HB-1925
PA · State · USA
Status: Pending
Proposed Effective Date: 2026-10-06
Pennsylvania HB 1925 — An Act Amending Titles 35 (Health and Safety) and 40 (Insurance) of the Pennsylvania Consolidated Statutes, providing for artificial intelligence in facilities, for artificial intelligence use by insurers and for artificial intelligence use by MA or CHIP managed care plans
Summary

PA HB 1925 regulates the use of AI-based algorithms in three healthcare contexts: healthcare facilities (Chapter 35), health insurers (Chapter 52), and MA/CHIP managed care plans (Chapter 53). Each chapter imposes parallel obligations: disclosure to patients/covered persons/enrollees and network providers when AI is used in clinical decision making or utilization review; responsible-use requirements including human oversight, non-discrimination, individualized data use, periodic performance review, and data-use limitations; annual compliance statements filed with the respective department; and third-party vendor coverage. For insurers and managed care plans, AI may not supersede the reviewing health care provider's independent judgment and may not base determinations solely on group data sets. Enforcement is agency-driven through the Department of Health, Insurance Department, or Department of Human Services, with civil penalties up to $5,000 per violation and aggregate annual caps. The act takes effect one year after enactment.

Enforcement & Penalties
Enforcement Authority
Three separate departments enforce the three chapters: the Department of Health enforces Chapter 35 (facilities), the Insurance Department enforces Chapter 52 (insurers), and the Department of Human Services enforces Chapter 53 (MA/CHIP managed care plans). Enforcement is agency-initiated. Each department may impose civil penalties, seek injunctive relief, require plans of correction, and request additional information and evidence from regulated entities. For Chapters 52 and 53, violations are also deemed violations of the Unfair Insurance Practices Act, and the department may temporarily prohibit violating insurers or managed care plans from enrolling new members. No private right of action is created.
Penalties
Civil penalties up to $5,000 per violation; each instance of nondisclosure is a separate violation. Aggregate cap of $500,000 per calendar year against a facility, insurer, or MA/CHIP managed care plan; $100,000 per calendar year against any other person. Injunctive relief available. For insurers and MA/CHIP plans, the department may also temporarily prohibit enrollment of new members. Penalties are nonexclusive and supplement remedies available under other Commonwealth law, including the Health Care Facilities Act and the Unfair Insurance Practices Act. Departments may impose plans of correction in lieu of fines.
Who Is Covered
"Facility." A health care setting or institution providing health care services, including: (1) A general, special, psychiatric or rehabilitation hospital. (2) An ambulatory surgical facility. (3) A cancer treatment center. (4) A birth center. (5) An inpatient, outpatient or residential drug and alcohol treatment facility. (6) A facility licensed by the Department of Human Services' Office of Mental Health and Substance Abuse Services. (7) A laboratory, imaging, diagnostic or other outpatient medical service or testing facility. (8) A health care provider office or clinic that is owned by or employs a Commonwealth-licensed physician, physician assistant or nurse practitioner.
"Health care provider." As follows: (1) A facility or individual who is licensed, certified or otherwise regulated to provide health care services under the laws of this Commonwealth. (2) The term does not include an individual providing emergency services under a licensed emergency medical services agency as defined in section 8103 (relating to definitions).
"Insurer." As follows: (1) An entity licensed by the department that offers, issues or renews an individual or group health insurance policy that is offered or governed under any of the following: (i) Chapter 61 (relating to hospital plan corporations) or 63 (relating to professional health services plan corporations). (ii) The act of May 17, 1921 (P.L.682, No.284), known as The Insurance Company Law of 1921, including section 630 and Article XXIV thereof. (iii) The act of December 29, 1972 (P.L.1701, No.364), known as the Health Maintenance Organization Act. (2) The term does not include an entity operating as an MA or CHIP managed care plan.
"Medical Assistance or Children's Health Insurance Program managed care plan" or "MA or CHIP managed care plan." As defined under section 2102 of the act of May 17, 1921 (P.L.682, No.284), known as The Insurance Company Law of 1921.
Compliance Obligations · 29 obligations
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(1)
Plain Language
When a healthcare facility uses AI-based algorithms for clinical decision making, the AI must not supersede the health care provider's clinical judgment. The provider retains ultimate decision-making authority over patient care, including gathering information, diagnosing, and planning treatments. This is a continuous operating requirement that applies to each instance of AI use in clinical decisions.
Statutory Text
(b) Requirements for artificial intelligence-based algorithms.--For each instance in which a facility uses artificial intelligence-based algorithms for clinical decision making, the facility shall comply with the following: (1) The artificial intelligence-based algorithms must not supersede health care provider clinical decision making.
H-02 Non-Discrimination & Bias Assessment · H-02.1 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(2)-(3)
Plain Language
Facilities must ensure that their AI-based algorithms and training data do not directly or indirectly discriminate against patients in violation of federal or state law. The algorithms must be applied fairly and equitably, consistent with any applicable HHS regulations or guidance. This imposes both a non-discrimination obligation and an affirmative fairness standard that incorporates federal guidance by reference.
Statutory Text
(2) The artificial intelligence-based algorithms and training data sets must not directly or indirectly discriminate against patients in violation of Federal or State law. (3) The artificial intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations and or guidance issued by the United States Department of Health and Human Services.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3502(a)
Plain Language
Facilities must disclose to patients when AI-based algorithms are or will be used for clinical decision making or similar tasks. The disclosure must appear in all related written communications and be posted on the facility's public website. The Department of Health will determine the specific nature and frequency of disclosures. This is a general AI-use disclosure obligation — distinct from the per-communication AI-generated content labeling in § 3502(b).
Statutory Text
(a) Duty to disclose.--A facility shall disclose to patients of the facility if artificial intelligence-based algorithms are or will be used for clinical decision making or other similar tasks. The disclosure shall be: (1) Provided in all related written communications. (2) Posted on the publicly accessible Internet website of the facility.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3502(b)(1)-(2)
Plain Language
When a facility uses AI to generate patient communications containing clinical information, each such communication must include a clear disclaimer that it was AI-generated and instructions for contacting a human provider. Two exemptions apply: communications limited to administrative matters (scheduling, billing, etc.) and communications that have been individually read and reviewed by a human health care provider. The human-review exemption effectively means that once a provider personally reviews and approves an AI-drafted clinical communication, no AI disclaimer is required.
Statutory Text
(b) Communications.-- (1) A facility that uses artificial intelligence to generate written or verbal patient communications pertaining to patient clinical information shall include: (i) A clear and conspicuous disclaimer that indicates that the communication was generated by artificial intelligence. (ii) Clear instructions on how the patient may contact a human health care provider or relevant employee of the facility with questions. (2) The requirements under paragraph (1) shall not apply to communications that: (i) only pertain to administrative matters, including appointment scheduling, billing or other clerical or business matters; or (ii) have been individually read and reviewed by a human health care provider.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(5)
Plain Language
Facilities must periodically review the performance, use, and outcomes of their AI-based algorithms used in clinical decision making, and revise them as needed to maximize accuracy and reliability. This is an ongoing operational obligation — not a one-time pre-deployment check. The statute does not specify the review frequency, leaving that to department regulations or guidance.
Statutory Text
(5) The performance, use and outcomes of the artificial intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(6)
Plain Language
Patient data used by facility AI systems must not be repurposed beyond the intended and stated purpose of the AI-based algorithms. This data minimization/purpose limitation obligation is layered on top of existing state law and HIPAA requirements. Secondary uses of patient data generated or collected through AI systems require separate justification.
Statutory Text
(6) Patient data must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and 42 U.S.C. Ch. 7 Subch. XI Part C (relating to administrative simplification), as applicable.
Other · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(7)
Plain Language
AI-based algorithms used by facilities for clinical decision making must not create foreseeable, material risks of harm to patients. This is a substantive safety standard — facilities are liable if their AI tools create material risks of patient harm that were reasonably foreseeable. The provision does not prescribe a specific testing or assessment methodology but imposes a general duty of care standard.
Statutory Text
(7) The artificial intelligence-based algorithms must not create foreseeable, material risks of harm to the patient.
R-02 Regulatory Disclosure & Submissions · R-02.1, R-02.4 · Deployer · Healthcare
35 Pa.C.S. § 3504(a)-(b)
Plain Language
Facilities using AI for clinical decision making must annually file an AI compliance statement with the Department of Health. The statement must include: a summary of each AI algorithm's function and scope; a logic or decision tree of the algorithms; a description of each training data set including data sources; an attestation of compliance with responsible-use requirements with supporting evidence; and a description of the facility's oversight and validation process. This combines annual regulatory submission with annual compliance certification.
Statutory Text
§ 3504. Artificial intelligence compliance statements. (a) Compliance statement required.--A facility using artificial intelligence-based algorithms for clinical decision making shall annually file with the department in the form and manner prescribed by the department an artificial intelligence compliance statement. (b) Contents.--Each compliance statement must: (1) Summarize the function and scope of artificial intelligence-based algorithms used for clinical decision making. (2) Provide a logic or decision tree of artificial intelligence-based algorithms used for clinical decision making. (3) Provide a description of each training data set used by artificial intelligence-based algorithms for clinical decision making, including the source of the data. (4) Attest that the artificial intelligence-based algorithms and the training data sets comply with section 3503 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the facility for overseeing and validating the performance and compliance of the artificial intelligence-based algorithms in accordance with section 3503.
G-01 AI Governance Program & Documentation · G-01.3, G-01.4 · Deployer · Healthcare
35 Pa.C.S. § 3506
Plain Language
Facilities must retain records related to their AI algorithms for a period to be determined by the Department of Health. While the specific retention period will be set by regulation, facilities should begin organizing AI-related documentation in anticipation. The department will establish the retention policy with input from facilities and providers.
Statutory Text
§ 3506. Retention of records. The department shall establish a record retention policy and determine the amount of time a facility shall retain records related to artificial-intelligence algorithms. The department may request input from facilities and health care providers or their representatives in making the determination under this section.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare
35 Pa.C.S. § 3507
Plain Language
The Department of Health may request additional information and evidence from facilities at any time regarding their AI disclosure practices, responsible-use compliance, and compliance statements. Facilities must be prepared to produce supporting documentation on demand. This creates a continuing obligation to maintain records in a form that can be produced to the regulator upon request.
Statutory Text
§ 3507. Oversight. The department may request additional information and evidence from a facility regarding the items provided under sections 3502 (relating to disclosure), 3503 (relating to responsible use) and 3504 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
Other · Developer · Healthcare
35 Pa.C.S. § 3508
Plain Language
Third-party vendors that sell, lease, or supply AI-based algorithms or AI-based services to healthcare facilities are subject to all obligations under Chapter 35. The Department of Health will develop regulations specifying vendor-specific responsibilities. This means AI vendors cannot avoid compliance obligations by arguing they are not the facility — they are independently covered. The specific allocation of responsibilities between vendors and facilities will be determined by regulation.
Statutory Text
§ 3508. Third-party vendor. A contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the facility shall be subject to this chapter. The department shall develop regulations or guidance regarding the responsibility of a contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial intelligence-based algorithms or services based on artificial intelligence-based algorithms to the facility. The department may request input from facilities, third-party vendors and health care providers or their representatives in making this determination.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(3)
Plain Language
When an insurer uses AI-based algorithms in the utilization review process, the AI must not supersede the decision making of the health care provider conducting the utilization review. The reviewing provider retains independent clinical judgment authority. This parallels the facility-level obligation in Chapter 35 but applies specifically to the insurer's utilization review context.
Statutory Text
(b) Requirements for artificial intelligence-based algorithms.--For each instance in which an insurer uses artificial intelligence-based algorithms in the utilization review process regarding a covered person, the insurer shall comply with the following: ... (3) The artificial intelligence-based algorithms must not supersede decision making of the health care provider conducting the utilization review.
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(1)-(2)
Plain Language
Insurers' AI algorithms used in utilization review must base determinations on the individual covered person's medical history, individual clinical and nonclinical circumstances as presented by the requesting provider, and other relevant information in the patient's clinical record. The AI may not base a determination solely on a group data set — it must consider individualized patient data. This prevents insurers from using AI to make coverage decisions based solely on aggregate population data without considering the individual patient's circumstances.
Statutory Text
(1) The artificial intelligence-based algorithms must base a determination on all of the following: (i) The medical or other clinical history of the covered person. (ii) Individual clinical or nonclinical circumstances as presented by the requesting health care provider. (iii) Other relevant clinical or nonclinical information contained in the medical or other clinical record of the covered person. (2) The artificial intelligence-based algorithms must not base a determination solely on a group data set.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Professional, Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5205
Plain Language
Before an insurer can deny, reduce, or terminate healthcare benefits — including denying a prior authorization — the health care provider conducting utilization review on behalf of the insurer must: review individual clinical records and relevant information, document that review, and exercise independent judgment separate from any AI recommendations. This is a mandatory pre-action human review requirement: a qualified human must affirmatively review and independently decide before any adverse determination takes effect. The provider may not simply ratify the AI output — they must exercise independent clinical judgment.
Statutory Text
§ 5205. Health care provider requirements. Prior to issuing or upholding a decision to deny, reduce or terminate benefits for a health care service, including a decision to deny a prior authorization request, a health care provider who participates in utilization review on behalf of an insurer shall: (1) Review individual clinical records and other relevant information. (2) Document the review under paragraph (1). (3) Based on the review under paragraph (1), exercise judgment independent of any recommendations by the artificial intelligence-based algorithms.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5202(a)-(b)
Plain Language
Insurers must disclose to both network providers and all covered persons when AI-based algorithms are or will be used in their utilization review process. This disclosure must also be posted on the insurer's public website. The Insurance Department will determine the specific nature and frequency of disclosure to covered persons. This ensures both providers and patients know when AI is being used to inform coverage decisions.
Statutory Text
§ 5202. Disclosure. (a) Duty to disclose.--An insurer shall disclose to a participating network provider and all covered persons if artificial intelligence-based algorithms are or will be used in the utilization review process of the insurer. (b) Posting.--An insurer shall post the information about the use of artificial intelligence-based algorithms in the utilization review process of the insurer on the publicly accessible Internet website of the insurer.
H-02 Non-Discrimination & Bias Assessment · H-02.1 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(4)-(5)
Plain Language
Insurers must ensure that AI algorithms and training data used in utilization review do not directly or indirectly discriminate against covered persons in violation of federal or state law. The algorithms must be applied fairly and equitably, consistent with applicable HHS regulations or guidance. This imposes both a non-discrimination obligation and an affirmative fairness standard on insurer AI use in utilization review.
Statutory Text
(4) The artificial intelligence-based algorithms and training data sets must not directly or indirectly discriminate against covered persons in violation of Federal or State law. (5) The artificial intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations or guidance issued by the United States Department of Health and Human Services.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(7)
Plain Language
Insurers must periodically review the performance, use, and outcomes of AI algorithms used in utilization review, and revise them as needed to maximize accuracy and reliability. This is a continuing obligation requiring ongoing monitoring and improvement, not a one-time assessment.
Statutory Text
(7) The performance, use and outcomes of the artificial intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(8)
Plain Language
Covered person data used by insurer AI systems in utilization review must not be repurposed beyond the AI algorithms' intended and stated purpose. This purpose-limitation obligation is layered on top of HIPAA and state law. Insurers must ensure that data collected or processed through AI tools is not used for secondary purposes without separate justification.
Statutory Text
(8) The data of the covered person must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with Commonwealth law and 42 U.S.C. Ch. 7, Subch. XI Part C (relating to administrative simplification), as applicable.
R-02 Regulatory Disclosure & Submissions · R-02.1, R-02.4 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5204(a)-(b)
Plain Language
Insurers using AI in utilization review must annually file a compliance statement with the Insurance Department. The statement must summarize AI algorithm function and scope, provide decision trees, describe training data sets and sources, attest to compliance with responsible-use requirements with supporting evidence, and describe the insurer's oversight and validation process. This combines annual regulatory reporting with compliance certification.
Statutory Text
§ 5204. Artificial intelligence compliance statements. (a) Compliance statement required.--An insurer using artificial intelligence-based algorithms in the utilization review process shall annually file with the department in the form and manner prescribed by the department an artificial intelligence compliance statement. (b) Contents.--Each compliance statement must: (1) Summarize the function and scope of the artificial intelligence-based algorithms used for utilization review. (2) Provide a logic or decision tree of artificial intelligence-based algorithms used for utilization review. (3) Provide a description of each training data set used by artificial intelligence-based algorithms for utilization review, including the source of the data. (4) Attest that the artificial intelligence-based algorithms and the training data sets comply with section 5203 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the insurer for overseeing and validating the performance and compliance of the artificial intelligence-based algorithms in accordance with section 5203.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5208
Plain Language
The Insurance Department may request additional information and evidence from insurers at any time regarding their AI disclosure, responsible use, and compliance statements. Insurers must maintain documentation in a form that can be produced on demand to the regulator.
Statutory Text
§ 5208. Oversight. The department may request additional information and evidence from an insurer regarding the items provided under sections 5202 (relating to disclosure), 5203 (relating to responsible use) and 5204 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
40 Pa.C.S. § 5302(a)-(b)
Plain Language
MA/CHIP managed care plans must disclose to network providers and all enrollees when AI-based algorithms are or will be used in utilization review. The disclosure must also be posted on the plan's public website. This parallels the insurer disclosure obligation in Chapter 52 but applies to Medicaid and CHIP managed care plans supervised by the Department of Human Services.
Statutory Text
§ 5302. Disclosure. (a) Duty to disclose.--An MA or CHIP managed care plan shall disclose to a participating network provider and all enrollees if artificial intelligence-based algorithms are or will be used in the utilization review process of the MA or CHIP managed care plan. (b) Posting.--An MA or CHIP managed care plan shall post the information about the use of artificial intelligence-based algorithms in the utilization review process of the MA or CHIP managed care plan on the publicly accessible Internet website of the MA or CHIP managed care plan.
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(1)-(2)
Plain Language
MA/CHIP managed care plans' AI algorithms used in utilization review must base determinations on the individual enrollee's medical history, individual clinical and nonclinical circumstances presented by the requesting provider, and other relevant information in the patient's record. The AI may not rely solely on group data sets. This ensures individualized consideration of each enrollee's circumstances in AI-assisted coverage decisions.
Statutory Text
(b) Requirements for artificial intelligence-based algorithms.--For each instance in which a MA or CHIP managed care plan uses artificial intelligence-based algorithms in the utilization review process regarding an enrollee, the MA or CHIP managed care plan shall comply with the following: (1) The artificial intelligence-based algorithms must base a determination on all of the following: (i) The medical or other clinical history of the enrollee. (ii) Individual clinical or nonclinical circumstances as presented by the requesting health care provider. (iii) Other relevant clinical or nonclinical information contained in the medical or other clinical record of the enrollee. (2) The artificial intelligence-based algorithms must not base a determination solely on a group data set.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(3)
Plain Language
When an MA/CHIP managed care plan uses AI in utilization review, the AI must not supersede the clinical decision making of the reviewing health care provider. This parallels the identical requirement for insurers under Chapter 52 and facilities under Chapter 35.
Statutory Text
(3) The artificial intelligence-based algorithms must not supersede decision making of the health care provider conducting the utilization review.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Professional, Deployer · Healthcare
40 Pa.C.S. § 5305
Plain Language
Before an MA/CHIP managed care plan can deny, reduce, or terminate benefits — including denying a prior authorization — the reviewing health care provider must review individual clinical records, document that review, and exercise independent judgment separate from AI recommendations. This is a mandatory pre-action human review requirement identical to the insurer obligation under § 5205.
Statutory Text
§ 5305. Health care provider requirements. Prior to issuing or upholding a decision to deny, reduce or terminate benefits for a health care service, including a decision to deny a prior authorization request, a health care provider who participates in utilization review on behalf of an MA or CHIP managed care plan shall: (1) Review individual clinical records and other relevant information. (2) Document the review under paragraph (1). (3) Based on the review under paragraph (1), exercise judgment independent of any recommendations by the artificial intelligence-based algorithms.
H-02 Non-Discrimination & Bias Assessment · H-02.1 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(4)-(5)
Plain Language
MA/CHIP managed care plans must ensure their AI algorithms and training data do not discriminate against enrollees in violation of federal or state law. The algorithms must be applied fairly and equitably, consistent with applicable HHS regulations and guidance. This parallels the insurer non-discrimination requirement.
Statutory Text
(4) The artificial intelligence-based algorithms and training data sets must not directly or indirectly discriminate against the enrollees in violation of Federal or State law. (5) The artificial intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations and guidance issued by the United States Department of Health and Human Services.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(7)
Plain Language
MA/CHIP managed care plans must periodically review and revise their AI algorithms used in utilization review to maximize accuracy and reliability. This is an ongoing operational review obligation, not a one-time assessment.
Statutory Text
(7) The performance, use and outcomes of the artificial intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(8)
Plain Language
MA/CHIP managed care plans must not use enrollee data beyond the stated purpose of their AI algorithms. This purpose-limitation obligation is layered on top of HIPAA and state law, preventing secondary use of enrollee data collected through AI utilization review processes.
Statutory Text
(8) The data of the covered person or enrollees must not be used beyond the intended and stated purpose of the artificial intelligence-based algorithms, consistent with the laws of this Commonwealth and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936), as applicable.
R-02 Regulatory Disclosure & Submissions · R-02.1, R-02.4 · Deployer · Healthcare
40 Pa.C.S. § 5304(a)-(b)
Plain Language
MA/CHIP managed care plans using AI in utilization review must annually file a compliance statement with the Department of Human Services, covering algorithm function and scope, decision trees, training data descriptions and sources, compliance attestation with evidence, and a description of the plan's oversight and validation processes. This parallels the insurer compliance statement under § 5204.
Statutory Text
§ 5304. Artificial intelligence compliance statements. (a) Compliance statement required.--An MA or CHIP managed care plan using artificial intelligence-based algorithms in the utilization review process shall annually file with the department, in the form and manner prescribed by the department, an artificial intelligence compliance statement. (b) Contents.--Each compliance statement must: (1) Summarize the function and scope of the artificial intelligence-based algorithms used for utilization review. (2) Provide a logic or decision tree of artificial intelligence-based algorithms used for utilization review. (3) Provide a description of each training data set used by artificial intelligence-based algorithms for utilization review, including the source of the data. (4) Attest that the artificial intelligence-based algorithms and the training data sets comply with section 5303 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the MA or CHIP managed care plan for overseeing and validating the performance and compliance of the artificial intelligence-based algorithms in accordance with section 5303.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare
40 Pa.C.S. § 5308
Plain Language
The Department of Human Services may request additional information and evidence from MA/CHIP managed care plans at any time regarding their AI disclosure, responsible use, and compliance statements. Plans must maintain documentation ready for regulatory production on demand.
Statutory Text
§ 5308. Oversight. The department may request additional information and evidence from an MA or CHIP managed care plan regarding the items provided under section 5302 (relating to disclosure), 5303 (relating to responsible use) and 5304 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.