1. The Regulatory Landscape
Health insurance AI is the fastest-growing category of state-level AI regulation in the United States. Over 240 bills across 43 states target AI use in insurance decisions, covering claims automation, prior authorization, underwriting, pricing, and utilization management. Six states have enacted requirements that directly govern how insurers deploy AI and algorithmic systems in decisions that affect consumer coverage and care access.
Health insurance AI regulation is distinct from general AI governance because it intersects with existing insurance regulatory frameworks, NAIC model laws, and state insurance commissioner authority. Every state insurance department already has examination authority over insurer practices. AI governance requirements layer onto this existing oversight structure, meaning noncompliance can trigger market conduct examinations, corrective action plans, and license proceedings.
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted December 2023) provides the regulatory baseline. It requires insurers to develop, implement, and maintain an AI governance program covering all AI systems used in insurance decisions. The six states covered in this guide have adopted or exceeded the NAIC baseline through legislation or insurance department action.
2. State-by-State Summary
| State | Law / Authority | Core Focus | Effective | Enforcement |
|---|---|---|---|---|
| Indiana | HEA 1304 | Prior auth AI disclosure, human review of denials | Jul 2025 | Dept of Insurance, license action |
| Alabama | Insurance Dept Bulletin (NAIC adoption) | AI governance for insurers, model risk management | 2025 | Dept of Insurance, corrective action |
| Utah | AI Policy Act (SB 149 + amendments) | AI disclosure in regulated decisions, consumer notification | May 2024 | AG enforcement, $2,500/violation |
| Washington | SB 5518 | Prior auth AI transparency, utilization management | 2025-2026 | OIC enforcement, license suspension |
| Iowa | Insurance Dept AI Guidance (NAIC adoption) | Insurance AI governance, algorithmic accountability | 2025 | Insurance Commissioner, market conduct |
| Georgia | Insurance Dept AI Requirements | AI transparency in underwriting and claims | 2025-2026 | Dept of Insurance, regulatory action |
Indiana (HEA 1304)
Indiana HEA 1304 requires health insurers to disclose when artificial intelligence or algorithmic systems are used in prior authorization decisions. When AI contributes to a claim denial, the insurer must provide human review by a qualified clinical reviewer before the denial becomes final. The law also requires that denial notices explain how AI factored into the decision in plain language that the consumer can understand.
Alabama (Insurance Department Bulletin)
Alabama adopted the NAIC Model Bulletin through an insurance department bulletin requiring all licensed insurers to establish AI governance programs. Insurers must maintain an inventory of AI systems used in underwriting, claims, pricing, and marketing. The governance program must include model risk management, bias testing, and documentation of how AI systems are validated before deployment and monitored during operation.
Utah (AI Policy Act, SB 149)
Utah's AI Policy Act was one of the first state-level AI laws in the nation (effective May 2024). It requires entities using AI in regulated transactions, including insurance, to disclose AI involvement to consumers. Subsequent amendments expanded the disclosure requirements for insurance-specific use cases, including underwriting and pricing decisions. Violations carry penalties of up to $2,500 per occurrence, enforced by the Attorney General.
Washington (SB 5518)
Washington SB 5518 targets AI use in health insurance utilization management and prior authorization. Insurers using AI or algorithmic tools to make or inform prior authorization decisions must disclose that use to enrollees and providers. The law prohibits using AI as the sole basis for denying prior authorization of medically necessary care. The Office of the Insurance Commissioner (OIC) has enforcement authority including license suspension for persistent noncompliance.
Iowa (Insurance Department AI Guidance)
Iowa adopted the NAIC Model Bulletin framework through insurance department guidance requiring insurers to establish governance over AI systems. The guidance emphasizes algorithmic accountability, requiring insurers to document AI model development, testing, deployment, and ongoing monitoring. Iowa's insurance commissioner has market conduct examination authority to verify compliance during regular examination cycles.
Georgia (Insurance Department AI Requirements)
Georgia's insurance department has implemented AI transparency requirements for underwriting and claims operations. Insurers must document the AI systems used in rate-setting and underwriting decisions, demonstrate that those systems do not produce unfairly discriminatory outcomes, and maintain audit trails for AI-driven decisions. The department has enforcement authority through its existing regulatory examination framework.
3. Common Obligations
Across the six states, ten recurring obligations emerge. Each obligation maps to one or more SWT3 procedures that produce cryptographic witness evidence:
- Prior authorization AI disclosure: Notify consumers and providers when AI influences prior authorization decisions (IN, WA, UT).
- Human review of AI-driven claim denials: A qualified clinical reviewer must review the decision before a denial becomes final (IN, WA, AL).
- Algorithmic underwriting transparency: Document and make available the AI models used in underwriting decisions (AL, GA, IA).
- Non-discrimination in AI pricing: AI pricing and underwriting models must not produce unfairly discriminatory outcomes based on protected characteristics (UT, GA, IA, AL).
- Consumer notification for AI-affected coverage: Inform policyholders when AI affects coverage, benefits, or rate decisions (IN, UT, WA, GA).
- Insurer accountability for AI vendor decisions: Insurers remain responsible for AI decisions made by third-party vendors and delegated entities (WA, AL, IA).
- AI model governance program: Maintain a formal governance structure covering AI model inventory, approval, monitoring, and risk management (AL, IA, GA).
- Decision explainability: Provide plain-language explanation of how AI influenced the decision to affected consumers (IN, WA, UT).
- Audit trail for AI-driven decisions: Maintain complete, tamper-evident records of AI model inputs, outputs, and decision rationale (all 6 states).
- Training data quality and bias testing: Ensure AI training data is representative and free of bias, with documented testing results (AL, IA, GA).
4. Obligation-to-Procedure Mapping
Each obligation maps to an SWT3 procedure that produces a cryptographic witness anchor as auditable evidence. These anchors are immutable, timestamped, and independently verifiable.
| Obligation | SWT3 Procedure | What It Witnesses | Evidence Produced |
|---|---|---|---|
| Prior auth AI disclosure | AI-TRANS.1 | Transparency disclosure when AI influences prior auth | Anchor with disclosure type, decision context, notification timestamp |
| Human review of denials | AI-HITL.1 | Clinical reviewer oversight before final denial | Anchor with reviewer qualification, review type, override authority |
| Underwriting transparency | AI-EXPL.1 | Explainability of underwriting model factors | Anchor with model factors, explanation method, recipient type |
| Non-discrimination in pricing | AI-FAIR.1 | Fairness testing of AI pricing models | Anchor with protected categories, disparate impact ratio, test date |
| Consumer notification | AI-TRANS.1 | Notification to policyholders of AI-affected decisions | Anchor with notification type, coverage impact, delivery method |
| Vendor accountability | AI-GOV.1 | Governance policy covering third-party AI vendors | Anchor with vendor identifier, liability chain, oversight model |
| AI model governance | AI-GOV.1 | Governance framework for insurance AI models | Anchor with governance body, model inventory, risk tier |
| Decision explainability | AI-EXPL.1 | Plain-language explanation of AI decision rationale | Anchor with explanation format, audience, complexity level |
| Audit trail | AI-AUDIT.1 | Immutable record of AI decision inputs and outputs | Anchor with decision identifier, model version, input hash, output hash |
| Training data quality | AI-DATA.1 | Training data representativeness and bias assessment | Anchor with data source, representativeness score, bias test date |
| Automated claim decisions | AI-AUTO.1 | Automated decisions in claims adjudication | Anchor with decisions count, human reviewed flag, decision type code |
| Consumer consent | AI-CONSENT.1 | Consumer acknowledgment of AI use in coverage decisions | Anchor with consent type, opt-out offered, legal basis |
| Clinical safety guardrails | AI-SAFE.1 | Safety constraints on medical necessity determinations | Anchor with safety constraint, override protocol, clinical context |
5. Detailed Procedure Cards
Automated Decision Notification
States requiring: IN, WA, UT, AL
What states require: Notify consumers when automated systems make or influence claim adjudication, prior authorization, or underwriting decisions. Indiana and Washington specifically require disclosure before a denial becomes final. AI-AUTO.1 captures the decision type code (insurance = 2) to differentiate insurance decisions from other automated decision categories.
How SWT3 addresses it: witnessAutomatedDecision() with factor_c = 2 (insurance category) creates an immutable record of every automated decision. The anchor captures decision count, whether human review occurred, and the decision outcome. Cross-reference with AI-HITL.1 anchors to prove that denials received clinical review.
Query AI-AUTO.1 anchors with decision_type_code = 2. Count total automated decisions versus human-reviewed decisions. For Indiana and Washington, every claim denial must have a corresponding AI-HITL.1 anchor. A denial without a paired human review anchor is a potential market conduct finding.
Fairness and Non-Discrimination
States requiring: UT, GA, IA, AL
What states require: AI pricing and underwriting models must not produce unfairly discriminatory outcomes based on race, gender, ethnicity, disability, genetic information, or other protected characteristics. Alabama and Iowa align with the NAIC Model Bulletin requirement for bias testing as part of the AI governance program.
How SWT3 addresses it: witnessFairness() records protected category testing results, disparate impact ratios, and testing methodology. Each anchor represents a documented bias test with quantifiable results, creating an audit trail of the insurer's ongoing fairness monitoring program.
Request AI-FAIR.1 anchors showing disparate impact ratios. Insurance examiners can apply the four-fifths rule (80% threshold) to evaluate pricing and underwriting outcomes across protected categories. Cross-reference with AI-DATA.1 anchors to verify that bias testing covered the same data used to train the models. Annual or more frequent testing cadence expected.
Transparency Disclosure
States requiring: IN, WA, UT, GA
What states require: Transparent disclosure to consumers and providers when AI influences insurance decisions including prior authorization, claim adjudication, and rate setting. Utah requires disclosure at the point of the regulated transaction. Indiana requires explanation in denial letters. Washington requires disclosure to both enrollees and treating providers.
How SWT3 addresses it: witnessTransparency() mints anchors with disclosure type (prior_auth_ai, coverage_decision_ai, rate_setting_ai), notification method, and recipient. Each anchor is timestamped, proving disclosure occurred at or before the point of decision.
AI-TRANS.1 anchors must precede or coincide with the corresponding AI-AUTO.1 decision anchor. A gap in disclosure anchors during active decision periods indicates potential noncompliance. For Washington, verify that both enrollee and provider received notification (separate anchors or dual-recipient notation).
Human-in-the-Loop Clinical Review
States requiring: IN, WA, AL
What states require: A qualified clinical reviewer (licensed physician, nurse, or appropriate health professional) must review AI-driven claim denials before the denial becomes final. The reviewer must have authority to override the AI recommendation. Washington specifically prohibits AI as the sole basis for denying medically necessary care.
How SWT3 addresses it: witnessHumanOversight() anchors the reviewer's qualification, review type (pre-denial clinical review), and override authority. The anchor chain proves that no denial was issued without qualified human review in the decision loop.
Every claim denial (identifiable via AI-AUTO.1 with denial outcome) must have a matching AI-HITL.1 anchor. The reviewer must be a licensed health professional, not a claims adjuster or administrative staff. Cross-reference reviewer credentials with state licensing records. A denial without a paired clinical review anchor is a market conduct violation in Indiana and Washington.
Decision Explainability
States requiring: IN, WA, UT
What states require: Provide a plain-language explanation of how AI influenced the insurance decision, understandable by the consumer. Indiana requires this explanation in denial letters. Washington requires that the explanation be sufficient for the enrollee or provider to understand the basis for the decision and pursue an appeal if desired.
How SWT3 addresses it: witnessExplainability() records the explanation method, audience (consumer, provider, regulator), and complexity level. The anchor proves that an explanation was generated and delivered, not just that the capability exists. Links to the specific decision via decision identifier cross-reference.
Verify that AI-EXPL.1 explanation_method is consumer-appropriate (plain-language summary, not raw model coefficients or SHAP values). For Indiana, the explanation must appear in the denial letter itself. For Washington, the explanation must be sufficient to support an informed appeal. Check that explanation anchors correlate with denial anchors by decision identifier.
AI Governance Framework
States requiring: AL, IA, GA
What states require: Establish and maintain a formal AI governance structure covering model inventory, approval workflows, ongoing monitoring, vendor oversight, and risk management. Alabama and Iowa align with the NAIC Model Bulletin governance requirements. Georgia requires documentation of governance structure as part of the insurer's examination file.
How SWT3 addresses it: witnessGovernance() anchors the governance body, model inventory, risk tier assignments, and vendor oversight chain. Separate anchors cover vendor accountability (documenting the insurer's responsibility chain when third-party AI systems are used in insurance decisions).
Look for AI-GOV.1 anchors with governance_body (named committee or officer), model_inventory (complete list of AI systems in use), and vendor_oversight_chain (for third-party AI). The NAIC Model Bulletin requires the governance program to be proportionate to the insurer's risk. A small health plan using one AI vendor needs documentation; a large insurer using dozens of AI systems needs a comprehensive program. Verify that the governance program covers all AI systems identified in the model inventory.
Decision Audit Trail
States requiring: All 6 states
What states require: Maintain complete, tamper-evident records of AI model inputs, outputs, decision rationale, and version history. This is the universal requirement across all six states. Every state with AI insurance requirements expects insurers to be able to produce decision records during market conduct examinations.
How SWT3 addresses it: witnessAudit() creates an immutable anchor for each auditable event with decision identifier, model version, input hash, and output hash. The anchor chain forms a continuous, tamper-evident record that can be independently verified. SWT3 Witness Anchors are cryptographically signed and timestamped, meeting the evidentiary standard for regulatory examinations.
AI-AUDIT.1 is the foundational procedure for all six states. Query anchors by date range to verify continuous audit coverage during reporting periods. Any gaps in the anchor chain during active decision-making periods are examination red flags. For market conduct exams, request the full anchor chain for a sample of decisions and verify that each decision has input hash, output hash, and model version documented.
Training Data Quality and Provenance
States requiring: AL, IA, GA
What states require: AI training data must be representative, documented, and tested for bias. Data provenance from source through model training must be traceable. The NAIC Model Bulletin requires insurers to understand the data used to train AI systems and to assess whether that data introduces unfair bias.
How SWT3 addresses it: witnessDataQuality() records data source, representativeness score, and bias test date for each training dataset. The anchor creates a verifiable chain from data sourcing through model training, documenting that the insurer assessed data quality before deploying the model.
Check AI-DATA.1 anchors for data_source and representativeness_score fields. Cross-reference with AI-FAIR.1 to verify that bias testing was performed on the same data. For insurers using third-party data, verify that the data provenance chain extends to the vendor's data sources. Underrepresentation in training data is a common source of unfairly discriminatory outcomes in insurance pricing models.
Consumer Consent
States requiring: UT, WA
What states require: Consumer acknowledgment that AI is being used in their coverage decisions. Utah requires disclosure at the point of the regulated transaction with opt-out where applicable. Washington requires that enrollees be informed of AI use in utilization management decisions.
How SWT3 addresses it: witnessConsent() records consent type (informed disclosure, affirmative consent), opt-out availability, and legal basis. The anchor proves that the consumer was informed and, where required, given the opportunity to opt out of AI-driven decision-making.
AI-CONSENT.1 anchors should predate AI-AUTO.1 anchors for the same member or policy. For Utah, verify that disclosure occurred at enrollment or at the point of the first AI-driven transaction. Check that opt_out_offered reflects the statutory requirement. Consent obtained after the AI decision was made does not satisfy the disclosure requirement.
Clinical Safety Guardrails
States requiring: IN, WA
What states require: Safety guardrails on AI systems making or influencing medical necessity determinations to prevent clinically inappropriate denials. Washington specifically prohibits AI as the sole basis for denying prior authorization of medically necessary care. Indiana requires that the human review process include clinical context sufficient to evaluate the AI recommendation.
How SWT3 addresses it: witnessSafety() records safety constraints, override protocol, and clinical context for each medical necessity determination. The anchor proves that safety guardrails were active and that clinical context was preserved throughout the decision process.
Look for AI-SAFE.1 anchors with override_protocol and clinical_context fields. For Washington, verify that no prior authorization denial was based solely on AI output (cross-reference with AI-HITL.1). For Indiana, verify that clinical context was available to the human reviewer. Absence of safety constraint anchors during periods of active prior authorization processing is a significant finding.
6. State Coverage Matrix
Each SWT3 procedure covers one or more of the six states. This matrix shows which procedures produce evidence relevant to each state's requirements:
| SWT3 Procedure | IN | AL | UT | WA | IA | GA |
|---|---|---|---|---|---|---|
AI-AUTO.1 | Yes | Yes | Yes | Yes | - | - |
AI-FAIR.1 | - | Yes | Yes | - | Yes | Yes |
AI-TRANS.1 | Yes | - | Yes | Yes | - | Yes |
AI-HITL.1 | Yes | Yes | - | Yes | - | - |
AI-EXPL.1 | Yes | - | Yes | Yes | - | - |
AI-GOV.1 | - | Yes | - | - | Yes | Yes |
AI-AUDIT.1 | Yes | Yes | Yes | Yes | Yes | Yes |
AI-DATA.1 | - | Yes | - | - | Yes | Yes |
AI-CONSENT.1 | - | - | Yes | Yes | - | - |
AI-SAFE.1 | Yes | - | - | Yes | - | - |
AI-AUDIT.1 is the only procedure required by all six states, making it the foundational evidence layer. AI-FAIR.1 and AI-TRANS.1 each cover four states, forming the next tier of coverage. Insurers operating across multiple states should implement the full set of 10 procedures to achieve comprehensive coverage.
7. Quick Reference
| Examiner Question | Where to Look |
|---|---|
| How does the insurer disclose AI use in prior authorization? | AI-TRANS.1 anchors with disclosure_type = prior_auth_ai. Must predate or coincide with the decision notification. For Washington, verify both enrollee and provider received notification. |
| Is there human review of AI-driven claim denials? | AI-HITL.1 anchors with reviewer_qualification = licensed_clinician. Must exist for every denial. Cross-reference with AI-AUTO.1 denial outcomes. Missing pairs = market conduct finding. |
| How does the insurer test for discrimination in AI pricing? | AI-FAIR.1 anchors with disparate_impact_ratio and protected_categories. Apply four-fifths rule. Annual or more frequent testing cadence expected. Cross-reference with AI-DATA.1 for data coverage. |
| What governance structure oversees insurance AI? | AI-GOV.1 anchors with governance_body, model_inventory, and vendor_oversight_chain. Governance program must cover all AI systems in the model inventory. Proportionate to risk per NAIC guidance. |
| Can consumers opt out of AI-driven decisions? | AI-CONSENT.1 anchors with opt_out_offered = true. Must predate AI-AUTO.1 anchors for the same member. Utah requires disclosure at enrollment. |
| How are AI model inputs and outputs recorded? | AI-AUDIT.1 anchors with decision_id, model_version, input_hash, output_hash. Continuous chain with no gaps during active decision periods. Covers all six states. |
| How does the insurer ensure training data is unbiased? | AI-DATA.1 anchors with data_source and representativeness_score. Cross-reference with AI-FAIR.1 to verify bias testing covered the same training data. |
| What safety guardrails prevent inappropriate denials? | AI-SAFE.1 anchors with override_protocol and clinical_context. Washington: AI cannot be sole basis for medical necessity denial. Cross-reference with AI-HITL.1. |
8. Quick Start
pip install swt3-ai
# Initialize with a health insurance profile
swt3 init --profile health-insurance --tenant YOUR_TENANT
# Run the demo to see witness anchors in action
python -m swt3_ai.demo
# Or use TypeScript
npm install @tenova/swt3-ai
npx swt3-init --profile health-insurance
Full SDK documentation: sovereign.tenova.io/docs
Create a free account: sovereign.tenova.io/signup
9. References
- NAIC Model Bulletin on the Use of AI Systems by Insurers (December 2023)
- Indiana HEA 1304 - AI in Prior Authorization (Indiana General Assembly)
- Utah Artificial Intelligence Policy Act, SB 149 (Utah State Legislature)
- Washington SB 5518 - AI in Health Insurance Utilization Management (Washington State Legislature)
- Colorado AI Act Crosswalk (SWT3 Protocol)
- Connecticut CART Act Crosswalk (SWT3 Protocol)
- Illinois AI Safety Measures Act (SB 315) Crosswalk (SWT3 Protocol)
- Cryptographic AI Evidence Quickstart (SWT3 Protocol)