher-value work. Belgium’s hospital workforce pressures make this especially relevant: the 2025 Belgium Country Health Profile reports ongoing hospital staffing challenges, including difficulties recruiting and retaining enough nursing staff (demographics, workforce depletion).

Phase 6: Scaling, Monitoring, and Algorithmovigilance

After successful pilots, scaling should occur only through change control. Each new department, workflow, patient group, language setting, or EHR change may alter system performance. The hospital should create an “algorithmovigilance” program analogous to pharmacovigilance: monitoring errors, drift, bias, adverse events, near misses, user overrides, patient complaints, and vendor updates.

Monitoring must be continuous because AI systems can change when models, data distributions, interfaces, or clinical practice patterns change. For LLMs, monitoring should include hallucinations, unsafe recommendations, inappropriate tone, privacy leakage, and unsupported references. For RPA, monitoring should include bot failure, interface changes, duplicated actions, silent data-entry errors, and exception backlog. For predictive AI, monitoring should include performance drift, subgroup fairness, alert fatigue, and unintended changes in clinician behavior.

Note: Algorithmovigilance is the disciplined, continuous surveillance of AI algorithms after implementation. Algorithmovigilance is modeled on pharmacovigilance, which monitors the safety of medicines after they enter real-world use. Its purpose is to make sure AI systems remain safe, accurate, fair, effective, and trustworthy in real-world use. In healthcare, it is essential because clinical environments change, AI systems can drift, and even small algorithmic errors can affect patient care. Human-in-the-loop (HITL) and algorithmovigilance are complementary. HITL helps prevent immediate unsafe decisions; algorithmovigilance helps detect broader, recurring, or emerging problems over time.

Note: AI hallucinations are instances where an AI system generates information that is factually incorrect, nonsensical, or entirely fabricated, yet presents it with high confidence as if it were true. This phenomenon primarily occurs because large language models (LLMs) function by predicting the most statistically probable next word in a sequence based on patterns in their training data, rather than by reasoning or verifying facts against an external reality.

5. Recommended Initial Use-Case Roadmap

A Belgian hospital should begin with a balanced portfolio:

  • First 6 months: establish governance, inventory current AI/RPA/LLM use, prohibit unsanctioned use of public LLMs with patient data, create procurement rules, train leadership, and select 3–5 low-risk pilots.
  • Months 6–12: pilot RPA in administrative processes, deploy LLMs only in controlled non-final drafting or summarization workflows, and begin local validation of one clinical AI use case. Evaluate time saved, safety, accuracy, user experience, and privacy compliance.
  • Months 12–24: scale successful RPA workflows, integrate approved LLM tools into secure hospital environments, deploy clinical AI only where validation shows benefit, and publish internal transparency reports to staff and patients.
  • After 24 months: connect automation strategy to the hospital’s data strategy, EHDS readiness, research governance, and quality-improvement program.

6. Risk Management

The major risks are privacy breaches, automation bias, hallucination, discrimination, deskilling, cybersecurity vulnerabilities, unclear liability, vendor lock-in, and workflow disruption. The WHO ethics guidance on AI for health stresses that AI must put ethics and human rights at the heart of design, deployment, and use. These risks are not reasons to avoid AI, LLMs, and RPA; they are reasons to govern them rigorously.

A practical control framework should include: approved-use policies, secure environments, DPIAs, model cards or system documentation, vendor due diligence, local validation reports, human oversight protocols, audit logs, incident reporting, periodic bias testing, multilingual testing, patient information notices, staff consultation, and sunset criteria for underperforming systems.

7. Conclusion

AI, LLMs, and RPA can improve Belgian hospital operations and care delivery, but only when introduced as governed clinical infrastructure. The recommended model is not “technology first” but “governance, workflow, safety, and trust first.” RPA should be used early for repetitive, measurable administrative and monitoring tasks. LLMs should be introduced cautiously for assistive drafting, summarization, translation, and knowledge retrieval, with strict privacy controls and human validation (HITL). Clinical AI should be deployed only after risk classification, local validation, workflow testing, staff training, and continuous monitoring.

The central principle is proportionality: the higher the clinical or fundamental-rights risk, the stronger the evidence, oversight, documentation, and human control required. In a Belgian hospital, successful implementation means aligning innovation with GDPR, the EU AI Act, the European Health Data Space, Belgian health-data governance, and the ethical duty to improve care without weakening patient safety, professional accountability, or public trust.

Bibliography

Belgian Data Protection Authority. (2024). Artificial intelligence systems and the GDPR: A data protection perspective. Belgian Data Protection Authority.

European Commission. (2024). AI Act enters into force. Directorate-General for Communication.

European Commission. (2025). European Health Data Space Regulation. Directorate-General for Health and Food Safety.

European Commission. (2026). Artificial intelligence in healthcare. Directorate-General for Health and Food Safety.

Feldman, S. S., Buchalter, S., & Hayes, L. W. (2018). Health information technology in healthcare quality and patient safety: literature review. JMIR Medical Informatics, 6(2), e10264.

GZA. (2022). GZA Ziekenhuizen zet robot in voor repetitieve administratieve taken: "vermindert de kans op fouten én de workload voor medewerkers".

Health Data Agency Belgium. (2026). Homepage: Healthcare of the future. Belgian Health Data Agency.

ISO. (2023). ISO/IEC 42001:2023 Artificial intelligence management systems. International Organization for Standardization.

Li, R. C., Asch, S. M., & Shah, N. H. (2020). Developing a delivery science for artificial intelligence in healthcare. NPJ Digital Medicine, 3(1), 107.

National Academy of Medicine. (2025). Generative artificial intelligence in health and medicine: Opportunities and responsibilities for transformative innovation. National Academies Press.

NIST. (2023). Artificial Intelligence Risk Management Framework. National Institute of Standards and Technology.

OECD & European Observatory on Health Systems and Policies. (2025). Belgium: Country Health Profile 2025. State of Health in the EU.

Olawade, D. B., David-Olawade, A. C., Wada, O. Z., Asaolu, A. J., Adereni, T., & Ling, J. (2024). Artificial intelligence in healthcare delivery: Prospects and pitfalls. Journal of Medicine, Surgery, and Public Health, 3, 100108.

Park, A., Jung, S. Y., Yune, I., & Lee, H. Y. (2025). Applying robotic process automation to monitor business processes in hospital information systems: mixed method approach. JMIR Medical Informatics, 13, e59801.

Reddy, S., Fox, J., & Purohit, M. P. (2019). Artificial intelligence-enabled healthcare delivery. Journal of the Royal Society of Medicine, 112(1), 22-28.

Stevens, E. R., Hartman, J., Testa, P., Mansukhani, A., Monina, C., Shunk, A., ... & Szerencsy, A. (2025). Leveraging Machine Learning and Robotic Process Automation to Identify and Convert Unstructured Colonoscopy Results Into Actionable Data: Proof-of-Concept Study. JMIR Medical Informatics, 13, e73504.

Wenderott, K., Krups, J., Zaruchas, F., & Weigl, M. (2024). Effects of artificial intelligence implementation on efficiency in medical imaging - a systematic literature review and meta-analysis. NPJ Digital Medicine, 7(1), 265.

Wenderott, K., Krups, J., Weigl, M., & Wooldridge, A. R. (2025). Facilitators and barriers to implementing AI in routine medical imaging: systematic review and qualitative analysis. Journal of Medical Internet Research, 27, e63649.


