AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← DirectoryCompare with another →
Must ComplyRegulationUSHigh riskLimited risk

California Health Care Services AI Act Disclosure Requirements

Issued by

California State Legislature

liveEffective 2026-01-01CA-HCSAIVerified April 2026

California law requires healthcare providers that use generative AI to communicate with patients to disclose that the communication was AI-generated and to provide clear instructions for reaching a human representative. The requirement applies to covered health care service providers operating in California. It is intended to ensure patients are not misled about the nature of the entity they are interacting with when seeking health information or services.

Applies To

Large enterpriseSMBAI deployerPublic sector

Overview

The California Health Care Services AI Act Disclosure Requirements establish a binding obligation on healthcare providers in California to notify patients when generative AI is used in patient-facing communications, including messages, responses, and related interactions. Covered entities must disclose the AI-generated nature of the communication and supply patients with a readily accessible pathway to contact a human staff member or representative. The law is part of a broader trend of state-level AI transparency mandates targeting high-stakes consumer contexts, particularly in healthcare where patient reliance on communications can have clinical consequences. Enforcement is presumed to fall under existing California health care regulatory oversight, potentially including the Department of Managed Health Care and the California Department of Public Health, though specific penalty structures should be confirmed against the enacted text. Several other states are actively evaluating analogous requirements covering clinical decision support tools and automated insurance claims adjudication. Enterprises operating multi-state health care operations should monitor parallel legislative developments that may impose additional or overlapping obligations.

Key Requirements

  • Disclose to patients when any patient-facing communication is generated or substantially produced by generative AI
  • Provide clear, accessible instructions within the communication for how the patient can contact a human representative
  • Disclosure must be present at the point of the AI-generated communication, not solely in general terms of service or privacy notices
  • Applies to healthcare providers subject to California jurisdiction that deploy generative AI in patient communication workflows
  • Compliance required as of January 1, 2026, for covered entities
  • Note: specific penalty amounts and enforcement agency authority should be verified against the enacted statutory text, as confidence in granular details is medium

What Your Organization Must Do

  • Audit all patient-facing communication channels by October 1, 2025 to identify any workflows where generative AI produces or substantially contributes to messages, responses, or interactions delivered to patients in California.
  • Assign a named compliance owner, such as the Chief Compliance Officer or VP of Health Informatics, to oversee implementation and serve as the internal point of contact for the California Department of Managed Health Care and California Department of Public Health inquiries.
  • Implement inline disclosure language in every AI-generated patient communication by January 1, 2026, stating clearly that the message was produced by generative AI. Confirm disclosures appear at the point of communication and not only in terms of service or privacy notices.
  • Build and test a prominent, accessible human escalation pathway within each AI-generated communication, such as a direct phone number, chat transfer option, or staffed email address, and validate that the pathway functions correctly before the January 1, 2026 deadline.
  • Update vendor contracts and business associate agreements for any third-party generative AI platforms used in patient communication to require contractual commitments to disclosure-compatible outputs and to allocate liability for non-compliant communications.
  • Monitor parallel state legislative developments in other jurisdictions where your organization operates, flagging any analogous disclosure mandates in states such as New York, Texas, or Illinois, and maintain a rolling compliance calendar updated at least quarterly to capture new effective dates and requirements.

Playbook Guidance

Step-by-step implementation guidance for compliance teams.

04What are our obligations under emerging AI regulations?06What does meaningful human oversight look like for high-risk AI decisions?07How do we handle AI-generated content and hallucinations?24What does audit-ready AI documentation look like in practice?11How do we ensure human-in-the-loop review is actually effective?

Frequently Asked Questions

Which healthcare providers must comply with CA-HCSAI by January 1, 2026?
Any covered healthcare service provider operating in California that uses generative AI to produce or substantially contribute to patient-facing communications must comply. This includes health plans, hospitals, medical groups, and telehealth platforms subject to California jurisdiction, regardless of where the provider is headquartered.
Does the CA-HCSAI disclosure requirement apply to AI tools embedded in third-party patient portal or EHR vendor platforms?
Yes. If a third-party platform generates or substantially produces a patient-facing communication on behalf of a covered provider, the disclosure obligation still applies to the provider. Contracts and business associate agreements with those vendors should require disclosure-compatible outputs and allocate liability for non-compliant communications.
Is it sufficient to disclose AI use in a general privacy notice or terms of service to satisfy CA-HCSAI?
No. The law explicitly requires disclosure at the point of the AI-generated communication itself. A one-time reference buried in a privacy policy or terms of service does not satisfy the requirement. Each AI-generated message must contain an inline disclosure and a pathway to reach a human representative.
What specific information must appear in a compliant CA-HCSAI disclosure?
Each AI-generated patient communication must state that it was produced by generative AI and must include clear, accessible instructions for contacting a human staff member. The human escalation option must be readily usable, such as a direct phone number, staffed email address, or live chat transfer, not simply a general contact page.
What enforcement agency oversees CA-HCSAI and what are the penalties for non-compliance?
Enforcement is expected to fall under the California Department of Managed Health Care and the California Department of Public Health, consistent with their existing healthcare oversight authority. Specific penalty amounts have not been confirmed with high certainty and should be verified against the enacted statutory text before finalizing your compliance program.
How does CA-HCSAI compare to other state AI disclosure requirements for healthcare?
CA-HCSAI focuses specifically on generative AI in patient communications and requires real-time, point-of-contact disclosure plus human escalation. Several other states are evaluating similar mandates covering clinical decision support and automated insurance claims adjudication, but few have enacted requirements as specific as California's for patient-facing generative AI. Multi-state operators should track parallel developments in states like New York and Illinois.