This spring, a claims processor at a hospital in Maryland opened a piece of software that, up until recently, made nearly all of its own decisions. A paper trail, a quarterly report to file, and a human signature are now necessary at the end of the workflow. Washington was not the source of the change. It originated in Annapolis. And in 2026, that little detail—repeated in twelve state capitals—is beginning to define the true nature of AI in American healthcare.
If you take a moment to consider the numbers, they are impressive. Legislation pertaining to healthcare AI has been introduced in at least 43 states. Since January, twelve have signed legislation into law. Each state—Alabama, Indiana, Utah, Washington, Maryland—pulls in slightly different directions and adds vocabulary that the others didn’t consider. Speaking with compliance professionals gives me the impression that the ground is changing more quickly than anyone can map it.

Lisa Bari, who currently oversees policy at Innovaccer after working on health IT issues at CMS, put it plainly. She claimed that HIPAA has always been a patchwork and that the gaps have only gotten bigger as AI has proliferated. The statement resonated with me because it encapsulates something that most people are unaware of: the law that everyone believes safeguards their medical information was never as strong as the advertising claimed. Hospitals, insurance companies, and their suppliers were all covered. The wearable on your wrist, the chatbot you confided in last night, and the period tracker that discreetly sent your data to an advertiser were not covered.
State lawmakers have been working to close that gap. Consumer health data privacy laws have been passed in Connecticut, Maryland, Nevada, and Washington. SB 63, which was signed into law in Alabama in April, requires insurers to annually certify that their AI systems do not use group datasets to disregard medical advice. Indiana took it a step further and outlawed the use of AI as the only justification for downcoding a claim. Regardless of what the algorithm produces, Washington’s SB 5395 mandates that only certified experts make negative decisions regarding prior authorization.
It’s difficult to ignore the pattern. Prior authorization, the bureaucratic roadblock that determines whether an insurer will pay for the MRI your doctor ordered, is mentioned in almost all laws. For years, patients have been silently incensed about it. It was made worse by algorithms, which rejected claims faster than a human reviewer could. State legislators appear to have read the room, even in very conservative areas.
The federal response, meanwhile, has been more akin to a shrug. In contrast to the Biden team’s 2023 actions with GoodRx, the Trump administration has not pursued FTC enforcement of consumer health data. In December, the White House released a fact sheet indicating that preemption might be considered, cautioning that overly stringent state regulations could stifle innovation. Reporters were informed by Melissa Levine, a partner at Hogan Lovells who counsels clients on privacy, that it’s not always clear what organizations are even expected to do under the current FTC. There are costs associated with that uncertainty.
It’s becoming messy. Five distinct consent processes, five distinct reporting schedules, and five distinct definitions of what constitutes an “adverse determination” may be required for a hospital system operating in five states. Compliance officers are hiring in secret. Contracts are being rewritten by vendors. Digital health investors are reevaluating which states are worth the hassle.
And the patients? They continue entering symptoms into ChatGPT. They continue to wear the patches, watches, and rings. The rules follow the data wherever it goes, state by state, unevenly and slowly. The question that hangs over everything is whether Washington eventually intervenes with something comprehensive or chooses to preempt the states. The patchwork is the rule for the time being.

