Introduction: AI Regulation at a Crossroads
Artificial intelligence is rapidly transforming how health insurance payers handle prior authorization and claims review. Meanwhile, lawmakers at both the federal and state levels are scrambling to set the rules of the road. As a result, payers now face a patchwork of competing regulations — and the stakes are high.
A May 6 KFF issue brief examined where AI-related insurance policies currently stand and outlined what role the federal government may play going forward. Health plans and payers must stay alert: understanding this evolving landscape is no longer optional — it is a compliance priority.
ERISA and Self-Insured Plans
How Federal Law Limits State Reach
The Employee Retirement Income Security Act (ERISA) typically shields private employers’ self-insured plans from most state insurance laws. Therefore, state-level AI regulations may not directly apply to these plans. Instead, the federal government oversees self-insured employer-sponsored coverage.
Even so, ERISA is not silent on quality standards. The law still mandates “full and fair” reviews of all benefit claims. This means that while states cannot easily regulate the AI tools used by self-insured plans, federal standards continue to apply. For payers managing self-insured employer accounts, this distinction is critical.
Federal AI Framework: Promise and Risk
A Double-Edged Sword for Payers
A unified federal AI framework could simplify compliance, especially for insurers operating across multiple state lines. However, the picture is complicated. The Trump administration has made removing barriers to AI adoption a central legislative priority. As a result, any new federal framework could potentially lower the consumer protection bar that many states have already established.
Furthermore, federal guidance on AI use within Medicaid and Medicare remains limited. This gap leaves payers operating in government programs in an uncertain position. Until clearer federal rules emerge, compliance teams must monitor both federal signals and state-by-state developments simultaneously.
States Leading the Way on AI Rules
Nine States Have Already Acted
In the absence of strong federal direction, states have moved quickly. As of April 28, nine states had enacted laws specifically addressing AI use in prior authorization or claims review. Those states are California, Illinois, Maryland, Texas, Nebraska, Washington, Utah, Indiana and Alabama.
What These Laws Generally Cover
State AI laws in this space typically focus on transparency, human oversight and non-discrimination in algorithmic decision-making. Additionally, several states require insurers to disclose when AI tools are involved in coverage decisions. Payers operating in multiple states must therefore build compliance frameworks that accommodate this growing list of state mandates.
The variation across states creates operational complexity. A prior authorization AI system compliant in Texas may require modification to meet California’s standards. Accordingly, payers should audit their AI tools against each applicable state law now — rather than waiting for enforcement actions.
HIPAA’s Limits in the Age of AI
Data Gaps Payers Cannot Ignore
Many payers assume HIPAA fully protects all health data flowing through AI systems. However, this assumption is flawed. HIPAA’s scope covers health plans, providers and clearinghouses — but it does not automatically extend to third-party technology vendors or AI companies that process that data on their behalf.
This gap creates meaningful security and privacy risks. When payers share patient data with external AI vendors, that data may fall outside HIPAA’s protections unless proper Business Associate Agreements are in place. Moreover, state privacy laws may not fill this gap consistently. Payers must therefore conduct thorough due diligence on every AI vendor in their ecosystem to confirm that its data governance standards meet both legal and ethical requirements.
Medicare’s WISR Model and AI Vendors
New Prior Authorization in Traditional Medicare
The Wasteful and Inappropriate Services Reduction (WISR) Model introduced prior authorization requirements in traditional Medicare across six states. Notably, this model relies on several technology vendors — and some of these vendors actively use AI in their processes.
Congressional Pushback
Democratic lawmakers have raised concerns about AI-driven decision-making within the WISR model. Earlier Medicare Advantage guidance and regulations do provide some guardrails: algorithms cannot determine medical necessity without considering each patient’s individual circumstances. Nevertheless, the use of AI vendors in traditional Medicare prior authorization marks a significant new frontier for regulatory scrutiny.
Payers participating in or affected by the WISR model should closely review their vendor contracts. They should also ensure that AI tools used by those vendors comply with existing Medicare Advantage algorithmic guidance, even where strict rules for traditional Medicare remain underdeveloped.
Legal Actions Shaping Future AI Policy
Court Cases Are Setting Precedents
Legal challenges involving AI algorithms in coverage denials are increasingly prominent. Courts are actively grappling with how to assess algorithmic decision-making in the context of benefit denials — and their rulings will likely shape both regulatory and industry approaches for years to come.
These cases matter because they often expose gaps in existing policy. For instance, litigation involving AI-driven denial decisions has raised questions about transparency, explainability and the adequacy of appeals processes. Payers should therefore monitor active cases closely, as settlement terms and judicial decisions may foreshadow new regulatory requirements.
What Payers Should Do Now
Practical Steps for Compliance
Payers must act proactively rather than reactively. First, conduct a full audit of all AI tools used in prior authorization and claims review — and map each tool against applicable state laws. Second, review vendor contracts to ensure HIPAA-compliant data handling and appropriate Business Associate Agreements. Third, track the nine states that have already passed AI laws and monitor pending legislation in others.
Additionally, engage compliance and legal teams now on how a potential federal framework could interact with existing state protections. The regulatory environment is shifting fast. Payers who build flexible, layered compliance structures today will be far better positioned when new federal rules arrive.