Every State Is Writing Its Own AI Rulebook. Washington Hasn't Started.

If you're waiting for one clean federal law to tell your hospital how to handle AI disclosure, prior authorization, and clinical documentation, stop waiting. It isn't coming, at least not on any timeline that matters to you. In 2025 alone, lawmakers in 47 states introduced more than 250 bills regulating AI in healthcare, and 34 of them became law across 21 states. Texas has one of the most far-reaching clinical AI disclosure laws in the country. Rhode Island just passed its own. Iowa's took effect July 1. Meanwhile, the federal government's actual energy this year has gone into deciding which companies get to use the most powerful AI models and negotiating equity stakes in AI companies, not into building the compliance framework your revenue cycle team needs on Monday morning.

‍Here's what's actually on the books, what it means for your organization, and why "we'll wait for federal guidance" stopped being a defensible compliance strategy a while ago.

‍ ‍

How Many States Actually Have AI Healthcare Laws Right Now?‍ ‍

More than you'd guess if your only exposure to this topic is a conference keynote. According to a December analysis from Manatt Health, states are expected to remain the primary regulators of healthcare AI through 2026, and at least four states have enacted laws that directly govern how health systems must disclose or limit AI use in clinical care, with dozens more bills advancing this year. That number is a floor, not a ceiling. It grows every legislative session, and it grows unevenly, which is exactly the problem. A disclosure standard that satisfies Texas regulators does not automatically satisfy Rhode Island's, and neither one tells you a thing about what New York or Illinois will require next year.

‍ ‍

What Does Texas Actually Require Under TRAIGA?‍ ‍

The Texas Responsible Artificial Intelligence Governance Act is the one everyone else is watching. Under TRAIGA, healthcare providers must give patients or their personal representatives conspicuous written disclosure whenever an AI system is used in diagnosis or treatment, delivered before or at the time of the clinical interaction, with a narrow exception for emergencies. It took effect January 1, and it's already forcing a real answer to a question most compliance teams have been avoiding: what actually counts as "AI-assisted" in a way a patient would care about.‍ ‍

Two of the state's largest systems landed on a similar answer without coordinating with each other. University Health in San Antonio built its standard around what a reasonable patient would consider AI-generated or AI-assisted in the context of a diagnosis or treatment decision, folding that language into its existing general consent process rather than inventing a new one. Houston Methodist took the same approach, weighing whether a use is external-facing and whether a patient would naturally recognize AI's involvement, then building disclosure into consent forms it already had. Neither system reported meaningful patient pushback. Both reported that patients mostly wanted a little context, not a reason to panic.‍ ‍

That's the actual lesson buried in this story, and it's a useful one. Compliance didn't require a new department or a six-figure vendor contract. It required rewriting language you already had.

‍ ‍

What Other States Have Already Passed AI Disclosure Rules?‍ ‍

Rhode Island's General Assembly approved legislation requiring healthcare providers and facilities to notify patients whenever AI tools are used to document an in-person or telehealth visit, with the patient given the option to opt out. The bill's sponsor, a primary care nurse practitioner herself, was explicit about the tradeoff: AI scribes have measurably cut the time clinicians spend on documentation, and the bill is designed to preserve that benefit while keeping patients informed rather than surprised.‍ ‍

Iowa took a different angle entirely. Its new law, effective July 1, prohibits utilization review organizations from using an AI-based algorithm or system as the sole basis for denying, delaying, or downgrading a prior authorization request on medical necessity grounds. It's a narrower rule than Texas's, but it points at a different, equally real risk: not "did the patient know AI was involved," but "did AI alone decide whether the patient gets care."‍ ‍

Four other states, Washington, Florida, and the federal loan-cap changes tied to the same July 1 window, round out this cycle's wave of healthcare policy taking effect, a reminder that AI regulation is landing in the middle of an already crowded compliance calendar, not on its own dedicated track.

‍ ‍

Where Is the Federal Government On All of This?‍ ‍

Mostly, listening. HHS spent late 2025 collecting public comment through a formal request for information on how the agency could use its regulatory, research, and reimbursement powers to speed up responsible AI adoption, and it drew more than 7,000 responses. The takeaway HHS shared back with the industry in June was candid: the sector wants coordination across agencies, practical implementation guidance, and evaluation tools to tell a good AI product from a bad one, and right now it has none of the three in any standardized form. The FDA has said it's preparing rules proportionate to risk and expects to release ideas for public comment soon, but declined to give specifics, which is a polite way of saying not yet.‍ ‍

Meanwhile, the parts of the federal AI conversation that have moved with real urgency this year have had almost nothing to do with clinical compliance. In June, the Commerce Department temporarily blocked Anthropic's most capable AI model over concerns it could be misused for cybersecurity exploitation, then restored access to more than 100 approved institutions after two weeks of negotiation, a stretch of time hospital leaders were watching closely given how much of their own infrastructure runs on the exact kind of legacy systems that model is good at finding holes in. Separately, OpenAI has been in early talks about giving the federal government an equity stake in the company itself. Both stories are legitimate and worth tracking. Neither one tells a compliance officer what to put in a consent form.‍ ‍

That gap is the whole point of this piece. Washington is actively shaping AI's industrial and national security posture. It has not yet meaningfully shaped clinical AI compliance. States have filled that vacuum, state by state, unevenly, and they will keep doing it whether or not your organization is paying attention.

‍ ‍

What Should Hospitals and RCM Leaders Actually Do Right Now?‍ ‍

Treat the patchwork as the permanent condition, not a transitional phase you're waiting out. A few concrete moves, based on what's actually working for the systems already living under these laws:‍ ‍

  • Build disclosure into consent infrastructure you already have. University Health and Houston Methodist both proved this works. You don't need a new form. You need a defensible standard for what counts as AI-assisted care, written into the forms already in your intake workflow.

  • Write your standard around the patient's perspective, not the vendor's. Both Texas systems anchored their disclosure trigger on what a reasonable patient would recognize as AI involvement. That's a more durable compliance standard than trying to track every backend tool, because it survives the next vendor swap.

  • Track prior authorization exposure separately from documentation exposure. Iowa's law is a reminder that "AI touched this decision" and "AI was the whole decision" are two different compliance risks with two different fixes. Don't let one disclosure policy quietly try to cover both.

  • Assume every state session adds to the pile. This isn't a one-time compliance project you close out. It's an ongoing operational function, the same way payer contract review is, and it needs an owner, not a task force that meets twice a year.

‍ ‍

Frequently Asked Questions‍ ‍

Is there a federal law requiring AI disclosure in healthcare? Not yet. As of mid-2026, AI disclosure and use requirements in clinical care are being written and enforced almost entirely at the state level. HHS has gathered industry feedback and signaled that broader federal rulemaking is coming, but has not published specifics.‍ ‍

Which states currently require AI disclosure in patient care?Texas and Rhode Island both have laws on the books requiring providers to disclose AI use in diagnosis, treatment, or clinical documentation. At least four states total have enacted laws directly governing healthcare AI disclosure or limits, according to a December 2025 Manatt Health analysis, with dozens more bills advancing in 2026 sessions.‍ ‍

What is the Texas Responsible Artificial Intelligence Governance Act (TRAIGA)?TRAIGA requires healthcare providers to give patients conspicuous written disclosure whenever AI is used in diagnosis or treatment, delivered before or at the time of the clinical interaction, with an exception for emergencies. It took effect January 1, 2026.‍ ‍

Can AI alone deny a prior authorization request? In Iowa, no. As of July 1, 2026, Iowa law prohibits utilization review organizations from using an AI-based algorithm as the sole basis for denying, delaying, or downgrading a prior authorization request on medical necessity grounds. Rules vary by state, and most states do not yet have an equivalent law.

Next
Next

I Forecast the Future of Revenue Cycle Management From a Travel Company. Here's Why That Makes Me Better At It.