On May 17, 2024, Colorado's Governor signed into law Senate Bill 24-205, the Colorado Artificial Intelligence (AI) Act (the “Act”). The law will take effect on February 1, 2026, and the Colorado Attorney General will have exclusive enforcement authority. As previewed in our prior blog post, the Act focuses on consumer protection issues when companies develop AI tools and imposes obligations on developers (i.e., creators) and deployers (i.e., users) of “high risk” AI systems. “High-Risk” AI systems (“HRAIS”) are defined as any AI system that “makes, or is a substantial factor in making, a consequential decision.” A substantial factor means one that (1) “assists in making a consequential decision”; (2) “is capable of altering the outcome of a consequential decision”; and (3) “is generated by an artificial intelligence system.” A consequential decision is a decision that has a material legal or similarly significant effect on matters related to education, employment, financial lending services, an essential government service, healthcare services, housing, insurance, or legal services. This article specifically reviews the impact the Act has on healthcare services.
As referenced in the Act, 42 U.S. Code § 234 defines healthcare services as “any services provided by a health care professional, or by any individual working under the supervision of a health care professional, that relate to (A) the diagnosis, prevention, or treatment of any human disease or impairment; or (B) the assessment or care of the health of human beings.” Therefore, if a developer or deployer of HRAIS conducting business in Colorado uses the system to determine whether healthcare services should be provided or denied, the developer or deployer shall (i) publicly disclose to consumers the type of HRAIS being developed or being used; (ii) disclose to the Attorney General when HRAIS is being deployed or has caused algorithmic discrimination; (iii) develop a risk management policy and governance program; and (iv) complete an impact assessment for the HRAIS, among other requirements. Entities covered under the Health Insurance Portability and Accountability Act (“HIPAA”) are exempt from the Act if they provide AI-generated recommendations that require a health care provider to take action to implement the recommendation. Given this exemption, health care entities that are not HIPAA regulated and those that are using black-box AI (i.e., where the recommendation is pushed out without a healthcare provider taking action) would not be exempt.
We will keep our readers posted on further developments, as the Colorado legislature intends to study and possibly revise the bill before it goes into effect.