Which states passed AI prior authorization laws in 2026?

Six states passed AI prior authorization laws in 2026: Alabama (SB 63, effective October 1, 2026), Indiana (HB 1271, effective July 1, 2026), Utah (SB 319, effective January 1, 2027), Washington (SB 5395, effective 2026), Maryland (HB 1563, effective June 1, 2026), and Georgia (SB 544, effective January 1, 2027). Each imposes different requirements around audit trails, human oversight, transparency reporting, and AI decision-making standards.

What do the new state AI prior authorization laws require from healthcare practices?

Requirements vary by state but generally fall into four categories: audit trail documentation (Alabama, Utah, Washington), human-in-the-loop review for adverse decisions (Indiana, Washington), transparency and disclosure of AI usage (Utah, Maryland), and individualized clinical decision-making rather than group-based pattern matching (Alabama, Washington). Practices operating in multiple states may need to comply with the strictest standard across all applicable laws.

How does BAM AI help practices comply with state AI prior authorization regulations?

BAM AI's prior authorization system is built with compliance-first architecture: every AI decision generates a full audit trail with timestamps and clinical reasoning, licensed professionals review all adverse determinations before they're finalized, decisions are based on individual patient clinical data rather than group datasets, and the system produces exportable compliance reports for state regulators. This design meets or exceeds the requirements of all six 2026 state AI PA laws.

My practice operates in multiple states. Which AI prior authorization law applies?

Multi-state practices should comply with the strictest applicable standard. In practice, if you build to Alabama's individual-clinical-data requirement and Washington's prohibition on AI-only denials, you'll likely satisfy the other four states as well. The safest approach is to implement full audit trails, human review for all adverse decisions, individual-level clinical analysis, and quarterly compliance reporting — which covers every 2026 state requirement.

When do the 2026 state AI prior authorization laws take effect?

The earliest deadline is Maryland's HB 1563, effective June 1, 2026, requiring quarterly reporting on AI-involved adverse decisions. Indiana's HB 1271 follows on July 1, 2026. Alabama's SB 63 takes effect October 1, 2026. Utah's SB 319 and Georgia's SB 544 both take effect January 1, 2027. Washington's SB 5395 is effective in 2026 with specific reporting timelines set by the state insurance commissioner.

6 New State AI Prior Authorization Laws in 2026 — Is Your Practice Compliant?

Six states passed laws regulating AI in prior authorization between March and May 2026. Alabama, Indiana, Utah, Washington, Maryland, and Georgia each enacted legislation that imposes new requirements on how AI systems can be used to approve, deny, or modify healthcare authorization decisions. If your practice uses AI for prior authorization — or your payers do — these laws directly affect your compliance obligations starting as early as June 2026.

This isn't a theoretical regulatory wave. Maryland's reporting requirements take effect in five days. Indiana's human-review mandate kicks in July 1. And if your AI prior authorization tool can't produce an audit trail, you're already behind.

6
States passed AI prior authorization laws in 2026 — with more drafting similar legislation

Why States Are Regulating AI in Prior Authorization Now

The timing isn't accidental. Payer adoption of AI in claims and authorization decisions has accelerated dramatically. A 2026 HFMA survey found that payers now route claim decisions "almost 100% to AI" at initial review. Providers report rising denial rates — 74% of physicians say denials have increased over the past two years, according to the AMA.

States are responding to a specific pattern: AI systems denying or delaying care based on algorithmic pattern-matching rather than individual clinical review. Several high-profile cases — including federal CMS enforcement actions — made clear that existing regulations weren't designed for AI-driven authorization decisions.

The result: a patchwork of state laws that impose overlapping but distinct requirements on AI prior authorization systems. For practices operating in multiple states, compliance now means meeting the strictest applicable standard.

State-by-State Breakdown: What Each Law Requires

Alabama — SB 63 (Effective October 1, 2026)

Alabama's law is one of the most prescriptive. It requires insurers using AI in prior authorization to base decisions on individual medical history — not group datasets or population-level patterns. The law also mandates annual AI accuracy certification, meaning insurers must demonstrate their AI systems meet accuracy benchmarks each year.

For practices, this means your AI prior authorization tool must document that each decision was informed by the specific patient's clinical data, not statistical proxies. If you're using an AI system that flags authorization requests based on diagnosis-level patterns without reviewing individual records, Alabama's law could make those decisions unenforceable.

Indiana — HB 1271 (Effective July 1, 2026)

Indiana targets two specific AI behaviors. First, it prohibits AI as the sole basis for downcoding claims without physician review. If a payer's AI system reclassifies a procedure code to a lower-reimbursement level, a licensed physician must review and approve that decision.

Second — and this cuts both ways — the law prohibits providers from submitting AI-generated claims without billing professional review. If your practice uses AI to generate claims or authorization requests, a human billing professional must review them before submission. This is the first state law that explicitly regulates provider-side AI in claims, not just payer-side.

Utah — SB 319 (Effective January 1, 2027)

Utah's law centers on transparency and disclosure. Insurers must disclose AI usage in prior authorization to three audiences: state regulators, providers, and patients. If an AI system was involved in an authorization decision, all three parties must be informed.

The law also requires that licensed professionals make adverse determinations independently from AI. The AI can assist, analyze, and recommend — but the final denial must come from a human professional who exercised independent judgment, not simply rubber-stamped the algorithm's output.

Washington — SB 5395 (Effective 2026)

Washington's law is the broadest. It prohibits relying solely on AI to deny, delay, or limit healthcare services in prior authorization. Every adverse decision requires human clinical review. The law also mandates that AI systems account for individual clinical conditions — not just diagnostic codes — and requires periodic performance review of AI systems with reporting to the state insurance commissioner.

For practices, Washington's law essentially requires full human-in-the-loop architecture for any AI system involved in authorization decisions. Fully automated denial workflows are explicitly prohibited.

Maryland — HB 1563 (Effective June 1, 2026)

Maryland takes a reporting-first approach. Insurers must submit quarterly reports of adverse decisions that include whether AI was used in the determination process. This creates a regulatory paper trail that state authorities can audit.

While Maryland's law doesn't prohibit AI-only decisions outright, the reporting requirement creates strong incentives for insurers to maintain human oversight — because every AI-driven denial will appear in regulatory filings. Practices should expect payers in Maryland to request more documentation to support their compliance reporting.

Georgia — SB 544 (Effective January 1, 2027)

Georgia's law is the most permissive. It explicitly permits insurers to use AI in prior authorization for automation and decision-making. While this may sound like a green light, the significance is in the explicit authorization — it establishes a regulatory framework where AI usage is acknowledged and can be regulated, rather than operating in a gray area.

For practices in Georgia, this means AI-driven authorization decisions will have clear legal standing, but also clear regulatory oversight as the framework matures.

The Compliance Matrix: What Your AI System Needs

Across all six laws, four compliance requirements emerge:

Requirement	States	What It Means
Full audit trails	AL, UT, WA, MD	Every AI decision must be logged with timestamps, clinical inputs, reasoning, and outcome
Human-in-the-loop	IN, WA, UT	Licensed professionals must independently review adverse AI decisions before they're finalized
Individual clinical data	AL, WA	Decisions must reflect individual patient history, not group-level statistical patterns
Transparency reporting	UT, MD	AI usage must be disclosed to regulators, providers, and/or patients

If your practice operates in any of these states — or serves patients insured by carriers operating in them — your AI prior authorization system needs all four capabilities. The most practical approach: build to the strictest standard (Alabama + Washington) and you'll satisfy the rest.

What This Means for Your AI Prior Authorization Vendor

Not all AI prior authorization tools are built for this regulatory environment. Ask your vendor these four questions:

Does your system generate a complete audit trail for every decision? Not just a final output log, but the clinical inputs, the AI's reasoning chain, and a timestamp for every step. Alabama and Washington require this level of documentation.
Can a licensed professional review and override AI decisions before they're sent? Indiana and Washington require human review for adverse decisions. If your system auto-submits without a review step, you have a compliance gap.
Does the AI analyze individual patient records or group-level patterns? Alabama explicitly prohibits group-dataset-based decisions. Your AI must demonstrate that each authorization decision was informed by the specific patient's clinical data.
Can the system produce compliance reports for state regulators? Maryland requires quarterly reporting. Utah requires disclosure to regulators, providers, and patients. If your system can't export this data, you'll be assembling reports manually.

How BAM AI Meets Every 2026 State Requirement

BAM AI's AI prior authorization system was designed with compliance-first architecture — not retrofitted after regulations passed. Here's how it maps to the 2026 state requirements:

Audit trail architecture: Every AI decision generates a complete, immutable audit trail — clinical inputs, reasoning chain, timestamps, and outcome. Meets Alabama, Utah, Washington, and Maryland requirements out of the box.
Human-in-the-loop by design: All adverse determinations route to licensed professionals for independent review before finalization. The AI assists and recommends; humans decide. Meets Indiana, Washington, and Utah mandates.
Individual clinical analysis: BAM AI processes each patient's specific medical history, clinical notes, and treatment context — never relying on group-level statistical proxies. Meets Alabama and Washington's individualization requirements.
Exportable compliance reporting: Built-in reporting generates quarterly summaries of AI-involved decisions, exportable in formats required by Maryland and Utah regulators.

The result: practices using BAM AI for insurance verification and prior authorization don't need to scramble for compliance as each state deadline arrives. The architecture already meets the requirements.

The Multi-State Practice Problem — And How to Solve It

If your practice operates across state lines, compliance gets complicated fast. A dermatology group with locations in Alabama and Indiana faces both individual-data requirements and human-review mandates. A hospital system spanning Washington and Maryland needs human-in-the-loop review and quarterly regulatory reporting.

The practical solution: implement the union of all requirements. Build your AI workflow to the strictest applicable standard — full audit trails, human review for all adverse decisions, individual-level clinical analysis, and quarterly compliance reporting. This covers every 2026 state law and positions you for the additional states likely to pass similar legislation in 2027.

BAM AI's denial management and prior auth systems are designed for exactly this multi-state scenario — one compliance architecture that satisfies every jurisdiction.

What Comes Next: The 2027 Regulatory Forecast

The six 2026 laws are the first wave. At least twelve additional states have introduced AI healthcare bills that are expected to advance in 2027 legislative sessions. The pattern is clear: the states that passed laws in 2026 are setting the template for national adoption.

Federal action is also converging. CMS's CMS-0057-F rule mandating electronic prior authorization for Medicare Advantage plans creates a federal baseline that aligns with state transparency requirements. Practices that build compliance infrastructure now — rather than waiting for a federal mandate — will avoid the scramble when national standards arrive.

"The practices that treat AI compliance as infrastructure — not a checkbox — will have a structural advantage as regulation expands. Build it right once, and every new state law is a configuration change, not a rebuild."