Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
The legislature finds that the State continues to face severe physician, nurse, and dentist shortages, with over thirty-five per cent of the State's population residing in federally designated health professional shortage areas--the highest percentage in the nation. The legislature further finds that the university of Hawaii health research center found that forty-two per cent of surveyed physicians reported patient harm or serious adverse events attributable to prior authorization delays or denials, emphasizing a need for streamlined insurance processes. The legislature also finds that recent increases in claims denials, particularly those driven by automated or artificial intelligence (AI)-based systems, underscore the necessity for greater transparency, specialist review, and patient-friendly appeals mechanisms.
The legislature recognizes that the original Hawaii Patients' Bill of Rights and Responsibilities Act, enacted over twenty-five years ago, now requires substantial updates to address modern challenges, such as AI-driven health insurance claim denials, telehealth accessibility, data-offshoring risks, and persistent network inadequacies on the neighbor islands and in rural areas. The legislature finds that patients, health care providers, and cybersecurity experts cite the need for robust data protection measures that accommodate legitimate offshoring services while maintaining safeguards compliant with the Health Insurance Portability and Accountability Act of 1996, timely breach notifications, and strong enforcement.
Accordingly, the purpose of this Act is to modernize and strengthen the Hawaii Patients' Bill of Rights and Responsibilities Act to reflect developments and improvements in prior authorization, telehealth, data protection, and enforcement standards.
Section 1 sets out the legislative findings motivating the bill, including physician shortages, patient harm from prior authorization delays, and the rise of AI-driven claim denials. It establishes the legislature's intent to modernize the Hawaii Patients' Bill of Rights and Responsibilities Act. This section creates no compliance obligations.
As used in this part: "Automated decision system" means any algorithmic or software-based platform that can autonomously generate or recommend coverage determinations without direct human supervision.
"Health professional shortage area" has the same meaning as defined in the Public Health Service Act of 1944.
"Prior authorization" means the process by which utilization review organizations determine the medical necessity or medical appropriateness of otherwise covered health care services prior to rendering the health care services. "Prior authorization" includes any health carrier or utilization review organization's requirement that an enrollee or health care provider notify the health carrier or utilization review organization prior to providing a health care service.
"Telehealth services" or "telehealth" has the same meaning as defined in section 431:10A-116.3.
This section establishes the key defined terms for the new Part governing automated decision systems, prior authorization, and telehealth. The definition of automated decision system is notably broad, covering any algorithmic or software-based platform that can autonomously generate or recommend coverage determinations without direct human supervision. This section creates no independent compliance obligations.
(a) Enrollees in health professional shortage areas shall have timely access to primary and specialty care.
(b) Telehealth services, if legally permissible within a provider's scope of practice, shall be covered at parity with in-person services to mitigate access barriers.
(c) Prior authorization procedures in health professional shortage areas shall not unduly limit provider productivity or delay critical patient care.
(d) 1 A health carrier shall submit quarterly reports to the commissioner detailing provider-to-patient ratios, average wait times, and referral outcomes, disaggregated by region or island.
This section imposes access and reporting obligations on health carriers operating in health professional shortage areas. Telehealth services must be covered at parity with in-person services, and prior authorization procedures must not unduly limit provider productivity or delay critical care. Health carriers must submit quarterly reports to the insurance commissioner detailing provider-to-patient ratios, average wait times, and referral outcomes disaggregated by region or island. These obligations are primarily healthcare-access requirements rather than AI-specific provisions.
(a) 2 A health carrier shall issue prior authorization decisions within the following timeframes: (1) For urgent requests, a determination shall be made within one business day of receipt; and (2) For non-urgent requests, a determination shall be made within three business days of receipt.
(b) 3 If an automated decision system initiates a health insurance claim denial, that denial shall be reviewed and co-signed by a board-certified specialist in the relevant field before being finalized. Enrollees and providers shall be notified in writing when an automated decision system is used at any stage of the coverage determination.
(c) 4 A health carrier shall compile and submit monthly data to the commissioner on prior authorization approval or denial rates, average processing times, and the percentage of automated decision system-based denials overturned on appeal.
(d) For the purposes of this section: "Urgent request" means a request for health care services for which a delay in decision could reasonably be expected to seriously jeopardize the life or health of the enrollee or the enrollee's ability to regain maximum function. "Non-urgent request" means any prior authorization request that does not meet the definition of an urgent request.
This is the bill's central AI provision. It requires prior authorization decisions within one business day for urgent requests and three business days for non-urgent requests. The core AI obligation is in subsection (b): when an automated decision system initiates a health insurance claim denial, that denial must be reviewed and co-signed by a board-certified specialist in the relevant field before finalization. This is a human-oversight requirement squarely within the HC-01 framework. In addition, enrollees and providers must receive written notification whenever an automated decision system is used at any stage of the coverage determination. Health carriers must also submit monthly data to the commissioner on prior authorization approval and denial rates, average processing times, and the percentage of automated-decision-system-based denials overturned on appeal.
5 The commissioner, in collaboration with the department of health, shall explore or establish technical support programs to help smaller or rural practices adopt secure data systems, comply with prior authorization reporting requirements, and integrate telehealth services effectively.
This section directs the insurance commissioner, in collaboration with the department of health, to explore or establish technical support programs to help smaller or rural practices adopt secure data systems, comply with prior authorization reporting requirements, and integrate telehealth services. This is a directive to a government agency to develop assistance programs rather than a compliance obligation on regulated entities.
6 A managed care plan shall not deny coverage for emergency services based on retrospective review. If an enrollee believes in good faith that their life or health is endangered, the enrollee shall have the right to seek immediate emergency services without facing post-service coverage denials.
This section prohibits managed care plans from denying coverage for emergency services based on retrospective review. Enrollees who seek immediate emergency services in a good-faith belief that their life or health is endangered may not face post-service coverage denials. This is a patient-rights provision that does not specifically address AI systems.
(a) 7 A covered entity, whether located onshore or offshore, shall uphold a standard of data protection meeting or exceeding security requirements set forth in the Health Insurance Portability and Accountability Act of 1996, codified at title 45 Code of Federal Regulations parts 160 and 164, when storing or disclosing personally identifiable enrollee data, including social security numbers and medical identification numbers.
(b) 8 Before offshoring data, a covered entity shall file an attestation with the commissioner confirming that any overseas subcontractors adhere to encryption, breach notification, audit logging, and confidentiality protocols. A covered entity shall undergo random audits and shall produce security certifications upon request.
(c) 9 In the event of a suspected or actual data breach, a covered entity shall notify affected enrollees and the commissioner within seventy-two hours and shall implement a corrective action plan. Repeated or willful violations may result in fines, revocation of accreditation, or other sanctions.
(d) For the purposes of this section, "covered entity" has the same meaning as defined in title 45 Code of Federal Regulations section 160.103.
This section imposes data protection obligations on covered entities (as defined by HIPAA) handling enrollee personally identifiable information. Covered entities must meet or exceed HIPAA security requirements regardless of whether data is stored onshore or offshore. Before offshoring data, covered entities must file an attestation with the commissioner confirming overseas subcontractors adhere to encryption, breach notification, audit logging, and confidentiality protocols. In the event of a data breach, notification to affected enrollees and the commissioner must occur within seventy-two hours. This section takes effect on January 1, 2027 — a staged effective date later than the rest of the bill.
(a) There is established the multidisciplinary advisory group within the department of health. The advisory group shall consist of the following members or their designees: (1) The director of health, who shall serve as chairperson of the advisory group; (2) physicians licensed pursuant to chapter 453; (3) individuals with expertise in cybersecurity or a related field; (4) enrollee advocates; (5) telehealth specialists; and (6) Any other person invited by the chairperson.
(b) The advisory group shall convene periodically to review compliance, recommend updates, and study emerging issues related to this chapter.
This section establishes a multidisciplinary advisory group within the department of health to periodically review compliance, recommend updates, and study emerging issues under Chapter 432E. The group includes the director of health as chair, physicians, cybersecurity experts, enrollee advocates, telehealth specialists, and others. This is a governmental body establishment provision rather than a compliance obligation on regulated entities.
10 A health carrier, managed care plan, or affiliated entity shall not retaliate against a provider for filing a formal complaint, submitting testimony, or participating in external reviews concerning compliance with this chapter.
This section prohibits health carriers, managed care plans, and affiliated entities from retaliating against providers who file formal complaints, submit testimony, or participate in external reviews concerning compliance with Chapter 432E. While related to whistleblower protections, this is a healthcare-specific anti-retaliation provision protecting providers who report compliance concerns rather than an AI-specific whistleblower obligation.
(a) An enrollee shall have the right to be informed fully prior to making any decision about any treatment, benefit, or nontreatment, which shall include a clear explanation of diagnosis, treatment options, and potential outcomes or risks.
(b)(1)–(3) In order to inform enrollees fully, the provider shall: (1) Discuss all treatment options with an enrollee, as provided by section 671-3, including the option of no treatment at all; (2) Ensure that persons with disabilities have an effective means of communication with the provider and other members of the managed care plan; and (3) Discuss all risks, benefits, and consequences to treatment and nontreatment, as provided by section 671-3(b).
(c) The provider shall discuss with the enrollee and the enrollee's immediate family both advance health-care directives, as provided for in chapter 327E, and durable powers of attorney in relation to medical treatment.
(d) A managed care plan shall be prohibited from imposing any type of prohibition, disincentive, penalty, or other negative treatment upon a provider for discussing or providing any information regarding treatment options and medically necessary or appropriate care, including no treatment, even if the information relates to services or benefits not provided by the managed care plan.
(e) A mentally competent enrollee or their appointed representative shall have the right to accept, receive, reject, or discontinue any medical care, treatment, or prescribed medication from any health care provider, and shall have the right to not have that decision denied, prevented, restricted, or impeded by other persons.
This section amends existing law governing enrollee participation in treatment decisions. The amendments strengthen the informed consent requirement by specifying that the information must include a clear explanation of diagnosis, treatment options, and potential outcomes or risks. A new subsection (e) affirms the right of mentally competent enrollees or their representatives to accept, receive, reject, or discontinue any medical care or treatment. These are patient-rights provisions that are not AI-specific.
(a)–(d) A health carrier with enrollees in this State shall establish and maintain a procedure to provide for the resolution of an enrollee's complaints and internal appeals. The procedure shall provide for expedited internal appeals under section 432E-6.5. The definition of medical necessity in section 432E-1.4 shall apply in a health carrier's complaints and internal appeals procedures. The health carrier shall at all times make available its complaints and internal appeals procedures. The complaints and internal appeals procedures shall be reasonably understandable to the average layperson and shall be provided in a language other than English upon request. A health carrier shall decide any expedited internal appeal as soon as possible after receipt of the complaint, taking into account the medical exigencies of the case, but not later than seventy-two hours after receipt of the request for expedited appeal. A health carrier shall send notice of its final internal determination within sixty days of the submission of the complaint to the enrollee, the enrollee's appointed representative, if applicable, the enrollee's treating provider, and the commissioner. The notice shall include the following information regarding the enrollee's rights and procedures: (1) The enrollee's right to request an external review; (2) The one hundred thirty day deadline for requesting an external review; (3) Instructions on how to request an external review; and (4) Where to submit the request for an external review. In addition to these general requirements, the notice shall conform to the requirements of sections 432E-35 and 432E-36.
(e) 11 Whenever a health carrier issues an adverse determination, the health carrier shall provide the enrollee with: (1) A universal external review request form prescribed by the commissioner; and (2) A clear, step-by-step guide, in print or electronic form, explaining the enrollee's rights and procedures to request an internal appeal or external review.
(f) 12 Any notice of denial for insurance coverage, appeal, or any request for clinical services shall describe the specific reasons for the denial. The specifics of the description shall contain information that references the: (1) Enrollee and health care provider contract or agreement; (2) Specialty of the health care provider reviewing the appeal or request for clinical services; (3) Specific sections of medical or clinical policy or guidelines, or where none of the foregoing are applicable; and (4) Specific reasoning for the determination by the reviewing health care provider.
(g) 13 A health carrier shall maintain a publicly accessible website that includes a "frequently asked questions" section regarding enrollee complaint and appeal procedures and shall provide a toll-free hotline to assist enrollees with questions about filing or pursuing an appeal.
(h) The commissioner may impose financial penalties or other administrative measures on health carriers failing to publicize or comply with state and federal appeals requirements.
This section substantially strengthens the complaints and appeals framework. New subsections require that upon any adverse determination, health carriers must provide enrollees with a universal external review request form prescribed by the commissioner and a clear, step-by-step guide to the appeal process. Denial notices must describe specific reasons referencing the contract, the specialty of the reviewing provider, the applicable medical or clinical policy, and the specific reasoning of the reviewing provider. Health carriers must maintain a publicly accessible FAQ website and toll-free hotline for appeal assistance. The commissioner may impose financial penalties for failure to publicize or comply with appeals requirements. While not AI-specific, these provisions are directly relevant to AI-initiated claim denials covered elsewhere in the bill.
(a)(1)–(7) The managed care plan shall provide to its enrollees upon enrollment and thereafter upon request the following information: (1) A list of participating providers, which shall be updated on a regular basis indicating, at a minimum, their specialty and whether the provider is accepting new patients; (2) A written, complete description and explanation of benefits, covered- and non-covered services, and copayments, which shall be presented at a reading level understandable to the average enrollee; (3) A statement on enrollee's rights, responsibilities, and obligations; (4) An explanation of the referral process, if any; (5) Where services or benefits may be obtained; (6) Information on complaints and appeals procedures; and (7) The telephone number of the insurance division.
(b)–(c) Every managed care plan shall provide to the commissioner and its enrollees notice of any material change in participating provider agreements, services, or benefits, if the change affects the organization or operation of the managed care plan and the enrollee's services or benefits. The managed care plan shall provide notice to enrollees not more than sixty days after the change in a format that makes the notice clear and conspicuous so that it is readily noticeable by the enrollee. A managed care plan shall provide generic participating provider contracts to enrollees, upon request.
(d) A managed care plan shall maintain and publicly post an up-to-date, accurate, and easily accessible directory of in-network providers. The directory shall be updated at least quarterly and shall list each provider's: (1) Specialty; (2) Languages spoken; (3) Telehealth availability; and (4) Current patient capacity.
(e) All enrollees shall be able to obtain timely specialist referrals without undue administrative barriers or delays. A managed care plan shall clearly communicate referral steps and expedite all referrals in urgent or complex cases.
This section amends existing enrollee information requirements. The key additions are: benefits descriptions must now be written and presented at a reading level understandable to the average enrollee; managed care plans must maintain and publicly post an up-to-date provider directory updated at least quarterly listing specialty, languages spoken, telehealth availability, and current patient capacity; and enrollees must be able to obtain timely specialist referrals without undue administrative barriers. These are healthcare transparency provisions that are not AI-specific.
(a) All remedies, penalties, and proceedings in articles 2 and 13 of chapter 431 made applicable hereby to managed care plans shall be invoked and enforced solely and exclusively by the commissioner.
(b) The commissioner shall have the authority to audit, investigate, and enforce this chapter. The commissioner may impose fines, clawbacks, revocations of accreditation, and other appropriate remedies for noncompliance.
This section expands the insurance commissioner's enforcement authority. The commissioner has exclusive authority to invoke all remedies, penalties, and proceedings under the applicable insurance code chapters. A new subsection (b) expressly grants the commissioner authority to audit, investigate, and enforce the entire chapter, and to impose fines, clawbacks, revocation of accreditation, and other appropriate remedies for noncompliance. This section creates no independent compliance obligation on regulated entities.
(a) The commissioner shall submit annually to the legislature a report that shall contain the number of external review hearing cases reviewed, the type of cases reviewed, a summary of the nature of the cases reviewed, and the disposition of the cases reviewed. The identities of the plan and the enrollee shall be protected from disclosure in the report.
(b) 14 The commissioner shall publish an annual report detailing enforcement actions, complaint data, automated decision system usage rates, health insurance claim denial statistics, and any data breaches or security infractions. The report shall include trend analyses that include but are not limited to: (1) Median time-to-decision for prior authorizations; (2) Telehealth adoption rates; and (3) Network adequacy improvements.
This section expands the commissioner's existing annual reporting obligation to the legislature. A new subsection (b) requires the commissioner to publish an annual report detailing enforcement actions, complaint data, automated decision system usage rates, health insurance claim denial statistics, and data breaches or security infractions. The report must include trend analyses covering median time-to-decision for prior authorizations, telehealth adoption rates, and network adequacy improvements. This is a government reporting obligation, not a direct compliance obligation on health carriers, but it creates transparency pressure by making AI-related denial data publicly available.
The insurance commissioner shall submit a progress report of its findings and recommendations related to the implementation of this Act, including any proposed legislation, to the legislature no later than twenty days prior to the convening of the regular session of 2028.
This section requires the insurance commissioner to submit a progress report on implementation of the Act, including any proposed legislation, to the legislature no later than twenty days prior to the convening of the 2028 regular session. This is a transitional government reporting obligation.
In codifying the new sections added by section 3 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new sections in this Act.
Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
This Act shall take effect upon its approval; provided that section 432E-B, Hawaii Revised Statutes, added by section 3 of this Act, shall take effect on January 1, 2027.
These sections address codification mechanics, indicate that bracketed/stricken material is repealed and underscored material is new, and set the Act's effective date. The Act takes effect upon approval, except that the data protection section (§ 432E-B) takes effect on January 1, 2027.