How State AI Laws Are Reshaping Healthcare Compliance

What Healthcare Organizations Need to Know About State AI Laws Taking Effect in 2026 

Without guidance from federal agencies, such as the U.S. Department of Health and Human Services (HHS), which oversees the Health Insurance Portability and Accountability Act (HIPAA), there is no federal law on how AI can be used in healthcare. With that in mind, states are beginning to establish their own regulations for how healthcare can adopt AI.  

Currently, states are setting guardrails around healthcare AI. While requirements differ from state to state, the emerging theme is to protect patient privacy and set a standard for transparency. The reassuring part is that these requirements align with the good data governance and privacy practices that most healthcare organizations already have in place.

In this post, we look at some of the states setting the pace, cover how Colorado’s new law is leading the way, and discuss the practical steps that you can take to turn regulatory readiness into a business advantage.  

Why the State-by-State AI Policy Approach Matters to You 

According to Manatt Health’s AI Policy Tracker, lawmakers in 47 states have introduced more than 250 bills regulating AI in healthcare in 2025, and 33 of them were signed into law across 21 states. Manatt Health expects states to remain the primary regulators of healthcare AI throughout 2026.  

This report also shows how states are setting guardrails and demanding transparency around AI in healthcare. While the details vary from state to state, the themes share common concerns regarding patient privacy and safety, transparency, and ethical oversight:

  • Clear accountability for how AI tools are used and governed in clinical contexts.
  • Disclosure when patient encounters and care services interact with AI, including ambient AI scribe recordings.
  • Patient consent requirements that are in place before these tools are used in patient encounters.

Map from Source: Manatt Health: Health AI Policy Tracker

States That Are Setting the Standard 

Multiple state governments have enacted AI governance laws that set the standard for how healthcare systems should limit AI and what they must disclose to patients. These state laws reveal how other states across the country are thinking about AI in healthcare.

California’s AB 3030 became effective in January 2025. It requires healthcare providers who use generative AI in clinical communications to disclose that the content was generated by AI. It also requires that patients be given a clear path to reach a licensed human professional. California has built on AB 3030 with the addition of AB 489, which prohibits the use of professional titles, credentials, or design elements that imply the AI system has licensed medical oversight. Each misleading term or phrase can constitute a separate offense, and state licensing boards, such as the Medical Board of California, have the authority to investigate such offenses.  

Illinois’ HB1806 and the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) take a disclosure-and-transparency approach, requiring providers to disclose that they are using AI before or at the time of a patient encounter and, in some cases, to obtain patient consent. These laws permit providers to use AI for administrative and supplementary support, provided the clinician remains responsible for the AI’s output and patients consent to uses such as AI-prepared session notes. What stays off limits is AI acting on its own: making independent therapeutic decisions, communicating directly with clients, or generating treatment plans without a licensed clinician’s oversight.

Florida HB 281, Maine HB 3082, South Carolina SB 78, and Virginia SB 269 focus on mental health providers and AI ambient scribe transcription services. These laws require providers to obtain patient consent before using these types of AI tools. 

Colorado’s AI Act Arrives in January 2027 

Colorado earned national attention in 2024 by passing the first comprehensive state AI law in the country. Two years of debate and revision later, the law has a new shape and a firm date. In May 2026, Governor Polis signed SB 26-189, which replaces the original framework and takes effect January 1, 2027. 

It centers on how AI can be used for automated decision-making, specifically AI systems that make, guide, or assist in consequential decisions about individuals across healthcare delivery and insurance operations. An important element of Colorado’s provisions is the requirement for human oversight to help ensure that decisions affecting patient care are not solely made by an AI system. Other measures of SB 26-189 include restrictions on AI in psychological settings and prohibiting AI systems from presenting themselves as licensed mental health professionals. 

Noteworthy Federal AI Regulation Updates 

While states write the rules for how AI can be used in care delivery, the federal government is promoting AI adoption and putting it to work for critical infrastructure. The Promoting Advanced Artificial Intelligence Innovation and Security policy put forth by the Trump administration on June 2, 2026 includes the following provisions:

  • Expanded cybersecurity support for rural hospitals. The Department of Homeland Security is directed to extend cybersecurity tools and services to rural hospitals, state and local governments, and other critical infrastructure organizations within 30 days.
  • A voluntary AI cybersecurity clearinghouse. The Treasury Department will establish a clearinghouse to coordinate vulnerability scanning, validate findings, and prioritize patch distribution, which could give healthcare IT teams better intelligence for closing security gaps.
  • Early federal access to advanced AI models. The order establishes a framework for developers of “covered frontier models” to voluntarily share access with the government before release, enabling officials to evaluate cybersecurity and national security risks.
  • AI-enabled cybercrime as an enforcement priority. The Department of Justice is directed to prioritize investigations and prosecutions involving AI used to breach systems or steal data.

For more details, read our article What the Trump AI Cybersecurity Executive Order Means for Rural Hospitals.

In December 2025, HHS published a request for information (RFI) asking for public feedback on the adoption and use of AI in healthcare (comments closed in February 2026). The RFI asked about the barriers healthcare organizations face in adopting AI, including regulatory and reimbursement hurdles, as well as governance, liability, and privacy concerns. It also requested input on how AI tools should be evaluated and governed throughout the generative AI lifecycle.

Healthcare Organizations That Act Now Will Be Ready 

Healthcare lives at the intersection of federal and state regulations, which is why a clear inventory of your AI tools and strong governance practices serve you well no matter which direction policy moves.  

PrivaPlan’s guidance on AI adoption is straightforward: bring AI into your organization the same way you would any technology that touches patient data, with discipline and intention.  

That means strong data governance from day one, so you know exactly what information your AI tools can access and where it flows. It means a current and consistent Security Risk Analysis that accounts for every AI system in your environment. And it means holding every tool, vendor, and workflow to HIPAA standards throughout the entire process, from evaluation to implementation to daily use. Organizations that adopt AI this way build a sustainable and reliable compliance program.

Learn more from our other articles:  

  1. Ambient AI Scribes & HIPAA Compliance 
  2. The Notice of Privacy Practices Is More Than A Form. It’s a Promise
  3. Healthcare Leads in AI Adoption 

Start Building HIPAA Compliant AI Governance Today

AI is moving fast, and the organizations that stay ahead are the ones that build compliance into the process from the start. PrivaPlan’s guide, Ensuring HIPAA Compliance in Generative AI Systems, gives you a practical framework for evaluating risk, advising leadership, and configuring AI tools to meet HIPAA standards. Get your copy today!
