SB-2281
HI · State · USA
● Pending
Proposed Effective Date
2028-07-01
Hawaii SB 2281 — Relating to the Use of Artificial Intelligence in Health Care (S.D. 1)
Summary

Requires health care providers in Hawaii that use AI systems in patient interactions via remote communication to disclose to patients that they are interacting with AI. When AI is used to make or be a substantial factor in making consequential decisions (decisions significantly affecting a patient's physical or mental health), health care providers must provide pre-decision written notice, post-decision explanations including principal reasons and data types used, opportunities to correct data and appeal decisions with human review, and an opt-out right for profiling. Providers must maintain qualified AI oversight personnel who review and validate or override AI outputs before consequential decisions. Providers must also monitor AI systems, conduct regular performance evaluations assessing bias and safety risks, and maintain detailed records. The Department of Health is directed to adopt implementing rules. Implementation takes effect July 1, 2028.

Enforcement & Penalties
Enforcement Authority
Department of Health, in coordination with the Department of Business, Economic Development, and Tourism, is directed to adopt rules pursuant to chapter 91 to implement the new part. No private right of action is created. No specific enforcement mechanism, penalty, or complaint process is specified in the bill text; enforcement would depend on the rules adopted by the Department of Health.
Penalties
The bill does not specify any penalties, damages, civil fines, or remedies. Enforcement consequences would be determined through rules adopted by the Department of Health.
Who Is Covered
Compliance Obligations · 8 obligations
T-01 AI Identity Disclosure · T-01.1 · Deployer · Healthcare
HRS § 321-__ (Patient interaction; disclosure)(a)-(c)
Plain Language
Health care providers that deploy AI systems to interact with patients via remote communication (telehealth, videoconference, electronic messaging, etc.) must disclose to the patient or authorized representative that they are interacting with AI. The disclosure must be clear and conspicuous, provided before or at the time of interaction (or as soon as reasonably possible in emergencies), and must include either a disclaimer that the communication was AI-generated or that it was AI-generated and reviewed by a natural person. It must also include clear instructions for how the patient can contact a human health care provider or appropriate natural person directly.
Statutory Text
(a) Any health care provider that uses or makes available for use an artificial intelligence system intended to interact with patients by means of remote communication shall disclose to the patient or the patient's authorized representative, as applicable, that the person is interacting with artificial intelligence. (b) The disclosure shall be made before or at the time of the interaction; provided that in the case of an emergency, the disclosure shall be made as soon as reasonably possible. (c) The disclosure shall be clear and conspicuous, and include: (1) A disclaimer that: (A) The communication was generated by artificial intelligence; or (B) The communication was generated by artificial intelligence and reviewed by a health care provider who is a natural person or a natural person retained by the health care provider; and (2) Clear instructions on how the patient can directly contact a health care provider who is a natural person, an employee of the health care provider, or other appropriate natural person.
H-01 Human Oversight of Automated Decisions · H-01.1, H-01.3 · Deployer · Healthcare
HRS § 321-__ (Consequential decisions; notice; statement; opt-out; corrections; appeal)(a)
Plain Language
Before using AI to make or substantially contribute to a consequential decision — any decision significantly affecting a patient's physical or mental health — the health care provider must give the patient or authorized representative a written pre-decision notice. The notice must: (1) inform the patient that AI will be used; (2) disclose the purpose of the AI system and the nature of the decision; (3) describe the AI system in plain language; and (4) allow the patient to opt out of profiling of their individually identifiable health information or personal data for decisions with legal or similarly significant effects. The 'substantial factor' trigger is broadly defined and captures any AI-generated content, prediction, or recommendation used as a basis for a consequential decision.
Statutory Text
(a) Before using an artificial intelligence system to make, or be a substantial factor in making, a consequential decision, a health care provider shall provide the patient or the patient's authorized representative, as applicable, with a written notice that: (1) Informs the recipient that the health care provider will be using an artificial intelligence system to make, or be a substantial factor in making, the consequential decision; (2) Discloses the purpose of the artificial intelligence system and the nature of the consequential decision; (3) Describes the artificial intelligence system in plain language; and (4) Allows the patient to opt out of the processing of the patient's individually identifiable health information or other personal data for purposes of profiling in furtherance of decisions that have legal or similarly significant effects concerning the patient.
H-01 Human Oversight of Automated Decisions · H-01.1, H-01.2, H-01.4, H-01.5 · Deployer · Healthcare
HRS § 321-__ (Consequential decisions; notice; statement; opt-out; corrections; appeal)(b)-(c)
Plain Language
After a consequential decision has been made using AI, the health care provider must give the patient or authorized representative: (1) a written statement describing the decision and its principal reasons — including the degree and manner of AI contribution, the types of data the AI processed, and the sources of that data; (2) an opportunity to correct any incorrect health information or personal data the AI used; and (3) an opportunity to appeal the decision with human review of all related information, to the extent technically feasible. The appeal right has a safety exception: it does not apply when delay would risk the patient's life or safety. All notices and statements must be delivered directly to the patient or authorized representative, or if that is not possible, through a manner reasonably calculated to ensure receipt.
Statutory Text
(b) Any health care provider that used an artificial intelligence system to make, or be a substantial factor in making, a consequential decision shall provide the patient or the patient's authorized representative, as applicable, with: (1) A written statement that describes the consequential decision and the principal reasons for the consequential decision, including: (A) The degree to which, and manner in which, the artificial intelligence system contributed to the consequential decision; (B) The type of data that was processed by the artificial intelligence system in making the consequential decision; and (C) The sources of the data described in paragraph (B); (2) An opportunity to correct any incorrect health information or personal data that the artificial intelligence system processed in making, or as a substantial factor in making, the consequential decision; and (3) An opportunity to appeal the consequential decision, including allowing, to the extent technically feasible, human review of all information relating to the consequential decision; provided that this paragraph shall not apply if providing the opportunity for appeal is not in the best interest of the patient, including in instances in which any delay might pose a risk to the life or safety of the patient. (c) The notice and statement required pursuant to subsections (a) and (b), respectively, shall be provided directly to the patient or the patient's authorized representative, as applicable; provided that if the health care provider is unable to comply with this requirement, the health care provider shall provide the notice or statement in a manner that is reasonably calculated to ensure that the patient or the patient's authorized representative, as applicable, receives the notice or statement.
D-01 Automated Processing Rights & Data Controls · D-01.3 · Deployer · Healthcare
HRS § 321-__ (Consequential decisions; notice; statement; opt-out; corrections; appeal)(a)(4)
Plain Language
As part of the pre-decision written notice, health care providers must give patients the right to opt out of profiling — automated processing of their individually identifiable health information or personal data used to evaluate, analyze, or predict personal aspects — when the profiling furthers decisions with legal or similarly significant effects on the patient. This is an affirmative opt-out right that must be offered before the AI is used in the consequential decision. Though this obligation is embedded in the same subsection as the pre-decision notice, it is a distinct data governance right warranting separate compliance attention.
Statutory Text
(4) Allows the patient to opt out of the processing of the patient's individually identifiable health information or other personal data for purposes of profiling in furtherance of decisions that have legal or similarly significant effects concerning the patient.
H-01 Human Oversight of Automated Decisions · H-01.6 · Deployer · Healthcare
HRS § 321-__ (Consequential decisions; review and validation by qualified oversight personnel)(a)-(c)
Plain Language
Health care providers using AI to make or substantially factor into consequential decisions must designate and maintain AI oversight personnel. This person must be a natural person with qualifications, experience, and expertise to effectively evaluate AI outputs in health care — and may be a third-party contractor. The oversight person must both (1) monitor the provider's AI systems on an ongoing basis and (2) before any AI output is used in a consequential decision, affirmatively review, evaluate, and then validate or override the output. This is a mandatory human-in-the-loop requirement: no AI output may be acted upon for a consequential decision without prior human review and an affirmative validation or override decision. The Department of Health will adopt rules specifying required qualifications for oversight personnel.
Statutory Text
(a) Any health care provider that uses an artificial intelligence system to make, or be a substantial factor in making, a consequential decision shall maintain an artificial intelligence oversight personnel. (b) The artificial intelligence oversight personnel: (1) Shall be a natural person; (2) Shall have the qualifications, experience, and expertise necessary to effectively evaluate outputs, including but not limited to any information, data, assumptions, predictions, scoring, recommendations, decisions, or conclusions generated by artificial intelligence systems in the field of health care; and (3) May be retained by contracting with a third-party. (c) The artificial intelligence oversight personnel shall: (1) Monitor the artificial intelligence systems used by the health care provider; and (2) Before the health care provider uses an output generated by an artificial intelligence system to make, or be a substantial factor in making, a consequential decision: (A) Review and evaluate the output; and (B) Validate or override the output.
S-01 AI System Safety Program · S-01.4, S-01.7 · Deployer · Healthcare
HRS § 321-__ (Monitoring; performance evaluation; record keeping)(1)-(3)
Plain Language
Health care providers using AI in consequential decisions must: (1) monitor AI system usage on an ongoing basis; (2) conduct regular performance evaluations covering potential biases, patient safety and rights risks (including data confidentiality), and mitigation strategies for identified risks; and (3) implement procedures to remediate deficiencies found through monitoring or evaluations, including suspension or recalibration of AI systems as needed. The frequency of 'regular' performance evaluations will be specified by Department of Health rules. This is a continuing operational obligation — not a one-time pre-deployment assessment.
Statutory Text
Any health care provider that uses an artificial intelligence system to make, or be a substantial factor in making, a consequential decision shall: (1) Monitor the usage of artificial intelligence systems to make, or be a substantial factor in making, consequential decisions; (2) Conduct regular performance evaluations of the artificial intelligence systems, including the assessment of: (A) Potential biases; (B) Risks to the safety and rights of patients, including the confidentiality of personal data; and (C) Mitigation strategies for any identified risks; (3) Implement procedures to address any deficiencies identified through the monitoring or performance evaluations, including the suspension or recalibration of any artificial intelligence system;
G-01 AI Governance Program & Documentation · G-01.3 · Deployer · Healthcare
HRS § 321-__ (Monitoring; performance evaluation; record keeping)(4)
Plain Language
Health care providers must maintain four categories of records: (1) an updated inventory of all AI systems used in consequential decisions; (2) documentation of each system's design, intended use, and training data; (3) records of all ongoing monitoring, performance evaluations, and oversight activities; and (4) documentation of findings and remedial actions taken when deficiencies are identified. These are continuing recordkeeping obligations — the inventory must be kept current, and documentation must be maintained as monitoring and evaluations occur. The bill does not specify a retention period, which may be addressed in implementing rules.
Statutory Text
(4) Maintain: (A) An updated inventory of the artificial intelligence systems; (B) Documentation on the system design, intended use, and training data of the artificial intelligence systems; (C) Record of the monitoring, performance evaluations, and oversight activities; and (D) Documentation of findings and actions taken to address any deficiencies identified through the monitoring or performance evaluations.
Other · Healthcare
HRS § 321-__ (Rules)
Plain Language
The Department of Health, coordinating with the Department of Business, Economic Development, and Tourism, must adopt administrative rules under the Hawaii Administrative Procedure Act (chapter 91) to implement this part. The rules must at minimum address the required qualifications for AI oversight personnel and the frequency of regular performance evaluations. This signals that key compliance parameters — particularly who qualifies as oversight personnel and how often evaluations must occur — will be determined through rulemaking rather than specified in statute. Health care providers should monitor the rulemaking process for these details.
Statutory Text
The department of health, in coordination with the department of business, economic development, and tourism, shall adopt rules pursuant to chapter 91 to implement this part. The rules shall include but not be limited to the qualifications, experience, and expertise required for an artificial intelligence oversight personnel and the frequency of regular performance evaluations of artificial intelligence systems required to be performed by certain health care providers.