Georgia, Idaho, and California enacted new AI healthcare rules in 2026 as Congress stalls — creating compliance complexity for health systems operating across state lines.
State AI Healthcare Laws Accelerate: Georgia, Idaho, California Enact New Rules
By Hector Herrera | May 29, 2026 | Government
States aren't waiting for Congress to regulate AI in healthcare. A new wave of state legislation enacted in 2026 is creating enforceable standards for clinical AI tools — and a compliance patchwork that health systems operating across state lines will spend years navigating.
A Holland & Knight review of current and pending legislation documents the acceleration: Georgia, Idaho, and California have enacted new requirements for AI in clinical and insurance settings, while Congress remains stalled on comprehensive federal rules. The practical result is a fragmented legal landscape with meaningfully different standards depending on where the patient is located.
Georgia: The Prior Authorization Standard
Georgia's SB 544 is the most operationally significant new law in this wave. Effective January 1, 2027, it requires human physician review of all AI-generated prior authorization denials — the decisions by insurers about whether to approve or deny specific treatments, medications, or procedures.
Prior authorization has been a structural friction point in U.S. healthcare for decades. Physicians argue it delays necessary care. Insurers say it prevents inappropriate spending. AI tools that automate denial decisions are attractive to insurers because they are faster and cheaper than human review. Critics argue that AI-driven denials scale the problem: a single flawed model can generate thousands of inappropriate denials before anyone identifies the pattern.
Georgia's law draws a clear governance line: AI can inform the prior authorization decision, but a licensed physician must be accountable for any denial. The law applies to commercial insurance plans operating in Georgia and carries enforcement authority — insurers that violate it face regulatory action from the state insurance commissioner.
The framing is important. Georgia isn't banning AI from prior authorization. It's requiring that human clinical judgment remain in the loop for adverse decisions. That distinction will shape how insurers redesign their workflows before the January deadline.
Idaho and California: Patient Rights and Data Privacy
Idaho enacted requirements under which clinical AI tools handling patient data must comply with state medical privacy standards that exceed federal HIPAA minimums. AI systems processing protected health information for diagnostic or treatment recommendation purposes must:
- Notify patients when AI is being used in their care
- Offer patients the option to request human review of AI-assisted decisions
- Maintain audit logs demonstrating how AI-generated recommendations were reviewed before being acted upon
California, predictably, went further. Under guidance extending the California Privacy Rights Act framework, AI-generated clinical inferences about patients are treated as sensitive personal information subject to deletion and correction rights. If a clinical AI system infers that a patient has a condition that doesn't appear in their medical record — a prediction derived from behavioral or physiological patterns — the patient has a right to know about that inference and potentially to challenge it.
The California provision will complicate the deployment of predictive health AI tools, which often generate their most clinically valuable outputs precisely by inferring conditions or risks that haven't been formally diagnosed. A tool that predicts diabetes onset six months before a clinical diagnosis is useful to clinicians — but under the new California framework, the patient has rights over that inference.
Why Congress Is Stalled
The federal picture is familiar: committee hearings, circulating draft bills, no floor votes. The obstacles are both political and technical.
Politically, healthcare AI touches both party coalitions in uncomfortable ways. Republicans generally oppose federal regulation of private business decisions; mandating AI oversight in healthcare cuts against that posture. Democrats support consumer protections but also want AI to make healthcare more accessible and affordable, and are wary of regulations that slow deployment in ways that harm patients who could benefit.
Technically, "AI in healthcare" covers an enormous range: administrative AI (scheduling, billing, prior authorization), diagnostic AI (imaging interpretation, pathology analysis), clinical decision support (treatment recommendations, drug interaction flagging), and patient communication tools. A single federal statute would need to distinguish among these categories in ways Congress hasn't worked through.
The FDA has jurisdiction over AI as a medical device — specifically, AI that makes diagnostic or therapeutic claims — and has been active in that lane, approving AI diagnostic tools and issuing guidance on software as a medical device. But FDA jurisdiction doesn't extend to administrative AI or most clinical decision support tools that stop short of diagnosing. The gap is significant, and states are filling it.
The Compliance Challenge for Multi-State Health Systems
For hospital chains and health systems operating in multiple states, the emerging patchwork creates real operational complexity. A health system with facilities in Georgia, Idaho, California, Texas, and New York now faces different requirements for AI prior authorization review, patient notification, data privacy, inference rights, and audit documentation — depending on where the patient is located at the time of care.
That's not a compliance edge case. It's the standard operating environment for the 30 largest health systems in the country.
The practical short-term response for most systems will be to build to the highest common standard: apply Georgia's human review requirement everywhere, adopt Idaho's audit documentation as a baseline, and implement California's inference rights for all patients regardless of state. That approach is more expensive, but it's simpler than maintaining state-specific AI governance configurations for each jurisdiction.
AI vendors serving healthcare clients face equivalent pressure. Expect contract amendments, updated business associate agreements, and new model risk documentation requirements as the 2027 enforcement dates approach. Vendors that don't proactively update their compliance posture will find themselves removed from health system vendor lists by procurement teams that can't afford the exposure.
What to Watch
Georgia's January 1, 2027 effective date is the nearest hard deadline. Health insurers operating in Georgia have roughly seven months to redesign prior authorization workflows to ensure a licensed physician reviews every AI-generated denial before it is issued. That's not a long runway for systems that process thousands of prior auth decisions daily.
Watch for the first enforcement action after the law takes effect. The Georgia insurance commissioner's willingness to act — or not — will signal how the law functions in practice versus on paper.
Also watch for federal preemption debates. As state AI healthcare laws multiply and diverge, pressure will grow for a federal standard that preempts state rules — both from health systems that want uniformity and from industry groups that prefer a lighter-touch national framework to a patchwork of state requirements. The shape of any federal preemption debate will determine whether the current state-level activity results in durable governance or gets superseded.
The states aren't waiting. Healthcare AI governance is being built from the ground up.