
Colorado AI Act for healthcare deployers — what compliance actually requires.

The operating standard for healthcare AI is now NIST AI RMF (Govern / Map / Measure / Manage) plus ISO/IEC 42001, the baseline insurers, procurement teams, and enterprise customers expect of every deployer, layered with the federal HIPAA Privacy and Security Rules and the HHS-OCR Section 1557 algorithmic non-discrimination rule. Colorado's amended AI law (SB 26-189, effective January 2027) adds a transparency/disclosure layer for automated decision systems that make consequential decisions about Colorado consumers. (The original SB 24-205 high-risk and impact-assessment regime was repealed and replaced before it took effect.) This page maps those frameworks to the AI tools US health systems, clinics, ACOs, payers, and digital-health firms actually run today, and walks through a 90-day governance roadmap.

Law firms can write the memo. The MSSP runs the controls. EFROS operates the AI Governance program — inventory, classification, vendor BAA verification, audit logging, human oversight, risk assessment, board-grade reporting — under one accountable SLA.

By Stefan Efros, CEO & Founder, EFROS · Updated May 2026

Jurisdictional trigger

Who must comply

Colorado's amended AI law (SB 26-189) applies based on where the consumer (patient, employee, or ADS-decision subject) resides, not where the deployer is headquartered. A Massachusetts hospital that runs an automated decision system on a Colorado resident's claim, chart, or hiring application picks up SB 26-189 disclosure obligations for that interaction. But the framework you actually build the program around is NIST AI RMF plus the federal HIPAA and Section 1557 baselines: those apply to every deployer regardless of any single state's statute.

Two roles still matter operationally: developers (entities that build or substantially modify an AI system) and deployers (entities that use an AI system to make a consequential decision). Most US healthcare organizations are deployers; some larger systems with internal data science teams act as both. NIST AI RMF assigns governance responsibilities to both.

Scope note: SB 26-189 narrows its automated-decision-system disclosure duties and exempts smaller deployers under defined thresholds — much tighter than the repealed SB 24-205 regime. Size never exempts the federal Section 1557 and HIPAA baselines, and NIST AI RMF governance is the assurance standard your insurers and enterprise customers expect of clinical AI regardless of deployer size.

Consequential-decision AI — a NIST AI RMF priority and SB 26-189 disclosure trigger

Nine consequential-decision use cases healthcare deployers face

Healthcare operations intersect with nine consequential-decision categories. Each is a governance priority under NIST AI RMF (Govern / Map / Measure / Manage), a likely ISO/IEC 42001 control scope, and — where it affects a Colorado consumer — an SB 26-189 transparency/disclosure trigger.

AI-driven hiring and credentialing

Automated employment decision tools used to screen physician candidates, clinical staff, or contract nurses are a NIST AI RMF consequential-decision governance priority and an SB 26-189 disclosure trigger, and for roles based in New York City they also require the NYC Local Law 144 annual bias audit and candidate notice. Common surfaces: HireVue, Pymetrics, Modern Hire, Eightfold, and AI-embedded ATS scoring inside Greenhouse, Workday, iCIMS.

Clinical decision support and diagnostic AI

AI tools that materially inform clinical decisions about a patient (diagnostic imaging interpretation, sepsis prediction, readmission risk scoring, triage routing) are top-tier consequential-decision systems under NIST AI RMF and, as patient care decision support tools, carry the HHS-OCR Section 1557 algorithmic non-discrimination requirement (45 CFR 92.210). Examples: Aidoc, Viz.ai, the Epic Sepsis Model, and recommendations derived from AWS HealthScribe output.

Clinical AI scribes and documentation

AI scribes that draft clinical notes — Abridge, Suki, Microsoft DAX Copilot, Heidi, Augmedix, Nuance DAX — are HIPAA business associates that require executed BAAs, and become consequential-decision systems (NIST AI RMF governance priority; SB 26-189 disclosure trigger) when their output substantially informs treatment, coding, or billing decisions.

Insurance and prior authorization AI

Payer-side AI for prior authorization, claims denial routing, medical necessity determination, or coverage adjudication is a high-stakes consequential-decision system under NIST AI RMF and an SB 26-189 disclosure trigger. Notable: UnitedHealthcare's nH Predict (subject to 2023 class action), Cigna's PXDX, Humana algorithms.

Financial services for healthcare

Patient-financing eligibility scoring, medical debt collection AI, and revenue cycle management algorithms that determine financial eligibility for care are consequential-decision systems under NIST AI RMF, an SB 26-189 disclosure trigger, plus FTC Section 5 enforcement on unfair practices.

Education for clinical training

AI tools used in medical school admissions, residency match algorithms, continuing medical education assessment, or fellowship selection are consequential-decision systems warranting NIST AI RMF governance and SB 26-189 disclosure where they decide access to training.

Housing-adjacent: senior living and skilled nursing placement

AI tools that determine eligibility for skilled nursing, assisted living, or supportive housing placement are consequential-decision systems (NIST AI RMF governance priority; SB 26-189 disclosure trigger) — particularly relevant for ACOs and care coordination platforms.

Legal services for healthcare ops

AI used in malpractice risk scoring, peer review automation, or credentialing legal review is a consequential-decision system under NIST AI RMF governance, with SB 26-189 disclosure where it affects a Colorado consumer. Common in large hospital systems with embedded legal ops.

Government services in public health

Public hospitals, FQHCs, and state Medicaid agencies deploying AI for benefit determination, fraud detection, or program eligibility run consequential-decision systems under NIST AI RMF governance and SB 26-189 disclosure. Federal agencies running the same systems are additionally bound by OMB's AI use and acquisition memoranda (M-24-10 and its successors); those memoranda bind federal agencies directly, not state or local deployers.

Clinical AI vendor BAA matrix

What your AI vendors will sign — and what they won't

Curated matrix of the AI vendors most commonly deployed in US healthcare workflows, with BAA availability, the risk class used on this page, and the operational caveat that determines whether the vendor is safe for clinical use.

Abridge

BAA: Yes, default tier · Risk class: consequential-decision · NIST AI RMF + Section 1557

HIPAA-aligned BAA available. Output materially informs documentation and billing: human-in-the-loop oversight (NIST AI RMF MANAGE) and a Section 1557 non-discrimination audit are required; SB 26-189 disclosure applies where it affects a Colorado consumer.

Suki AI

BAA: Yes, default tier · Risk class: consequential-decision · NIST AI RMF + healthcare

BAA is standard. Treat as a consequential-decision system; run a NIST AI RMF risk assessment and SB 26-189 consumer disclosure for patient-facing use.

Microsoft DAX Copilot / Dragon Medical

BAA: Yes, Microsoft Online Services BAA · Risk class: consequential-decision · NIST AI RMF + Section 1557

Covered under the Microsoft BAA. Maintain technical documentation, bias testing per Section 1557, and audit-log retention via Purview.

Heidi Health

BAA: Yes, default tier · Risk class: consequential-decision · NIST AI RMF + healthcare

BAA available. Human-in-the-loop review of output per Section 1557 (NIST AI RMF MANAGE). Verify state-by-state operational coverage.

Nuance DAX (legacy, pre-Copilot)

BAA: Yes, via Nuance BAA addendum · Risk class: consequential-decision · NIST AI RMF + Section 1557

Now consolidated under Microsoft DAX Copilot for new deployments; legacy DAX continues under Nuance terms.

ChatGPT Enterprise / Team

BAA: Yes, enterprise tier only · Risk class: limited-risk · CA SB 1001 / AB 2013

Consumer ChatGPT is not BAA-eligible. The enterprise tier requires an explicitly executed BAA plus zero-data-retention terms. Block the consumer tier at the identity layer for clinical staff; consumer and enterprise tiers share the same hostnames, so a proxy or DNS block would also cut off the contracted tier.

Microsoft 365 Copilot (general productivity)

BAA: Yes, under the M365 E3/E5 BAA · Risk class: limited-risk · transparency required

Inherits SharePoint and Graph permissions. Run a permission audit, enable Restricted SharePoint Search, and apply Copilot DLP before clinical staff use.

Otter.ai (meetings AI)

BAA: Only on the HIPAA compliance plan · Risk class: sector-specific · two-party consent

Free/Pro tier transcripts go to the Otter training pipeline; block for clinical meetings. The HIPAA tier is required for telehealth consult transcription.

Notion AI

BAA: No, not BAA-eligible

Block for any PHI-touching workflow. Use Microsoft 365 Copilot or Google Workspace Gemini under BAA instead.

Perplexity, consumer Claude, consumer ChatGPT

BAA: No, not BAA-eligible

Block at the identity layer for all clinical staff. PHI pasted into one of these is a disclosure to a third party with no BAA, so it is presumed to be a reportable breach under the HIPAA Breach Notification Rule unless a documented risk assessment shows a low probability that the PHI was compromised; log and investigate each incident as such.

BAA availability changes — verify current contract terms with each vendor before relying on this matrix for procurement decisions. EFROS maintains an internal live vendor matrix updated quarterly as part of the AI Governance retainer.
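Shadow-AI discovery and tier enforcement for the matrix above, as an added example that is not EFROS's tooling or any vendor's code. It parses constructed Squid-format proxy log lines, matches destination hosts against a hypothetical encoding of this page's BAA tiers, and produces one inventory row per vendor with the control that follows from its tier. Hostnames are illustrative and must be confirmed against each vendor's documentation. The point it makes concrete is that vendors whose consumer and contracted tiers share a host (ChatGPT, Otter.ai) cannot be separated by hostname blocking, which is why the matrix pushes enforcement to the identity layer.

```python
"""Shadow-AI discovery from web-proxy logs, scored against a BAA tier matrix.

Added example; not EFROS's code or any vendor's tooling. Log lines are constructed
in Squid's native access.log layout; VENDOR_MATRIX is a hypothetical encoding of the
tiers on this page, with illustrative hostnames to confirm against vendor docs.
"""
from urllib.parse import urlsplit

# Tier semantics and the control each one implies:
#   baa    : enterprise product; PHI permitted once an executed BAA is on file
#   no_baa : consumer product, not BAA-eligible; safe to block by hostname
#   mixed  : consumer and BAA tiers share a host, so a hostname block would also
#            break the contracted tier; enforce at the identity layer instead
#            (tenant restrictions / conditional access), not at the proxy
VENDOR_MATRIX = {
    "abridge.com": ("Abridge", "baa"),
    "suki.ai": ("Suki AI", "baa"),
    "chatgpt.com": ("ChatGPT", "mixed"),
    "chat.openai.com": ("ChatGPT", "mixed"),
    "otter.ai": ("Otter.ai", "mixed"),
    "claude.ai": ("Claude (consumer)", "no_baa"),
    "perplexity.ai": ("Perplexity", "no_baa"),
    "notion.so": ("Notion AI", "no_baa"),
}
ACTION = {
    "baa": "allow; verify executed BAA and retain usage logs",
    "no_baa": "block by hostname and at the identity layer for clinical staff",
    "mixed": "hostname block insufficient; pin to the enterprise tenant at the identity layer",
}


def classify_host(host):
    """Longest-suffix match of a hostname against the matrix; None if unknown."""
    host = host.lower().rstrip(".")
    best = None
    for suffix, entry in VENDOR_MATRIX.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def host_from_squid_line(line):
    """Return (user, host) from a Squid native access.log line, or None.

    Fields: time elapsed client code/status bytes method url user hier/peer type.
    CONNECT requests carry host:port in the url field; other methods a full URL.
    """
    parts = line.split()
    if len(parts) < 8:
        return None
    method, url, user = parts[5], parts[6], parts[7]
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    return user, host


def discover(lines):
    """Aggregate AI-vendor traffic: tier, hit count, distinct users and action per vendor."""
    found = {}
    for line in lines:
        parsed = host_from_squid_line(line)
        if not parsed:
            continue
        user, host = parsed
        entry = classify_host(host)
        if not entry:
            continue  # not an AI vendor we track; ordinary traffic
        vendor, tier = entry
        rec = found.setdefault(vendor, {"tier": tier, "hits": 0, "users": set(), "action": ACTION[tier]})
        rec["hits"] += 1
        rec["users"].add(user)
    return found


# Constructed sample: three clinicians, a mix of contracted and consumer tools.
SAMPLE_LOG = """\
1714000000.101    412 10.20.30.40 TCP_TUNNEL/200 18231 CONNECT app.abridge.com:443 dr.lee HIER_DIRECT/203.0.113.10 -
1714000001.204    388 10.20.30.41 TCP_TUNNEL/200 9021 CONNECT chatgpt.com:443 rn.patel HIER_DIRECT/203.0.113.11 -
1714000002.337    120 10.20.30.41 TCP_MISS/200 2210 GET https://www.perplexity.ai/search?q=sepsis+bundle rn.patel HIER_DIRECT/203.0.113.12 text/html
1714000003.450    301 10.20.30.42 TCP_TUNNEL/200 44120 CONNECT otter.ai:443 dr.lee HIER_DIRECT/203.0.113.13 -
1714000004.512    255 10.20.30.42 TCP_TUNNEL/200 5120 CONNECT claude.ai:443 pa.gomez HIER_DIRECT/203.0.113.14 -
1714000005.600    199 10.20.30.40 TCP_TUNNEL/200 3001 CONNECT chatgpt.com:443 dr.lee HIER_DIRECT/203.0.113.11 -
1714000006.700    150 10.20.30.43 TCP_MISS/200 800 GET http://intranet.example.org/schedule rn.patel HIER_DIRECT/10.0.0.5 text/html
""".splitlines()


def report(lines=SAMPLE_LOG):
    """Inventory rows, ordered so consumer tools that can be blocked outright come first."""
    order = {"no_baa": 0, "mixed": 1, "baa": 2}
    found = discover(lines)
    rows = []
    for vendor, rec in sorted(found.items(), key=lambda kv: (order[kv[1]["tier"]], kv[0])):
        rows.append(f"{vendor:<18} {rec['tier']:<7} hits={rec['hits']:<3} "
                    f"users={','.join(sorted(rec['users']))} -> {rec['action']}")
    return rows


if __name__ == "__main__":
    print("\n".join(report()))
```

Feed it a day of real proxy or CASB export and the `mixed` rows are the ones that need a conditional-access or tenant-restriction ticket rather than a firewall rule; the `no_baa` rows are your Phase 3 block list, and the distinct-user sets are the staff to survey for personal-account use.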

90-day healthcare AI governance roadmap

From inventory to risk assessment in 90 days

The phased plan EFROS runs for healthcare deployers, built on NIST AI RMF and mappable to ISO/IEC 42001. Six two-week phases, each producing a defined evidence artifact. Designed to integrate with existing HIPAA Security Rule risk analysis cycles rather than running as a parallel program.

Phase 1Week 1-2

AI inventory + shadow-AI discovery

Map every AI tool touching clinical workflows: EHR-embedded AI features (Epic, Oracle Health (Cerner), athenahealth), standalone clinical AI (scribes, imaging, sepsis), copilots (M365, ChatGPT, Claude), and AI-embedded vendor tools (Salesforce Health Cloud Einstein, HubSpot, Intercom Fin). Correlate web-proxy and identity-provider logs against the vendor matrix to surface shadow AI, and survey clinical staff for personal-account use.

Phase 2Week 3-4

Tier classification + NIST AI RMF consequential-decision risk mapping

Classify each inventoried AI system against NIST AI RMF (Govern/Map/Measure/Manage) and consequential-decision criteria. Document classification rationale per system with signoff. Flag systems needing a NIST AI RMF risk assessment. Identify state-of-residence exposure for SB 26-189 consumer-disclosure triggers.

Phase 3Week 5-6

Vendor BAA + DPA verification

Execute or verify a BAA with every AI vendor processing PHI, and a DPA where the vendor handles employee or candidate personal data that is not PHI. Block consumer-tier AI (Perplexity, Notion AI, consumer ChatGPT/Claude) at the identity layer. Document training-data lineage for any vendor whose model was fine-tuned on customer data.

Phase 4Week 7-8

Section 1557 algorithmic non-discrimination audit

For each consequential-decision system, document bias-testing methodology, demographic performance analysis, and remediation triggers per the HHS-OCR Section 1557 final rule (effective July 2024; its 45 CFR 92.210 provision on patient care decision support tools had a compliance date of May 1, 2025). Establish an escalation protocol for performance disparities on the bases the rule covers: race, color, national origin, sex, age, or disability.

Phase 5Week 9-10

Human oversight + audit logging

Implement human-in-the-loop (NIST AI RMF MANAGE) controls on every consequential-decision system output: documented review checkpoints, mandatory clinician sign-off on diagnostic suggestions, and tamper-evident audit-log capture of accept/override decisions with the stated reason for each override, so that override rates can be analysed per demographic group in the Section 1557 audit. Configure Microsoft Purview DSPM for AI (formerly Purview AI Hub) or an equivalent for prompt and output logging.

Phase 6Week 11-12

Risk assessment + consumer disclosure

Produce a NIST AI RMF risk assessment + SB 26-189 disclosure artifact per consequential-decision system: purpose, training data summary, evaluation methodology, known limitations, foreseeable risks. Update patient-facing notices and consent forms to disclose AI use where it materially informs care decisions, satisfying SB 26-189 consumer notice.
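The oversight logging of Phase 5 and the disparity check of Phase 4, carried through in working code as an added example that is not an EFROS deliverable or any vendor's product. It assumes a hypothetical consequential-decision system identified as "sepsis-risk-v2", constructed review records and demographic strata, and an illustrative 1.25 disparity ratio. Each clinician accept/override is appended to a SHA-256 hash chain so a later edit or deletion of an override record is detectable, and per-stratum override rates are compared against the overall rate as an escalation signal.

```python
"""Tamper-evident human-oversight log with a per-stratum override disparity check.

Added example; not EFROS's code or a vendor product. System id "sepsis-risk-v2",
the review records, the strata and the 1.25 ratio threshold are all constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS = "0" * 64  # previous-hash value for the first record


@dataclass(frozen=True)
class Review:
    ts: str         # ISO-8601 time of the clinician's decision
    system: str     # identifier from the AI inventory
    case_id: str    # de-identified case token, never an MRN or a name
    ai_output: str  # what the system recommended
    decision: str   # "accept" or "override"
    reason: str     # mandatory free text when decision == "override"
    stratum: str    # demographic group, used only for aggregate analysis


class OversightLog:
    def __init__(self):
        self.entries = []  # each: {"prev": hash, "hash": hash, "review": dict}

    @staticmethod
    def _digest(prev_hash, review):
        # canonical JSON so the hash is independent of key order and whitespace
        payload = json.dumps(review, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

    def append(self, review):
        if review.decision not in ("accept", "override"):
            raise ValueError("decision must be 'accept' or 'override'")
        if review.decision == "override" and not review.reason.strip():
            raise ValueError("an override must carry a documented reason")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = asdict(review)
        digest = self._digest(prev, rec)
        self.entries.append({"prev": prev, "hash": digest, "review": rec})
        return digest

    def verify(self):
        """True iff every record links to its predecessor and re-hashes cleanly."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["review"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def override_rates(self):
        """Per-stratum override rate and the overall rate."""
        totals, overrides = {}, {}
        for e in self.entries:
            s = e["review"]["stratum"]
            totals[s] = totals.get(s, 0) + 1
            if e["review"]["decision"] == "override":
                overrides[s] = overrides.get(s, 0) + 1
        rates = {s: overrides.get(s, 0) / n for s, n in totals.items()}
        overall = sum(overrides.values()) / sum(totals.values()) if totals else 0.0
        return rates, overall


def disparity_flags(rates, overall, ratio=1.25):
    """Strata overridden more than `ratio` times as often as the overall rate.

    Clinicians overriding the model far more often for one group is a
    performance-disparity signal for the escalation protocol; 1.25 is an
    illustrative threshold a governance committee would set, not a regulatory one.
    """
    if overall == 0:
        return []
    return sorted(s for s, r in rates.items() if r / overall > ratio)


def build_sample_log():
    """Eight constructed reviews of the hypothetical sepsis model."""
    log = OversightLog()
    rows = [("A", "accept", ""), ("A", "accept", ""), ("A", "override", "lactate normal"),
            ("A", "accept", ""), ("B", "override", "no SIRS criteria met"),
            ("B", "override", "duplicate alert"), ("B", "accept", ""),
            ("B", "override", "post-op fever, not sepsis")]
    for i, (stratum, decision, reason) in enumerate(rows):
        log.append(Review(ts=f"2026-03-01T08:{i:02d}:00Z", system="sepsis-risk-v2",
                          case_id=f"case-{i:04d}", ai_output="high sepsis risk",
                          decision=decision, reason=reason, stratum=stratum))
    return log


def tamper(log):
    """Silently flip the first override to an accept, as an insider might."""
    for e in log.entries:
        if e["review"]["decision"] == "override":
            e["review"]["decision"] = "accept"
            break
    return log
```

In production the chain head (the latest hash) would be anchored somewhere the application account cannot write, such as a daily entry in the SIEM or a signed timestamp, so that a truncated log is as detectable as an edited one; the per-stratum rates feed the Phase 4 escalation protocol, and the verified chain is the evidence artifact for Phase 5.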

FAQ

Common questions from healthcare deployers

Does the Colorado AI Act apply to a healthcare organization headquartered outside Colorado?

Colorado's amended AI law (SB 26-189) applies based on where the consumer (patient, employee, or ADS-decision subject) resides — not where the deployer is headquartered. A New York health system that runs an automated decision system on a Colorado resident's chart picks up SB 26-189 disclosure obligations for that interaction. SB 26-189 was signed 2026-05-14 and takes effect January 2027. Note: the original SB 24-205 high-risk/impact-assessment regime was repealed before it ever took effect.

Is there a small-organization exemption?

Yes — SB 26-189 narrows its automated-decision-system disclosure duties and exempts smaller deployers under defined thresholds, a tighter scope than the repealed SB 24-205 regime. But size never exempts the federal baselines: Section 1557 non-discrimination and HIPAA still apply to clinical AI regardless of headcount, and NIST AI RMF governance is what your insurers, procurement partners, and enterprise customers expect of every deployer.

How does HHS-OCR Section 1557 interact with Colorado AI Act?

Section 1557 final rule (effective July 2024) prohibits algorithmic discrimination in covered health programs receiving federal financial assistance — this is unaffected by any Colorado change. Colorado's SB 26-189 adds a transparency/consumer-disclosure layer for automated decision systems on top of the Section 1557 non-discrimination baseline. Compliance with one does not satisfy the other — both apply when both jurisdictional triggers are met, and your operating program should run to NIST AI RMF either way.

What is a 'consequential decision' under Colorado AI Act for healthcare?

Under SB 26-189, a consequential decision is one with a material legal or similarly significant effect on a Colorado consumer — including access to healthcare services — made by an automated decision system. In practice this captures diagnostic decision support, treatment routing, prior authorization, eligibility determination, credentialing, and any AI output that substantially informs the clinician's care decision. These are the same systems NIST AI RMF treats as the highest governance priority.

Do clinical AI scribes (Abridge, Suki, DAX, Heidi) trigger Colorado AI Act disclosure obligations?

They become consequential-decision systems (a NIST AI RMF governance priority and an SB 26-189 disclosure trigger) when their output materially informs documentation, coding, billing, or downstream clinical decisions. A scribe that auto-generates the assessment and plan (A&P) section which the clinician signs without substantive review meets the substantial-factor threshold. The remedy is procedural (documented human-review checkpoints with logged overrides), not removal of the scribe.

What documentation does EFROS produce as part of the AI Governance program?

AI inventory, per-system NIST AI RMF tier classification with rationale, vendor BAA verification matrix, Section 1557 non-discrimination audit methodology + results, human-oversight runbooks, audit-log retention configuration, a NIST AI RMF risk assessment + SB 26-189 consumer-disclosure artifact per consequential-decision system, and a board-grade quarterly executive summary — mappable to an ISO/IEC 42001 AI management system. Fixed-fee 10-day audit converts to managed retainer with audit fee credited toward first quarter.

Three ways forward

Self-assess your AI exposure in 5 minutes, book a 20-minute scoping call, or reserve the fixed-fee 10-day AI Governance audit with the deliverables described on this page.

Cite this resource

Reference this resource with attribution under CC-BY-4.0. Copy any of the formats below for academic papers, blog posts, AI citations, or vendor evidence packages.

APA (7th edition)
Efros, S. (2026, May). Colorado AI Act for Healthcare Deployers. EFROS. https://efros.com/resources/colorado-ai-act-healthcare/
MLA (9th edition)
Efros, Stefan. "Colorado AI Act for Healthcare Deployers." EFROS, May 2026, https://efros.com/resources/colorado-ai-act-healthcare/.
Chicago (author-date)
Efros, Stefan. 2026. "Colorado AI Act for Healthcare Deployers." EFROS. https://efros.com/resources/colorado-ai-act-healthcare/.
IEEE
S. Efros, "Colorado AI Act for Healthcare Deployers," EFROS, May 2026. [Online]. Available: https://efros.com/resources/colorado-ai-act-healthcare/
BibTeX
@misc{efros2026coloradoaiactfor,
  author = {Stefan Efros},
  title = {Colorado AI Act for Healthcare Deployers},
  year = {2026},
  month = {May},
  publisher = {EFROS},
  url = {https://efros.com/resources/colorado-ai-act-healthcare/},
  note = {Accessed: May 2026}
}
Plain text URL
https://efros.com/resources/colorado-ai-act-healthcare/

Site-wide citation metadata is also published as a CITATION.cff file at /CITATION.cff for citation-management tools and academic indexers.