(a) Prohibition. Subject to the limited exceptions provided in this section, no person shall: (1) collect or record an individual's neural data gathered from a brain-computer interface; or (2) share with a third party an individual's neural data gathered from a brain-computer interface. (b) Consent to collect. A person shall not collect or record an individual's neural data gathered from a brain-computer interface unless the person: (1) provides the individual with a written notice explaining how the person will use the individual's neural data; and (2) thereafter receives written informed consent from the individual to collect or record the individual's neural data.

(c) Consent to share. A person shall not share with a third party an individual's neural data gathered from a brain-computer interface unless the person: (1) provides the individual with a written request for the individual's neural data to be shared with a third party and for what purposes, including the name and address of the third party; and (2) thereafter receives written informed consent from the individual to share the individual's neural data with the third party.

(d) Revocation of consent. (1) An individual who has provided written informed consent allowing a person to collect, record, or share the individual's neural data pursuant to this section has the right to revoke consent at any time thereafter by providing written notice to the person initially receiving the consent. This revocation of consent notice shall be as easy or easier for the individual to provide as compared to the requirements for initially providing consent. (2) A person who receives written notice from an individual revoking consent pursuant to subdivision (1) of this subsection shall: (A) destroy all records of the individual's neural data not later than 10 days after receiving the notice; and (B) in the case of the revocation of consent to share an individual's neural data, immediately: (i) cease sharing an individual's neural data with all third parties upon receipt of the notice; and (ii) inform all third parties with whom the person has shared the individual's neural data that the individual has revoked consent.

(a) Specific consent required. (1) A person shall not allow a brain-computer interface it manufactures to be used to bypass the conscious decision making of an individual unless the person has received specific, written informed consent from the individual. As used in this section, "specific" means written consent for each and every category of action performed by the brain-computer interface. (2) A person receiving written informed consent from an individual shall keep a record of the individual's consent. (3) Consent obtained by using a consciousness bypass is not informed consent. (b) Revoking consent. (1) An individual who has provided specific, written informed consent allowing a brain-computer interface to be used to bypass the conscious decision making of the individual pursuant to this section has the right to revoke consent at any time thereafter by providing notice to the person initially receiving the consent. This revocation of consent notice shall be as easy or easier for the individual to provide as compared to the requirements for initially providing consent. (2) An individual's agent, guardian, or surrogate has the right to revoke consent on behalf of the individual pursuant to subdivision (1) of this subsection.

(a) Except as provided in subsection (b) of this section, any health care provider that uses generative artificial intelligence to generate written or verbal patient communications relating to patient clinical information shall ensure that those communications include both of the following: (1) A disclaimer that indicates to the patient that the communication was generated by generative artificial intelligence. (A) For written communications involving physical and digital media, including letters, emails, and other occasional messages, the disclaimer shall appear prominently at the beginning of each communication. (B) For written communications involving continuous online interactions, including chat-based telehealth, the disclaimer shall be prominently displayed throughout the interaction. (C) For audio communications, the disclaimer shall be provided verbally at the start and end of the interaction. (D) For video communications, the disclaimer shall be prominently displayed throughout the interaction. (2) Clear instructions describing how a patient may contact a human health care provider; an employee of the health care facility, clinic, physician's office, or office of a group provider; or other appropriate person. (b) If a communication is generated by generative artificial intelligence and read and reviewed by a licensed human health care provider, the requirements of subsection (a) of this section shall not apply.

(a)(1) Except as provided in subdivision (2) of this subsection, a supplier of a mental health chatbot shall not sell to or share with any third party any: (A) individually identifiable health information of a Vermont user; or (B) user input of a Vermont user. (2) The prohibition set forth in subdivision (1) of this subsection shall not apply to individually identifiable health information that is: (A) requested by a health care provider with the consent of the Vermont user; (B) provided to a health plan of a Vermont user upon request of the Vermont user; or (C) shared in compliance with subsection (b) of this section. (b)(1) A supplier may share individually identifiable health information necessary to ensure the effective functionality of the mental health chatbot with another person with whom the supplier has a contract related to such functionality. (2) When sharing information pursuant to subdivision (1) of this subsection, the supplier and the other person shall comply with all applicable privacy and security provisions of 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E, as if the supplier were a covered entity and the other person were a business associate, as those terms are defined in 45 C.F.R. § 160.103.

(a) A supplier shall not use a mental health chatbot to advertise a specific product or service to a Vermont user in a conversation between the Vermont user and the mental health chatbot unless the mental health chatbot: (1) clearly and conspicuously identifies the advertisement as an advertisement; and (2) clearly and conspicuously discloses to the Vermont user any: (A) sponsorship; (B) business affiliation; or (C) agreement that the supplier has with a third party to promote, advertise, or recommend the product or service. (b) A supplier of a mental health chatbot shall not use a Vermont user's input to: (1) determine whether to display an advertisement for a product or service to the Vermont user, unless the advertisement is for the mental health chatbot itself; (2) determine a product, service, or category of product or service to advertise to the Vermont user; or (3) customize how an advertisement is presented to a Vermont user. (c) Nothing in this section shall be construed to prohibit a mental health chatbot from recommending that a Vermont user seek psychotherapy or other assistance from a licensed health care provider, including a specific licensed health care provider.

(a) A supplier of a mental health chatbot shall cause the mental health chatbot to clearly and conspicuously disclose to a Vermont user that the mental health chatbot is an artificial intelligence technology and not a human. (b) The disclosure described in subsection (a) of this section shall be made: (1) before the Vermont user may access the features of the mental health chatbot; (2) at the beginning of any interaction with the Vermont user if the Vermont user has not accessed the mental health chatbot within the previous seven days; and (3) any time a Vermont user asks or otherwise prompts the mental health chatbot about whether artificial intelligence is being used.

(a) It is an affirmative defense to liability in an action for unlawful or unprofessional conduct brought against a supplier by the Office of Professional Regulation or the Board of Medical Practice if the supplier demonstrates that the supplier meets all of the following conditions: (1) the supplier created, maintained, and implemented a policy that meets the requirements of subsection (b) of this section; (2) the supplier maintains documentation regarding the development and implementation of the mental health chatbot that describes: (A) foundation models used in development; (B) training tools used; (C) compliance with federal health privacy regulations; (D) user data collection and sharing practices; and (E) ongoing efforts to ensure accuracy, reliability, fairness, and safety; (3) the supplier filed the policy with the Office of the Attorney General; and (4) the supplier complied with all requirements of the filed policy at the time of the alleged violation. (b) A policy described in subdivision (a)(1) of this section shall meet all of the following requirements: (1) be in writing; (2) clearly state: (A) the intended purposes of the mental health chatbot; and (B) the abilities and limitations of the mental health chatbot; (3) describe the procedures by which the supplier: (A) ensures that qualified mental health providers licensed in Vermont or in one or more other states, or both, are involved in the development and review process; (B) ensures that the mental health chatbot is developed and monitored in a manner consistent with clinical best practices; (C) conducts testing prior to making the mental health chatbot publicly available and regularly thereafter to ensure that the output of the mental health chatbot poses no greater risk to a user than that posed to an individual in psychotherapy with a licensed mental health provider; (D) identifies reasonably foreseeable adverse outcomes to and potentially harmful interactions with users that could result from using the mental health chatbot; (E) provides a mechanism for a user to report any potentially harmful interactions from use of the mental health chatbot; (F) implements protocols to assess and respond to risk of harm to users or other individuals; (G) details actions taken to prevent or mitigate any such adverse outcomes or potentially harmful interactions; (H) implements protocols to respond in real time to acute risk of physical harm; (I) reasonably ensures regular, objective reviews of safety, accuracy, and efficacy, which may include internal or external audits; (J) provides users any necessary instructions on the safe use of the mental health chatbot; (K) ensures users understand that they are interacting with artificial intelligence; (L) ensures users understand the intended purpose, capabilities, and limitations of the mental health chatbot; (M) prioritizes user mental health and safety over engagement metrics or profit; (N) implements measures to prevent discriminatory treatment of users; and (O) ensures compliance with the security and privacy protections of 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A, C, and E, as if the supplier were a covered entity, and applicable consumer protection requirements, including sections 9761-9763 of this subchapter.

(c) To file a policy with the Office of the Attorney General under this section, a supplier of a mental health chatbot: (1) shall provide to the Office, in the form and manner prescribed by the Office: (A) the name and address of the supplier; (B) the name of the mental health chatbot supplied by the supplier; (C) the written policy described in subsection (b) of this section; and (D) a $100.00 filing fee; and (2) may provide to the Office: (A) any revisions to a policy filed under this section; and (B) any other documentation that the supplier elects to provide.

(a) A health plan, as defined in section 9418 of this title, that uses an artificial intelligence, algorithm, or other software tool for the purpose of utilization review or utilization management functions, based in whole or in part on medical necessity, or that contracts with or otherwise works through an entity that uses artificial intelligence, algorithm, or other software tool for the purpose of utilization review or utilization management functions, based in whole or in part on medical necessity, shall ensure all of the following: (1) The artificial intelligence, algorithm, or other software tool bases its determination on the following information, as applicable: (A) a covered individual's medical or other clinical history; (B) the specific clinical circumstances as presented by the requesting health care provider; and (C) other relevant clinical information contained in the covered individual's medical or other clinical record. (2) The artificial intelligence, algorithm, or other software tool does not base its determination solely on a group dataset. (b) Notwithstanding subsection (a) of this section, the artificial intelligence, algorithm, or other software tool shall not deny, delay, or modify health care services based in whole or in part on medical necessity. A determination of medical necessity shall be made only by a licensed human health care provider who is competent to evaluate the specific clinical issues involved in the health care services requested by a treating health care provider by reviewing and considering the requesting provider's recommendation; the covered individual's medical or other clinical history, as appropriate; and the specific clinical circumstances.

(9) The artificial intelligence, algorithm, or other software tool's performance, use, and outcomes are periodically reviewed and revised to maximize accuracy and reliability.

(10) Patient data is not used beyond its intended and stated purpose, consistent with chapter 42B of this title and with the security and privacy protections of 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E, as applicable.

(7) The artificial intelligence, algorithm, or other software tool is open to inspection for audit or compliance reviews by the Department of Financial Regulation and by other State agencies and departments pursuant to applicable State and federal law. (8) Disclosures pertaining to the use and oversight of the artificial intelligence, algorithm, or other software tool are contained in the health plan's written policies and procedures to the extent required by the Department of Financial Regulation.

(4) The artificial intelligence, algorithm, or other software tool does not supplant health care provider decision making. (5) The use of the artificial intelligence, algorithm, or other software tool does not discriminate, directly or indirectly, against covered individuals in violation of State or federal law. (6) The artificial intelligence, algorithm, or other software tool is fairly and equitably applied, including in accordance with any applicable regulations and guidance issued by the U.S. Department of Health and Human Services.

(11) The artificial intelligence, algorithm, or other software tool does not directly or indirectly cause harm to the covered individual.

(a) A violation of this chapter shall constitute an unfair or deceptive act or practice in commerce under 9 V.S.A. chapter 63, Vermont's Consumer Protection Act. (b) A person who violates this chapter shall be subject to a civil penalty of not more than $10,000.00 for each violation. (c) The Attorney General shall have the same authority to make rules, conduct civil investigations, enter into assurances of discontinuance, and bring civil actions as provided under 9 V.S.A. chapter 63, subchapter 1. Consumers shall have the same rights and remedies as provided under 9 V.S.A. chapter 63, subchapter 1.

The Attorney General may impose an administrative penalty of not more than $2,500.00 for each violation of this chapter. In addition, and in addition to any other remedy provided by law, the Attorney General may file an action in Superior Court for a violation of this chapter. The Attorney General shall have the same authority to investigate and obtain remedies as if the action were brought under the Vermont Consumer Protection Act, 9 V.S.A. chapter 63. Each violation of this chapter constitutes a separate violation for which the Attorney General may obtain relief.

(3) The artificial intelligence, algorithm, or other software tool's criteria and guidelines comply with 8 V.S.A. chapter 107, chapter 221 of this title, and other applicable State and federal laws.