plainstamp 0.7.7 → 0.7.9

package/docs/guides/texas-traiga-hb-149-builder-guide.md

@@ -0,0 +1,321 @@
+# Texas TRAIGA (HB 149): a builder's guide
+
+> **Informational only — not legal advice.** Verify against the cited
+> regulator-published text and consult counsel for production deployments.
+> See `AI-DISCLOSURE.md` in this package.
+
+If you sell AI tools to Texas government agencies, build customer-
+facing AI for use in Texas healthcare settings, or run a national
+AI product whose Texas footprint includes either, the **Texas
+Responsible Artificial Intelligence Governance Act (HB 149,
+"TRAIGA")** is the state-level transparency framework you have to
+satisfy starting January 1, 2026. TRAIGA is a narrow but consequential
+law: unlike Colorado's broad AI Act or California's family of AI
+statutes, Texas's HB 149 imposes consumer-facing AI-disclosure
+obligations on **only two categories of actors** — Texas government
+agencies and Texas healthcare providers. Get either category right
+and you've covered most of TRAIGA's footprint. This guide separates
+the two tracks, walks through what each requires, calls out the
+asymmetry (private-sector Texas businesses outside healthcare have
+no TRAIGA disclosure obligation), and explains how to design a single
+disclosure surface that satisfies both tracks alongside the federal
+floor.
+
+## What TRAIGA actually does
+
+The Texas Responsible Artificial Intelligence Governance Act ([HB 149,
+89th Legislature](https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=HB149))
+was signed by Governor Abbott on June 22, 2025 and takes effect
+January 1, 2026. It codifies a relatively modest set of rules — far
+narrower than the original drafts of TRAIGA, which had attempted a
+Colorado-SB 24-205-style broad AI risk regime. The final law has two
+operative consumer-disclosure provisions plus governance / civil-
+penalty provisions:
+
+1. **§ 552.058 (or as enacted) — Government-agency AI disclosure.**
+   A Texas governmental agency that makes an AI system available to
+   interact with consumers must disclose, before or at the time of
+   interaction, that the consumer is interacting with an AI system.
+   Disclosure must be clear, conspicuous, plain-language, and not
+   use a dark pattern.
+2. **§ 552.057 (or as enacted) — Healthcare-provider AI disclosure.**
+   If an AI system is used in relation to a health care service or
+   treatment, the provider must disclose to the recipient (or the
+   recipient's personal representative) by the date the service or
+   treatment is first provided. In an emergency, disclosure may be
+   delayed until as soon as reasonably possible.
+
+The rest of TRAIGA addresses unrelated topics: prohibited uses
+(election manipulation, deepfake CSAM), regulatory oversight by the
+Texas Attorney General, and a state-level AI Council.
+
+## Track 1: government-agency disclosure
+
+### Who is covered
+
+A "governmental agency" under TRAIGA tracks the Texas Government
+Code's standard definition: state agencies, departments,
+commissions, boards, and political subdivisions (counties,
+municipalities, school districts) — anyone exercising authority on
+behalf of the State of Texas or a political subdivision.
+
+In scope:
+
+- **State-of-Texas operating AI** that interacts with members of the
+  public. Example: a Texas Department of Public Safety chatbot that
+  answers driver-license questions.
+- **Texas state-agency-procured vendor AI** when that AI is used by
+  the agency to interact with the public. Example: a SaaS chatbot
+  the Texas Comptroller buys and deploys to answer tax questions.
+- **Municipal AI** — city or county AI tools that talk to residents.
+
+Out of scope:
+
+- **Private-sector Texas businesses** (except healthcare; see Track
+  2). A Texas-based fintech's customer-support chatbot is **not**
+  covered by TRAIGA. The federal FTC fake-reviews rule may apply,
+  California B&P § 17941 may apply if Californians use the product,
+  but TRAIGA does not.
+- **Federal agencies operating in Texas.** They follow federal
+  rules, not state-level ones.
+
+### What counts as a sufficient disclosure
+
+The statute requires disclosure that is:
+
+| Requirement | Practical meaning |
+|---|---|
+| **Clear** | The disclosure must be unambiguous — a reasonable person reads it and understands they're talking to an AI. |
+| **Conspicuous** | Visible and prominent — not buried in fine print, not hidden behind a clickable disclaimer. |
+| **Plain language** | No legalese, no jargon. "AI assistant" rather than "automated cognitive system." |
+| **No dark pattern** | The disclosure cannot be designed to mislead, confuse, or pressure the user. Pre-checked agreement boxes, countdown timers, and obscured opt-outs all qualify as dark patterns. |
+| **Timing** | "Before or at the time of interaction." A pre-conversation banner counts; an end-of-conversation disclaimer does not. |
+
+Plain-language template:
+
+> *"You are interacting with an artificial intelligence system, not
+> a person. To speak to a human agent, please [contact info]."*
+
+### Common failure patterns for the government track
+
+- **Disclosure in Terms of Service only.** A government agency's
+  chatbot opens directly to a conversation; the AI status is mentioned
+  only in the linked ToS. TRAIGA requires disclosure "before or at
+  the time of interaction" — ToS-only doesn't satisfy.
+- **Procurement contract treats disclosure as vendor responsibility
+  without enforcement.** Agency buys vendor chatbot SaaS; vendor's
+  product doesn't display the disclosure; agency assumes the vendor
+  handles compliance. Agency remains liable under HB 149.
+- **Multi-channel deployment with inconsistent disclosure.** AI
+  available on the agency website displays the disclosure; the same
+  AI exposed via SMS does not.
+
+## Track 2: healthcare-provider disclosure
+
+### Who is covered
+
+A "healthcare provider" under TRAIGA includes:
+
+- Physicians and physician practices.
+- Hospitals and health systems.
+- Federally Qualified Health Centers (FQHCs).
+- Long-term care facilities.
+- Most other Texas-licensed healthcare entities.
+
+The trigger is **AI used in relation to a health care service or
+treatment**. That language is broad and intentional. It includes:
+
+- AI-driven clinical decision support (sepsis prediction, discharge
+  risk).
+- AI imaging triage (radiology, pathology).
+- AI-assisted documentation (ambient scribes, clinical-note
+  generation).
+- AI-driven prior authorization or utilization review (where the
+  provider is using the AI; insurance carriers operating in Texas
+  may have parallel obligations under other rules).
+- AI patient-facing communication tools (chatbots that answer
+  triage questions; voice agents that schedule).
+
+### What counts as a sufficient disclosure
+
+The statute requires:
+
+- **Disclosure to the recipient of the service or treatment** (or
+  the recipient's personal representative).
+- **Timing**: by the date the service or treatment is first
+  provided. In an emergency, as soon as reasonably possible.
+- **Content**: that an AI system is being used in relation to the
+  recipient's care.
+
+The statute does not specify a precise format. The conservative
+approach: written notice, signed acknowledgment, or — for ongoing
+treatment — annual update.
+
+Plain-language template:
+
+> *"An artificial intelligence system is being used to assist with
+> your care. The AI's outputs are reviewed by your healthcare
+> provider before any clinical decision is made. If you have
+> questions about the role of AI in your care, please ask your
+> provider."*
+
+### Common failure patterns for the healthcare track
+
+- **Disclosure tied to encounter type, not AI use.** Provider
+  discloses for AI-imaging cases but not for AI-driven scheduling.
+  TRAIGA requires disclosure for **any** AI use related to care.
+- **Disclosure timing missed in emergencies.** Statute allows "as
+  soon as reasonably possible" — but providers default to "never
+  document at all" in busy ED settings. Documentation post-emergency
+  is required.
+- **Personal representative scenarios overlooked.** Disclosure must
+  go to the patient's personal representative (HIPAA-style)
+  when applicable — minors, incapacitated patients, etc.
+
+## Where TRAIGA stacks with other federal and state rules
+
+TRAIGA is a state-level **floor** for Texas AI deployment. It stacks
+with everything else.
+
+### Federal floors that always apply alongside TRAIGA
+
+- **HHS Section 1557 PCDST nondiscrimination** (45 CFR § 92.210,
+  effective May 2025). A Texas hospital using AI clinical decision
+  support has both a TRAIGA disclosure obligation AND a Section 1557
+  PCDST inventory + mitigation obligation. Both apply.
+- **FDA PCCP** (FD&C Act § 515C). For FDA-cleared AI/ML medical
+  devices, the manufacturer's PCCP and labeling obligations apply
+  upstream of the provider's TRAIGA disclosure.
+- **FTC fake-reviews rule** (16 CFR Part 465). Federal-floor for
+  any consumer marketing context, including marketing by Texas
+  governmental agencies and healthcare providers.
+- **HIPAA Privacy and Security Rules** (45 CFR Parts 160, 164).
+  AI tools that handle PHI are subject to HIPAA; TRAIGA disclosure
+  doesn't replace HIPAA notices.
+
+### State-level overlays for cross-state Texas operators
+
+A national health system with Texas operations also faces:
+
+- **California SB 1120** (Physicians Make Decisions Act): AI used in
+  utilization review for medical necessity must be reviewed by a
+  licensed physician. California-specific.
+- **Colorado AI Act SB 24-205**: covers high-risk AI systems
+  including those used in healthcare and employment. Effective
+  June 2026. Colorado-specific.
+- **Other states**: NY, IL, Maryland, Tennessee — various.
+
+The right rule for production deployment is the strictest applicable
+rule, not TRAIGA alone.
+
+## TRAIGA's deliberate scope: what it does NOT cover
+
+Understanding what TRAIGA leaves alone is as important as
+understanding what it covers. A Texas-operating product that is
+**not** a government agency and **not** a healthcare provider has
+no TRAIGA consumer-disclosure obligation — even when it deploys
+substantial customer-facing AI.
+
+Examples NOT covered:
+
+- A Texas-based fintech's AI chatbot for retail bank customers
+  (governed federally by CFPB / FINRA where applicable, or by
+  state-level rules in other states; not by TRAIGA).
+- A national e-commerce platform's AI customer-support tool used by
+  Texas customers (covered by FTC, possibly California rules; not
+  TRAIGA).
+- A Texas-based law firm using AI legal research tools internally.
+
+This is a real difference from Colorado's SB 24-205, which sweeps in
+all "high-risk AI systems" regardless of sector. TRAIGA's scope is
+narrower by design.
+
+## How TRAIGA is enforced
+
+The Texas Attorney General has primary enforcement authority. HB 149
+authorizes:
+
+- Civil penalties of up to **$10,000 per violation** for governmental
+  agencies, with each consumer interaction potentially counting
+  separately.
+- For healthcare providers, civil penalties under existing healthcare-
+  oversight regimes plus potential professional-licensing action.
+- A right of action by the Texas Attorney General; private right of
+  action is not provided in HB 149.
+
+The AG also has authority to issue civil investigative demands and
+to coordinate with other state regulators (Texas Health and Human
+Services Commission for healthcare track; State Auditor's Office for
+government track).
+
+## How plainstamp helps
+
+`plainstamp` ships two TRAIGA rules:
+`us-tx-traiga-government-disclosure` (Track 1) and
+`us-tx-traiga-healthcare-disclosure` (Track 2). Each returns the
+required disclosure elements, plain-language and formal-language
+templates, citation back to HB 149, and a `last_verified` date.
+Lookup:
+
+```bash
+# Government agency
+npx plainstamp lookup --jurisdiction us-tx \
+                      --channel live-chat \
+                      --use-case government-services
+
+# Healthcare provider
+npx plainstamp lookup --jurisdiction us-tx \
+                      --channel about-page \
+                      --use-case healthcare
+```
+
+For multi-state healthcare operators, query each state in parallel
+to layer the strictest applicable rule.
+
+## The minimum viable compliance posture
+
+If your Texas-operating AI deployment is starting from zero on
+TRAIGA, ship these four artifacts in order:
+
+1. **Determine your track.** Are you a Texas governmental agency,
+   a Texas healthcare provider, or both? If you are neither, TRAIGA
+   doesn't apply to your consumer-facing AI (federal and other
+   state rules still may).
+2. **Disclosure language deployed to all consumer-facing AI surfaces.**
+   For Track 1: disclosure displays before or at the start of every
+   AI interaction across web, SMS, voice, and in-person kiosk
+   surfaces. For Track 2: disclosure delivered to the patient or
+   personal representative by the date AI is first used in their
+   care, with documentation in the medical record.
+3. **Vendor-procurement coordination.** For Track 1: every contract
+   with an AI-vendor SaaS includes a clause that the vendor's
+   product display the TRAIGA-compliant disclosure on the agency's
+   behalf, with audit rights for the agency to verify. For Track 2:
+   vendor agreements include data-handling and disclosure-coordination
+   provisions.
+4. **Records.** Documentation of the disclosure surfaced to each
+   consumer (Track 1) or recipient of care (Track 2). For Track 2,
+   this typically lives in the medical record system; for Track 1,
+   it can be a click-stream log, screenshot, or an attestation in
+   the agency's website analytics.
+
+Then layer the higher-fidelity work — federal Section 1557 for
+healthcare deployers, FDA PCCP for AI/ML device manufacturers, ADA
+accessibility, multi-state stacking — onto the higher-stakes use
+cases first.
+
+## Source-of-truth links
+
+- **Texas HB 149 (89R), full text and history** ([capitol.texas.gov](https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=HB149))
+- **Texas Government Code (governmental agency definition)** ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/GV/htm/GV.572.htm))
+- **Texas Attorney General — AI initiatives** ([oag.my.texas.gov](https://www.texasattorneygeneral.gov))
+- **HHS Section 1557 builder's guide** (companion read for the healthcare track) — see this site's `/guides/hhs-section-1557-pcdst-builder-guide/`.
+- **FDA PCCP builder's guide** (companion for AI/ML device manufacturers serving Texas) — see this site's `/guides/fda-pccp-aiml-medical-device-builder-guide/`.
+
+`plainstamp` is maintained by an autonomous AI agent operating under
+KS Elevated Solutions LLC. Accuracy reports, rule-update suggestions,
+and security disclosures: [helpfulbutton140@agentmail.to](mailto:helpfulbutton140@agentmail.to).
+
+---
+
+[`← Back to plainstamp`](https://plainstamp.pages.dev/)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "plainstamp",
-  "version": "0.7.7",
+  "version": "0.7.9",
   "description": "AI disclosure compliance assistant — generates legally-grounded AI disclosure text per (jurisdiction × channel × use-case) and tracks regulatory updates. Operated by an autonomous AI agent under KS Elevated Solutions LLC.",
   "type": "module",
   "license": "MIT",