SB-2281
HI · State · USA
Status: Pending
Proposed Effective Date: 2028-07-01
Hawaii SB 2281 — Relating to the Use of Artificial Intelligence in Health Care (SD 1)
Summary

Imposes disclosure, notice, human oversight, performance evaluation, and recordkeeping obligations on health care providers that use artificial intelligence systems in patient interactions or to make (or substantially factor into) consequential decisions affecting patients. Requires providers to disclose AI use in remote patient communications, provide written pre-decision notice and post-decision statements with appeal and data correction rights, maintain qualified AI oversight personnel who must review and validate or override AI outputs before consequential decisions, and conduct regular performance evaluations covering bias, safety, and data confidentiality. The Department of Health is directed to adopt implementing rules. The substantive provisions take effect July 1, 2028. No enforcement mechanism, penalty structure, or private right of action is specified in the bill text.

Enforcement & Penalties
Enforcement Authority
The Department of Health, in coordination with the Department of Business, Economic Development, and Tourism, is directed to adopt rules to implement this part. The statute does not specify an enforcement mechanism, penalty structure, or private right of action. Enforcement authority and mechanism are expected to be established through rulemaking pursuant to chapter 91.
Penalties
The bill does not specify any penalties, damages, or remedies. These are expected to be addressed through rulemaking by the Department of Health.
Who Is Covered
Compliance Obligations (7 obligations)
T-01 AI Identity Disclosure · T-01.1 · Deployer · Healthcare
HRS § 321-__ (Patient interaction; disclosure)(a)-(c)
Plain Language
Health care providers that deploy AI systems to interact with patients via remote communication (telehealth, videoconference, electronic messaging, etc.) must disclose to the patient or their authorized representative before or at the start of the interaction that they are communicating with AI — not a human. The disclosure must be clear and conspicuous and must include either a disclaimer that the communication was generated by AI, or that it was generated by AI and reviewed by a natural person. It must also include clear instructions on how the patient can reach a human health care provider or appropriate natural person. In an emergency, the disclosure may be made as soon as reasonably possible after the interaction begins.
Statutory Text
(a) Any health care provider that uses or makes available for use an artificial intelligence system intended to interact with patients by means of remote communication shall disclose to the patient or the patient's authorized representative, as applicable, that the person is interacting with artificial intelligence. (b) The disclosure shall be made before or at the time of the interaction; provided that in the case of an emergency, the disclosure shall be made as soon as reasonably possible. (c) The disclosure shall be clear and conspicuous, and include: (1) A disclaimer that: (A) The communication was generated by artificial intelligence; or (B) The communication was generated by artificial intelligence and reviewed by a health care provider who is a natural person or a natural person retained by the health care provider; and (2) Clear instructions on how the patient can directly contact a health care provider who is a natural person, an employee of the health care provider, or other appropriate natural person.
H-01 Human Oversight of Automated Decisions · H-01.1, H-01.2, H-01.3 · Deployer · Healthcare
HRS § 321-__ (Consequential decisions; notice; statement; opt-out; corrections; appeal)(a)-(c)
Plain Language
Health care providers must provide patients (or their authorized representatives) with two separate written communications around AI-assisted consequential decisions. First, before using AI to make or substantially factor into a consequential health decision, the provider must deliver a pre-decision written notice that: informs the patient AI will be used, discloses the AI system's purpose and the nature of the decision, describes the system in plain language, and offers an opt-out from profiling using the patient's individually identifiable health information for decisions with legal or similarly significant effects. Second, after the decision is made, the provider must deliver a written statement explaining the decision, the principal reasons for it, the degree and manner of AI involvement, the data types and sources used, an opportunity to correct inaccurate data, and an opportunity to appeal with human review — unless appeal would risk the patient's life or safety. Both communications must be provided directly to the patient or authorized representative where feasible.
Statutory Text
(a) Before using an artificial intelligence system to make, or be a substantial factor in making, a consequential decision, a health care provider shall provide the patient or the patient's authorized representative, as applicable, with a written notice that: (1) Informs the recipient that the health care provider will be using an artificial intelligence system to make, or be a substantial factor in making, the consequential decision; (2) Discloses the purpose of the artificial intelligence system and the nature of the consequential decision; (3) Describes the artificial intelligence system in plain language; and (4) Allows the patient to opt out of the processing of the patient's individually identifiable health information or other personal data for purposes of profiling in furtherance of decisions that have legal or similarly significant effects concerning the patient. (b) Any health care provider that used an artificial intelligence system to make, or be a substantial factor in making, a consequential decision shall provide the patient or the patient's authorized representative, as applicable, with: (1) A written statement that describes the consequential decision and the principal reasons for the consequential decision, including: (A) The degree to which, and manner in which, the artificial intelligence system contributed to the consequential decision; (B) The type of data that was processed by the artificial intelligence system in making the consequential decision; and (C) The sources of the data described in paragraph (B); (2) An opportunity to correct any incorrect health information or personal data that the artificial intelligence system processed in making, or as a substantial factor in making, the consequential decision; and (3) An opportunity to appeal the consequential decision, including allowing, to the extent technically feasible, human review of all information relating to the consequential decision; provided that this paragraph shall not apply if providing the opportunity for appeal is not in the best interest of the patient, including in instances in which any delay might pose a risk to the life or safety of the patient. (c) The notice and statement required pursuant to subsections (a) and (b), respectively, shall be provided directly to the patient or the patient's authorized representative, as applicable; provided that if the health care provider is unable to comply with this requirement, the health care provider shall provide the notice or statement in a manner that is reasonably calculated to ensure that the patient or the patient's authorized representative, as applicable, receives the notice or statement.
D-01 Automated Processing Rights & Data Controls · D-01.3 · Deployer · Healthcare
HRS § 321-__ (Consequential decisions; notice; statement; opt-out; corrections; appeal)(a)(4)
Plain Language
Patients must be given the right to opt out of having their individually identifiable health information or other personal data processed for profiling purposes when those profiling outputs are used to further decisions with legal or similarly significant effects. This opt-out must be offered as part of the pre-decision written notice. The opt-out right is specifically scoped to profiling — automated processing that evaluates, analyzes, or predicts personal aspects — not to all AI processing in general.
Statutory Text
(4) Allows the patient to opt out of the processing of the patient's individually identifiable health information or other personal data for purposes of profiling in furtherance of decisions that have legal or similarly significant effects concerning the patient.
H-01 Human Oversight of Automated Decisions · H-01.6 · Deployer · Healthcare
HRS § 321-__ (Consequential decisions; review and validation by qualified oversight personnel)(a)-(c)
Plain Language
Health care providers using AI to make or substantially factor into consequential patient decisions must designate and maintain qualified AI oversight personnel — a natural person with the qualifications, experience, and expertise to evaluate AI outputs in health care. This person may be an employee or a contracted third party. The oversight personnel must continuously monitor the provider's AI systems and, critically, must review, evaluate, and either validate or override every AI output before it is used in a consequential decision. This is a mandatory human-in-the-loop requirement: no consequential AI-informed decision may proceed without affirmative human review and authorization.
Statutory Text
(a) Any health care provider that uses an artificial intelligence system to make, or be a substantial factor in making, a consequential decision shall maintain an artificial intelligence oversight personnel. (b) The artificial intelligence oversight personnel: (1) Shall be a natural person; (2) Shall have the qualifications, experience, and expertise necessary to effectively evaluate outputs, including but not limited to any information, data, assumptions, predictions, scoring, recommendations, decisions, or conclusions generated by artificial intelligence systems in the field of health care; and (3) May be retained by contracting with a third-party. (c) The artificial intelligence oversight personnel shall: (1) Monitor the artificial intelligence systems used by the health care provider; and (2) Before the health care provider uses an output generated by an artificial intelligence system to make, or be a substantial factor in making, a consequential decision: (A) Review and evaluate the output; and (B) Validate or override the output.
S-01 AI System Safety Program · S-01.4, S-01.7 · Deployer · Healthcare
HRS § 321-__ (Monitoring; performance evaluation; record keeping)(1)-(3)
Plain Language
Health care providers using AI in consequential patient decisions must maintain an ongoing program of monitoring, performance evaluation, and remediation for those AI systems. Monitoring must cover actual usage in consequential decision-making. Regular performance evaluations must assess potential biases, risks to patient safety and data confidentiality, and develop mitigation strategies for identified risks. The provider must also implement procedures to address deficiencies discovered through monitoring or evaluation, up to and including suspending or recalibrating the AI system. The frequency of evaluations will be established by Department of Health rules.
Statutory Text
Any health care provider that uses an artificial intelligence system to make, or be a substantial factor in making, a consequential decision shall: (1) Monitor the usage of artificial intelligence systems to make, or be a substantial factor in making, consequential decisions; (2) Conduct regular performance evaluations of the artificial intelligence systems, including the assessment of: (A) Potential biases; (B) Risks to the safety and rights of patients, including the confidentiality of personal data; and (C) Mitigation strategies for any identified risks; (3) Implement procedures to address any deficiencies identified through the monitoring or performance evaluations, including the suspension or recalibration of any artificial intelligence system;
G-01 AI Governance Program & Documentation · G-01.3 · Deployer · Healthcare
HRS § 321-__ (Monitoring; performance evaluation; record keeping)(4)
Plain Language
Health care providers using AI in consequential decisions must maintain four categories of records: (A) an up-to-date inventory of all AI systems in use; (B) documentation of each system's design, intended use, and training data; (C) records of all monitoring, performance evaluations, and oversight activities; and (D) documentation of findings and remediation actions taken in response to identified deficiencies. The bill does not specify a retention period — this will likely be addressed in DOH rulemaking. This is a continuing recordkeeping obligation that must be kept current as systems change.
Statutory Text
(4) Maintain: (A) An updated inventory of the artificial intelligence systems; (B) Documentation on the system design, intended use, and training data of the artificial intelligence systems; (C) Record of the monitoring, performance evaluations, and oversight activities; and (D) Documentation of findings and actions taken to address any deficiencies identified through the monitoring or performance evaluations.
Other · Healthcare
HRS § 321-__ (Rules)
Plain Language
The Department of Health, working with the Department of Business, Economic Development, and Tourism, must adopt administrative rules to implement this part. The rules must address at minimum (1) the required qualifications, experience, and expertise for AI oversight personnel, and (2) the frequency of regular AI performance evaluations. This is a rulemaking directive to a government agency, not a compliance obligation on health care providers. Future rules may create additional obligations not yet specified in the statute.
Statutory Text
The department of health, in coordination with the department of business, economic development, and tourism, shall adopt rules pursuant to chapter 91 to implement this part. The rules shall include but not be limited to the qualifications, experience, and expertise required for an artificial intelligence oversight personnel and the frequency of regular performance evaluations of artificial intelligence systems required to be performed by certain health care providers.