This 2026 healthcare AI regulation tracker is current to July 10, 2026. It covers enacted state activity identified in the reviewed sources, not every introduced bill, agency statement, or pending proposal. Federal preemption remains unresolved, so the useful compliance question is still local and operational: which state has created a live obligation, who is covered, and what has to change in review, disclosure, escalation, or vendor governance.
The scale explains why a tracker is necessary, but it should not be mistaken for the compliance answer. In the first months of 2026, 43 states introduced more than 240 healthcare AI bills, according to Holland & Knight’s May 2026 review of state healthcare AI legislation.[1] Most organizations do not need a speech about momentum. They need to know whether a prior authorization denial now needs licensed human signoff, whether a chatbot must disclose that it is AI, whether a crisis handoff protocol is required, and whether a sandbox approval is narrow relief or general permission.

The enacted state activity in the current sources falls into four practical buckets: insurer AI decision-making, clinical oversight of AI-assisted care, chatbot and AI companion safety, and regulatory sandboxes. Those buckets are not equally mature. Insurer and chatbot laws create the clearest near-term operating duties. Clinical oversight is important but less developed in the available sources. Sandboxes are easy to misread unless the relief terms are treated as specific and conditional.

Enacted State Healthcare AI Tracker
This table separates enacted activity from broader bill volume. “Timing” is limited to dates available in the reviewed sources. Where an effective date is not supplied, the safer compliance posture is not to assume delay; it is to verify against the enacted bill text or state code before deployment, contracting, or denial-workflow changes.
| State or program | Law type | Timing available in materials | Covered entities or setting | Core obligation | Source status |
|---|---|---|---|---|---|
| Alabama | Insurer AI decision-making | Enacted in 2026; effective date not specified in reviewed materials | Insurance-specific healthcare AI use | AI may assist, but medical-necessity denials require licensed human decision-making | Identified in Manatt and Gunderson tracker materials [2][3] |
| Indiana | Insurer AI decision-making | Enacted in 2026; effective date not specified in reviewed materials | Insurance-specific healthcare AI use | AI may assist, but medical-necessity denials require licensed human decision-making | Identified in Manatt and Gunderson tracker materials [2][3] |
| Utah | Insurer AI decision-making | Enacted in 2026; effective date not specified in reviewed materials | Insurance-specific healthcare AI use | AI may assist, but medical-necessity denials require licensed human decision-making | Identified in Manatt and Gunderson tracker materials [2][3] |
| Washington | Insurer AI decision-making | Enacted in 2026; effective date not specified in reviewed materials | Insurance-specific healthcare AI use | AI may assist, but medical-necessity denials require licensed human decision-making | Identified in Manatt and Gunderson tracker materials [2][3] |
| Maryland | Insurer AI decision-making | Enacted in 2026; effective date not specified in reviewed materials | Insurance-specific healthcare AI use | AI may assist, but medical-necessity denials require licensed human decision-making | Identified in Manatt and Gunderson tracker materials [2][3] |
| Georgia | Insurer AI decision-making | Enacted in 2026; effective date not specified in reviewed materials | Insurance-specific healthcare AI use | AI may assist, but medical-necessity denials require licensed human decision-making | Identified in Manatt and Gunderson tracker materials [2][3] |
| Idaho | Chatbot and AI companion safety | Enacted in 2026; effective date not specified in reviewed materials | Patient-facing chatbot or AI companion setting described in healthcare AI legislation review | Disclosure that the user is interacting with AI; safety obligations may include crisis detection or transfer rules and limits on posing as a licensed professional | Identified in Holland & Knight 2026 review [1] |
| Nebraska | Chatbot and AI companion safety | Enacted in 2026; effective date not specified in reviewed materials | Patient-facing chatbot or AI companion setting described in healthcare AI legislation review | Disclosure that the user is interacting with AI; safety obligations may include crisis detection or transfer rules and limits on posing as a licensed professional | Identified in Holland & Knight 2026 review [1] |
| Oregon | Chatbot and AI companion safety | Enacted in 2026; effective date not specified in reviewed materials | Patient-facing chatbot or AI companion setting described in healthcare AI legislation review | Disclosure that the user is interacting with AI; safety obligations may include crisis detection or transfer rules and limits on posing as a licensed professional | Identified in Holland & Knight 2026 review [1] |
| Tennessee | Chatbot and AI companion safety | Enacted in 2026; effective date not specified in reviewed materials | Patient-facing chatbot or AI companion setting described in healthcare AI legislation review | Disclosure that the user is interacting with AI; safety obligations may include crisis detection or transfer rules and limits on posing as a licensed professional | Identified in Holland & Knight 2026 review [1] |
| Delaware | Chatbot and AI companion safety | Enacted in 2026; effective date not specified in reviewed materials | Patient-facing chatbot or AI companion setting described in healthcare AI legislation review | Disclosure that the user is interacting with AI; safety obligations may include crisis detection or transfer rules and limits on posing as a licensed professional | Identified in Holland & Knight 2026 review [1] |
| Colorado | Comprehensive AI replacement plus targeted healthcare AI bills | SB 26-189 signed May 14, 2026; effective January 1, 2027 | Broad AI governance framework with a large HIPAA-covered entity exemption from core requirements, plus targeted healthcare AI bills HB 26-1139 and HB 26-1195 | Older SB 24-205 timeline should not be treated as current after repeal and replacement | Identified in Live Compliance update dated July 2, 2026 [4] |
| Utah OAIP | Regulatory sandbox | Four regulatory relief agreements executed by March 2026 | Participants receiving specific regulatory relief under Utah’s Oversight of Artificial Intelligence in Prescribing program | Relief is agreement-specific; one agreement involved Legion Health’s autonomous prescription renewal pilot for psychiatric medications | Identified in Holland & Knight 2026 review [1] |
Insurer AI Laws: Assistance Is Not the Same as a Denial
The insurer AI laws are the most immediately workflow-sensitive part of the 2026 patchwork. At least seven states enacted insurance-specific AI laws in 2026, including Alabama, Indiana, Utah, Washington, Maryland, and Georgia, and the identified laws converge on a practical rule: AI can assist in the process, but a licensed human must make medical-necessity denials.[2][3]
That distinction matters because many payer and utilization-management workflows already distribute work across automation, clinical review, template generation, and final notice production. If an AI model flags a request, drafts a rationale, scores likely noncoverage, or routes a case away from approval, the compliance question is not merely whether the tool is “making” the decision in a product manager’s vocabulary. The question is whether the file contains a licensed reviewer’s independent medical-necessity determination before the denial leaves the organization.
The near-term operational burden sits in evidence of review. A policy that says “human in the loop” is weak if the system log shows only a rubber-stamped output, or if the reviewer sees a model-generated denial rationale without the underlying clinical record, plan terms, and applicable criteria. A stronger workflow records who reviewed the case, what license or credential qualified that person to decide, what materials were available, whether the AI output was accepted or modified, and how appeal rights were preserved.
The state-by-state variation still has to be checked before converting that principle into a national policy. The reviewed sources identify convergence on licensed human medical-necessity denials, but they do not supply identical effective dates, covered product lines, enforcement mechanisms, or documentation language for every state. A payer operating in multiple states should not flatten these laws into one generic “AI prior authorization policy” without a jurisdiction column, an effective-date column, and a citation to the primary state source.
For organizations already tracking prior authorization AI risk, the deepest implementation work is usually not the board memo. It is the queue design, reviewer training, denial letter governance, vendor contract language, audit sampling, and escalation rule for cases where the model’s recommendation conflicts with reviewer judgment. The related prior-authorization flashpoint is treated in more depth in the internal article on state laws, federal preemption, and the 2026 compliance burden, but the tracker answer is narrower: where these state laws apply, AI assistance does not replace a licensed human denial decision.
Chatbot and AI Companion Safety: Disclosure Is Only the First Control
Idaho, Nebraska, Oregon, Tennessee, and Delaware enacted chatbot and AI companion safety laws in 2026, with obligations described in the reviewed sources around disclosure that a user is interacting with AI, crisis detection or transfer to human crisis resources, and prohibitions on AI posing as a licensed professional.[1]
Those are different controls. Disclosure tells a patient, member, or user what kind of system they are engaging. Crisis escalation determines what happens when the interaction moves from ordinary support into self-harm, acute distress, or another crisis category. Professional impersonation limits address the system’s identity and authority: the tool cannot present itself as a licensed clinician when it is not one.
The mistake is to treat all of this as a banner notice problem. A chatbot can disclose “I am an AI assistant” and still mishandle risk if it continues a crisis conversation without transfer, simulates a therapeutic relationship outside the organization’s clinical model, or gives the impression that a licensed professional has reviewed a recommendation when no such review occurred. Patient trust is damaged less by the existence of automation than by a mismatch between what the tool appears to be and what the organization is actually supervising.
For digital health teams, the review should cover the full patient-facing experience, not just the model card or vendor statement. The opening disclosure, chat UI, crisis-keyword handling, transfer script, after-hours pathway, data-retention notice, and escalation log all belong in scope. If the tool is embedded in a provider portal, health plan app, employer benefit product, or behavioral health companion, the patient will not separate the vendor’s design choice from the sponsoring organization’s duty to respond.
A useful chatbot inventory therefore needs more than a yes-or-no field for “AI disclosed.” It should identify the state, use case, user population, clinical adjacency, crisis-transfer destination, staff owner, vendor owner, and test evidence. If a product operates across all five identified states, the organization should map the strictest applicable disclosure and escalation obligations, then verify whether any state-specific wording, age-related rule, or professional-licensure limitation changes the implementation.
Clinical Oversight Is a Tracker Category, Not a Blank Check for Detail
Clinical oversight of AI-assisted care belongs in the 2026 tracker, but the available sources do not support a long state-by-state doctrinal analysis. That limitation is important. It is tempting to fill the gap with general statements about clinician supervision, standard of care, or professional responsibility, but those may not describe the enacted mechanisms in any particular state.
For now, the safer use of this category is inventory and verification. Health systems should identify where AI tools influence diagnosis, treatment planning, documentation, triage, prescribing support, patient messaging, or discharge instructions, then ask whether any enacted state law imposes a specific clinical-review, disclosure, licensure, or governance obligation. That question should be answered from primary legal text or current state agency materials, not from a generic internal AI policy alone.
This is also where product classification can mislead. A vendor may describe a feature as administrative because it summarizes notes or routes messages, while clinicians experience it as part of care delivery because the output affects what gets reviewed, prioritized, or communicated. The tracker should preserve that ambiguity until counsel, compliance, and clinical leadership decide how the tool functions in the actual workflow.
Utah’s Sandbox Shows How Experimentation Can Be Specific
Utah’s Oversight of Artificial Intelligence in Prescribing program is the part of the 2026 landscape that deserves attention from organizations that want to experiment without pretending that ordinary compliance duties have disappeared. By March 2026, Utah’s OAIP sandbox had executed four regulatory relief agreements, including one involving Legion Health’s autonomous prescription renewal pilot for psychiatric medications.[1]
That example is useful precisely because it is not a general license to deploy healthcare AI wherever a company sees opportunity. A sandbox agreement should be read as a bounded permission structure: which rules are relieved, which facts made relief acceptable, which monitoring or reporting obligations remain, who supervises the pilot, what patient population is involved, and what happens if the system behaves outside expected limits.
For compliance teams, the practical distinction is between “this deployment is covered by a specific relief agreement” and “a state has a sandbox, so the market is permissive.” The first statement can be audited. The second is too vague to protect patients, clinicians, or the organization. If a pilot involves prescribing, psychiatric medication, or autonomous renewal, the relief terms, residual supervision, adverse-event handling, and patient communication should be visible before launch.
Colorado Is the Version-Control Warning
Colorado is the cleanest reminder that an AI law tracker without dates can become dangerous. Live Compliance’s July 2, 2026 update reports that Colorado repealed its comprehensive AI Act, SB 24-205, before it took effect and replaced it with SB 26-189, signed May 14, 2026 and effective January 1, 2027.[4]
The replacement matters for healthcare organizations because SB 26-189 largely exempts HIPAA-covered entities from its core requirements, while Colorado also moved targeted healthcare AI bills, HB 26-1139 and HB 26-1195.[4] An older alert that correctly described the SB 24-205 timeline when published can still be the wrong operating reference after repeal and replacement.
The lesson is not that law-firm trackers are useless. They are often the fastest way to see the field. The lesson is that every tracker entry needs a date, a status label, and a primary-source verification step before it is used to approve a product launch, rewrite a denial process, or close a vendor diligence issue.
Federal Preemption Is Context, Not an Operating Stay
Federal preemption belongs in the tracker because it could change the landscape, but it does not erase current state obligations by anticipation. Executive Order 14365, dated December 11, 2025, directed a DOJ AI Litigation Task Force; the White House also pressured Utah, where HB 340 failed, and Florida, where HB 1473 was held, while more than 60 Republican state lawmakers pushed back against federal efforts to displace state AI regulation.[1][3]
The available sources also state that no litigation targeting health AI laws had been filed as of March 2026.[1][3] That is a narrow but important point. It does not mean litigation will not arrive, and it does not mean every state law will survive a future challenge. It means a compliance team cannot treat preemption politics as a current exemption from enacted state-law requirements.
Until the federal-state question resolves in a way that changes enforceable obligations, the workable posture is state-by-state. Maintain a matrix that separates enacted laws from introduced bills, records effective dates where available, distinguishes insurer AI from patient-facing chatbot rules, flags sandbox relief as agreement-specific, and requires primary-source verification before relying on secondary summaries. That is less tidy than a national rule, but it is closer to the work organizations actually have to do.
References
- States Continue Efforts to Regulate AI in Healthcare: A Review of Legislation Passed in 2026, Holland & Knight, May 2026
- Health AI Policy Tracker, Manatt Health
- 2026 AI Laws Update: Key Regulations and Practical Guidance, Gunderson
- AI in Healthcare: The Regulatory Landscape (Federal & State), Live Compliance, July 2, 2026
Comments
Join the discussion with an anonymous comment.