AI Disclosure Laws Are Here: What the 2026 State Rules Mean for Your Practice
HIPAA is no longer the only rulebook for clinical AI. In 2025 and 2026, California, Texas, Utah, Illinois, and others passed laws governing whether you tell patients an AI was involved in their care — and they hit AI scribes and patient-messaging tools directly. Here is what is actually in effect.
For years, "is it HIPAA compliant?" was the only compliance question most practices asked about an AI tool. In 2026, that question is no longer enough.
A second layer of regulation has arrived — a patchwork of state laws that govern not how patient data is secured, but whether patients are told that an AI was involved in their care at all. If you use an AI medical scribe, an AI patient-communication tool, or anything that drafts clinical notes or messages, these laws apply to you.
Here is an honest map of what is actually on the books as of mid-2026 — with a practical checklist at the end.
HIPAA secures data. These laws demand disclosure.
HIPAA is about confidentiality, integrity, and the safeguards around protected health information. It says almost nothing about transparency — whether a patient knows that a generative model, rather than their clinician, wrote the after-visit summary sitting in their inbox.
That is the gap the new state laws fill. Almost all of them share a single idea: when AI touches a patient's care, the patient, and often a licensed human, should know. If you want the HIPAA fundamentals first, start with "What Does HIPAA Compliance Actually Mean for AI Tools?"
California — AB 3030 (in effect since January 1, 2025)
California was first out of the gate. AB 3030 requires any health facility, clinic, or physician's office that uses generative AI to produce written or verbal communications containing patient clinical information to include a clear disclaimer that the message was AI-generated, along with instructions on how to reach a human clinician.
Two details matter most:
- There is a human-review exemption. If a licensed or certified clinician reads and reviews the AI-drafted communication before it goes out, the disclaimer requirement does not apply. This is the single most important carve-out in the entire landscape — and a strong argument for keeping a human in the loop.
- It only covers clinical information. Appointment reminders, billing, and scheduling are explicitly excluded.
Texas — TRAIGA / HB 149 (in effect since January 1, 2026)
The Texas Responsible Artificial Intelligence Governance Act took effect on January 1, 2026. For healthcare, its core requirement is disclosure: providers must tell patients (or their representatives) when an AI system is used in their diagnosis or treatment, before or at the time of the interaction — except in emergencies, where disclosure can follow as soon as is reasonable.
Notably, the law expects you to disclose when AI is used, not to rely on a blanket "AI may be used" line buried in intake paperwork. Enforcement sits with the Texas Attorney General (there is no private right of action), with civil penalties reported in the $10,000 to $200,000 per-violation range.
Utah — AI Policy Act amendments (in effect since May 7, 2025)
Utah's AI Policy Act already required disclosure when consumers interact with generative AI, with heightened duties for licensed professions including healthcare. In May 2025, a set of amendments sharpened it. The most relevant, HB 452, targets mental-health chatbots: they must clearly tell users they are AI and not human, may not sell or share individually identifiable health information, and face limits on advertising. Violations can draw administrative fines of up to $2,500 each.
Illinois — the WOPR Act / HB 1806 (signed August 2025)
Illinois drew one of the brightest lines in the country. The Wellness and Oversight for Psychological Resources Act says AI may not deliver therapy, make independent therapeutic decisions, interact directly with clients in therapeutic communication, or generate treatment plans without a licensed professional's review.
What remains permitted is telling: administrative AI — drafting therapy notes, prepping files, scheduling, and billing — is still on the table, as long as a licensed clinician stays in charge of clinical judgment. For solo therapy practices, that distinction is the whole ballgame: an AI scribe that documents your session is fine; an AI that decides the treatment is not.
Maine has moved in a similar direction, restricting licensed mental-health professionals to administrative AI and requiring patient consent before using ambient listening or recording tools — a rule that lands directly on how AI scribes work.
Colorado: a cautionary tale about moving targets
Colorado's experience is the best argument against over-committing to any single state's framework. The original Colorado AI Act (SB 24-205), passed in 2024, was meant to impose broad "high-risk AI" duties — including for healthcare decisions. Instead, its effective date was pushed back more than once, and in May 2026 the legislature repealed and replaced it with a narrower law that delays the rules to January 1, 2027 and drops most of the risk-assessment obligations in favor of simpler disclosure and transparency requirements.
The lesson: these laws are still being written and rewritten in real time. Build your process around the durable principle — disclosure plus human oversight — not the fine print of one statute.
The quieter front: insurers and prior authorization
Disclosure laws aimed at clinicians are only half the story. A parallel wave of 2026 legislation targets payers, requiring human review and transparency when AI influences utilization review, claims, or prior authorization decisions. If your practice fights denials, expect more states to demand a human signature behind an AI-generated "no."
What this means if you use an AI scribe
You do not need a law degree to stay on the right side of this. A practical checklist:
- Know your state — and your patients' states. Telehealth across state lines means more than one rulebook may apply.
- Keep a human in the loop. Nearly every framework treats clinician-reviewed AI output more favorably. Reviewing and signing your AI-drafted notes is not just good practice; it is often the legal exemption.
- Get consent for ambient recording. Some states now require it explicitly. A one-line disclosure to the patient before you hit record is cheap insurance.
- Disclose AI-generated patient messages. If a tool writes directly to patients without clinician review, you likely owe them a disclaimer and a way to reach a human.
- Read the vendor's data terms, not just the BAA. Confirm whether your inputs are used to train models and how long data is retained. More on that in "Can You Trust AI Scribe Notes?"
The throughline
Strip away the bill numbers and the same two ideas appear in every state: tell patients when AI is involved, and keep a licensed human responsible for clinical decisions. Tools that make both easy — visible disclosures, clinician review built into the workflow, and clear data terms — are the ones that will age well as the rules keep changing.
This article is for general information only and is not legal advice. AI and healthcare laws are changing rapidly and vary by state; consult qualified counsel before relying on any specific rule. Always verify a vendor's current compliance posture directly with the vendor.