Laws & Statutes NY NY-A-08556
A-08556
NY · State · USA
NY
USA
● Pending
Proposed Effective Date
2025-08-18
New York Assembly Bill 8556 — An Act to amend the public health law and the insurance law, in relation to the use of an artificial intelligence, algorithm, or other software tool for the purpose of utilization review
Regulates the use of AI, algorithms, or software tools in utilization review and utilization management for healthcare coverage decisions in New York. Applies to utilization review agents under the Public Health Law and disability insurers (including specialized health insurers) under the Insurance Law, including entities that contract with third parties using such tools. Requires that AI tools base determinations on individualized patient clinical data rather than solely on group datasets, prohibits AI tools from independently denying, delaying, or modifying healthcare services based on medical necessity, mandates periodic review of tool performance, restricts patient data use consistent with HIPAA, and requires tools to be open to regulatory inspection. Medical necessity determinations must be made by licensed physicians or competent licensed health care professionals who consider individual clinical circumstances.
Passage Likelihood
Low
Chamber No passage
Committee No action
Majority party Yes
Bipartisan No
Prior session None
Legislative History
2025-05-20 committee referral referred to insurance
2026-01-07 committee referral referred to insurance
Mapped Requirements
HC-01 Healthcare AI Decision Restrictions H-02 Non-Discrimination & Bias Assessment
Official Sources
Full Text
Entry Last Reviewed
2026-03-28
AI generated
Summary

Regulates the use of AI, algorithms, or software tools in utilization review and utilization management for healthcare coverage decisions in New York. Applies to utilization review agents under the Public Health Law and disability insurers (including specialized health insurers) under the Insurance Law, including entities that contract with third parties using such tools. Requires that AI tools base determinations on individualized patient clinical data rather than solely on group datasets, prohibits AI tools from independently denying, delaying, or modifying healthcare services based on medical necessity, mandates periodic review of tool performance, restricts patient data use consistent with HIPAA, and requires tools to be open to regulatory inspection. Medical necessity determinations must be made by licensed physicians or competent licensed health care professionals who consider individual clinical circumstances.

Enforcement & Penalties
Enforcement Authority
New York Department of Health (for utilization review agents under Public Health Law § 4905-a) and New York Department of Financial Services (for disability insurers under Insurance Law § 4905-a). Both departments have inspection and audit authority over covered AI tools. The bill does not create a private right of action or specify complaint-driven enforcement mechanisms. Enforcement is agency-initiated through existing regulatory oversight, audit, and compliance review authority.
Penalties
The bill does not specify statutory damages, civil penalties, or monetary remedies. Enforcement relies on existing regulatory authority of the Department of Health and Department of Financial Services, which may include administrative sanctions, corrective action orders, and other remedies available under existing Public Health Law and Insurance Law frameworks.
Who Is Covered
Compliance Obligations 14 obligations · click obligation ID to open requirement page
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare
Pub. Health Law § 4905-a(1)(a)-(b)
Plain Language
Utilization review agents using AI tools for medical necessity determinations must ensure those tools base their outputs on individualized enrollee clinical data — including medical history, clinical circumstances presented by the requesting provider, and other relevant clinical records. The AI tool may not base its determination solely on aggregate or group-level datasets. This means the tool must evaluate each enrollee's specific situation rather than relying exclusively on population-level patterns or averages.
Statutory Text
(a) The artificial intelligence, algorithm, or other software tool bases its determination on the following information, as applicable: (i) an enrollee's medical or other clinical history; (ii) individual clinical circumstances as presented by the requesting provider; and (iii) other relevant clinical information contained in the enrollee's medical or other clinical record. (b) The artificial intelligence, algorithm, or other software tool does not base its determination solely on a group dataset.
HC-01 Healthcare AI Decision Restrictions · HC-01.1HC-01.2 · Deployer · Healthcare
Pub. Health Law § 4905-a(2)
Plain Language
AI tools used in utilization review may not independently deny, delay, or modify healthcare services based on medical necessity — not even partially. Every medical necessity determination must be made by a licensed physician or licensed health care professional who is competent in the relevant clinical specialty. That professional must review and consider the requesting provider's recommendation, the enrollee's medical history, and individual clinical circumstances. This effectively prohibits the AI tool from serving as the sole or primary basis for any adverse coverage action and requires a qualified human clinical reviewer for every medical necessity decision.
Statutory Text
Notwithstanding subdivision one of this section, the artificial intelligence, algorithm, or other software tool shall not deny, delay, or modify health care services based, in whole or in part, on medical necessity. A determination of medical necessity shall be made only by a licensed physician or a licensed health care professional competent to evaluate the specific clinical issues involved in the health care services requested by the provider, as provided in this title, by reviewing and considering the requesting provider's recommendation, the enrollee's medical or other clinical history, as applicable, and individual clinical circumstances.
HC-01 Healthcare AI Decision Restrictions · HC-01.4 · Deployer · Healthcare
Pub. Health Law § 4905-a(1)(i)
Plain Language
Utilization review agents must periodically review and revise the performance, use, and outcomes of any AI tool used in utilization review to maximize its accuracy and reliability. This is an ongoing operational obligation — not a one-time pre-deployment check. The statute does not specify the review frequency, so agents should establish a reasonable periodic cadence and document the reviews conducted.
Statutory Text
The artificial intelligence, algorithm, or other software tool's performance, use, and outcomes are periodically reviewed and revised to maximize accuracy and reliability.
HC-01 Healthcare AI Decision Restrictions · HC-01.5 · Deployer · Healthcare
Pub. Health Law § 4905-a(1)(j)
Plain Language
Patient data used by AI tools in utilization review must not be repurposed beyond its intended and stated use. This is a purpose-limitation requirement that reinforces HIPAA's minimum necessary standard in the specific context of AI-assisted utilization review. Utilization review agents must ensure their AI vendors and internal systems do not use patient clinical data collected for utilization review purposes for secondary uses such as model training, marketing, or analytics beyond the stated review function.
Statutory Text
Patient data is not used beyond its intended and stated purpose, consistent with this section and the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), as applicable.
HC-01 Healthcare AI Decision Restrictions · HC-01.7 · Deployer · Healthcare
Pub. Health Law § 4905-a(1)(g)-(h)
Plain Language
Utilization review agents must ensure their AI tools are open to inspection by the Department of Health for audit or compliance review purposes. Additionally, disclosures about the use and oversight of the AI tool must be included in the agent's written utilization review policies and procedures required under existing Public Health Law § 4902. This creates both a regulatory transparency obligation (making the tool available for department inspection) and a documentation obligation (incorporating AI use disclosures into existing written UR policies).
Statutory Text
(g) The artificial intelligence, algorithm, or other software tool is open to inspection for audit or compliance reviews by the department. (h) Disclosures pertaining to the use and oversight of the artificial intelligence, algorithm, or other software tool are contained in the written policies and procedures, as required by section forty-nine hundred two of this title.
H-02 Non-Discrimination & Bias Assessment · Deployer · Healthcare
Pub. Health Law § 4905-a(1)(e)-(f)
Plain Language
Utilization review agents must ensure their AI tools do not discriminate — directly or indirectly — against enrollees in violation of state or federal law. The tools must also be fairly and equitably applied, consistent with applicable HHS regulations and guidance. This creates both a non-discrimination compliance obligation and an affirmative fairness and equity standard. The indirect discrimination prohibition reaches proxy-based or disparate-impact discrimination, not just intentional discrimination.
Statutory Text
(e) The use of the artificial intelligence, algorithm, or other software tool does not discriminate, directly or indirectly, against enrollees in violation of state or federal law. (f) The artificial intelligence, algorithm, or other software tool is fairly and equitably applied, including in accordance with any applicable regulations and guidance issued by the federal department of health and human services.
Other · Healthcare
Pub. Health Law § 4905-a(1)(d), (k)
Plain Language
Utilization review agents must ensure that their AI tools do not supplant healthcare provider decision-making and do not directly or indirectly cause harm to enrollees. The non-supplanting requirement reinforces the subdivision 2 prohibition on AI-based medical necessity denials — the AI tool must remain an assistive tool rather than a decision-maker. The do-no-harm provision is a broad safety standard that creates liability for any harm to an enrollee caused by the AI tool's use, whether direct or indirect.
Statutory Text
(d) The artificial intelligence, algorithm, or other software tool does not supplant health care provider decision-making. (k) The artificial intelligence, algorithm, or other software tool does not directly or indirectly cause harm to the enrollee.
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare
Ins. Law § 4905-a(1)(a)-(b)
Plain Language
Disability insurers (including specialized health insurers) using AI tools for utilization review or utilization management must ensure those tools base their outputs on individualized insured clinical data — including medical history, clinical circumstances from the requesting provider, and other relevant clinical records. The AI tool may not base its determination solely on aggregate or group-level datasets. This mirrors the parallel obligation on utilization review agents under the Public Health Law but applies to insurers regulated under the Insurance Law.
Statutory Text
(a) The artificial intelligence, algorithm, or other software tool bases its determination on the following information, as applicable: (i) An insured's medical or other clinical history; (ii) Individual clinical circumstances as presented by the requesting provider; and (iii) Other relevant clinical information contained in the insured's medical or other clinical record. (b) The artificial intelligence, algorithm, or other software tool does not base its determination solely on a group dataset.
HC-01 Healthcare AI Decision Restrictions · HC-01.1HC-01.2 · Deployer · Healthcare
Ins. Law § 4905-a(2)
Plain Language
AI tools used by disability insurers in utilization review or utilization management may not independently deny, delay, or modify healthcare services based on medical necessity. Every medical necessity determination must be made by a licensed physician or licensed health care professional competent in the relevant clinical specialty, who must review and consider the requesting provider's recommendation, the insured's medical history, and individual clinical circumstances. This mirrors the parallel Public Health Law provision and prohibits AI from serving as the sole or primary basis for any adverse coverage action.
Statutory Text
Notwithstanding subsection one of this section, the artificial intelligence, algorithm, or other software tool shall not deny, delay, or modify health care services based, in whole or in part, on medical necessity. A determination of medical necessity shall be made only by a licensed physician or licensed health care professional competent to evaluate the specific clinical issues involved in the health care services requested by the provider, as provided in this title, by reviewing and considering the requesting provider's recommendation, the insured's medical or other clinical history, as applicable, and individual clinical circumstances.
HC-01 Healthcare AI Decision Restrictions · HC-01.4 · Deployer · Healthcare
Ins. Law § 4905-a(1)(i)
Plain Language
Disability insurers must periodically review and revise the performance, use, and outcomes of any AI tool used in utilization review or utilization management to maximize accuracy and reliability. This is an ongoing operational obligation requiring a reasonable periodic cadence of review. This mirrors the parallel Public Health Law provision.
Statutory Text
The artificial intelligence, algorithm, or other software tool's performance, use, and outcomes are periodically reviewed and revised to maximize accuracy and reliability.
HC-01 Healthcare AI Decision Restrictions · HC-01.5 · Deployer · Healthcare
Ins. Law § 4905-a(1)(j)
Plain Language
Patient data used by disability insurers' AI tools in utilization review or utilization management must not be repurposed beyond its intended and stated use, consistent with state law and HIPAA. This is a purpose-limitation requirement that prevents secondary use of patient clinical data collected for coverage determination purposes. This mirrors the parallel Public Health Law provision.
Statutory Text
Patient data is not used beyond its intended and stated purpose, consistent with state law and the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), as applicable.
HC-01 Healthcare AI Decision Restrictions · HC-01.7 · Deployer · Healthcare
Ins. Law § 4905-a(1)(g)-(h)
Plain Language
Disability insurers must ensure their AI tools are open to inspection by the Department of Financial Services for audit or compliance review purposes pursuant to applicable law. Additionally, disclosures about AI tool use and oversight must be included in the insurer's written utilization review policies and procedures required under existing Insurance Law § 4902. This creates both a regulatory transparency obligation and a documentation obligation mirroring the parallel Public Health Law provision.
Statutory Text
(g) The artificial intelligence, algorithm, or other software tool is open to inspection for audit or compliance reviews by the department pursuant to applicable state and federal law. (h) Disclosures pertaining to the use and oversight of the artificial intelligence, algorithm, or other software tool are contained in the written policies and procedures, as required by section forty-nine hundred two of this title.
H-02 Non-Discrimination & Bias Assessment · Deployer · Healthcare
Ins. Law § 4905-a(1)(e)-(f)
Plain Language
Disability insurers must ensure their AI tools do not discriminate — directly or indirectly — against insureds in violation of state or federal law, and that the tools are fairly and equitably applied consistent with applicable HHS regulations and guidance. This mirrors the parallel Public Health Law provision and reaches both intentional and proxy-based or disparate-impact discrimination.
Statutory Text
(e) The use of the artificial intelligence, algorithm, or other software tool does not discriminate, directly or indirectly, against insureds in violation of state or federal law. (f) The artificial intelligence, algorithm, or other software tool is fairly and equitably applied, including in accordance with any applicable regulations and guidance issued by the federal department of health and human services.
Other · Healthcare
Ins. Law § 4905-a(1)(d), (k)
Plain Language
Disability insurers must ensure that their AI tools do not supplant healthcare provider decision-making and do not directly or indirectly cause harm to insureds. The non-supplanting requirement reinforces the subdivision 2 prohibition on AI-based medical necessity denials. The do-no-harm provision creates broad liability for any harm caused by the AI tool's use. This mirrors the parallel Public Health Law provision.
Statutory Text
(d) The artificial intelligence, algorithm, or other software tool does not supplant health care provider decision-making. (k) The artificial intelligence, algorithm, or other software tool does not directly or indirectly cause harm to the insured.