01 What the law actually does
HB 820 does not ban AI in utilization review. It moves the legal question from whether AI may be used to what carriers must be able to demonstrate about how it was used — in every individual determination, on demand, to the Maryland Insurance Administration.
The bill, formally titled "Health Insurance – Utilization Review – Use of Artificial Intelligence," was sponsored by Delegate Terri L. Hill, passed the General Assembly in March 2025, and was signed by Governor Wes Moore on May 20, 2025 as Chapter 747 of the 2025 session laws. Its operative provisions took effect October 1, 2025.
Maryland's law tracks California's SB 1120 closely — Maryland was the second state to enact substantive AI-in-UM regulation — but it is in several respects broader and more specific than California's: it explicitly reaches insurers, nonprofit health plans, HMOs, dental organizations, pharmacy benefit managers, and private review agents, and it places oversight responsibilities on each of them independently.
Before HB 820, a Maryland carrier asked about its AI utilization-review tooling could answer with policy documents and attestations. After HB 820, the carrier must be prepared to demonstrate, for the specific determination the MIA is asking about, that the AI tool based its decision on that enrollee's medical history — and that the carrier has been conducting quarterly reviews of the tool's performance, use, and outcomes.
02 Who is regulated, and where the obligations attach
The statute reaches three categories of entity, with independent obligations on each:
A consequence worth pausing on: the obligation does not vanish when the AI tool sits with a vendor. A carrier that delegates utilization review to a PBM or PRA running an AI engine cannot deflect the MIA's audit by pointing at the vendor. The carrier is independently obligated to ensure the AI tool meets the statute, and so is the vendor. This produces the multi-party compliance architecture that has become characteristic of state AI legislation in 2025 — and which makes a unified evidence regime, rather than a stack of bilateral contractual assertions, the practical necessity.
03 The substantive requirements, in plain language
HB 820 imposes obligations that fall into three substantive categories. Each is structured as a property of the AI tool's behavior, not as a property of the carrier's documentation about the tool.
3.1 Decisions must be grounded in the individual's clinical picture
The core substantive requirement is that any AI, algorithm, or software tool used in utilization review must base coverage determinations on:
- The enrollee's medical or clinical history
- The individual clinical circumstances reported by the provider
- Other relevant clinical information contained in the enrollee's record
The statute explicitly prohibits decisions based solely on group datasets. The legislative intent — confirmed in the committee record and the fiscal note — is that the medical-necessity determination remains a clinician-grounded judgment that the AI tool supports rather than replaces.
3.2 The tool must not produce unfair discrimination
The final version of HB 820 requires that the use of any AI, algorithm, or software tool in utilization review does not result in unfair discrimination. This phrasing is narrower than California's — which references state and federal anti-discrimination law explicitly — but the practical compliance posture is similar: carriers must be prepared to demonstrate that the AI tool does not produce disparate outcomes across protected categories beyond what legitimate clinical factors explain.
The legal term "unfair discrimination" carries technical weight in insurance regulation. Actuarially grounded grouping of similar risks is generally permitted; what HB 820 prohibits is differential treatment that lacks an actuarial or clinical basis. The challenge is that AI tools can produce disparate outcomes through proxies that correlate with protected categories without explicitly using them. Compliance therefore requires demonstrating, not just asserting, independence.
3.3 Human oversight must be maintained
The statute requires that the AI tool support rather than supplant clinician decision-making. The legislative record makes clear that the General Assembly's intent was that final medical-necessity determinations be made by human clinicians, with the AI tool providing recommendations, prioritization, or documentation rather than autonomous decisions.
04 Audit, reporting, and the MIA's authority
The substantive requirements above are paired with operational obligations that give the Maryland Insurance Administration real audit teeth. These are the obligations that most carriers' existing compliance infrastructure is least prepared for, because they require the production of evidence — not the recitation of policy.
| Obligation | What it means in practice |
|---|---|
| Quarterly review | At least every three months, the regulated entity must evaluate the AI tool's performance, use, and outcomes. This is not an annual policy review — it is a recurring operational discipline with documented results. |
| Adverse-decision reporting | Carriers must report metrics on the use of AI in adverse decisions. The MIA will be in a position to compare the rate, pattern, and basis of AI-assisted denials across the regulated population — and to identify outliers. |
| Written policies & procedures | Documented governance for AI use in utilization management must be submitted to the MIA. The policies become the standard the regulator measures actual behavior against. |
| Audit-ready availability | The AI tool itself must be available for audit or compliance review by the Insurance Commissioner. This implies the carrier can produce the evidence to show what the tool did on a specific determination, on demand. |
| Penalties for violation | Misdemeanor charges, monetary penalties, denial/suspension/revocation of certificates, cease-and-desist orders, administrative penalties, and restitution to harmed patients. |
"Available for audit" is doing a lot of work in this statute. A regulator who shows up with a list of fifty determinations and asks, for each one, whether the AI tool's recommendation was based on the enrollee's individual clinical picture — and not on cost, churn risk, appeal history, or other factors that proxy for payer economics — is asking a question that policy documents cannot answer. The carrier needs evidence that was produced at decision time, not reconstructed afterward.
05 The evidence problem nobody is talking about
The compliance conversation around HB 820, as it has played out in the legal press through late 2025 and into 2026, has focused almost entirely on policy and procedure. These are real questions, but they miss the harder one.
The harder question is this: when the MIA asks about a specific determination — when a member files a complaint about a specific denial, when a plaintiff's counsel subpoenas a class of decisions, when the regulator picks a random sample for audit — what evidence will the carrier produce to show that this specific decision was made on this enrollee's individual clinical picture?
The honest answer for most carriers today is that the evidence is constructed after the fact, from internal logs, reviewer notes, and the carrier's own account of what the AI tool produced. There are four reasons that evidence regime fails:
What HB 820 implicitly demands is an evidence regime that produces per-determination audit-grade artifacts at decision time — artifacts that bind a specific determination to a specific model version, a specific feature set, and a specific reasoning trace, in a way that cannot be reconstructed or modified after the fact. The mature term of art for this is verifiable AI governance. Under HB 820 and the analogous laws that have followed, it is becoming necessary practice.
06 How HB 820 collides with CMS-0057-F
Maryland carriers do not face HB 820 in isolation. They face it concurrent with the federal CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F), which is phasing in across 2026 and 2027.
The right way to think about the combined regulatory environment is that HB 820 supplies the substantive standard; CMS-0057-F supplies the operational visibility. Together they produce a compliance environment where the questions a regulator can ask are no longer constrained by access to information — and where the carrier's ability to answer is constrained instead by the quality of the evidence the carrier produced at the moment each decision was made.
07 What to do in the next 90 days
7.1 Inventory the AI surface
Begin with a documented inventory of every AI, algorithmic, or rule-based system that touches a Maryland utilization-review decision. This includes obvious tools (the utilization-management engine, the prior-authorization classifier, the specialty-drug routing logic) and less obvious ones (triage logic, document-OCR pipelines, feature-engineering systems). The inventory should record, for each system: the vendor or internal owner, the model version currently in production, the training data lineage, the feature set, the threshold or decision-rule logic, and the workflows the system is integrated into.
7.2 Establish the quarterly review cadence — for real
The statute requires quarterly review of each AI tool's performance, use, and outcomes. Many carriers have established annual AI-governance reviews; HB 820 raises the cadence by a factor of four and changes the substantive content from policy-attestation to operational-performance evaluation. Each quarterly review should produce a documented artifact that captures the metrics evaluated, the variances observed, the corrective actions taken, and the sign-off authority.
7.3 Architect the evidence regime, not just the policy regime
Beyond policies and procedures, the carrier needs an evidence regime that can produce, on demand, a defensible account of what the AI tool did on a specific determination. The mature version of this is a per-determination cryptographic certificate that binds the decision to its model version, feature set, and reasoning trace — generated at decision time, retained durably, and verifiable independently. The interim version is a structured logging discipline that captures the same information in a form regulators and plaintiffs can rely on.
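A sketch of the decision-time record described above, added here as an illustration and not taken from the statute, the MIA, or any vendor's product. It binds each determination to its model version and to digests of the feature set and reasoning trace, chains records so later edits or deletions are detectable, and lets an auditor confirm that disclosed inputs match what was bound. Assumptions: all field names are hypothetical, and an HMAC key stands in for the asymmetric signing key a real certificate would use so that a verifier needs no secret.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash used by the first record in a chain

def canonical(obj):
    # Deterministic serialization: identical content always yields identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj):
    return hashlib.sha256(canonical(obj)).hexdigest()

def mac(key, body):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def issue_record(key, prev_hash, determination_id, model_version,
                 features, reasoning_trace, reviewer_id, issued_at):
    """Create one evidence record at decision time, linked to its predecessor."""
    body = {
        "determination_id": determination_id,
        "model_version": model_version,
        # Digests only: the clinical inputs stay in the system of record.
        "features_sha256": digest(features),
        "trace_sha256": digest(reasoning_trace),
        "reviewer_id": reviewer_id,  # clinician who made the final determination
        "issued_at": issued_at,
        "prev_hash": prev_hash,
    }
    return {"body": body, "tag": mac(key, body)}

def verify_chain(key, records):
    """Return (True, None), or (False, i) for the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if not hmac.compare_digest(mac(key, rec["body"]), rec["tag"]):
            return False, i  # body edited after issuance
        if rec["body"]["prev_hash"] != prev:
            return False, i  # record removed, inserted, or reordered
        prev = digest(rec)
    return True, None

def matches_disclosure(record, features, reasoning_trace):
    """Check that inputs produced for an audit are the ones bound at decision time."""
    body = record["body"]
    return (body["features_sha256"] == digest(features)
            and body["trace_sha256"] == digest(reasoning_trace))
```

Each new record takes `digest(previous_record)` as its `prev_hash`; periodically publishing or escrowing the latest digest with a third party keeps the record holder from silently rebuilding the whole chain.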
(1) Produce the AI-surface inventory in the first 30 days. (2) Stand up the quarterly review cadence with documented artifacts in days 31–60. (3) Scope the evidence-regime architecture — what evidence is captured per determination, where it is stored, how it is verified — in days 61–90. The output is not full compliance maturity; it is a defensible position from which to engage MIA, plaintiff counsel, and the carrier's own board on AI-governance posture.
08 Beyond Maryland: California, and the states that are next
Maryland is the second state to enact substantive AI-in-UM regulation; California (SB 1120, effective 2024) was the first. The mature reading of state legislative trajectories suggests that 5–10 additional states will enact analogous regimes during the 2026–2027 legislative sessions. Texas, New York, Colorado, Washington, Illinois, and Massachusetts each have either active bills, regulatory rulemakings, or attorney general inquiries that point in the same direction.
The strategic implication is that compliance architecture built for Maryland alone is architecture built for the wrong scope. A carrier operating in Maryland, California, and four other states by mid-2027 needs an evidence regime that scales across jurisdictions — decoupled from any single state's reporting format, anchored on substantive verification rather than form-specific attestation, and capable of producing the evidence each state asks for from a common underlying record.
| Jurisdiction | Status | Effective |
|---|---|---|
| California | SB 1120 — health-plan AI in UM (Physicians Make Decisions Act) | January 1, 2025 |
| Maryland | HB 820 — carrier, PBM, PRA AI in UM | October 1, 2025 |
| Federal (CMS) | CMS-0057-F operational provisions | January 1, 2026 |
| Federal (CMS) | CMS-0057-F API requirements | January 1, 2027 |
| Other states | Active bills or rulemakings: TX, NY, CO, WA, IL, MA | 2026–2027 (anticipated) |
References & citations
- Maryland General Assembly. HB 820 (2025): Health Insurance – Utilization Review – Use of Artificial Intelligence. Chapter 747 of 2025; approved May 20, 2025; effective October 1, 2025.
- Maryland Department of Legislative Services. HB 820 Fiscal and Policy Note (Third Reader, revised March 27, 2025).
- Sullivan, S., Simmons, D. W., & Jones-Binns, B. New Maryland Law Regulates Use of AI in Health Care Utilization Management Reviews. Alston & Bird, September 4, 2025.
- Centers for Medicare & Medicaid Services. CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F).
- California Legislature. SB 1120 (2023–2024): Physicians Make Decisions Act.