Regulatory Analysis Series
The Original  ·  Effective 1 January 2025
Regulatory Analysis · California

California SB 1120 in operation: what 16 months of the Physicians Make Decisions Act have revealed

SB 1120 was the law that started it all. Sixteen months into operational reality, the statutory requirements have crystallised, the DMHC and CDI enforcement posture has emerged, and the gap between governance-by-attestation and what California regulators can actually audit has become a procurement question for every Knox-Keene plan, disability insurer, and utilisation management vendor in the state.

Published: May 12, 2026
Reading time: ~20 minutes
Audience: General counsel, compliance, clinical leadership, and AI governance leads at Knox-Keene plans, disability insurers, and UM vendors operating in California
Jan 1, 2025: Effective date of SB 1120 (Chapter 879 of 2024)
2 codes: Health & Safety Code §1367.01; Insurance Code §10123.135
Crime: Willful violation by a Knox-Keene plan is a criminal offence
DMHC + CDI: Dual-regulator enforcement and audit authority

01 What SB 1120 actually does

SB 1120 was the first state-level law in the United States to impose substantive obligations on AI used in health care utilisation review. Sixteen months into its operational life, it remains the template that every subsequent state — and every parallel federal conversation — has built on or pushed against.

The bill, formally titled "Health Care Coverage: Utilization Review," was authored by Senator Josh Becker (D-Menlo Park), sponsored by the California Medical Association, passed both chambers in 2024, and was signed by Governor Gavin Newsom on September 28, 2024. Its operative provisions took effect on January 1, 2025. The legislation amends two parallel sections of California law: Health and Safety Code §1367.01 and Insurance Code §10123.135.

The two-code structure reflects the bifurcation of California health-coverage regulation between the Department of Managed Health Care (which licenses Knox-Keene plans) and the California Department of Insurance (which licenses disability insurers). SB 1120 imposes substantively identical obligations through both pathways, with two regulators authorised to enforce. An insurer holding both a Knox-Keene licence for an HMO product and a CDI licence for a PPO product faces parallel audit and enforcement exposure on the same underlying AI tooling.

The shift in one sentence

Before SB 1120, a California health plan asked whether it used AI in utilisation review could answer with policy documents and vendor attestations. After SB 1120, the plan must be able to demonstrate, for any specific medical-necessity determination the DMHC or CDI asks about, that the determination was made by a licensed clinician — not by an AI tool — and that the AI tool that supported the decision was fairly and equitably applied to that individual enrollee's clinical circumstances.

02 Who is regulated, and where the obligations attach

SB 1120's reach operates in three concentric layers:

LAYER 1
Direct licensees
Health care service plans regulated under the Knox-Keene Act (HMOs, specialised health care service plans, and similar managed-care entities). Disability insurers and specialised disability insurers regulated by the California Department of Insurance. A willful violation by a Knox-Keene plan is a crime.
LAYER 2
Contracted UM entities
Any entity with which a licensee contracts for services that include utilisation review or utilisation management functions. This explicitly captures third-party UM vendors, prior-authorisation platforms, specialty-drug review entities, and similar contractors — as a matter of statutory text, not only through derivative contractual obligations.
LAYER 3
Delegated review entities
Medical groups, independent practice associations, and other contracting providers to which a licensee has delegated utilisation review or utilisation management functions. SB 1120's obligations run through delegation; a Knox-Keene plan that has delegated UM to a risk-bearing medical group remains exposed when the medical group's AI tooling fails the statutory standard.

The licensee cannot insulate itself by pushing the AI tooling to a contractor or delegate. The statute reaches the contractor and delegate directly, and the licensee remains responsible for ensuring its contractual arrangements produce compliance. A Knox-Keene plan with a delegated UM relationship now needs to evaluate its delegate's AI-governance posture as part of ordinary delegation oversight — and to be able to evidence that evaluation when DMHC asks.

03 The substantive requirements, in plain language

SB 1120 imposes a set of requirements on the use of AI, algorithms, and software tools in utilisation review. The requirements appear in identical structure in both Health and Safety Code §1367.01(k) and Insurance Code §10123.135(j).

3.1 Determinations must be based on the individual's clinical picture

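Any AI, algorithm, or software tool used for utilisation review must base its determination on, as applicable: the enrollee's medical or other clinical history; the individual clinical circumstances as presented by the requesting provider; and other relevant clinical information contained in the enrollee's medical or other clinical record.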

The tool may not base its determination solely on a group dataset. Statistical patterns from cohorts may inform model training, but the determination produced about a specific enrollee must be grounded in that enrollee's individual clinical record. This is the substantive standard that the EU AI Act later mirrored and that Maryland HB 820 adopted near-verbatim.

The artificial intelligence, algorithm, or other software tool bases its determination on the following information, as applicable: an enrollee's medical or other clinical history, individual clinical circumstances as presented by the requesting provider, and other relevant clinical information contained in the enrollee's medical or other clinical record — and shall not base the determination solely on a group dataset.
Cal. Health & Safety Code §1367.01(k)(1)(A); Cal. Insur. Code §10123.135(j)(1)(A) (paraphrased)

3.2 AI cannot deny, delay, or modify medically necessary services

Any decision to deny, delay, or modify health care services based in whole or in part on medical necessity must be made by a licensed physician or a licensed health care professional who is competent to evaluate the specific clinical issues involved in the requested service.

The statute does not prohibit AI use in utilisation review; it prohibits AI from being the proximate decision-maker for an adverse medical-necessity determination. An AI tool can score, prioritise, route, summarise, and recommend. The clinician must be the proximate decision-maker, and must be competent to evaluate the specific clinical issues — meaning a generalist reviewer rubber-stamping an AI recommendation in a complex sub-specialty case may not satisfy the statute even when the formal procedural box is checked.

3.3 The tool must be fairly and equitably applied

The AI tool must be fairly and equitably applied, including in accordance with applicable regulations and guidance from the federal Department of Health and Human Services. The statute also requires that the tool's use not discriminate, directly or indirectly, against enrollees in violation of state or federal law.

The "fairly and equitably applied" standard is the most substantively demanding requirement and the least precisely defined. No implementing regulation has been issued as of mid-2026. The mature reading — drawn from analogous fair-lending and ACA §1557 jurisprudence — is that the standard reaches both disparate treatment and disparate impact. Compliance requires not just absence of explicit protected-category use, but documented evaluation that the tool's outputs do not produce unjustified disparate impact.

3.4 Audit, disclosure, and policies-and-procedures obligations

| Obligation | What it means in practice |
|---|---|
| Open to inspection for audit | The AI, algorithm, or software tool must be open to inspection for audit or compliance reviews by the DMHC (under Health & Safety Code §1381) or the State Department of Health Care Services. This gives the regulator practical audit access to the tooling itself, not merely to documentation about it. |
| Disclosure in written policies | Disclosures regarding the use and oversight of the AI tool must be contained in the plan's written policies and procedures. The carrier's PA-process documentation must explicitly describe each AI tool in use, its purpose, and its oversight. |
| Consistent with clinical principles | The AI tool's decisions must be consistent with criteria or guidelines that are supported by clinical principles and processes. This makes the underlying medical-necessity criteria themselves subject to audit, not just the AI's application of them. |
| No direct or indirect harm | The use of the AI tool must not directly or indirectly cause harm to the enrollee — interpreted to include both immediate harms (denial of necessary care) and downstream harms (delayed access producing worse clinical outcomes). |

3.5 Authorisation timeframes

Standard prior authorisation requests must be processed within five business days. Urgent requests must be processed within 72 hours. Retrospective review must be completed within 30 days. These are existing utilisation review timeframes that SB 1120 confirms in the AI context with added audit authority around their enforcement.

04 The willful-violation criminal exposure

The most distinctive enforcement feature of SB 1120 is that a willful violation of the Knox-Keene Act is a crime under California law. SB 1120 amends the Knox-Keene Act; therefore a willful violation of SB 1120 by a Knox-Keene plan is also a crime.

The Knox-Keene Act's criminal provision (Health & Safety Code §1390) has been a feature of California managed-care regulation since 1975. Willful violations are misdemeanours punishable by imprisonment in a county jail not exceeding one year, a fine not exceeding $10,000, or both. The criminal exposure runs against the plan itself; under California corporate criminal law, prosecutorial discretion also reaches officers and directors who personally participated in the violation.

The "willful" threshold

"Willful" in California regulatory criminal law generally means knowing and intentional non-compliance, not mere negligence. A plan that genuinely believed its AI tooling complied and was wrong faces civil and administrative penalties, not criminal exposure. A plan whose internal documentation shows that it understood the statutory requirements, identified that its tooling did not satisfy them, and continued operations anyway is in a different posture. This is why mature compliance programs document the AI-governance evaluation process explicitly — the documentation is itself the evidence of non-willfulness.

For disability insurers regulated under the Insurance Code, the criminal provision does not apply in the same form — Insurance Code §10123.135 violations are addressed through administrative enforcement by the Insurance Commissioner only.

05 DMHC and CDI — dual enforcement in practice

5.1 The DMHC — active, audit-forward, willing to fine

The California Department of Managed Health Care is the more active of the two regulators. Its Office of Enforcement issued 169 enforcement actions across all violation categories in the first months of 2025, including utilisation review violations. The DMHC's posture on SB 1120 enforcement, as articulated in its Winter 2025 Newsletter, is that AI utilisation review is now a standard category of compliance review during routine and triggered audits.

The DMHC's audit authority under §1381 reaches the AI tooling itself, not merely documentation about it. In practice, DMHC audit teams have begun asking, during routine medical surveys, to see the AI tool's actual operation on a sample of determinations — typically requesting inputs and outputs for ten to fifty determinations selected by the auditor, and asking the plan to demonstrate that the determinations were made consistent with §1367.01(k). Plans with structured logging of AI-tool operation have navigated these requests most smoothly.

5.2 The CDI — administrative, slower, but with parallel authority

CDI enforces SB 1120 with respect to disability insurers under Insurance Code §10123.135. CDI's audit cadence on AI utilisation review has been less active in 2025, but its market conduct examinations — which historically produce significant administrative penalties in claims-handling contexts — are widely expected to begin including AI utilisation review as a standard examination element through 2026. Carriers operating across both regimes should design their compliance posture to satisfy the more active regulator (DMHC).

06 Sixteen months in: what has actually happened

6.1 Workflow redesign was universal — and uneven

Every Knox-Keene plan and disability insurer reworked its utilisation review workflows in late 2024 and early 2025 to ensure adverse medical-necessity determinations passed through clinician review before issuance. The redesign was universal in scope but uneven in depth. Plans that implemented thresholded review — where higher-confidence AI-recommended denials receive cursory clinician sign-off — have produced the bulk of post-effective-date compliance concerns, because thresholded review raises the question of whether that sign-off constitutes meaningful evaluation or merely procedural compliance with the form of the statute.

6.2 Vendor contract renegotiation has been the dominant procurement workstream

Standard UM-vendor contracts written in 2022 and 2023 did not contemplate SB 1120's direct application to the vendor. The first quarter of 2025 saw most California carriers initiate contract amendments addressing: the vendor's direct statutory obligations under §1367.01(k) as a Layer 2 contracted UM entity; the audit-cooperation obligations flowing from the "open to inspection" requirement; indemnification posture for vendor-side compliance failures; and data-sharing arrangements required for the carrier to demonstrate substantive compliance during a DMHC audit. Vendors that responded constructively consolidated market position; vendors that resisted lost contracts.

6.3 The "fairly and equitably applied" standard remains undefined

No implementing regulation has been issued. No formal DMHC guidance has been published. No published enforcement action as of mid-2026 has turned on this provision specifically. Compliance programs have largely defaulted to documenting their evaluation process rather than relying on any single bright-line test. Most California regulatory practitioners expect either DMHC notice-and-comment rulemaking or a binding administrative interpretation to emerge in 2026 or 2027.

6.4 Plaintiff-side discovery has begun to use SB 1120 as a framework

Plaintiff-side counsel litigating wrongful-denial cases have begun framing discovery requests around SB 1120's substantive standards. The pattern: a plaintiff alleges the determination was AI-driven; discovery pursues documentation that the determination was actually made by a licensed clinician competent to evaluate the specific clinical issues. Carriers with structured per-determination evidence — the model version, the inputs, the clinician's substantive review notes — have moved cases toward settlement on favourable terms. Carriers without such evidence have faced extended discovery and class-certification pressure.

6.5 The companion law — AB 3030 — has reinforced the disclosure expectation

Assembly Bill 3030 (Calderon), signed the same week as SB 1120, imposes generative-AI disclosure requirements on patient-facing communications produced by AI in California health care settings. The two laws together have produced a California regulatory environment in which AI use in healthcare is presumed to be disclosed, audited, and subject to substantive standards.

07 California vs. Maryland vs. the EU AI Act

SB 1120 set the template. The two regulatory frameworks that followed — Maryland HB 820 and the EU AI Act — borrowed from it differently.

CALIFORNIA · SB 1120
The Original
Effective 1 Jan 2025
  • Substantive standard: individual clinical picture; fairly and equitably applied; no harm
  • Decision authority: licensed clinician for adverse determinations
  • Audit: DMHC and CDI inspection of AI tool
  • Penalty: criminal for willful Knox-Keene violations; administrative for both regulators
  • Evidence regime: implicit, not specified
MARYLAND · HB 820
The Mirror
Effective 1 Oct 2025
  • Substantive standard: near-identical to California's individual-clinical-picture requirement
  • Reach: explicitly broader — PBMs and private review agents named
  • Audit: MIA inspection; quarterly review cadence specified
  • Penalty: misdemeanor + administrative (similar to California)
  • Evidence regime: implicit; same gap as California
EU · AI ACT ART. 12
The Evidence Regime
Effective 2 Aug 2026
  • Substantive standard: high-risk classification triggers full Section 2 obligations
  • Reach: providers + deployers, separate roles
  • Audit: market surveillance authorities; logs required by statute
  • Penalty: €15M or 3% global turnover; cumulative with separate violations
  • Evidence regime: explicit; automatic logs over lifetime, 6-month retention floor

The structural lesson: California and Maryland set the substantive standard but leave the evidence regime largely implicit. The EU AI Act added an explicit evidence regime — Article 12's automatic logging requirement — that operationalises the audit authority California and Maryland leave conceptual. A carrier building compliance architecture across all three regimes should design to the EU's evidence-regime standard, because that posture satisfies California's and Maryland's substantive obligations as a side effect. The reverse is not true.

08 What to do now, if you have not already

8.1 Audit the AI-tool inventory against the policies-and-procedures documentation

The §1367.01(b) policies-and-procedures obligation requires that the carrier's written documentation describe its UR process, and SB 1120 specifies that disclosures regarding AI use and oversight be contained in those documents. The common gap, fifteen months in, is that the AI-tool inventory has drifted from the documentation: new tools deployed, existing tools updated to new versions, vendor relationships added or modified. The DMHC audit team will reconcile both sides; the carrier benefits from doing so first.

8.2 Architect the evidence regime explicitly, not just the policy regime

California regulators have audit authority over the AI tooling itself, not merely documentation about it. The carriers that navigated 2025 audits most smoothly produced, at decision time, structured evidence of which model version operated on which determination, what the inputs were, what the output was, what the clinician's substantive review captured, and what the final disposition was. This evidence needs to be structured, durable, and produced at decision time rather than reconstructed afterward. Carriers without this capability are operating with an evidence gap that will become visible in their next DMHC medical survey.
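
As an added illustration (not code from this paper or from any product it mentions), one way to produce the evidence listed above at decision time is a hash-chained log, which makes a later rewrite of any record detectable and flags adverse dispositions that lack a clinician review. The schema, field names, SHA-256 chaining, input digesting and all sample identifiers are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64                      # prev_hash of the first entry
ADVERSE = {"deny", "delay", "modify"}   # dispositions that need a clinician decision

def _digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

class EvidenceLog:
    """Append-only, hash-chained per-determination evidence (hypothetical schema)."""
    def __init__(self):
        self.entries = []

    def append(self, determination_id, model_version, inputs, ai_output,
               disposition, clinician_id=None, review_notes="", decided_at=None):
        body = {
            "determination_id": determination_id,
            "model_version": model_version,
            "inputs_sha256": _digest(inputs),   # digest only: no clinical data in the log
            "ai_output": ai_output,
            "clinician_id": clinician_id,
            "review_notes": review_notes,
            "disposition": disposition,
            "decided_at": decided_at or datetime.now(timezone.utc).isoformat(),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def findings(self):
        """Walk the chain; return (determination_id, problem) pairs, empty if clean."""
        out, prev = [], GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                out.append((e["determination_id"], "chain broken: altered or reordered"))
            if e["disposition"] in ADVERSE and not (e["clinician_id"] and e["review_notes"].strip()):
                out.append((e["determination_id"], "adverse disposition without clinician review"))
            prev = e["hash"]
        return out

def matches_inputs(entry, inputs) -> bool:
    """Check that inputs produced for an auditor are the ones logged at decision time."""
    return entry["inputs_sha256"] == _digest(inputs)

def demo():
    """Constructed sample data; every identifier and value here is invented."""
    log = EvidenceLog()
    inputs = {"request": "PA-0001", "clinical_summary": "constructed sample text"}
    log.append("D-1", "um-model 2.3.1", inputs, "recommend approve", "approve")
    log.append("D-2", "um-model 2.3.1", inputs, "recommend deny", "deny",
               clinician_id="MD-0417", review_notes="Reviewed imaging and history; criteria not met.")
    log.append("D-3", "um-model 2.4.0", inputs, "recommend deny", "deny")  # no clinician recorded
    clean = log.findings()
    log.entries[1]["review_notes"] = "rewritten after the fact"  # simulated later edit
    return clean, log.findings(), matches_inputs(log.entries[0], inputs)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The chain only proves integrity relative to its newest hash, so that head value has to be anchored somewhere the log's writers cannot rewrite; otherwise the whole chain can be rebuilt after an edit.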

8.3 Track the "fairly and equitably applied" standard as it develops

The most likely paths to clarification are DMHC notice-and-comment rulemaking, an administrative interpretation issued through an All Plan Letter, or precedential application in a specific enforcement action. Regulatory affairs teams should monitor the DMHC's published rulemaking calendar, All Plan Letters issued under Knox-Keene authority, and published enforcement actions.

If you are coming to SB 1120 fresh in 2026

The carriers that began compliance work in mid-2024 are now in a steady-state posture. New California entrants face the same compliance arc compressed into a shorter window. The 90-day kickoff outlined in our Maryland HB 820 paper applies here as well, with the additional discipline that SB 1120's criminal exposure for willful Knox-Keene violations makes documented compliance evaluation the first priority, not the last.

References & citations

  1. California Legislature. SB 1120 (Becker, 2023–2024 Regular Session) — Health care coverage: utilization review. Approved September 28, 2024; effective January 1, 2025.
  2. California Health and Safety Code §1367.01 (as amended by SB 1120).
  3. California Insurance Code §10123.135 (as amended by SB 1120).
  4. Senator Josh Becker. Landmark Law Prohibits Health Insurance Companies from Using AI to Deny Healthcare Coverage, December 9, 2024.
  5. Fenwick & West LLP. California's SB 1120 Regulates AI in Health Plan Utilization Review and Management Activities Starting in January.
  6. Proskauer Rose LLP. This New Year, California Imposes Guardrails on the Use of AI by Payors for Utilization Management Determinations, January 9, 2025.
  7. California Department of Managed Health Care. DMHC Winter 2025 Newsletter.
  8. ArentFox Schiff LLP. Healthcare AI 2025 — USA: California, Chambers and Partners.
  9. Gianelli & Morris. DMHC Enforcement Actions Against Insurance Company Violations in 2025, May 19, 2025.

Close the evidence gap that SB 1120 opened

Predicate ZK is a verifiable AI governance infrastructure that produces, at decision time, the structured per-determination evidence California regulators can audit — without disclosing model weights, clinical reasoning logic, or enrollee data. Designed for Knox-Keene plans, disability insurers, and UM vendors operating across SB 1120, HB 820, CMS-0057-F, and the EU AI Act in parallel.
