How AI Is Used Across the Claims Review Cycle

Artificial intelligence has moved from the periphery of healthcare administration to the core of coverage decision-making. A 2025 survey by the National Association of Insurance Commissioners (NAIC), covering 93 insurance companies across 16 states, found that 84% of responding health insurers across product lines now use AI or machine learning for utilization management, disease management, and prior authorization. This is not a pilot program or a niche application — it is the operational baseline for the industry.

On the payer side, AI tools ingest patient records, clinical guidelines, and plan-specific coverage rules to determine whether a procedure or medication requires prior authorization and, increasingly, whether it meets medical necessity criteria. These systems can generate the documentation payers need and, in some implementations, issue an approval or denial without direct human involvement at the point of decision.

On the provider side, health systems deploy AI to predict which claims are likely to be denied, to preemptively gather supporting documentation, and to automate the submission and appeal process. The same technology that an insurer uses to deny a claim may be mirrored by a provider's system designed to overturn that denial — creating an automated arms race that regulators are only beginning to address.

For readers who need a deeper technical grounding in how these tools function — the NLP models that parse clinical notes, the rules engines that apply coverage criteria, and the machine learning classifiers that flag high-risk claims — ClinicalMind's Prior Authorization AI: Evidence, Adoption, and Regulatory Landscape provides a comprehensive technical overview. The competitive dynamics between insurer and provider vendors are covered in The AI Arms Race in Prior Authorization. This article focuses on the regulatory compliance crisis that has emerged as a direct consequence of this widespread deployment.

The Core Risks: Algorithmic Denials, Bias, Opacity, and Privacy Gaps

The rapid adoption of AI in coverage decisions has generated a corresponding wave of documented harms and legal risks. These are not hypothetical concerns — they are the specific problems that the 2025–2026 wave of state legislation and federal policy action is attempting to address.

Algorithmic Denials Without Meaningful Human Review

The most politically salient risk is the use of AI to deny coverage without a clinician reviewing the individual patient's circumstances. The American Medical Association reports that over 60% of physicians say unregulated AI tools systematically deny patients coverage for necessary care. When an algorithm applies a coverage rule incorrectly — or applies the right rule to the wrong clinical context — the patient may never have their case evaluated by a person with the training to catch the error.

Algorithmic Bias and Discrimination

The legal literature identifies multiple vectors for bias in administrative AI systems. Measurement errors in training data, selection bias in the populations used to train models, developer bias in feature selection, and deployment bias when a model is applied to a population different from its training set all contribute to discriminatory outcomes. The 2024 NCBI Bookshelf chapter on AI in hospital administration notes that these bias types are well-documented in the research literature but rarely addressed in vendor deployment protocols.

Black-Box Opacity in Decision Logic

Many AI tools used in claims review operate as black boxes: the system produces a decision — approve, deny, request more information — but cannot explain why. This opacity creates legal vulnerability on multiple fronts. Under ERISA, plan participants have a right to a full and fair review of denied claims, which courts have interpreted to require an explanation of the specific reasons for denial. A black-box model cannot provide that explanation. The same problem arises under state external review laws and Medicare Advantage regulations.

Privacy Vulnerabilities Under HIPAA's Limited Scope

HIPAA's privacy and security rules apply only to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates. Technology companies that develop and operate AI tools for claims review may fall outside this framework if they are not acting as business associates. The NCBI chapter highlights that de-identified data used to train AI models carries re-identification risks that current regulatory frameworks do not adequately address. Patients are often not informed that an AI system is making or influencing coverage decisions that affect their care.

The Fragmented Federal Landscape: ERISA, Medicare Advantage, and Medicaid

One of the most challenging aspects of compliance with AI-in-claims-review regulation is that there is no single federal standard. Instead, three distinct regimes apply depending on the type of coverage, and they impose different — sometimes conflicting — requirements on the same AI tool.

Three distinct federal regulatory regimes governing AI in coverage decisions, as of Q2 2026.
| Regulatory Regime | Governing Authority | Key AI-Specific Requirements | Key Gap / Uncertainty |
| --- | --- | --- | --- |
| ERISA (Employer-Sponsored Plans) | DOL / Federal courts | Fiduciary duties of prudence and loyalty; full and fair review of denied claims; no explicit AI-specific rules | No guidance on whether AI-driven denials satisfy fiduciary duties; no transparency requirements for algorithmic decision logic |
| Medicare Advantage (Part C) | CMS | 2023 final rule: denials must be based on individual clinical circumstances and reviewed by a health professional with relevant expertise | Enforcement variability across plans; unclear how AI tools can demonstrate compliance with individual review requirement |
| Medicaid Managed Care | CMS / State MCO contracts | Federal regulations require denials be made by 'an individual' with appropriate expertise; state contracts add additional requirements | Wide variation in state contract language; no federal guidance on AI-specific compliance |

The practical consequence is that a health plan operating a single AI-driven prior authorization tool across its commercial (ERISA), Medicare Advantage, and Medicaid product lines faces three different compliance standards. The same algorithm that is legally acceptable for an employer-sponsored plan in one state may violate Medicare Advantage rules or a Medicaid managed care contract in another.

Adding to the complexity, the CMS WISeR model (Wellness, Integrated Care, and Social Determinants of Health Referral) is piloting AI for prior authorization in six states, creating a test bed for federal-state collaboration that may inform future rulemaking. Meanwhile, the HTI-5 proposed rule from the Office of the National Coordinator for Health IT would eliminate some federal certification standards for health IT transparency and AI audit reporting — a move that consumer advocates argue would reduce accountability at the moment it is most needed.

The State-Level Consumer Protection Response: 12+ Laws Enacted in 2025–2026

In the absence of comprehensive federal AI legislation, state legislatures have taken the lead. As of April 2026, at least 12 states have enacted laws specifically addressing AI use in prior authorization and claims review, according to the KFF analysis published May 6, 2026. These laws cluster around six core regulatory approaches, and many states combine multiple requirements.

State-level consumer protection laws addressing AI in prior authorization and claims review, enacted as of April 2026. Source: KFF analysis.
| Regulatory Requirement | States with Enacted Laws (Examples) | What the Law Requires |
| --- | --- | --- |
| Human Review of AI-Driven Denials | Illinois | A licensed health professional must review and approve any denial of coverage that was generated or recommended by an AI system |
| Individual Clinical Circumstances | Alabama | AI-driven denials must be based on the individual patient's clinical circumstances, not solely on population-level algorithms or automated rules |
| Disclosure of AI Use | Utah | Insurers must disclose to patients and providers when AI is used in coverage decisions, including the role the AI played in the decision |
| Periodic Auditing of AI Tools | California | AI systems used in claims review must undergo periodic independent audits for accuracy, bias, and compliance with state law |
| Privacy Limits on Data Use | Maryland | Restricts the use of patient data for training or refining AI models used in coverage decisions without explicit consent |
| Audit Rights for Providers and Patients | Texas | Gives providers and patients the right to request and receive the specific algorithmic logic and data inputs that led to a denial |
| Anti-Discrimination Requirements | Washington | Prohibits AI-driven coverage decisions that result in discriminatory outcomes based on race, ethnicity, gender, or other protected characteristics |

This is a rapidly evolving landscape. Several additional states have bills in active legislative sessions, and the count of 12+ enacted laws should be verified at the time of publication. The common thread across all of these laws is a rejection of the premise that AI can make coverage decisions without human oversight, clinical context, and transparency.

  • Human review requirements (Illinois) directly challenge the fully automated denial model that some insurers have deployed.
  • Individual clinical circumstances mandates (Alabama) require that AI tools be designed to evaluate patient-specific factors, not just apply population-level rules.
  • Disclosure laws (Utah) create a transparency obligation that many current AI systems cannot meet due to their black-box architecture.
  • Audit requirements (California, Texas) impose ongoing compliance costs and may require health plans to restructure their AI procurement and deployment processes.
  • Anti-discrimination laws (Washington) create a private right of action that could lead to class-action litigation if algorithmic bias is detected.

[Figure: KFF map of U.S. states that have enacted laws regulating AI in prior authorization and claims review as of April 2026. Source: KFF.]

The Trump Administration's AI Framework and the Preemption Push

In March 2026, the Trump administration released its AI Framework, a legislative recommendation that proposes federal preemption of what it describes as 'cumbersome' state AI laws while preserving traditional state consumer protection authority. The framework is not law — it is a policy document that signals the administration's preferred direction for federal AI legislation.

The preemption recommendation creates a fundamental tension. On one side, health plans operating across multiple states argue that complying with 12+ different state AI laws is operationally burdensome and creates inconsistent patient protections. On the other side, consumer advocates and state regulators argue that federal preemption would gut the most meaningful consumer protections enacted to date, leaving patients with a weaker federal standard that may not address the specific risks of AI in coverage decisions.

For compliance teams, the preemption debate adds another layer of uncertainty to an already complex landscape. A health plan that invests in compliance infrastructure for Illinois's human review requirement may find that investment unnecessary — or legally irrelevant — if federal preemption nullifies the state law. Conversely, a plan that delays compliance in anticipation of preemption may face enforcement actions and litigation if preemption does not materialize.

The broader cost implications of this regulatory uncertainty are explored in ClinicalMind's The Administrative AI Paradox: Why Automation Is Driving Up Healthcare Costs in 2026, which examines how the compliance burden of fragmented regulation may offset the efficiency gains that AI automation promises.

What It Means for Providers, Payers, and Patients

The fragmented regulatory environment creates distinct challenges for each stakeholder group in the healthcare system.

For Providers

Health systems and physician practices face a patchwork of state-level disclosure and audit requirements that vary by patient location, not just by provider location. A multi-state health system must track which of its patients are covered by which state's AI consumer protection laws and ensure that its claims and appeals processes comply with each jurisdiction's specific requirements. The administrative burden of this compliance — building systems to identify AI-influenced denials, generate required disclosures, and maintain audit trails — falls disproportionately on providers, who are already operating on thin margins.

For Payers

Health plans must navigate conflicting federal and state rules across their product lines. The same AI tool used for prior authorization in an ERISA plan, a Medicare Advantage plan, and a Medicaid managed care plan may need to operate under three different compliance frameworks. Payers that operate nationally face the additional challenge of complying with 12+ state AI laws, each with different requirements for human review, disclosure, auditing, and anti-discrimination. The cost of this compliance — legal review, system modifications, audit infrastructure, and potential liability — is significant and growing.

For Patients

Patients face inconsistent protections depending on their coverage type and state of residence. A patient in Illinois with employer-sponsored insurance (ERISA) may have fewer protections against AI-driven denials than a patient in the same state with Medicare Advantage, because ERISA does not have the same individual review requirements. A patient in Alabama may have stronger protections for individual clinical circumstances than a patient in a state without such a law. This inconsistency undermines the principle of equitable access to healthcare and creates a system where the quality of consumer protection depends on the details of one's insurance policy and zip code.

  • Providers must build compliance systems that track state-level AI requirements across their patient populations.
  • Payers must operate the same AI tool under ERISA, Medicare Advantage, and multiple state regimes simultaneously.
  • Patients face a fragmented patchwork of protections that vary by coverage type and state of residence.
  • All stakeholders face uncertainty about whether federal preemption will simplify or disrupt the current regulatory landscape.

Outlook for 2026–2027: Legislative Momentum, Enforcement, and the Path Forward

The regulatory trajectory for AI in prior authorization and claims review points toward continued fragmentation and intensifying compliance pressure. Several trends are worth monitoring.

Continued State Legislative Activity

The 12+ states that have enacted AI laws as of April 2026 are unlikely to be the last. Multiple states have bills in active legislative sessions, and the 2027 legislative cycle is expected to bring additional proposals. The KFF analysis notes that the legislative landscape is evolving rapidly, and the count of enacted laws should be verified at the time of publication. Compliance teams should track legislative activity in every state where their organization operates.

Potential Federal Action

The Trump administration's AI Framework is a legislative recommendation, not law, but it signals the direction of federal policy. Whether Congress will act on the preemption recommendation — and in what form — remains uncertain. Even without comprehensive federal AI legislation, federal agencies have tools to act. The Department of Labor could issue guidance on ERISA fiduciary duties as they apply to AI-driven claims decisions. CMS could strengthen Medicare Advantage oversight of AI tools. The FTC could pursue enforcement actions against unfair or deceptive AI practices in claims review under its Section 5 authority.

Enforcement Risks Under Existing Laws

Even without new legislation, existing legal frameworks create enforcement risk. ERISA plan participants can sue for breach of fiduciary duty if an AI-driven denial is found to be arbitrary and capricious. State consumer protection laws provide for private rights of action, class actions, and state attorney general enforcement. The proposed Section 1557 rule (from the Biden administration) would have held covered entities liable for biased clinical algorithms — while that rule has not been finalized, the legal theory it articulated could be revived in future administrations or adopted by state courts.

The Role of Standards Organizations

Organizations like the Coalition for Health AI (CHAI) are developing assurance standards for AI in healthcare, including for administrative applications. While these standards are voluntary, they may become de facto requirements as states and federal agencies look for established frameworks to reference in regulation. Health plans and providers that align their AI governance with emerging standards may be better positioned to demonstrate compliance as the regulatory landscape evolves.

  • Track state legislative activity in every jurisdiction where your organization operates — the 12+ state count is a floor, not a ceiling.
  • Monitor the HTI-5 proposed rule and the Trump AI Framework for signals about federal preemption and health IT transparency requirements.
  • Prepare for enforcement actions under existing ERISA fiduciary duties, state consumer protection laws, and FTC authority — not just new legislation.
  • Align AI governance practices with emerging standards from CHAI and other organizations to build a defensible compliance posture.
  • Engage with the public comment process on federal rulemakings to shape the regulatory framework before it is finalized.

The use of AI in prior authorization and claims review is not going away — the operational and financial incentives are too strong. But the regulatory environment in which these tools operate is being fundamentally reshaped. The organizations that invest in compliance infrastructure, transparency, and human oversight now will be better positioned to navigate the uncertainty ahead.