A-03991
NY · State · USA
Status: Pending
Proposed Effective Date: 2025-01-30
New York Assembly Bill 3991 — An Act to amend the insurance law, in relation to requirements for the usage of artificial intelligence in utilization review and management
Summary

This bill would impose requirements on health care service plans and specialized health care service plans in New York that use AI, algorithms, or other software tools for utilization review or utilization management functions. Core obligations include requiring that AI tools base determinations on individualized enrollee clinical data, not supplant provider decision-making, not discriminate on protected characteristics, be open to inspection, be periodically reviewed for accuracy, and limit patient data use to stated purposes. Adverse determinations based on medical necessity must be made by a licensed physician or competent health care provider considering individualized clinical circumstances. The bill would be enforced by the Department of Financial Services through existing Insurance Law authority. No private right of action is created.

Enforcement & Penalties
Enforcement Authority
The bill amends the New York Insurance Law and would be enforced by the New York Department of Financial Services (DFS), which has general supervisory and enforcement authority over insurers and health care service plans under the Insurance Law. No private right of action is created. Enforcement would be agency-initiated through existing regulatory oversight mechanisms, including examinations and compliance reviews.
Penalties
The bill does not specify monetary penalties, damages, or remedy provisions. Violations would be subject to the general enforcement and penalty provisions of the New York Insurance Law applicable to health care service plans.
Who Is Covered
Compliance Obligations (9 obligations)
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare
Insurance Law § 3224-e(a)(1)
Plain Language
Health care service plans using AI, algorithms, or software tools for utilization review must ensure those tools base their determinations on individualized enrollee clinical data — including the enrollee's medical or dental history, the clinical circumstances presented by the requesting provider, and other relevant clinical information in the enrollee's record. The tool may not rely solely on aggregate or group-level datasets. This applies both to plans that directly use such tools and to plans that contract with entities using them.
Statutory Text
(1) The artificial intelligence, algorithm, or other software tool bases its determination on the following information, as applicable: (i) An enrollee's medical or dental history; (ii) Individual clinical circumstances as presented by the requesting provider; and (iii) Other relevant clinical information contained in the enrollee's medical or dental record.
HC-01 Healthcare AI Decision Restrictions · HC-01.1 · Deployer · Healthcare
Insurance Law § 3224-e(a)(2)
Plain Language
AI, algorithmic, or software tools used in utilization review must not replace or supplant the judgment of health care providers. The tool may inform or assist the decision-making process, but the final clinical decision must remain with a human health care provider. This is a general prohibition that operates alongside the more specific medical necessity review requirement in subsection (b).
Statutory Text
(2) The artificial intelligence, algorithm, or other software tool does not supplant health care provider decision making.
HC-01 Healthcare AI Decision Restrictions · HC-01.1, HC-01.2 · Deployer · Healthcare
Insurance Law § 3224-e(b)
Plain Language
Any denial, delay, or modification of health care services based on medical necessity must be made by a licensed physician or a health care provider who is clinically competent in the relevant specialty. The reviewing professional must consider the requesting provider's recommendation and the enrollee's individualized medical or dental history and clinical circumstances. AI tools cannot make these adverse determinations — a qualified human must do so. This provision operates as an overriding requirement regardless of the other subsection (a) obligations.
Statutory Text
(b) Notwithstanding subsection (a) of this section, a denial, delay, or modification of health care services based on medical necessity shall be made by a licensed physician or other health care provider competent to evaluate the specific clinical issues involved in the health care services requested by the provider by considering the requesting provider's recommendation and based on recommendation, the enrollee's medical or dental history, as applicable, and individual clinical circumstances.
H-02 Non-Discrimination & Bias Assessment · H-02.1 · Deployer · Healthcare
Insurance Law § 3224-e(a)(3)-(4)
Plain Language
AI tools used in utilization review must not discriminate — directly or indirectly — against individuals based on an extensive list of protected characteristics, including race, color, religion, national origin, ancestry, age, sex, gender, gender identity, gender expression, sexual orientation, disability (present or predicted), expected length of life, degree of medical dependency, quality of life, or other health conditions. The tool must also be applied fairly and equitably. Note that the protected characteristic list is broader than typical anti-discrimination provisions — it includes predicted disability, expected length of life, degree of medical dependency, and quality of life, which are healthcare-specific characteristics.
Statutory Text
(3) The use of the artificial intelligence, algorithm, or other software tool does not adversely discriminate, directly or indirectly, against an individual on the basis of race, color, religion, national origin, ancestry, age, sex, gender, gender identity, gender expression, sexual orientation, present or predicted disability, expected length of life, degree of medical dependency, quality of life, or other health conditions. (4) The artificial intelligence, algorithm, or other software tool is fairly and equitably applied.
HC-01 Healthcare AI Decision Restrictions · HC-01.7 · Deployer · Healthcare
Insurance Law § 3224-e(a)(5)
Plain Language
AI, algorithmic, or software tools used in utilization review must be open to inspection. While the bill does not specify who may inspect or the procedures for inspection, this requirement means the tools must be accessible for regulatory audit, compliance review, or other examination. Health care service plans must ensure they can produce the tool for inspection when required.
Statutory Text
(5) The artificial intelligence, algorithm, or other software tool is open to inspection.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
Insurance Law § 3224-e(a)(6)
Plain Language
Health care service plans must include disclosures about the use and oversight of AI tools in their written policies and procedures. This means the plan's utilization review policies and procedures must document that AI tools are used, describe how they are used, and explain oversight mechanisms. These written policies and procedures would be available to regulators, providers, and enrollees as applicable under existing Insurance Law requirements.
Statutory Text
(6) Disclosures pertaining to the use and oversight of the artificial intelligence, algorithm, or other software tool are contained in the written policies and procedures.
HC-01 Healthcare AI Decision Restrictions · HC-01.4 · Deployer · Healthcare
Insurance Law § 3224-e(a)(7)
Plain Language
Health care service plans must periodically review and revise AI tools used in utilization review to maximize their accuracy and reliability. This is an ongoing operational obligation — not a one-time pre-deployment check. Reviews must cover the tool's performance, how it is being used, and the outcomes it produces. Plans should document these periodic reviews to demonstrate compliance.
Statutory Text
(7) The artificial intelligence, algorithm, or other software tool's performance, use, and outcomes are periodically reviewed and revised to maximize accuracy and reliability.
HC-01 Healthcare AI Decision Restrictions · HC-01.5 · Deployer · Healthcare
Insurance Law § 3224-e(a)(8)
Plain Language
Patient data used by AI tools in utilization review must not be repurposed beyond its intended and stated purpose. This data use limitation must be consistent with both applicable New York state privacy laws and HIPAA. Health care service plans must ensure that enrollee clinical data processed by AI tools for utilization review is not used for secondary purposes such as marketing, research unrelated to the enrollee's care, or other functions beyond the stated utilization review purpose.
Statutory Text
(8) Patient data is not used beyond its intended and stated purpose, consistent with applicable state laws and the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
Other · Healthcare
Insurance Law § 3224-e(a)(9)
Plain Language
AI tools used in utilization review must not directly or indirectly cause harm to enrollees. This is a broad, substantive prohibition that operates as a general duty of care. It is not tied to a specific procedural compliance requirement — if an enrollee is harmed by an AI tool's determination, the plan could be found in violation regardless of whether it met the other technical requirements. The bill does not define 'harm,' leaving it to be interpreted broadly to include adverse health outcomes, delayed treatment, or other injuries resulting from AI-influenced utilization decisions.
Statutory Text
(9) The artificial intelligence, algorithm, or other software tool does not directly or indirectly cause harm to the enrollee.