California Enacts the Physicians Make Decisions Act Regulating AI for Utilization Review

A new California law, the Physicians Make Decisions Act (the Act), requires healthcare provider oversight when health and disability insurers utilize artificial intelligence (AI), algorithm, or other software tools for utilization review or utilization management functions based in whole or in part on medical necessity. The Act covers "health care service plans," and third parties with which healthcare service plans contract for utilization review. 

The Act also regulates the topics on which any such AI tool must base decisions about medical necessity, such as the enrollee's "medical or other clinical history," "clinical circumstances, as presented by the requesting provider," and "[o]ther relevant clinical information contained in the enrollee's medical or other clinical record." The law states what the AI tool cannot do, such as "base its determination solely on a group dataset," "supplant health care provider decision making," "discriminate, directly or indirectly, against enrollees in violation of state or federal law," and "directly or indirectly cause harm to enrollees." 

The Act amends the Knox-Keene Health Care Service Plan Act of 1975 (Knox-Keene), which authorizes a healthcare service plan or disability insurer to use prior authorization and utilization review more generally under the oversight of a licensed physician or healthcare professional competent to evaluate specific clinical issues. In 1978, the Ninth Circuit held that Knox-Keene is preempted by ERISA and therefore does not directly regulate employer benefit plans. See Hewlett-Packard Co. v. Barnes, 571 F.2d 502, 505 (9th Cir. 1978). 

In 1976 and again in 1996, the Department of Labor (DOL) issued advisory opinions concerning ERISA preemption of Knox-Keene. In the 1976 advisory opinion, the DOL concluded broadly that "to the extent Knox-Keene is interpreted to apply to ERISA-covered plans, it is preempted by ERISA," pointing to the "provisions concerning mandatory health care services and coverage, annual reporting requirements and licensing requirements" as "the type of provisions that would contravene the objectives of ERISA's preemption clause if applied to ERISA-covered plans." In the 1996 advisory opinion, the DOL concluded more specifically that a provision of Knox-Keene prohibiting health maintenance organizations (HMOs) from offering enrollment incentives was preempted by ERISA. In this later opinion, the DOL expressly agreed with Hewlett Packard Co. v. Barnes that ERISA preempts any regulation under Knox-Keene of self-insured plans and the California law would only regulate fully insured plans indirectly "through regulation of the plan's insurer and its insurance contracts."  

While the new Act has not specifically been analyzed by a court or the DOL regarding its applicability to ERISA-governed plans, there is a strong argument for ERISA preemption. Utilization review is a central matter of plan administration and changing the utilization criteria for AI tools by state is directly contrary to ERISA. The Ninth Circuit recently issued a decision in favor of ERISA preemption in the context of state law causes of actions alleging the improper processing of benefits claims under insured employee benefit plans. See Bristol SL Holdings Inc. v. Cigna Health and Life Ins. Co., 103 F. 4th 597, 603-06 (9th Cir. 2024). Of particular relevance to this discussion, the court found that Cigna's "[p]re-treatment verification of out-of-network plan coverage and authorization of medical services" is a "central matter of plan administration." Id. at 604 (internal quotation marks omitted). 

California is one of the first states to regulate AI tools used by health insurance issuers. The Act specifically contemplates continued federal regulation in this space and specifically requires that "[t]he artificial intelligence, algorithm, or other software tool is fairly and equitably applied, including in accordance with any applicable regulations and guidance issued by the federal Department of Health and Human Services." Act, § 1367.01(k)(1)(F) (emphasis added); see also id. § 1367.01(k)(1)(K)(5) (discussing upcoming federal rules and guidance issued by HHS); id. § 10123.135(j)(1)(F) (same with regard to disability insurance); id. § 10123.135(j)(1)(K)(5) (same). 

EBSA's New Guidance Reiterates Applicability of 2021 Cybersecurity Guidance to All Employee Benefit Plans

In Compliance Assistance Release No. 2024-01, the DOL's Employee Benefits Security Administration (EBSA) confirmed that its cybersecurity guidance issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans. This 2024 release is in response to confusion amongst health and welfare service providers believing the April 2021 guidance only applied to retirement plans. 

We've previously discussed the April 2021 guidance. To recap, this guidance offers: tips to help plan sponsors and fiduciaries "prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires"; best practices to "assist[] plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks"; and online security tips to plan participants and beneficiaries who check their accounts or benefit plan information online "to reduce the risk of fraud and loss."

The Department of Health and Human Services (HHS) has also issued guidance regarding cybersecurity for health plans. We've previously written on a Dear Colleagues letter issued by the HHS Office of Civil Rights (OCR) regarding an investigation into the Change Healthcare cybersecurity incident in early 2024. OCR administers and enforces Health Insurance Portability and Accountability Act (HIPAA) privacy, security, and breach notification rules for covered entities (healthcare providers, health plans, and clearinghouses) and their business associates. The 2024 guidance also links to various publications by HHS regarding cybersecurity practices for health plans and service providers last updated in 2023. 

Of note, the 2024 guidance mentions but does not analyze the application of ERISA's fiduciary duties to plan cybersecurity matters. By offering a list of best practices, EBSA and HHS are setting the stage for courts to decide the contours of fiduciary duties under ERISA when it comes to cybersecurity practices. 

Upcoming Speaking Engagements and Events

Joanne will speak at the American Bar Association 18th Annual Labor and Employment Law Conference on November 16.

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.