SB-1113
PA · State · USA
Status: Pending
Proposed Effective Date: 2027-01-09
Pennsylvania SB 1113 — An Act Amending Titles 35 (Health and Safety) and 40 (Insurance) of the Pennsylvania Consolidated Statutes, Providing for Artificial Intelligence in Facilities, for Artificial Intelligence Use by Insurers and for Artificial Intelligence Use by MA or CHIP Managed Care Plans
Summary

Regulates the use of AI-based algorithms in three healthcare contexts in Pennsylvania: healthcare facilities (Chapter 35), health insurers (Chapter 52), and MA/CHIP managed care plans (Chapter 53). Facilities must disclose AI use in clinical decision making to patients and include disclaimers on AI-generated patient communications. Insurers and managed care plans must disclose AI use in utilization review to providers and covered persons, ensure AI determinations are based on individualized clinical data rather than solely group datasets, and ensure that AI does not supersede human clinical judgment. All three entity types must annually file AI compliance statements with their respective department detailing algorithms, training data, and oversight processes. Enforcement is agency-initiated through the Department of Health, the Insurance Department, and the Department of Human Services, with civil penalties up to $5,000 per violation subject to aggregate annual caps. The act takes effect one year after enactment.

Enforcement & Penalties
Enforcement Authority
Agency-initiated enforcement. Three separate departments enforce the three chapters: the Department of Health enforces Chapter 35 (facilities), the Insurance Department enforces Chapter 52 (insurers), and the Department of Human Services enforces Chapter 53 (MA/CHIP managed care plans). Each department may impose civil penalties and seek injunctions. For Chapters 52 and 53, violations are also deemed violations of the Unfair Insurance Practices Act, and the department may temporarily prohibit enrollment of new covered persons/enrollees. No private right of action is created. Administrative appeals lie to Commonwealth Court.
Penalties
Civil penalties up to $5,000 per violation; each instance of nondisclosure is a separate violation. Aggregate annual cap of $500,000 for facilities, insurers, and MA/CHIP managed care plans; $100,000 aggregate annual cap for any other person. Injunctive relief available. For Chapters 52 and 53, the department may also temporarily prohibit new enrollment. Plans of correction may be imposed in lieu of fines. Remedies are nonexclusive and supplement penalties available under other Pennsylvania law, including the Health Care Facilities Act and the Unfair Insurance Practices Act.
Who Is Covered
"Facility." A health care setting or institution providing health care services, including: (1) A general, special, psychiatric or rehabilitation hospital. (2) An ambulatory surgical facility. (3) A cancer treatment center. (4) A birth center. (5) An inpatient, outpatient or residential drug and alcohol treatment facility. (6) A facility licensed by the Department of Human Services' Office of Mental Health and Substance Abuse Services. (7) A laboratory, imaging, diagnostic or other outpatient medical service or testing facility. (8) A health care provider office or clinic that is owned by or employs a Commonwealth-licensed physician, physician assistant or nurse practitioner.
"Insurer." As follows: (1) An entity licensed by the department that offers, issues or renews an individual or group health insurance policy that is offered or governed under any of the following: (i) Chapter 61 (relating to hospital plan corporations) or 63 (relating to professional health services plan corporations). (ii) The act of May 17, 1921 (P.L.682, No.284), known as The Insurance Company Law of 1921, including section 630 and Article XXIV thereof. (iii) The act of December 29, 1972 (P.L.1701, No.364), known as the Health Maintenance Organization Act. (2) The term does not include an entity operating as an MA or CHIP managed care plan.
"Medical Assistance or Children's Health Insurance Program managed care plan" or "MA or CHIP managed care plan." As defined under section 2102 of the act of May 17, 1921 (P.L.682, No.284), known as The Insurance Company Law of 1921.
Compliance Obligations · 35 obligations
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(1)
Plain Language
When a facility uses AI-based algorithms for clinical decision making, the algorithms must not supersede the health care provider's own clinical judgment. The human provider retains ultimate authority over patient care decisions involving gathering information, diagnosing, and planning treatments. This is a human-override requirement ensuring AI remains a support tool rather than the final decision-maker in clinical contexts.
Statutory Text
(1) The artificial-intelligence-based algorithms must not supersede health care provider clinical decision making.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(3)
Plain Language
When an insurer uses AI-based algorithms in utilization review, those algorithms must not supersede the judgment of the health care provider conducting the review. The human reviewer retains final decision-making authority over utilization review determinations.
Statutory Text
(3) The artificial-intelligence-based algorithms must not supersede decision making of the health care provider conducting the utilization review.
HC-01 Healthcare AI Decision Restrictions · HC-01.1, HC-01.2 · Professional · Healthcare, Financial Services
40 Pa.C.S. § 5205
Plain Language
Before an insurer's utilization review provider issues or upholds any adverse benefit determination (denial, reduction, or termination of a health care service, including prior authorization denials), the reviewing provider must independently review the individual patient's clinical records, document that review, and exercise independent clinical judgment separate from any AI recommendations. This goes beyond simply requiring human oversight — it mandates documented, individualized clinical review as a prerequisite to any adverse action.
Statutory Text
Prior to issuing or upholding a decision to deny, reduce or terminate benefits for a health care service, including a decision to deny a prior authorization request, a health care provider who participates in utilization review on behalf of an insurer shall: (1) Review individual clinical records and other relevant information. (2) Document the review under paragraph (1). (3) Based on the review under paragraph (1), exercise judgment independent of any recommendations by the artificial-intelligence-based algorithms.
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(1)-(2)
Plain Language
Insurers' AI-based algorithms used in utilization review must base each determination on the individual covered person's medical history, the clinical circumstances presented by the requesting provider, and other relevant information in the person's clinical record. Determinations may not be based solely on aggregate or group-level datasets — individual patient data must be considered in every case. This ensures individualized rather than population-level decision-making.
Statutory Text
(1) The artificial-intelligence-based algorithms must base a determination on all of the following: (i) The medical or other clinical history of the covered person. (ii) Individual clinical or nonclinical circumstances as presented by the requesting health care provider. (iii) Other relevant clinical or nonclinical information contained in the medical or other clinical record of the covered person. (2) The artificial-intelligence-based algorithms must not base a determination solely on a group data set.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(3)
Plain Language
When an MA or CHIP managed care plan uses AI-based algorithms in utilization review, those algorithms must not supersede the judgment of the health care provider conducting the review. The human reviewer retains final decision-making authority.
Statutory Text
(3) The artificial-intelligence-based algorithms must not supersede decision making of the health care provider conducting the utilization review.
HC-01 Healthcare AI Decision Restrictions · HC-01.3 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(1)-(2)
Plain Language
MA or CHIP managed care plans' AI-based algorithms used in utilization review must base each determination on the individual enrollee's medical history, clinical circumstances from the requesting provider, and other relevant information in the enrollee's record. Determinations may not rest solely on group-level data. This mirrors the insurer requirement in Chapter 52 but applies specifically to Medicaid and CHIP managed care.
Statutory Text
(1) The artificial-intelligence-based algorithms must base a determination on all of the following: (i) The medical or other clinical history of the enrollee. (ii) Individual clinical or nonclinical circumstances as presented by the requesting health care provider. (iii) Other relevant clinical or nonclinical information contained in the medical or other clinical record of the enrollee. (2) The artificial-intelligence-based algorithms must not base a determination solely on a group data set.
HC-01 Healthcare AI Decision Restrictions · HC-01.1, HC-01.2 · Professional · Healthcare
40 Pa.C.S. § 5305
Plain Language
Before an MA or CHIP managed care plan's utilization review provider issues or upholds any adverse benefit determination, the reviewing provider must independently review individual clinical records, document the review, and exercise judgment independent of AI recommendations. This mirrors § 5205 for insurers but applies to MA/CHIP managed care plans.
Statutory Text
Prior to issuing or upholding a decision to deny, reduce or terminate benefits for a health care service, including a decision to deny a prior authorization request, a health care provider who participates in utilization review on behalf of an MA or CHIP managed care plan shall: (1) Review individual clinical records and other relevant information. (2) Document the review under paragraph (1). (3) Based on the review under paragraph (1), exercise judgment independent of any recommendations by the artificial-intelligence-based algorithms.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3502(b)(1)-(2)
Plain Language
Facilities that use AI to generate written or verbal patient communications about clinical information must include a clear disclaimer that the communication was AI-generated, plus instructions on how to reach a human provider. These requirements do not apply to purely administrative communications (scheduling, billing) or to communications that a human provider has individually read and reviewed before sending. The human-review exemption creates a safe harbor — if a clinician personally reviews the AI output, the disclaimer is not required.
Statutory Text
(1) A facility that uses artificial intelligence to generate written or verbal patient communications pertaining to patient clinical information shall include: (i) A clear and conspicuous disclaimer that indicates that the communication was generated by artificial intelligence. (ii) Clear instructions on how the patient may contact a human health care provider or relevant employee of the facility with questions. (2) The requirements under paragraph (1) shall not apply to communications that: (i) only pertain to administrative matters, including appointment scheduling, billing or other clerical or business matters; or (ii) have been individually read and reviewed by a human health care provider.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
35 Pa.C.S. § 3502(a)
Plain Language
Facilities must disclose to patients when AI-based algorithms are or will be used for clinical decision making. The disclosure must appear in all related written communications and be posted on the facility's public website. The Department of Health will determine the specific nature and frequency of disclosure requirements. This is a general disclosure obligation ensuring that patients know AI is involved in their care, distinct from the per-communication disclaimer requirement in § 3502(b).
Statutory Text
(a) Artificial-intelligence-based algorithms.--A facility shall disclose to patients of the facility if artificial-intelligence-based algorithms are or will be used for clinical decision making or other similar tasks. The disclosure shall be: (1) Provided in all related written communications. (2) Posted on the publicly accessible Internet website of the facility.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5202(a)-(b)
Plain Language
Insurers must disclose to both participating network providers and all covered persons that AI-based algorithms are or will be used in their utilization review process. This disclosure must also be posted on the insurer's public website. The Insurance Department will determine the specific nature and frequency of disclosure requirements to covered persons.
Statutory Text
(a) Artificial-intelligence-based algorithms.--An insurer shall disclose to a participating network provider and all covered persons if artificial-intelligence-based algorithms are or will be used in the utilization review process of the insurer. (b) Posting.--An insurer shall post the information about the use of artificial-intelligence-based algorithms in the utilization review process of the insurer on the publicly accessible Internet website of the insurer.
HC-01 Healthcare AI Decision Restrictions · HC-01.6 · Deployer · Healthcare
40 Pa.C.S. § 5302(a)-(b)
Plain Language
MA or CHIP managed care plans must disclose to participating network providers and all enrollees that AI-based algorithms are or will be used in the plan's utilization review process. The information must also be posted on the plan's public website. The Department of Human Services will determine the specific nature and frequency of disclosure requirements.
Statutory Text
(a) Artificial-intelligence-based algorithms.--An MA or CHIP managed care plan shall disclose to a participating network provider and all enrollees if artificial-intelligence-based algorithms are or will be used in the utilization review process of the MA or CHIP managed care plan. (b) Posting.--An MA or CHIP managed care plan shall post the information about the use of artificial-intelligence-based algorithms in the utilization review process of the MA or CHIP managed care plan on the publicly accessible Internet website of the MA or CHIP managed care plan.
H-02 Non-Discrimination & Bias Assessment · H-02.1 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(2)-(3)
Plain Language
Facilities must ensure that their AI-based algorithms and training datasets do not discriminate — directly or indirectly — against patients in violation of federal or state law. The algorithms must be fairly and equitably applied, including compliance with any applicable HHS regulations or guidance. This creates both a non-discrimination obligation and an affirmative fairness requirement for clinical AI tools.
Statutory Text
(2) The artificial-intelligence-based algorithms and training data sets must not directly or indirectly discriminate against patients in violation of Federal or State law. (3) The artificial-intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations and or guidance issued by the United States Department of Health and Human Services.
H-02 Non-Discrimination & Bias Assessment · H-02.1 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(4)-(5)
Plain Language
Insurers must ensure their AI-based algorithms and training datasets do not discriminate — directly or indirectly — against covered persons in violation of federal or state law. The algorithms must be fairly and equitably applied consistent with applicable HHS regulations or guidance. This applies specifically to AI used in the utilization review process.
Statutory Text
(4) The artificial-intelligence-based algorithms and training data sets must not directly or indirectly discriminate against covered persons in violation of Federal or State law. (5) The artificial-intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations or guidance issued by the United States Department of Health and Human Services.
H-02 Non-Discrimination & Bias Assessment · H-02.1 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(4)-(5)
Plain Language
MA or CHIP managed care plans must ensure their AI-based algorithms and training datasets do not discriminate against enrollees in violation of federal or state law, and must be fairly and equitably applied consistent with HHS guidance. This mirrors the insurer non-discrimination requirement but applies to Medicaid/CHIP managed care plans.
Statutory Text
(4) The artificial-intelligence-based algorithms and training data sets must not directly or indirectly discriminate against the enrollees in violation of Federal or State law. (5) The artificial-intelligence-based algorithms must be fairly and equitably applied, including in accordance with any applicable regulations and guidance issued by the United States Department of Health and Human Services.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(5)
Plain Language
Facilities must periodically review and revise the performance, use, and outcomes of their AI-based algorithms to maximize accuracy and reliability. This is an ongoing operational obligation — not a one-time pre-deployment check — requiring continuous monitoring and improvement of AI tools used in clinical decision making.
Statutory Text
(5) The performance, use and outcomes of the artificial-intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(7)
Plain Language
Insurers must periodically review and revise the performance, use, and outcomes of their AI-based algorithms used in utilization review to maximize accuracy and reliability. This mirrors the facility obligation under Chapter 35.
Statutory Text
(7) The performance, use and outcomes of the artificial-intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability.
S-01 AI System Safety Program · S-01.7 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(7)
Plain Language
MA or CHIP managed care plans must periodically review and revise the performance, use, and outcomes of AI-based algorithms used in utilization review to maximize accuracy and reliability.
Statutory Text
(7) The performance, use and outcomes of the artificial-intelligence-based algorithms must be periodically reviewed and revised to maximize accuracy and reliability.
S-01 AI System Safety Program · S-01.1 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(7)
Plain Language
AI-based algorithms used by facilities for clinical decision making must not create foreseeable, material risks of harm to patients. This is a substantive safety standard — facilities must ensure their AI tools do not expose patients to predictable, significant risks of harm. Compliance likely requires pre-deployment and ongoing safety evaluation.
Statutory Text
(7) The artificial-intelligence-based algorithms must not create foreseeable, material risks of harm to the patient.
S-01 AI System Safety Program · S-01.1 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(9)
Plain Language
Insurers' AI-based algorithms used in utilization review must not create foreseeable, material risks of harm to covered persons. This is a substantive safety standard paralleling the facility requirement.
Statutory Text
(9) The artificial-intelligence-based algorithms must not create foreseeable, material risks of harm to the covered person.
S-01 AI System Safety Program · S-01.1 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(9)
Plain Language
MA or CHIP managed care plans' AI-based algorithms used in utilization review must not create foreseeable, material risks of harm to enrollees.
Statutory Text
(9) The artificial-intelligence-based algorithms must not create foreseeable, material risks of harm to the enrollee.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare
35 Pa.C.S. § 3503(b)(6)
Plain Language
Patient data collected and used in connection with AI-based algorithms must not be used beyond the intended and stated purpose of those algorithms. This data minimization and purpose limitation requirement must be consistent with Pennsylvania state law and HIPAA. Facilities must clearly define and document the intended purpose of their AI algorithms and restrict data use accordingly.
Statutory Text
(6) Patient data must not be used beyond the intended and stated purpose of the artificial-intelligence-based algorithms, consistent with the laws of this Commonwealth and 42 U.S.C. Ch. 7 Subch. XI Part C (relating to administrative simplification), as applicable.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5203(b)(8)
Plain Language
Covered person data used in connection with insurer AI-based algorithms must not be used beyond the algorithms' intended and stated purpose, consistent with Pennsylvania law and HIPAA. This is a purpose limitation requirement for insurance utilization review AI.
Statutory Text
(8) The data of the covered person must not be used beyond the intended and stated purpose of the artificial-intelligence-based algorithms, consistent with Commonwealth law and 42 U.S.C. Ch. 7, Subch. XI Part C (relating to administrative simplification), as applicable.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Healthcare
40 Pa.C.S. § 5303(b)(8)
Plain Language
Enrollee data used in connection with MA or CHIP managed care plan AI-based algorithms must not be used beyond the algorithms' intended and stated purpose, consistent with Pennsylvania law and HIPAA.
Statutory Text
(8) The data of the covered person or enrollees must not be used beyond the intended and stated purpose of the artificial-intelligence-based algorithms, consistent with the laws of this Commonwealth and the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936), as applicable.
R-02 Regulatory Disclosure & Submissions · R-02.1, R-02.4 · Deployer · Healthcare
35 Pa.C.S. § 3504(a)-(b)
Plain Language
Facilities using AI for clinical decision making must annually file an AI compliance statement with the Department of Health. The statement must include: a summary of each AI algorithm's function and scope, a logic or decision tree, a description of each training dataset and its source, an attestation with evidence of compliance with responsible use requirements, and a description of the facility's oversight and validation process. This is a comprehensive annual regulatory filing combining compliance certification with substantive algorithm documentation.
Statutory Text
(a) Compliance statement required.--A facility using artificial-intelligence-based algorithms for clinical decision making shall annually file with the department in the form and manner prescribed by the department an artificial intelligence compliance statement. (b) Contents.--A compliance statement must: (1) Summarize the function and scope of artificial-intelligence-based algorithms used for clinical decision making. (2) Provide a logic or decision tree of artificial-intelligence-based algorithms used for clinical decision making. (3) Provide a description of each training data set used by artificial-intelligence-based algorithms for clinical decision making, including the source of the data. (4) Attest that the artificial-intelligence-based algorithms and the training data sets comply with section 3503 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the facility for overseeing and validating the performance and compliance of the artificial-intelligence-based algorithms in accordance with section 3503.
R-02 Regulatory Disclosure & Submissions · R-02.1, R-02.4 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5204(a)-(b)
Plain Language
Insurers using AI in utilization review must annually file an AI compliance statement with the Insurance Department. Contents mirror the facility filing requirement: algorithm function and scope summary, logic/decision tree, training data descriptions with sources, compliance attestation with evidence, and description of oversight and validation processes.
Statutory Text
(a) Compliance statement required.--An insurer using artificial-intelligence-based algorithms in the utilization review process shall annually file with the department in the form and manner prescribed by the department an artificial intelligence compliance statement. (b) Contents.--A compliance statement must: (1) Summarize the function and scope of the artificial-intelligence-based algorithms used for utilization review. (2) Provide a logic or decision tree of artificial-intelligence-based algorithms used for utilization review. (3) Provide a description of each training data set used by artificial-intelligence-based algorithms for utilization review, including the source of the data. (4) Attest that the artificial-intelligence-based algorithms and the training data sets comply with section 5203 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the insurer for overseeing and validating the performance and compliance of the artificial-intelligence-based algorithms in accordance with section 5203.
R-02 Regulatory Disclosure & Submissions · R-02.1, R-02.4 · Deployer · Healthcare
40 Pa.C.S. § 5304(a)-(b)
Plain Language
MA or CHIP managed care plans using AI in utilization review must annually file an AI compliance statement with the Department of Human Services. Contents parallel the facility and insurer filing requirements.
Statutory Text
(a) Compliance statement required.--An MA or CHIP managed care plan using artificial-intelligence-based algorithms in the utilization review process shall annually file with the department, in the form and manner prescribed by the department, an artificial intelligence compliance statement. (b) Contents.--A compliance statement must: (1) Summarize the function and scope of the artificial-intelligence-based algorithms used for utilization review. (2) Provide a logic or decision tree of artificial-intelligence-based algorithms used for utilization review. (3) Provide a description of each training data set used by artificial-intelligence-based algorithms for utilization review, including the source of the data. (4) Attest that the artificial-intelligence-based algorithms and the training data sets comply with section 5303 (relating to responsible use) and provide evidence of the compliance. (5) Describe the process of the MA or CHIP managed care plan for overseeing and validating the performance and compliance of the artificial-intelligence-based algorithms in accordance with section 5303.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare
35 Pa.C.S. § 3507
Plain Language
The Department of Health may at any time request additional information and evidence from a facility regarding its AI disclosures, responsible use practices, and compliance statements. Facilities must be prepared to produce documentation on demand to support their regulatory filings.
Statutory Text
The department may request additional information and evidence from a facility regarding the items provided under sections 3502 (relating to disclosure), 3503 (relating to responsible use) and 3504 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5208
Plain Language
The Insurance Department may request additional information and evidence from insurers regarding their AI disclosures, responsible use practices, and compliance statements at any time to ensure compliance.
Statutory Text
The department may request additional information and evidence from an insurer regarding the items provided under sections 5202 (relating to disclosure), 5203 (relating to responsible use) and 5204 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Healthcare
40 Pa.C.S. § 5308
Plain Language
The Department of Human Services may request additional information and evidence from MA or CHIP managed care plans regarding their AI disclosures, responsible use practices, and compliance statements to ensure compliance.
Statutory Text
The department may request additional information and evidence from an MA or CHIP managed care plan regarding the items provided under section 5302 (relating to disclosure), 5303 (relating to responsible use) and 5304 (relating to artificial intelligence compliance statements) that are necessary to ensure compliance with this chapter.
G-01 AI Governance Program & Documentation · G-01.3, G-01.4 · Deployer · Healthcare
35 Pa.C.S. § 3506
Plain Language
The Department of Health will establish a record retention policy specifying how long facilities must retain records related to AI algorithms. While the specific retention period is deferred to department rulemaking, facilities should anticipate a mandatory retention obligation and begin organizing records in a form suitable for production. The department may consult with facilities and providers in setting the policy.
Statutory Text
The department shall establish a record retention policy and determine the amount of time a facility shall retain records related to artificial-intelligence algorithms. The department may request input from facilities and health care providers or their representatives in making the determination under this section.
G-01 AI Governance Program & Documentation · G-01.3, G-01.4 · Deployer · Healthcare, Financial Services
40 Pa.C.S. § 5207
Plain Language
The Insurance Department will establish a record retention policy for insurers' AI-related records. Insurers must retain records for the period to be determined by the department.
Statutory Text
The department shall establish a record retention policy and determine the amount of time an insurer shall retain records. The department may request input from insurers or their representatives in making this determination.
G-01 AI Governance Program & Documentation · G-01.3, G-01.4 · Deployer · Healthcare
40 Pa.C.S. § 5307
Plain Language
The Department of Human Services will establish a record retention policy for MA or CHIP managed care plans' AI-related records.
Statutory Text
The department shall establish a record retention policy and determine the amount of time an MA or CHIP managed care plan shall retain records. The department may request input from an MA or CHIP managed care plan or their representative to make this determination.
Other · Healthcare
35 Pa.C.S. § 3508
Plain Language
Third-party vendors (contractors, subcontractors, or other vendors) that sell, lease, or supply AI-based algorithms or AI-based services to healthcare facilities are themselves subject to all Chapter 35 obligations. The Department of Health will develop regulations or guidance specifying vendor responsibilities. This extends the compliance perimeter beyond the facility to upstream AI suppliers, though specific vendor obligations await departmental rulemaking.
Statutory Text
A contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial-intelligence-based algorithms or services based on artificial-intelligence-based algorithms to the facility shall be subject to this chapter. The department shall develop regulations or guidance regarding the responsibility of a contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial-intelligence-based algorithms or services based on artificial-intelligence-based algorithms to the facility. The department may request input from facilities, third-party vendors and health care providers or their representatives in making this determination.
Other · Healthcare, Financial Services
40 Pa.C.S. § 5209
Plain Language
Third-party vendors that supply AI-based algorithms or services to insurers are directly subject to all Chapter 52 obligations. The Insurance Department will develop regulations specifying vendor responsibilities.
Statutory Text
A contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial-intelligence-based algorithms or services based on artificial-intelligence-based algorithms to the insurer services shall be subject to this chapter. The department shall develop regulations or guidelines regarding the responsibility of a contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial-intelligence-based algorithms or services based on artificial-intelligence-based algorithms to the insurer. The department may request input from insurers, third-party vendors and health care providers or their representatives in making this determination.
Other · Healthcare
40 Pa.C.S. § 5309
Plain Language
Third-party vendors that supply AI-based algorithms or services to MA or CHIP managed care plans are directly subject to all Chapter 53 obligations. The Department of Human Services will develop regulations specifying vendor responsibilities.
Statutory Text
A contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial-intelligence-based algorithms or services based on artificial-intelligence-based algorithms to the MA or CHIP managed care plan shall be subject to this chapter. The department shall develop regulations or guidelines regarding the responsibility of a contractor, subcontractor or other third-party vendor that sells, leases, subscribes or otherwise supplies artificial-intelligence-based algorithms or services based on artificial-intelligence-based algorithms to the insurer or MA or CHIP managed care plan. The department may request input from insurers, third-party vendors and health care providers or their representatives in making this determination.