
Colorado SB 26-189: Why HIPAA-Covered AI Deployers Lost Their Exemption

On May 14, 2026, Governor Jared Polis signed SB 26-189 into law, scaling back the Colorado AI Act ahead of its February 2026 effective date. The revised statute drops the broad HIPAA covered-entity exemption that the original act carried and replaces it with a narrower carve-out tied to a specific "consequential decision" test. Clinical AI deployers in Colorado who assumed they were out of scope now have to map the systems that influence diagnosis, treatment selection, or coverage decisions against the new criteria. The effective date moves to January 1, 2027, with a 60-day Attorney General cure period. This article walks through what changed, which clinical AI systems pick up new obligations, and the per-decision evidence the new regime will expect.

By Parminder Singh · Founder & CEO, DeepInspect Inc.
Industry Verticals · Tags: colorado-ai-act, healthcare-ai, hipaa, state-regulation, clinical-ai, compliance

On May 14, 2026, Governor Jared Polis signed SB 26-189 into law, revising Colorado's pioneering AI Act before its effective date. The Ropes & Gray analysis and the Norton Rose Fulbright summary both flag the same operative change: the broad HIPAA covered-entity exemption that the original Colorado AI Act carried is gone, replaced by a narrower "consequential decision" carve-out that brings most clinical AI deployers in Colorado back into scope. The effective date moves to January 1, 2027, with a 60-day cure period through the Attorney General's office.

The legislature did not relax the AI Act for healthcare. The legislature redrew the line so that the obligations attach to systems that influence specific kinds of patient-facing decisions, regardless of the deployer's HIPAA status.

I want to walk through what the May 14 revision actually changed, which clinical AI systems pick up new obligations under the consequential-decision test, and the evidence architecture clinical AI deployers in Colorado need before the January 2027 effective date.

What SB 26-189 changed

The original Colorado AI Act, signed in May 2024, included a categorical exemption for HIPAA-regulated entities operating AI systems on protected health information. The exemption was wide enough that most hospital systems, payers, and clinical SaaS vendors assumed they were out of scope. SB 26-189 closes that path.

The consequential decision test replaces the categorical exemption

Under the revised act, an AI system is in scope when it makes or substantially influences a "consequential decision" about an individual in defined categories, including healthcare access, treatment selection, insurance coverage, and provider credentialing. HIPAA status no longer determines coverage. The operative question is whether the system's output shapes a specific decision about a specific person.

The "substantially influences" criterion sweeps in clinical decision support

A clinical decision support tool that surfaces three differential diagnoses to a physician substantially influences the diagnostic decision. A coverage-determination model that ranks a prior authorization request against medical necessity criteria substantially influences the coverage decision. The legislature's text and the Ropes & Gray reading converge: the substantial-influence threshold is lower than "the AI made the decision." It captures systems that shape the human decision-maker's choice.

Notification and explanation obligations attach to consequential decisions

When a consequential decision is informed by an AI system, the affected person has a right to notification, a right to an explanation of the principal reasons for the decision, and a right to correct any incorrect personal data the AI relied on. The notification is automatic. The explanation has to be specific enough to support the person's correction right.

The Attorney General gets the cure period and enforcement authority

The Colorado AG enforces the act. The 60-day cure period means a deployer who receives a notice of non-compliance has 60 days to fix the issue before the AG can bring an enforcement action. The cure window only applies to inadvertent violations. Willful or repeated non-compliance does not get the cure benefit.

Which clinical AI systems pick up obligations

The consequential decision test produces predictable in-scope clusters.

Clinical decision support tools

A tool that surfaces differential diagnoses, recommends treatment options, or flags drug interactions substantially influences the clinical decision. The hospital system that deploys the tool is the deployer under SB 26-189. The deployer obligations attach even when the developer is a HIPAA business associate operating under a BAA. The BAA addresses the PHI handling. The Colorado act addresses the AI-influenced decision.

Coverage and prior authorization AI

A payer that uses AI to screen prior authorization requests against medical necessity criteria substantially influences the coverage decision. Under SB 26-189, the affected member has the notification right and the explanation right. The payer's existing utilization management workflow has to surface the AI's role in the decision and produce a specific explanation when the member exercises their rights.

Provider credentialing models

AI-assisted credentialing models that score provider applications against quality metrics or risk factors substantially influence the credentialing decision. The credentialing entity is the deployer. The affected provider has the same notification and explanation rights as a patient affected by a clinical AI decision.

Triage and routing AI in payer or provider call centers

A triage model that routes a member call to a higher or lower acuity queue substantially influences the care pathway. Whether the triage decision is "consequential" turns on the downstream effect: routing that delays urgent care meets the test, while routing that distinguishes between two equally appropriate care channels probably does not. The deployer has to document the analysis.

The compliance gap most deployers carry into January 2027

The runway is roughly six months. The gap clinical AI deployers carry in is the same gap most regulated AI deployers carry in: the existing application logs were never designed to satisfy a notification-plus-explanation regime.

A clinical decision support tool typically logs that a recommendation was surfaced, when, and to which clinician. It rarely logs the policy version that governed the recommendation, the identity context of the patient and the clinician at the moment of decision, the specific data elements the model considered, or the model confidence at the moment of decision. The explanation right under SB 26-189 expects all four. The notification right expects the deployer to identify which decisions were AI-influenced quickly enough to issue the notification.

The deployer also needs a workflow for the correction right. A patient who exercises their correction right has to be able to point to the specific data the AI relied on. That requires per-decision evidence retained long enough to support the right; the retention period is something the Colorado AG will interpret in the implementing rules, but it is unlikely to be less than one year.

How SB 26-189 sits next to HIPAA, the EU AI Act, and the federal landscape

Colorado is not running parallel to HIPAA. HIPAA continues to govern the handling of PHI by covered entities and business associates. SB 26-189 governs the AI-influenced decisions, regardless of HIPAA status. A clinical AI deployer in Colorado has to satisfy both. The HIPAA audit trail demonstrates appropriate access to PHI. The SB 26-189 audit trail demonstrates the basis for the consequential decision.

The same evidence architecture serves the EU AI Act for any clinical AI deployer with European patients or providers. Article 12 traceability requires the same per-decision evidence that the Colorado explanation right expects. The vocabulary differs. The infrastructure requirement is the same.

Federal action is moving more slowly. The expected HHS guidance on AI in clinical decision support will likely reference both the HIPAA framework and emerging state regimes. Colorado is the first state to land the consequential-decision test in healthcare AI. Other states are likely to follow.

DeepInspect

This is the per-decision evidence layer DeepInspect produces. DeepInspect sits at the AI request boundary as a stateless proxy between authenticated users or agents and the LLM endpoints, enforces identity-bound policy on every request, and records a per-decision audit record that includes the identity, the policy version, the data classification, the decision outcome, and a tamper-evident signature.

For Colorado clinical AI deployers, the per-decision records are the source data for both the notification right and the explanation right under SB 26-189. The deployer can identify which decisions were AI-influenced, surface the specific data the model relied on, and reconstruct the policy and identity context that governed the decision. The records also serve the HIPAA audit obligation and the EU AI Act Article 12 traceability obligation from the same source.
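As an added illustration, not DeepInspect's code or a description of its record format, the following Python sketch shows a per-decision evidence ledger with the fields the compliance-gap section and this section name (identity, policy version, data classification, the data elements relied on, model confidence, outcome and human review), chained under an HMAC so that an edited or deleted record is detectable, with lookups that serve the notification and explanation rights. The record contents, identifiers and signing key are constructed sample values.

```python
import hmac
import json

# Constructed demo key: a real deployment keeps this in a KMS/HSM, never in source.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign(record: dict, prev_sig: str) -> str:
    """HMAC-SHA256 over canonical JSON plus the previous signature (hash chain)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, prev_sig.encode() + canonical, "sha256").hexdigest()


class DecisionLedger:
    def __init__(self):
        self.entries = []  # append-only: {"record", "prev", "sig"} per decision
    def append(self, record: dict) -> None:
        prev = self.entries[-1]["sig"] if self.entries else "genesis"
        self.entries.append({"record": record, "prev": prev, "sig": sign(record, prev)})
    def verify(self) -> bool:
        """Recompute the chain; an edited, deleted or reordered entry breaks it."""
        prev = "genesis"
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(sign(e["record"], prev), e["sig"]):
                return False
            prev = e["sig"]
        return True
    def ai_influenced_decisions(self, subject_id: str) -> list:
        """Notification right: decisions about this person that an AI output informed."""
        return [e["record"]["decision_id"] for e in self.entries
                if e["record"]["subject_id"] == subject_id and e["record"]["ai_influenced"]]
    def explanation(self, decision_id: str) -> dict:
        """Explanation right: reasons, data relied on, policy and identity context, human review."""
        keys = ("principal_reasons", "data_elements", "data_classification", "policy_version",
                "actor", "model_confidence", "human_review", "outcome")
        for e in self.entries:
            if e["record"]["decision_id"] == decision_id:
                return {k: e["record"][k] for k in keys}
        raise KeyError(decision_id)


def build_demo_ledger() -> DecisionLedger:
    """Two constructed records: an AI-screened prior authorization and a manual approval."""
    base = {"subject_id": "P-001", "actor": "um-nurse:jdoe", "policy_version": "pa-policy-2026.3",
            "data_classification": "PHI", "human_review": True, "model_confidence": None}
    ledger = DecisionLedger()
    ledger.append({**base, "decision_id": "D-1", "ai_influenced": True, "model_confidence": 0.81,
                   "data_elements": ["ICD-10 M54.5", "MRI order"], "outcome": "pended",
                   "principal_reasons": ["no conservative therapy documented"]})
    ledger.append({**base, "decision_id": "D-2", "ai_influenced": False, "outcome": "approved",
                   "data_elements": ["CPT 99213"], "principal_reasons": ["routine visit"]})
    return ledger
```

The chain only detects tampering after the fact; keeping the signing key outside the application that writes the records is what stops a compromised writer from re-signing a forged history.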

If you are running clinical AI in Colorado and your evidence strategy depends on application logs the AI vendor controls, the January 2027 effective date will surface the gap. Book a demo today.

Beyond Colorado

SB 26-189 is the leading edge of a state-level consequential-decision regime that other states are watching closely. New York, California, Connecticut, and Texas have each introduced AI legislation in 2025-2026 that includes consequential-decision elements. The federal landscape is shaped by HHS and CMS guidance, neither of which has yet landed a binding rule for clinical AI. The trajectory is clear: per-decision evidence is becoming the default expectation for AI-influenced decisions in regulated sectors.

The clinical AI deployer that builds the evidence layer to satisfy SB 26-189 satisfies the next state-level act with the same infrastructure. The evidence architecture is portable. The legal interpretations are not.

Frequently asked questions

Does the SB 26-189 revision apply only to AI systems deployed after January 1, 2027?

No. The act applies to AI systems in operation as of the effective date. Clinical AI systems already deployed in Colorado are in scope from January 1, 2027 forward. The notification, explanation, and correction rights attach to consequential decisions made on or after that date.

How does the 60-day cure period work?

A deployer who receives a notice of non-compliance from the Colorado AG has 60 days to remedy the issue. The remedy can include policy changes, technical changes to the AI system, or documented updates to the notification and explanation workflows. The cure benefit applies to inadvertent violations only. Willful or repeated violations do not get the cure period.

What happens to the HIPAA BAA in this regime?

The BAA continues to govern the handling of PHI between the covered entity and the business associate. SB 26-189 obligations attach separately. A clinical SaaS vendor operating under a BAA is the developer or service provider under the Colorado act, with developer-side obligations that include providing documentation sufficient for the deployer to fulfill the notification and explanation rights.

Are research uses of clinical AI in scope?

Research uses fall under different rules. SB 26-189 targets consequential decisions about specific individuals in defined categories. A research model used to identify population-level patterns in de-identified data is not making consequential decisions about specific individuals. A research model used in a learning health system to support an active treatment decision for an enrolled patient is.

Does the explanation right require source code disclosure?

No. The explanation has to identify the principal reasons for the decision, the categories of data the system considered, and any human review that occurred. The deployer does not have to disclose source code or trade secrets. The deployer has to produce an explanation that supports the person's correction right.

How does this interact with the EU AI Act for clinical AI deployers with European patients?

A clinical AI deployer with European patients carries the EU AI Act Article 12 traceability obligation in addition to the SB 26-189 obligations. Both regimes expect per-decision evidence. The Colorado regime expects the evidence to support the notification, explanation, and correction rights. The EU regime expects the evidence to support market surveillance inspections. The same evidence layer satisfies both when it captures identity, policy version, data classification, and decision outcome at the per-request granularity.