Laws & Statutes PA PA-HB-1925
HB-1925
PA · State · USA
PA
USA
● Pending
Proposed Effective Date
2026-10-06
Pennsylvania HB 1925 — Amending Titles 35 (Health and Safety) and 40 (Insurance) of the Pennsylvania Consolidated Statutes, providing for artificial intelligence in facilities, for artificial intelligence use by insurers and for artificial intelligence use by MA or CHIP managed care plans
PA HB 1925 regulates the use of AI in healthcare across three parallel chapters: healthcare facilities (Chapter 35, enforced by the Department of Health), health insurers (Chapter 52, enforced by the Insurance Department), and MA/CHIP managed care plans (Chapter 53, enforced by the Department of Human Services). For facilities, the bill requires disclosure to patients when AI is used in clinical decision making and mandates that AI not supersede provider clinical judgment. For insurers and managed care plans, the bill requires that AI used in utilization review base determinations on individual patient data (not solely group datasets), not supersede the reviewing provider's independent judgment, and be disclosed to providers and covered persons. All three chapters require annual compliance statements filed with the respective department, nondiscrimination obligations, periodic performance review of AI algorithms, data use limitations consistent with HIPAA, and records retention. Third-party AI vendors supplying algorithms to covered entities are also subject to the chapters. Enforcement is agency-initiated with civil penalties up to $5,000 per violation, capped annually, and no private right of action.
Passage Likelihood
Medium
Chamber No passage
Committee No action
Majority party Yes
Bipartisan Yes
Prior session None
Legislative History
2025-10-06 committee referral Referred to Communications & Technology
Mapped Requirements
HC-01 Healthcare AI Decision Restrictions H-02 Non-Discrimination & Bias Assessment S-01 AI System Safety Program D-01 Automated Processing Rights & Data Controls R-02 Regulatory Disclosure & Submissions G-01 AI Governance Program & Documentation
Official Sources
Full Text
Entry Last Reviewed
2026-03-28
AI generated
Summary

PA HB 1925 regulates the use of AI in healthcare across three parallel chapters: healthcare facilities (Chapter 35, enforced by the Department of Health), health insurers (Chapter 52, enforced by the Insurance Department), and MA/CHIP managed care plans (Chapter 53, enforced by the Department of Human Services). For facilities, the bill requires disclosure to patients when AI is used in clinical decision making and mandates that AI not supersede provider clinical judgment. For insurers and managed care plans, the bill requires that AI used in utilization review base determinations on individual patient data (not solely group datasets), not supersede the reviewing provider's independent judgment, and be disclosed to providers and covered persons. All three chapters require annual compliance statements filed with the respective department, nondiscrimination obligations, periodic performance review of AI algorithms, data use limitations consistent with HIPAA, and records retention. Third-party AI vendors supplying algorithms to covered entities are also subject to the chapters. Enforcement is agency-initiated with civil penalties up to $5,000 per violation, capped annually, and no private right of action.

Enforcement & Penalties
Enforcement Authority
Three separate departments enforce the three chapters: the Department of Health enforces Chapter 35 (facilities), the Insurance Department enforces Chapter 52 (insurers), and the Department of Human Services enforces Chapter 53 (MA/CHIP managed care plans). Enforcement is agency-initiated. Each department may impose civil penalties, seek injunctive relief, require plans of correction in lieu of fines, and request additional information and evidence from regulated entities. For Chapters 52 and 53, violations are also deemed violations of the Unfair Insurance Practices Act. The departments may also temporarily prohibit violating insurers and MA/CHIP plans from enrolling new members. No private right of action is created.
Penalties
Civil penalties up to $5,000 per violation across all three chapters. Each instance of nondisclosure constitutes a separate violation. Aggregate annual caps apply: $500,000 for facilities, insurers, and MA/CHIP managed care plans; $100,000 for any other person (including third-party vendors). Injunctive relief is available. For Chapters 52 and 53, the department may temporarily prohibit violating entities from enrolling new members. Remedies under this act are nonexclusive and supplement penalties under the Health Care Facilities Act, the Unfair Insurance Practices Act, the Accident and Health Filing Reform Act, and the Pennsylvania Health Care Insurance Portability Act. Plans of correction may be imposed in lieu of fines.
Who Is Covered
"Facility." A health care setting or institution providing health care services, including: (1) A general, special, psychiatric or rehabilitation hospital. (2) An ambulatory surgical facility. (3) A cancer treatment center. (4) A birth center. (5) An inpatient, outpatient or residential drug and alcohol treatment facility. (6) A facility licensed by the Department of Human Services' Office of Mental Health and Substance Abuse Services. (7) A laboratory, imaging, diagnostic or other outpatient medical service or testing facility. (8) A health care provider office or clinic that is owned by or employs a Commonwealth-licensed physician, physician assistant or nurse practitioner.
"Insurer." As follows: (1) An entity licensed by the department that offers, issues or renews an individual or group health insurance policy that is offered or governed under any of the following: (i) Chapter 61 (relating to hospital plan corporations) or 63 (relating to professional health services plan corporations). (ii) The act of May 17, 1921 (P.L.682, No.284), known as The Insurance Company Law of 1921, including section 630 and Article XXIV thereof. (iii) The act of December 29, 1972 (P.L.1701, No.364), known as the Health Maintenance Organization Act. (2) The term does not include an entity operating as an MA or CHIP managed care plan.
"Medical Assistance or Children's Health Insurance Program managed care plan" or "MA or CHIP managed care plan." As defined under section 2102 of the act of May 17, 1921 (P.L.682, No.284), known as The Insurance Company Law of 1921.
Compliance Obligations 32 obligations · click obligation ID to open requirement page
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(1)
Plain Language
When a facility uses AI algorithms for clinical decision making, the AI must not supersede the health care provider's clinical judgment. The provider retains ultimate authority over patient care decisions including gathering information, diagnosing, and planning treatments. This is an ongoing operational requirement — every use of AI in clinical decision making must preserve human clinical authority.
Statutory Text
(b) Requirements for artificial intelligence-based algorithms.--For each instance in which a facility uses artificial intelligence-based algorithms for clinical decision making, the facility shall comply with the following: (1) The artificial intelligence-based algorithms must not supersede health care provider clinical decision making.
HC-01 Healthcare AI Decision Restrictions · HC-01.6HC-01.2 · ProfessionalDeployer · HealthcareFinancial Services
40 Pa.C.S. § 5205(1)-(3)
Plain Language
Before an insurer's utilization review physician issues or upholds a denial, reduction, or termination of health care benefits — including prior authorization denials — the reviewing provider must individually review the patient's clinical records and other relevant information, document that review, and exercise independent clinical judgment separate from any AI recommendation. This ensures a human clinical professional makes or affirms every adverse determination based on individualized review, not AI output alone.
Statutory Text
Prior to issuing or upholding a decision to deny, reduce or terminate benefits for a health care service, including a decision to deny a prior authorization request, a health care provider who participates in utilization review on behalf of an insurer shall: (1) Review individual clinical records and other relevant information. (2) Document the review under paragraph (1). (3) Based on the review under paragraph (1), exercise judgment independent of any recommendations by the artificial intelligence-based algorithms.
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5203(b)(1)-(2)
Plain Language
When an insurer uses AI in utilization review, the AI must base its determination on the individual covered person's medical history, individual clinical and nonclinical circumstances presented by the requesting provider, and other relevant information from the patient's clinical record. The AI must not base a determination solely on a group data set. This requires individualized assessment — aggregate population-level data alone is insufficient to support any utilization review determination.
Statutory Text
(b) Requirements for artificial intelligence-based algorithms.--For each instance in which an insurer uses artificial intelligence-based algorithms in the utilization review process regarding a covered person, the insurer shall comply with the following: (1) The artificial intelligence-based algorithms must base a determination on all of the following: (i) The medical or other clinical history of the covered person. (ii) Individual clinical or nonclinical circumstances as presented by the requesting health care provider. (iii) Other relevant clinical or nonclinical information contained in the medical or other clinical record of the covered person. (2) The artificial intelligence-based algorithms must not base a determination solely on a group data set.
HC-01 Healthcare AI Decision Restrictions · HC-01.1 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5203(b)(3)
Plain Language
AI algorithms used in the insurer's utilization review process must not supersede the decision making of the health care provider conducting the utilization review. The reviewing provider retains final authority over coverage determinations — AI recommendations are advisory only and cannot override clinical judgment.
Statutory Text
(3) The artificial intelligence-based algorithms must not supersede decision making of the health care provider conducting the utilization review.
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(1)-(2)
Plain Language
When an MA or CHIP managed care plan uses AI in utilization review, the AI must base its determination on the individual enrollee's medical history, individual clinical and nonclinical circumstances presented by the requesting provider, and other relevant clinical record information. Determinations must not be based solely on group-level data sets. This mirrors the insurer requirement in Chapter 52 but applies to Medicaid and CHIP managed care plans.
Statutory Text
(b) Requirements for artificial intelligence-based algorithms.--For each instance in which a MA or CHIP managed care plan uses artificial intelligence-based algorithms in the utilization review process regarding an enrollee, the MA or CHIP managed care plan shall comply with the following: (1) The artificial intelligence-based algorithms must base a determination on all of the following: (i) The medical or other clinical history of the enrollee. (ii) Individual clinical or nonclinical circumstances as presented by the requesting health care provider. (iii) Other relevant clinical or nonclinical information contained in the medical or other clinical record of the enrollee. (2) The artificial intelligence-based algorithms must not base a determination solely on a group data set.
HC-01 Healthcare AI Decision Restrictions · HC-01.1 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(3)
Plain Language
AI algorithms used by an MA or CHIP managed care plan in utilization review must not supersede the reviewing health care provider's decision making. The provider retains final authority — AI output is advisory only.
Statutory Text
(3) The artificial intelligence-based algorithms must not supersede decision making of the health care provider conducting the utilization review.
HC-01 Healthcare AI Decision Restrictions · HC-01.6HC-01.2 · ProfessionalDeployer · Healthcare
40 Pa.C.S. § 5305(1)-(3)
Plain Language
Before issuing or upholding adverse benefit determinations on behalf of an MA or CHIP managed care plan — including prior authorization denials — the reviewing provider must individually review the enrollee's clinical records and other relevant information, document that review, and exercise independent clinical judgment separate from AI recommendations. This mirrors the § 5205 requirement for commercial insurers but applies in the Medicaid/CHIP managed care context.
Statutory Text
Prior to issuing or upholding a decision to deny, reduce or terminate benefits for a health care service, including a decision to deny a prior authorization request, a health care provider who participates in utilization review on behalf of an MA or CHIP managed care plan shall: (1) Review individual clinical records and other relevant information. (2) Document the review under paragraph (1). (3) Based on the review under paragraph (1), exercise judgment independent of any recommendations by the artificial intelligence-based algorithms.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3502(b)(1)-(2)
Plain Language
When a facility uses AI to generate written or verbal patient communications about clinical information, the communication must include a clear and conspicuous disclaimer identifying it as AI-generated and must provide instructions for contacting a human health care provider. Two exceptions apply: purely administrative communications (scheduling, billing, clerical) are exempt, and communications that have been individually read and reviewed by a human health care provider are also exempt. The human-review exception creates an important safe harbor — if a provider personally reviews the AI-generated communication before it reaches the patient, the disclosure requirements do not apply.
Statutory Text
(b) Communications.-- (1) A facility that uses artificial intelligence to generate written or verbal patient communications pertaining to patient clinical information shall include: (i) A clear and conspicuous disclaimer that indicates that the communication was generated by artificial intelligence. (ii) Clear instructions on how the patient may contact a human health care provider or relevant employee of the facility with questions. (2) The requirements under paragraph (1) shall not apply to communications that: (i) only pertain to administrative matters, including appointment scheduling, billing or other clerical or business matters; or (ii) have been individually read and reviewed by a human health care provider.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3502(a)(1)-(2)
Plain Language
Facilities must disclose to patients when AI-based algorithms are or will be used for clinical decision making or similar tasks. This disclosure must appear in all related written communications and must be posted on the facility's public website. The Department of Health will determine the specific nature and frequency of these disclosures. This is a general use-of-AI disclosure — it is triggered by the facility's use of AI for clinical decision making broadly, not by a specific AI-generated communication.
Statutory Text
(a) Duty to disclose.--A facility shall disclose to patients of the facility if artificial intelligence-based algorithms are or will be used for clinical decision making or other similar tasks. The disclosure shall be: (1) Provided in all related written communications. (2) Posted on the publicly accessible Internet website of the facility.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5202(a)-(b)
Plain Language
Insurers must disclose to both participating network providers and all covered persons whether AI-based algorithms are or will be used in the insurer's utilization review process. This information must also be posted on the insurer's public website. The Insurance Department will determine the specific nature and frequency of disclosures to covered persons.
Statutory Text
(a) Duty to disclose.--An insurer shall disclose to a participating network provider and all covered persons if artificial intelligence-based algorithms are or will be used in the utilization review process of the insurer. (b) Posting.--An insurer shall post the information about the use of artificial intelligence-based algorithms in the utilization review process of the insurer on the publicly accessible Internet website of the insurer.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
40 Pa.C.S. § 5302(a)-(b)
Plain Language
MA or CHIP managed care plans must disclose to participating network providers and all enrollees whether AI-based algorithms are or will be used in utilization review. This disclosure must also be posted on the plan's public website. The Department of Human Services will determine the specific nature and frequency of disclosures to enrollees.
Statutory Text
(a) Duty to disclose.--An MA or CHIP managed care plan shall disclose to a participating network provider and all enrollees if artificial intelligence-based algorithms are or will be used in the utilization review process of the MA or CHIP managed care plan. (b) Posting.--An MA or CHIP managed care plan shall post the information about the use of artificial intelligence-based algorithms in the utilization review process of the MA or CHIP managed care plan on the publicly accessible Internet website of the MA or CHIP managed care plan.
H-02 Non-Discrimination & Bias Assessment · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(2)-(3)
Plain Language
Facilities must ensure that AI algorithms and their training data do not directly or indirectly discriminate against patients in violation of federal or state law. Algorithms must be applied fairly and equitably, in accordance with applicable HHS regulations and guidance. This encompasses both training data bias and operational application bias.
Statutory Text
(2) The artificial intelligence-based algorithms and training data sets must not directly or indirectly discriminate against patients in violation of Federal or State law. (3) The artificial intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations and or guidance issued by the United States Department of Health and Human Services.
H-02 Non-Discrimination & Bias Assessment · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5203(b)(4)-(5)
Plain Language
Insurers must ensure their AI algorithms and training data do not directly or indirectly discriminate against covered persons in violation of federal or state law, and that algorithms are applied fairly and equitably consistent with applicable HHS regulations and guidance.
Statutory Text
(4) The artificial intelligence-based algorithms and training data sets must not directly or indirectly discriminate against covered persons in violation of Federal or State law. (5) The artificial intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations or guidance issued by the United States Department of Health and Human Services.
H-02 Non-Discrimination & Bias Assessment · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(4)-(5)
Plain Language
MA or CHIP managed care plans must ensure their AI algorithms and training data do not directly or indirectly discriminate against enrollees in violation of federal or state law, and that algorithms are applied fairly and equitably consistent with HHS regulations and guidance.
Statutory Text
(4) The artificial intelligence-based algorithms and training data sets must not directly or indirectly discriminate against the enrollees in violation of Federal or State law. (5) The artificial intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations and guidance issued by the United States Department of Health and Human Services.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(5),(7)
Plain Language
Facilities must periodically review and revise the performance, use, and outcomes of AI algorithms used in clinical decision making to maximize accuracy and reliability. Additionally, the algorithms must not create foreseeable, material risks of harm to patients. This is an ongoing operational obligation — not a one-time pre-deployment check — requiring continuous monitoring and improvement of AI algorithm performance.
Statutory Text
(5) The performance, use and outcomes of the artificial intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability. (7) The artificial intelligence-based algorithms must not create foreseeable, material risks of harm to the patient.
S-01 AI System Safety Program · S-01.7 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5203(b)(7),(9)
Plain Language
Insurers must periodically review and revise AI algorithms used in utilization review to maximize accuracy and reliability, and the algorithms must not create foreseeable, material risks of harm to covered persons. This is a continuing operational obligation requiring ongoing monitoring and improvement.
Statutory Text
(7) The performance, use and outcomes of the artificial intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability. (9) The artificial intelligence-based algorithms must not create foreseeable, material risks of harm to the covered person.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(7),(9)
Plain Language
MA or CHIP managed care plans must periodically review and revise AI algorithms used in utilization review to maximize accuracy and reliability, and the algorithms must not create foreseeable, material risks of harm to enrollees.
Statutory Text
(7) The performance, use and outcomes of the artificial intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability. (9) The artificial intelligence-based algorithms must not create foreseeable, material risks of harm to the enrollee.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(6)
Plain Language
Patient data used in connection with facility AI algorithms must not be used beyond the intended and stated purpose of those algorithms. This purpose limitation is layered on top of existing HIPAA requirements and state privacy law. Facilities should clearly define and document the stated purpose of each AI algorithm to establish the boundary for permissible data use.
Statutory Text
(6) Patient data must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and 42 U.S.C. Ch. 7 Subch. XI Part C (relating to administrative simplification), as applicable.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5203(b)(8)
Plain Language
Covered person data used by insurers' AI algorithms must not be used beyond the intended and stated purpose of those algorithms, consistent with state law and HIPAA. This limits secondary use of patient data processed by AI utilization review tools.
Statutory Text
(8) The data of the covered person must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with Commonwealth law and 42 U.S.C. Ch. 7, Subch. XI Part C (relating to administrative simplification), as applicable.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(8)
Plain Language
MA or CHIP managed care plans must not use enrollee data beyond the intended and stated purpose of their AI algorithms, consistent with state law and HIPAA. This mirrors the insurer data limitation in § 5203(b)(8).
Statutory Text
(8) The data of the covered person or enrollees must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936), as applicable.
R-02 Regulatory Disclosure & Submissions · R-02.1R-02.4 · Deployer · Healthcare
35 Pa.C.S. § 3504(a)-(b)
Plain Language
Facilities using AI for clinical decision making must annually file a compliance statement with the Department of Health. The statement must include: a summary of AI algorithm function and scope; a logic or decision tree of the algorithms; a description of each training data set including data source; an attestation of compliance with the responsible use requirements with supporting evidence; and a description of the facility's oversight and validation process. This is both a regulatory submission and an annual certification obligation.
Statutory Text
(a) Compliance statement required.--A facility using artificial intelligence-based algorithms for clinical decision making shall annually file with the department in the form and manner prescribed by the department an artificial intelligence compliance statement. (b) Contents.--Each compliance statement must: (1) Summarize the function and scope of artificial intelligence-based algorithms used for clinical decision making. (2) Provide a logic or decision tree of artificial intelligence-based algorithms used for clinical decision making. (3) Provide a description of each training data set used by artificial intelligence-based algorithms for clinical decision making, including the source of the data. (4) Attest that the artificial intelligence-based algorithms and the training data sets comply with section 3503 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the facility for overseeing and validating the performance and compliance of the artificial intelligence-based algorithms in accordance with section 3503.
R-02 Regulatory Disclosure & Submissions · R-02.1R-02.4 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5204(a)-(b)
Plain Language
Insurers using AI in utilization review must annually file a compliance statement with the Insurance Department covering algorithm function and scope, logic/decision trees, training data descriptions with sources, an attestation of compliance with responsible use requirements with evidence, and a description of the insurer's AI oversight and validation process.
Statutory Text
(a) Compliance statement required.--An insurer using artificial intelligence-based algorithms in the utilization review process shall annually file with the department in the form and manner prescribed by the department an artificial intelligence compliance statement. (b) Contents.--Each compliance statement must: (1) Summarize the function and scope of the artificial intelligence-based algorithms used for utilization review. (2) Provide a logic or decision tree of artificial intelligence-based algorithms used for utilization review. (3) Provide a description of each training data set used by artificial intelligence-based algorithms for utilization review, including the source of the data. (4) Attest that the artificial intelligence-based algorithms and the training data sets comply with section 5203 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the insurer for overseeing and validating the performance and compliance of the artificial intelligence-based algorithms in accordance with section 5203.
R-02 Regulatory Disclosure & Submissions · R-02.1R-02.4 · Deployer · Healthcare
40 Pa.C.S. § 5304(a)-(b)
Plain Language
MA or CHIP managed care plans using AI in utilization review must annually file a compliance statement with the Department of Human Services covering the same categories as the insurer filing: algorithm function and scope, logic/decision trees, training data descriptions with sources, compliance attestation with evidence, and oversight/validation process descriptions.
Statutory Text
(a) Compliance statement required.--An MA or CHIP managed care plan using artificial intelligence-based algorithms in the utilization review process shall annually file with the department, in the form and manner prescribed by the department, an artificial intelligence compliance statement. (b) Contents.--Each compliance statement must: (1) Summarize the function and scope of the artificial intelligence-based algorithms used for utilization review. (2) Provide a logic or decision tree of artificial intelligence-based algorithms used for utilization review. (3) Provide a description of each training data set used by artificial intelligence-based algorithms for utilization review, including the source of the data. (4) Attest that the artificial intelligence-based algorithms and the training data sets comply with section 5303 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the MA or CHIP managed care plan for overseeing and validating the performance and compliance of the artificial intelligence-based algorithms in accordance with section 5303.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare
35 Pa.C.S. § 3507
Plain Language
The Department of Health may request additional information and evidence from facilities beyond the annual compliance statement, covering disclosures, responsible use, and compliance statements, to ensure compliance. Facilities must be prepared to produce supplementary documentation on request.
Statutory Text
The department may request additional information and evidence from a facility regarding the items provided under sections 3502 (relating to disclosure), 3503 (relating to responsible use) and 3504 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5208
Plain Language
The Insurance Department may request additional information and evidence from insurers beyond the annual compliance statement to ensure compliance. Insurers must maintain documentation in a form that can be produced on request.
Statutory Text
The department may request additional information and evidence from an insurer regarding the items provided under sections 5202 (relating to disclosure), 5203 (relating to responsible use) and 5204 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare
40 Pa.C.S. § 5308
Plain Language
The Department of Human Services may request additional information and evidence from MA or CHIP managed care plans beyond the annual compliance statement to ensure compliance.
Statutory Text
The department may request additional information and evidence from an MA or CHIP managed care plan regarding the items provided under section 5302 (relating to disclosure), 5303 (relating to responsible use) and 5304 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
G-01 AI Governance Program & Documentation · G-01.3G-01.4 · Deployer · Healthcare
35 Pa.C.S. § 3506
Plain Language
Facilities must retain records related to AI algorithms for a period to be determined by the Department of Health. While the specific retention period will be set by department policy, facilities should begin preserving all AI-related records — including compliance statements, training data documentation, performance reviews, and disclosure records — from the effective date of the chapter. The obligation is on the facility to retain; the department will set the timeframe.
Statutory Text
The department shall establish a record retention policy and determine the amount of time a facility shall retain records related to artificial-intelligence algorithms. The department may request input from facilities and health care providers or their representatives in making the determination under this section.
G-01 AI Governance Program & Documentation · G-01.3G-01.4 · Deployer · HealthcareFinancial Services
40 Pa.C.S. § 5207
Plain Language
Insurers must retain records related to AI use in utilization review for a period to be determined by the Insurance Department. Insurers should preserve all AI-related records pending department guidance on the specific retention period.
Statutory Text
The department shall establish a record retention policy and determine the amount of time an insurer shall retain records. The department may request input from insurers or their representatives in making this determination.
G-01 AI Governance Program & Documentation · G-01.3G-01.4 · Deployer · Healthcare
40 Pa.C.S. § 5307
Plain Language
MA or CHIP managed care plans must retain records related to AI use for a period to be determined by the Department of Human Services.
Statutory Text
The department shall establish a record retention policy and determine the amount of time an MA or CHIP managed care plan shall retain records. The department may request input from an MA or CHIP managed care plan or their representative to make this determination.
Other · Healthcare
35 Pa.C.S. § 3508
Plain Language
Third-party vendors that sell, lease, or otherwise supply AI algorithms or AI-based services to healthcare facilities are subject to the same chapter obligations as the facilities themselves. The Department of Health will develop regulations or guidance to clarify vendor-specific responsibilities. This is significant for AI vendors — supplying algorithms to a Pennsylvania healthcare facility triggers direct statutory obligations on the vendor, not merely contractual pass-through obligations.
Statutory Text
A contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the facility shall be subject to this chapter. The department shall develop regulations or guidance regarding the responsibility of a contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the facility. The department may request input from facilities, third-party vendors and health care providers or their representatives in making this determination.
Other · HealthcareFinancial Services
40 Pa.C.S. § 5209
Plain Language
Third-party vendors supplying AI algorithms or AI-based services to insurers for use in utilization review are directly subject to this chapter. The Insurance Department will develop regulations to clarify vendor-specific responsibilities.
Statutory Text
A contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the insurer services shall be subject to this chapter. The department shall develop regulations or guidelines regarding the responsibility of a contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the insurer. The department may request input from insurers, third-party vendors and health care providers or their representatives in making this determination.
Other · Healthcare
40 Pa.C.S. § 5309
Plain Language
Third-party vendors supplying AI algorithms or AI-based services to MA or CHIP managed care plans are directly subject to this chapter. The Department of Human Services will develop regulations to clarify vendor-specific responsibilities.
Statutory Text
A contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the MA or CHIP managed care plan shall be subject to this chapter. The department shall develop regulations or guidelines regarding the responsibility of a contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the insurer or MA or CHIP managed care plan. The department may request input from insurers, third-party vendors and health care providers or their representatives in making this determination.