plainstamp 0.2.0 → 0.4.0

package/CHANGELOG.md

@@ -16,6 +16,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 Distribution is **npm-only**. Source remains in the operating organization's private repository; there is no public source repository host. Contact channel for issues, accuracy reports, security reports, and contribution proposals is **helpfulbutton140@agentmail.to** (see `docs/CONTRIBUTING.md`, `docs/SECURITY.md`).
 
+## [0.4.0] — 2026-05-08
+
+### Added
+
+- California SB 1120 — Physicians Make Decisions Act (Senate Bill 1120, signed September 28, 2024; effective January 1, 2025). Amends California Health and Safety Code § 1367.01 and Insurance Code § 10123.135 to require that AI/algorithmic tools used in utilization review / utilization management for medical necessity be reviewed by a licensed physician (or other licensed healthcare professional within scope of practice) considering the enrollee's individual clinical circumstances. Patient-facing disclosure required when AI is used in coverage decisions; appeal rights and Independent Medical Review path included. Use cases `healthcare` and `financial-services`. Severity `mandatory`.
+- Third SEO guide: `docs/guides/nyc-local-law-144-aedt-builder-guide.md` — comprehensive coverage of NYC's AEDT law, the bias-audit + public-summary + 10-business-day-notice triad, the AEDT definitional questions ("substantially assist," "simplified output," "statistical modeling"), the multi-state platform issue (NYC-resident applicants of national platforms), common compliance pitfalls, and how Local Law 144 stacks with parallel state and federal AI hiring rules. Targets the highly active employment-AI compliance vertical.
+- Rule count 20 → 21. Tests still 51/51 passing.
+
+## [0.3.0] — 2026-05-08
+
+### Added
+
+- HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (45 CFR § 92.210, May 6, 2024 final rule). Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, HHS-administered programs) must identify uses of AI/ML clinical decision-support tools and make reasonable efforts to mitigate algorithmic discrimination. Compliance deadline May 1, 2025 — now in effect and enforceable. Use case `healthcare`.
+- Second SEO guide: `docs/guides/colorado-ai-act-sb-24-205-builder-guide.md` — long-form coverage of Colorado's comprehensive AI Act, the high-risk AI system definition, deployer/developer obligations, the consumer-disclosure components, the June 30, 2026 deadline, and how SB 24-205 stacks with parallel state and federal AI rules. Targets the high-traffic Colorado-compliance search vertical (deadline pressure + uncertainty about scope).
+- Rule count 19 → 20. Tests still 51/51 passing.
+
 ## [0.2.0] — 2026-05-08
 
 ### Added

package/docs/guides/colorado-ai-act-sb-24-205-builder-guide.md

@@ -0,0 +1,216 @@
+# Colorado AI Act (SB 24-205): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI product is sold to or used by people in Colorado and any of
+its decisions could affect a person's access to housing, employment,
+education, healthcare, financial services, government services, legal
+services, or essential goods and services, **the Colorado AI Act
+applies to you**. The rule is one of the strictest comprehensive AI
+laws in the U.S. and its consumer-disclosure obligation goes into
+effect **June 30, 2026** after a delay from the original February 2026
+date. This guide walks through what the rule requires, what it does
+*not* require, and what to ship before the deadline.
+
+## What SB 24-205 actually does
+
+Colorado SB 24-205 (codified at Colorado Revised Statutes § 6-1-1701
+et seq.) creates obligations for two parties:
+
+- **Developers** of high-risk AI systems — entities that build and
+  deploy a high-risk AI system or substantially modify one.
+- **Deployers** of high-risk AI systems — entities that use a high-
+  risk AI system in their operations affecting Colorado consumers.
+
+A "high-risk AI system" is one that, when deployed, makes or is a
+substantial factor in making a "consequential decision" — defined to
+include decisions affecting access to or cost of:
+
+- Educational opportunities
+- Employment or employment opportunities
+- Financial or lending services
+- Essential government services
+- Healthcare services
+- Housing
+- Insurance
+- Legal services
+
+The Act layers two distinct sets of obligations: substantive (avoid
+algorithmic discrimination) and procedural (impact assessments, risk
+management, regulator notifications, consumer notices).
+
+## The consumer-disclosure obligation — what to ship
+
+The consumer-facing piece — the part most builders need to ship — has
+three components:
+
+### 1. Pre-decision disclosure (deployer obligation)
+
+Before a high-risk AI system makes a consequential decision about a
+consumer, the deployer must give the consumer:
+
+- A statement disclosing that a high-risk AI system has been used
+  in the consequential decision-making process.
+- A description of the high-risk AI system, its purpose, and how
+  it has been used.
+- The nature of the consequential decision.
+- Contact information for the deployer.
+- A description of any human components of the decision-making
+  process and how the AI system contributes to the decision.
+- A description of the consumer's rights under SB 24-205,
+  including the right to opt out of the processing of personal
+  data for profiling that produces legal or similarly significant
+  effects (under the Colorado Privacy Act), the right to correct
+  incorrect personal data, and the right to appeal an adverse
+  consequential decision.
+
+### 2. Adverse-decision notice (deployer obligation)
+
+If the high-risk AI system contributes to an adverse consequential
+decision, the deployer must additionally disclose to the consumer:
+
+- The principal reason(s) for the adverse decision.
+- The degree to which the AI system contributed to the decision.
+- The type of data processed by the AI system in making the
+  decision and the source of that data.
+- The right to correct incorrect personal data, the right to
+  appeal the adverse decision, and the right to opt out of
+  profiling.
+
+### 3. Public-facing statement (developer + deployer)
+
+Both developers and deployers must publish a public statement summarizing:
+
+- The types of high-risk AI systems they currently develop /
+  deploy.
+- How the entity manages known or reasonably foreseeable risks of
+  algorithmic discrimination.
+- The most recent date the public statement was updated.
+
+## What SB 24-205 does *not* require
+
+Common misconceptions worth clearing up:
+
+- **It is not a CCPA-style right of deletion**. SB 24-205 layers on
+  the existing Colorado Privacy Act for personal-data rights; it
+  doesn't create new general-purpose data rights.
+- **It does not require pre-approval or registration of every AI
+  system** with a Colorado regulator. Developers must notify the
+  Colorado Attorney General within 90 days of discovering that a
+  high-risk AI system has caused or is reasonably likely to have
+  caused algorithmic discrimination, but routine deployment doesn't
+  require pre-clearance.
+- **It does not apply to most generative AI consumer products**
+  unless a specific deployment of that product is itself a high-
+  risk AI system making consequential decisions. A general-purpose
+  LLM helping a user write an email is not a high-risk AI system;
+  the same LLM scoring resumes for an employer is.
+
+## The deadlines
+
+- **June 30, 2026** — consumer-disclosure obligations apply to
+  deployers (delayed from the original February 2026 date).
+- **Public statement and risk-management obligations apply on
+  the same date.**
+- **Algorithmic-discrimination notification to the Attorney General**
+  applies on the same date.
+
+## How SB 24-205 stacks with other AI rules
+
+Colorado SB 24-205 is part of a comprehensive U.S.-state AI regime
+that's emerging unevenly across jurisdictions. Builders deploying
+across multiple states need to layer obligations:
+
+- **California**: AB 2013 (training-data transparency, effective
+  2026-01-01); B&P § 17941 (bot disclosure); SB 942 (AI provenance);
+  the California Privacy Protection Agency's automated-decision-
+  making rulemaking.
+- **Illinois**: HB 3773 amending the Illinois Human Rights Act
+  (employment AI, effective 2026-01-01).
+- **Texas**: TRAIGA (HB 149, effective 2026-01-01) — government-
+  agency and healthcare-provider AI disclosure obligations.
+- **Utah**: SB 149 + SB 226 — GenAI disclosure in regulated
+  occupations.
+- **New York City**: Local Law 144 — AEDT bias audits for
+  employment AI.
+- **Maryland**: Labor & Employment § 3-717 — facial recognition
+  in interviews requires written consent.
+- **Federal**: EEOC technical assistance on Title VII selection
+  procedures; CFPB Circular 2023-03 on AI adverse-action notices;
+  HHS Section 1557 on patient-care decision support tools; FINRA
+  Regulatory Notice 24-09 on AI in member-firm communications.
+- **EU**: AI Act Articles 50(1) and 50(2); GDPR Article 22 on
+  automated decisions.
+
+A consumer-facing AI product operating across these jurisdictions
+needs disclosure copy for each — and the disclosures often differ in
+content, timing, and format. That's the maintenance problem
+`plainstamp` exists to solve.
+
+## How plainstamp helps
+
+`plainstamp` ships an `us-co-sb24-205-consumer-disclosure` rule that
+returns the live disclosure-element checklist for SB 24-205, ready-
+to-paste plain-language and formal-language templates, citation back
+to the Colorado Office of Legislative Legal Services source URL, and
+a `last_verified` date.
+
+Typical lookup for a deployer notifying a Colorado employment-AI user
+before a hiring decision:
+
+```bash
+npx plainstamp lookup --jurisdiction us-co \
+                      --channel email-transactional \
+                      --use-case employment-decisions
+```
+
+This returns the SB 24-205 consumer-disclosure rule. To pick up the
+parallel federal-floor obligation (EEOC technical assistance) and the
+parallel state-employment rules in other states the deployer
+operates in, query each jurisdiction in turn. plainstamp's
+parent-jurisdiction inheritance rule means a `us-co` query also
+matches federal-level `us` rules.
+
+For the public-facing statement (developer or deployer) and the
+internal-governance items (impact assessments, risk-management
+program), consult Colorado Attorney General published guidance
+directly — those are above plainstamp's scope (which covers per-
+interaction or per-decision disclosure text, not corporate
+governance program documentation).
+
+## The minimum viable Colorado disclosure
+
+If you ship one thing this quarter, ship the pre-decision disclosure:
+
+1. A clear statement that a high-risk AI system is being used in
+   the consequential decision.
+2. A description of the AI system's purpose and role in the
+   decision.
+3. A description of any human components of the decision.
+4. Contact information for the deployer.
+5. A summary of the consumer's appeal, correction, and opt-out
+   rights, with a path to exercise them.
+
+If your AI system can produce adverse outcomes (denials, rejections,
+adverse employment actions, etc.), also ship the adverse-decision
+notice with principal reasons, the AI's contribution, and data-source
+disclosure.
+
+## Source-of-truth links
+
+- **Colorado SB 24-205 — full text and legislative history**
+  ([leg.colorado.gov](https://leg.colorado.gov/bills/sb24-205))
+- **Colorado Attorney General — AI Act guidance and rulemaking**
+  ([coag.gov](https://coag.gov/))
+- **Colorado Privacy Act**, into which SB 24-205 connects for personal-
+  data rights ([leg.colorado.gov](https://leg.colorado.gov/))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/docs/guides/nyc-local-law-144-aedt-builder-guide.md

@@ -0,0 +1,206 @@
+# NYC Local Law 144 (AEDT): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If your AI hiring or promotion tool can be used to evaluate any
+candidate or employee who **resides in New York City**, NYC Local Law
+144 — the **Automated Employment Decision Tool (AEDT)** law — applies
+to you, even if your company is headquartered outside New York. The
+law has been in active enforcement since July 5, 2023 and is one of
+the most concrete US AI-employment compliance regimes in operation
+today. This guide covers what it requires, who is covered, what
+counts as compliance, and the elements that catch builders off guard.
+
+## What Local Law 144 actually requires
+
+NYC Local Law 144 of 2021 (codified at NYC Administrative Code §§ 20-870
+through 20-873) prohibits employers and employment agencies operating
+in New York City from using an Automated Employment Decision Tool
+(AEDT) to substantially assist or replace discretionary decision-making
+for an employment decision unless **three** conditions are all met:
+
+1. **Bias audit.** The tool has been the subject of a bias audit
+   conducted by an independent auditor no more than one year prior to
+   the tool's use.
+2. **Public summary.** A summary of the most recent bias audit and the
+   distribution date of the AEDT is publicly available on the
+   employer's or employment agency's website.
+3. **10-business-day candidate notice.** Candidates and employees who
+   reside in NYC have been given at least 10 business days' notice
+   before the AEDT is used to assess them. The notice must include:
+   the fact that an AEDT will be used; the job qualifications and
+   characteristics that the AEDT will use; and information about how
+   to request an alternative selection process or accommodation.
+
+Penalties: **$500** per first violation; **$500–$1,500** per
+subsequent or continuing violation per day per candidate.
+
+## What's an "AEDT" — the key definitional question
+
+Local Law 144 defines an AEDT as a "computational process, derived
+from machine learning, statistical modeling, data analytics, or
+artificial intelligence, that issues simplified output, including a
+score, classification, or recommendation, that is used to substantially
+assist or replace discretionary decision-making for making
+employment decisions that impact natural persons."
+
+Three elements catch builders off guard:
+
+- **"Substantially assist or replace"** is a fact-specific standard.
+  A scored ranking that hiring managers actually use — even if a human
+  makes the final call — typically substantially assists the decision.
+  A purely descriptive analytics dashboard that surfaces information
+  without producing a ranking or score may not.
+- **"Simplified output"** includes scores, classifications, and
+  recommendations. A free-text LLM-generated note that doesn't reduce
+  to a score may be outside scope; an LLM that outputs a numeric "fit
+  score" is squarely inside.
+- **"Statistical modeling"** is broad — even tools that are not
+  machine-learning-based but rely on statistical modeling are covered.
+
+## The bias audit (the procedural heart of the law)
+
+Bias audits must:
+
+- Be conducted by an independent auditor (not the employer, the
+  vendor, or any party with a material conflict).
+- Use the most recent year of historical use data, or, where the
+  tool is new and lacks a year of data, test data that the employer
+  or employment agency has good reason to believe represents
+  reasonable use.
+- Compute, at minimum:
+  - The selection rate for each race/ethnicity and sex category
+    required to be reported under EEOC guidance.
+  - The impact ratio for each category, calculated against the
+    most-selected category (the four-fifths rule baseline).
+  - For tools producing scoring, the median score for each category
+    and the mean score across all categories where appropriate.
+
+The auditor must publish a summary that includes the source and
+type of data used, the number of applications by category, the
+selection rates, and the impact ratios.
+
+## The candidate notice — what to ship
+
+The 10-business-day notice must reach NYC-resident candidates and
+employees before the AEDT is used in their evaluation. It must:
+
+- State that an AEDT will be used to assess the candidate or
+  employee.
+- Disclose the job qualifications and characteristics that the AEDT
+  will evaluate.
+- Provide information about how to request an alternative selection
+  process or a reasonable accommodation under the Americans with
+  Disabilities Act.
+
+Form: written. Channel: any reasonable means — email, application
+portal, posted notice. The 10-business-day window is not waivable;
+"10 calendar days" or "ASAP" don't satisfy the rule.
+
+## Who is "in New York City" for purposes of the law
+
+This is the question that catches multi-state employers most often.
+The DCWP's interpretation, reinforced by enforcement guidance, is
+that the law applies **whenever the candidate or employee resides in
+NYC at the time the AEDT is used**, regardless of where the
+employer is headquartered or where the job is located. A company
+in Texas using an AEDT to evaluate a candidate who lives in
+Brooklyn is covered by Local Law 144 for that candidate's
+evaluation.
+
+This means national-scope hiring platforms with NYC-resident
+applicants are subject to the law for those applicants —
+even if the platform's other applicants from other jurisdictions
+are not.
+
+## How Local Law 144 stacks with other rules
+
+Local Law 144 is the city-level layer. Builders deploying AI hiring
+tools across multiple jurisdictions need to layer state and federal
+obligations:
+
+- **Federal**: EEOC technical assistance applying Title VII / Uniform
+  Guidelines to AI selection procedures. Federal floor; the Local
+  Law 144 bias audit's four-fifths-rule analysis is consistent with
+  the Uniform Guidelines.
+- **Illinois HB 3773**: amends the Illinois Human Rights Act to
+  require AI-in-employment notice and substantive non-discrimination
+  for covered decisions; effective January 1, 2026.
+- **Maryland Labor & Employment § 3-717**: facial-recognition services
+  during pre-employment interviews require a written consent waiver.
+- **Colorado SB 24-205**: high-risk AI system used in employment
+  decisions triggers consumer-disclosure obligations.
+- **EU**: AI Act + GDPR Article 22 if any candidate is in the EU.
+
+## Common compliance pitfalls
+
+- **Using the vendor's bias audit as the employer's bias audit.**
+  The auditor must be independent of both the employer and the
+  vendor. A vendor-paid audit is generally insufficient.
+- **Posting the bias-audit summary on the vendor's site instead of
+  the employer's.** The summary must be on the employer's or
+  employment agency's website.
+- **Treating "bias audit pending" as compliance.** Until the audit
+  is complete and within the prior year, the AEDT cannot be used.
+- **Counting calendar days instead of business days.** "10 business
+  days" excludes weekends and NYC holidays.
+- **Forgetting the alternative-process information.** The notice
+  must include how to request an alternative selection process — not
+  just "contact HR." Best practice is a specific email or web form.
+- **Multi-state platform error.** A platform that uses AEDT for all
+  candidates regardless of residence applies Local Law 144 to its
+  NYC-resident applicants and may run afoul of differing state
+  obligations for non-NYC applicants.
+
+## How plainstamp helps
+
+`plainstamp` ships an `us-ny-nyc-local-law-144-aedt` rule that
+returns the live disclosure-element checklist for Local Law 144,
+ready-to-paste plain-language and formal-language candidate-notice
+templates, citation back to the NYC Rules / DCWP source URL, and a
+`last_verified` date. Lookup:
+
+```bash
+npx plainstamp lookup --jurisdiction us-ny-nyc \
+                      --channel email-transactional \
+                      --use-case employment-decisions
+```
+
+Returns the AEDT rule. Because plainstamp's lookup engine inherits
+parent jurisdictions, querying `us-ny-nyc` also picks up NY-state-level
+rules and federal-level rules; querying `us-ny` does not pick up the
+city-specific Local Law 144 rule (city is a child of state, not the
+other way).
+
+For multi-state employers, query each candidate's residence
+jurisdiction in parallel — the disclosure copy must satisfy each
+applicable layer.
+
+## The minimum viable Local Law 144 disclosure
+
+If you ship one thing this week, ship the candidate notice (the
+10-business-day notice). It must include:
+
+1. A clear statement that an AEDT will be used.
+2. The job qualifications and characteristics the AEDT will evaluate.
+3. A path to request an alternative selection process or accommodation.
+
+Then book the independent bias audit. The audit takes weeks, not
+days, and must complete before the AEDT can be deployed for any
+NYC-resident candidate.
+
+## Source-of-truth links
+
+- **NYC Local Law 144 of 2021 — DCWP final rules** ([rules.cityofnewyork.us](https://rules.cityofnewyork.us/rule/automated-employment-decision-tools-updated/))
+- **DCWP enforcement guidance** ([nyc.gov/dca](https://www.nyc.gov/site/dca/businesses/automated-employment-decision-tools.page))
+- **EEOC technical assistance on AI in employment selection** ([eeoc.gov](https://www.eeoc.gov/laws/guidance/select-issues-assessing-adverse-impact-software-algorithms-and-artificial-intelligence-employment-selection-procedures))
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp on npm`](https://www.npmjs.com/package/plainstamp)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",

package/rules/seed.json

@@ -859,6 +859,105 @@
         "formal": "Notice under FINRA Regulatory Notice 24-09 and Rules 2210, 2090, 2111, 3110, 4511, and 3220: This communication was generated, in whole or in part, with the assistance of artificial-intelligence technology. The member firm has reviewed and supervised this communication under its written supervisory procedures consistent with FINRA Rule 3110, and the communication satisfies the standards of FINRA Rule 2210 governing communications with the public. Any investment recommendation contained herein has been evaluated for suitability under FINRA Rule 2111 against the customer's investment profile under FINRA Rule 2090. The firm retains records of this communication under FINRA Rule 4511. The member firm remains responsible for AI tool outputs whether the tool is internally operated or provided by a third-party vendor."
       },
       "notes": "FINRA Regulatory Notice 24-09 is reminder-and-clarification guidance — it does not create new rules. The binding obligations are the existing FINRA rules (2210, 2090, 2111, 3110, 4511, 3220), which apply by their existing terms to AI-driven communications, recommendations, and records. Member firms (broker-dealers and their associated persons) are bound; non-member firms are not directly bound by FINRA rules but may face parallel obligations under SEC rules (e.g., Rule 17a-4 books-and-records, Investment Advisers Act fiduciary duty for IA-registered firms) — this rule's `jurisdiction` is `us` because FINRA is a self-regulatory organization with national scope, not a single-state regulator. The 2023 SEC Staff Bulletin on conflicts of interest for AI/PDA-using broker-dealers and investment advisers (and the SEC's proposed PDA rule, Rel. No. 34-97990) layers additional obligations specifically around conflicts; firms with PDA / AI advisory tools should consult both. FINRA expects firms to update their WSPs to specifically address AI tool use; using AI without WSP coverage is an immediate Rule 3110 supervision deficiency. Firms should also be aware of state-level adverse-action and disclosure overlays (e.g., NYDFS's October 2024 cybersecurity / AI guidance for licensed entities)."
+    },
+    {
+      "id": "us-hhs-section-1557-pcdst-2024",
+      "jurisdiction": "us",
+      "channels": ["ai-generated-content", "about-page", "privacy-policy"],
+      "use_cases": ["healthcare"],
+      "severity": "mandatory",
+      "short_title": "HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (2024 final rule)",
+      "summary": "On May 6, 2024, the U.S. Department of Health and Human Services Office for Civil Rights published a final rule (89 Fed. Reg. 37522) implementing Section 1557 of the Affordable Care Act that imposes nondiscrimination obligations on covered entities' use of 'patient care decision support tools' (PCDSTs) — defined to include automated and non-automated tools, including artificial-intelligence and machine-learning-based clinical decision support. Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, and HHS-administered health programs) must (a) make reasonable efforts to identify uses of PCDSTs in their health programs and activities that employ input variables or factors that measure race, color, national origin, sex, age, or disability; AND (b) make reasonable efforts to mitigate the risk of discrimination resulting from the tool's use. The compliance deadline for the PCDST nondiscrimination obligation was May 1, 2025; the obligation is now in effect and enforceable. Penalties for Section 1557 violations include loss of federal financial assistance, OCR-imposed corrective-action plans, and potential private-right-of-action claims for discrimination.",
+      "required_elements": [
+        {
+          "id": "pcdst-identification",
+          "description": "Reasonable efforts to identify uses of PCDSTs (including AI/ML clinical decision support tools) in the entity's health programs and activities.",
+          "required": false,
+          "example": "Internal inventory and documentation of all AI/ML clinical decision support tools deployed in patient care, with notation of input variables and use cases. (System / governance requirement; does not require per-patient disclosure.)"
+        },
+        {
+          "id": "pcdst-mitigation",
+          "description": "Reasonable efforts to mitigate the risk of discrimination resulting from PCDST use, including documentation of mitigation steps and ongoing monitoring.",
+          "required": false,
+          "example": "Documented mitigation procedures, periodic testing for adverse impact across protected classes, and a designated responsible person or office. (System / governance requirement.)"
+        },
+        {
+          "id": "patient-facing-pcdst-notice",
+          "description": "Patient-facing notice that AI/ML decision-support tools may inform clinical decisions, where the entity's notice-of-availability obligations under § 92.11 apply (translation requirements + civil rights coordinator + grievance procedures).",
+          "required": true,
+          "example": "Notice: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial intelligence. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights."
+        },
+        {
+          "id": "civil-rights-coordinator-designation",
+          "description": "Designation of a Civil Rights Coordinator responsible for the entity's Section 1557 compliance, including PCDST nondiscrimination obligations. (Governance, not per-patient text.)",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116); 45 CFR Part 92, as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522",
+        "section": "45 CFR § 92.210 (Discrimination through the use of patient care decision support tools)",
+        "source_url": "https://www.federalregister.gov/documents/2024/05/06/2024-08711/nondiscrimination-in-health-programs-and-activities",
+        "publisher": "U.S. Department of Health and Human Services, Office for Civil Rights"
+      },
+      "effective_date": "2025-05-01",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — Use of Decision-Support Tools in Your Care: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial-intelligence and machine-learning systems. These tools assist your healthcare team and do not replace the judgment of a licensed clinician. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, please contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights at https://www.hhs.gov/ocr/.",
+        "formal": "Notice under Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116) and the implementing regulations at 45 CFR Part 92 (as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522): The covered entity uses one or more patient care decision support tools, including artificial-intelligence and machine-learning-based clinical decision support, in its health programs and activities. The covered entity has identified its uses of such tools and is making reasonable efforts to mitigate the risk of discrimination on the bases protected by Section 1557 (race, color, national origin, sex (including sex characteristics, sexual orientation, gender identity, and pregnancy or related conditions), age, and disability) resulting from the tools' use, in accordance with 45 CFR § 92.210. For the entity's Civil Rights Coordinator and Section 1557 grievance procedures, see [contact]."
+      },
+      "notes": "Section 1557's PCDST obligation is governance-heavy — most of the compliance work is internal (identifying tools, documenting mitigation, designating coordinators) rather than patient-facing text. The patient-facing element is the Section 1557 notice-of-availability under § 92.11 plus, where the entity exposes AI-informed decisions to patients, a clear acknowledgment that automated tools may inform clinical decisions and a path to discuss with a clinician. Covered entities include most healthcare providers receiving any form of federal financial assistance (Medicare-participating providers, Medicaid-participating providers, federally-qualified health centers, etc.), all health insurers in HHS-administered marketplaces, and HHS itself. The 'reasonable efforts' standard is intentionally flexible — OCR has stated in commentary that what constitutes 'reasonable' will scale with the entity's size and resources, but documentation is essential. PCDSTs explicitly include AI/ML decision-support tools and (per OCR commentary) tools that produce or use clinical scores (e.g., Epic Sepsis Model, Beth Israel Discharge Risk score, etc.). Federal funding loss is the principal sanction; OCR can also impose corrective action plans. State-level overlays may apply (e.g., California SB 1120 — Physicians Make Decisions Act, requiring physician review of AI-driven coverage denials in health plans — effective 2025-01-01). Stack with HIPAA Privacy Rule (45 CFR Part 164) when patient information is processed; stack with state AI hiring/employment-decision laws when the PCDST is used in employment of healthcare workers."
+    },
+    {
+      "id": "us-ca-sb1120-physicians-make-decisions-2024",
+      "jurisdiction": "us-ca",
+      "channels": ["email-transactional", "ai-generated-content"],
+      "use_cases": ["healthcare", "financial-services"],
+      "severity": "mandatory",
+      "short_title": "California SB 1120 — Physicians Make Decisions Act (utilization review)",
+      "summary": "California SB 1120 (signed September 28, 2024; effective January 1, 2025) amends Health and Safety Code § 1367.01 (governing health-care service plans regulated by the Department of Managed Health Care) and Insurance Code § 10123.135 (governing health insurers regulated by the Department of Insurance) to limit the use of artificial-intelligence and algorithmic tools in utilization review and utilization management decisions for medical necessity. A health-care service plan or insurer that uses AI, algorithm, or other software tool for the purpose of utilization review or utilization management may not deny, delay, or modify health-care services based in whole or in part on medical necessity unless a licensed physician (or other licensed healthcare professional acting within the scope of practice) reviews the basis for the decision and the decision considers the enrollee's individual clinical circumstances. The AI tool must be fairly and equitably applied; bias must be avoided in design, training, and ongoing operation; the tool must not directly or indirectly cause harm to the enrollee. Information about the use of the AI tool must be disclosed to enrollees, regulators (DMHC and CDI), and the public. Penalties are administered through DMHC and CDI authority and may include corrective action plans, civil penalties, and (for willful or repeated violations) license-related sanctions.",
+      "required_elements": [
+        {
+          "id": "physician-review-of-denial",
+          "description": "A licensed physician (or other licensed healthcare professional within scope of practice) must review the basis for any AI-driven denial, delay, or modification of medical-necessity coverage; the decision must consider the enrollee's individual clinical circumstances. (Procedural requirement; the consumer-facing element is disclosure that the review occurred.)",
+          "required": true,
+          "example": "This coverage decision was reviewed by [physician name and California license number], who considered your individual clinical circumstances, including [factors] in the determination."
+        },
+        {
+          "id": "ai-tool-use-disclosure",
+          "description": "Disclosure to the enrollee that an AI, algorithm, or other software tool was used in the utilization review or utilization management process, including how it was used and how it informed the decision.",
+          "required": true,
+          "example": "An automated decision-support tool was used in evaluating your prior authorization request. The tool [analyzed claim history / scored medical necessity / surfaced relevant guidelines]; its output was reviewed by a licensed physician before this decision."
+        },
+        {
+          "id": "appeal-rights-notice",
+          "description": "Notice of the enrollee's appeal rights, including the right to internal grievance, external independent medical review, and (for life-threatening conditions) expedited review.",
+          "required": true,
+          "example": "If you disagree with this decision, you have the right to file an internal grievance with [plan name] and to request an Independent Medical Review (IMR) through the California Department of Managed Health Care at https://healthhelp.ca.gov/ or 1-888-466-2219. For decisions involving an imminent and serious threat to your health, you may request an expedited review."
+        },
+        {
+          "id": "fair-and-equitable-application",
+          "description": "The AI tool must be fairly and equitably applied; the plan or insurer must avoid bias in tool design, training data, and ongoing operation. (System / governance requirement; not a per-decision message.)",
+          "required": false
+        },
+        {
+          "id": "regulator-disclosure",
+          "description": "Disclosure to DMHC and CDI of the plan/insurer's use of AI tools in utilization review, including periodic reporting under regulator-issued guidance. (Regulator-facing, not enrollee-facing.)",
+          "required": false
+        }
+      ],
+      "citation": {
+        "statute": "California Health and Safety Code § 1367.01 (DMHC-regulated plans) and Insurance Code § 10123.135 (CDI-regulated insurers), as amended by Senate Bill 1120 (2024)",
+        "section": "Use of artificial-intelligence and algorithmic tools in utilization review / utilization management",
+        "source_url": "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB1120",
+        "publisher": "California Legislative Information"
+      },
+      "effective_date": "2025-01-01",
+      "last_verified": "2026-05-08",
+      "template": {
+        "plain": "Notice — Use of Decision-Support Tool in This Coverage Decision: An automated decision-support tool was used in evaluating your prior authorization or coverage request. The tool's output was reviewed by [licensed physician or other healthcare professional] who considered your individual clinical circumstances before making this determination. If your request was denied, delayed, or modified, you have the right to appeal through [plan name]'s internal grievance process and to request an Independent Medical Review through the California Department of Managed Health Care at https://healthhelp.ca.gov/ or 1-888-466-2219. For health conditions that pose an imminent and serious threat to your health, expedited review is available.",
+        "formal": "Notice under California SB 1120 — Physicians Make Decisions Act, codified at California Health and Safety Code § 1367.01 (or Insurance Code § 10123.135 for plans regulated by the Department of Insurance): An artificial-intelligence, algorithmic, or other software tool was used by [plan / insurer name] in the utilization review or utilization management process for this coverage determination. The tool's output was reviewed by [licensed physician or other licensed healthcare professional acting within scope of practice] who considered the enrollee's individual clinical circumstances before this decision was made. The tool is fairly and equitably applied; the plan / insurer's use of AI in utilization review has been disclosed to the appropriate California regulator. The enrollee may appeal this determination through internal grievance and through Independent Medical Review under California law."
+      },
+      "notes": "SB 1120 is one of the first US state laws to specifically restrict AI use in health-coverage decisions. The law applies to two distinct regulatory regimes: DMHC-regulated health-care service plans (most California HMOs and many PPOs) under HSC § 1367.01, and CDI-regulated health insurers under Ins. Code § 10123.135. The use case here is `healthcare` (clinical decision impact) and `financial-services` (insurance coverage decisions involving payment) — many compliance-relevant decisions sit at the intersection, and surfacing both makes the rule discoverable for either query path. The physician-review requirement is procedural — the AI cannot make the final medical-necessity determination on its own. The disclosure obligation is the consumer-facing element. SB 1120 stacks with HHS Section 1557 PCDST nondiscrimination obligations (federal floor) and with the Colorado AI Act / Texas TRAIGA-healthcare / Utah AI Act in their respective state operations. ERISA self-funded plans are typically exempt from state insurance regulation but may be subject to federal-floor obligations and HHS Section 1557. Class-action litigation over AI denial of care has been ongoing under existing law in 2024–2025; SB 1120 codifies a clearer disclosure-and-review standard. Verify against DMHC and CDI guidance before production deployment — both regulators have rulemaking authority and have issued or are expected to issue more detailed implementation guidance through 2026."
     }
   ]
 }