AB 512 creates a single set of statutory requirements for how health care service plans—and entities they contract with to perform utilization review—handle prior authorization, concurrent review, and retrospective review. It requires written policies and oversight by a licensed clinical director, meaningful communications to providers and enrollees, a quality-assurance check on plans’ processes, and an enforcement mechanism for missed obligations.
The bill also draws a clear line around the role of automated tools: plans may use artificial intelligence or algorithms to assist utilization review, but the statute requires clinical inputs, auditability, non-discrimination, limits on data use, and an explicit rule that only a licensed clinician may make determinations of medical necessity. These rules will affect plan operations, delegated vendors, AI vendors, provider workflows, and regulators’ oversight tools.
At a Glance
What It Does
Establishes baseline procedural requirements for prior authorization and utilization management, demands written policies and clinical oversight, mandates provider and enrollee communications, requires quality-assurance monitoring, and imposes administrative penalties for failures. It imposes specific guardrails on AI or algorithmic tools used in utilization review, including data and auditability requirements and a prohibition on AI making medical-necessity determinations.
Who It Affects
Health care service plans (including specialized plans), entities that perform utilization review for plans, delegated medical groups/IPAs, AI and algorithm vendors used for utilization management, and treating providers who request authorizations; Medi‑Cal managed care plans are covered subject to federal approvals.
Why It Matters
The law converts many operational prior‑auth practices into enforceable standards, gives regulators tools to inspect algorithms and processes, and forces vendors and plans to alter procurement, documentation, and clinical-decision workflows. Compliance will require coordination between clinical, legal, IT, and contracting teams.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 512 makes prior authorization and other utilization-review activities a regulated process rather than a purely internal insurer function. Plans must have written policies and procedures that explain how they prospectively, retrospectively, or concurrently review provider requests and how medical‑necessity decisions will be made.
Those policies must be supported by clinical criteria that conform with the state’s rulemaking for clinical guidelines and must be available to providers, enrollees, and filed with the director for review.
The bill emphasizes clinician control: a plan must employ or designate a licensed medical or clinical director responsible for ensuring compliance, and the statute bars nonclinicians from denying or modifying authorization requests on medical‑necessity grounds unless they are licensed and competent to evaluate the specific issues. When a plan approves a request, it must communicate that approval to the provider; when it denies, delays, or modifies care it must communicate the clinical reasoning, criteria used, and contact information for the clinician responsible.Operational controls get specific treatment.
Plans may ask providers only for information reasonably necessary to make a decision, must maintain telephone access for providers to request authorization, and must build compliance assessment into their quality‑assurance programs. The director will include compliance with these provisions in periodic onsite surveys.
The bill also preserves a narrow religious‑healing exemption and clarifies that adoption of these rules does not convert a health plan into a health care provider under other statutes.On algorithmic tools, AB 512 treats artificial intelligence and software-based decision support as permissible only as an assistive element of utilization review. The statute requires that such tools use individual clinical inputs, not solely pooled group datasets; be auditable by state regulators; limit uses of patient data to stated purposes; be periodically reviewed for accuracy and fairness; and comply with applicable state and federal law.
Crucially, the bill requires that determinations of medical necessity be made by a licensed clinician who reviews the provider’s recommendation and the enrollee’s clinical record, meaning automated systems cannot by themselves make adverse medical‑necessity decisions.
The Five Things You Need to Know
Plans must file their written prior‑authorization policies and procedures with the director and must disclose those policies to providers, enrollees, and the public upon request.
Only a licensed physician or licensed health care professional competent to the clinical issues can deny or modify an authorization request on medical‑necessity grounds; nonclinicians are barred from making those decisions.
Standard review timeframes are explicit: for non‑urgent requests, plans must decide within 3 business days after receiving information submitted electronically or 5 business days after non‑electronic submission; expedited reviews must be completed within 24 hours (electronic) or 48 hours (non‑electronic); retrospective decisions must be communicated to the individual within 30 days; Medi‑Cal managed care plans have longer statutory windows (5 business days and up to 72 hours for expedited reviews).
An artificial intelligence, algorithm, or software tool used in utilization review may not make medical‑necessity determinations; it must use individual clinical history and circumstances (not solely group datasets), be open to inspection for audits, protect patient data consistent with CMIA and HIPAA, and be periodically reviewed and revised for accuracy and equity.
The director may assess administrative penalties for failures to meet the law’s requirements through an order and hearing process under Section 1397; assessed penalties are payable to the Managed Care Administrative Fines and Penalties Fund.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Scope: who and what is covered
This subdivision defines the universe of entities subject to the statute: health care service plans and any contracting entities that perform utilization review or utilization management, whether those reviews are prospective, concurrent, or retrospective. It explicitly covers delegated reviews carried out by medical groups, IPAs, or other contracting providers, meaning plans cannot avoid the statute’s requirements simply by delegating utilization functions.
Written policies, clinical criteria, and filing requirement
Plans must adopt written policies and procedures describing their review processes and the clinical criteria or guidelines that will govern medical‑necessity decisions. Those criteria must align with Section 1363.5 standards and be filed with the director for approval. The filing and disclosure requirement creates a public record of how plans make utilization decisions and gives regulators and stakeholders a basis for auditing plan behavior.
Medical/clinical director accountability
The bill requires each plan (with limited exceptions) to have a designated medical director or, for specialized plans, an appropriately licensed clinical director. That person must hold an unrestricted California license and is explicitly tasked with assuring that utilization‑review decisions comply with the statute. That shifts operational accountability to a named clinical officer rather than diffuse internal teams.
Limits on information requests
Plans may request only the information reasonably necessary to determine authorization. That constrains overbroad document demands and is intended to reduce administrative burden on providers, but it leaves an unresolved line-drawing question about what counts as “reasonably necessary,” which will be a focal point for disputes and audits.
Communications and timelines for approvals, denials, and concurrent care
This long subsection sets procedural obligations: plans must communicate approvals, denials, or modifications in specific ways and within specified timeframes (including expedited windows for imminent‑risk cases). It also requires that concurrent care not be discontinued until the treating provider has been notified and an appropriate care plan is agreed. The subsection defines electronic submission and ties it to interoperability rules, which pushes plans to adopt or rely on electronic portals that meet federal standards.
Provider telephone access
Plans must maintain telephone access for providers to request authorizations. This operationally simple requirement preserves a direct channel for clinicians, which matters in urgent or complex cases where portal submissions or asynchronous exchanges are inadequate.
Quality assurance and compliance monitoring
Plans must integrate compliance with this statute into their quality assurance programs. That includes complaint evaluation, trend analysis, corrective actions, communication of results to staff and contracting providers, and measurement of corrective plans’ effectiveness. This creates an internal feedback loop the director can inspect during onsite surveys.
AI, algorithms, and software tools: permitted uses and guardrails
This subdivision allows plans to use AI and algorithmic tools but imposes multiple limits: tools must rely on patient‑level clinical inputs and not solely on group datasets; they must comply with clinical criteria; they cannot replace provider decisionmaking; they must not discriminate; they must be auditable by the department; patient data can’t be repurposed beyond stated uses; and tools must be periodically evaluated. The subdivision also disallows automated medical‑necessity determinations—those must be made by a licensed clinician—and signals compliance with federal HHS rulemaking and guidance.
Contracting and federal approval caveats for Medi‑Cal
The bill authorizes the Department of Managed Health Care and the State Department of Health Care Services to issue implementing guidance and, for AI implementation, to enter or modify contracts outside certain state procurement statutes. However, the AI provisions apply to Medi‑Cal managed care plans only to the extent federal approvals permit and without jeopardizing federal financial participation, which creates an implementation dependency on federal action.
Limited exemptions and non‑provider status
The statute preserves a traditional religious‑healing exemption for treatment decisions based on prayer or spiritual means, and it clarifies that adopting these utilization rules does not transform a health plan into a health care provider for other legal purposes. Those carveouts prevent unintended statutory collisions but also limit certain remedies against plans under provider‑specific statutes.
This bill is one of many.
Codify tracks hundreds of bills on Healthcare across all five countries.
Explore Healthcare in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Enrollees with urgent needs — clearer procedural timelines and expedited-review rules shorten decision windows and require documentation of clinical reasoning, which can speed access in acute situations.
- Treating providers — the statute mandates clinician-to-clinician accountability (the name and contact number of the clinician responsible for a denial) and telephone access, improving the chances for timely clinical conversations and peer-to-peer review.
- State regulators — the filing requirement for policies, onsite review authority, and explicit audit rights over AI tools give regulators stronger oversight levers to detect systemic problems.
- AI and software vendors that build auditable, patient‑centric models — the law creates a market advantage for vendors that can demonstrate individual‑level inputs, non‑discrimination testing, and explainability to regulators.
Who Bears the Cost
- Health plans — they must update written policies, hire or designate licensed medical/clinical directors, maintain phone access and quality‑assurance processes, support audits, and adjust procurement and vendor-management practices, all of which carry administrative and compliance costs.
- Delegated utilization‑management vendors and IPAs — vendors performing reviews will face new documentation, audit, and clinician‑involvement requirements, and may need to retool algorithms and workflows to meet audibility and data‑use rules.
- AI and algorithm vendors — they must redesign systems to include individual clinical inputs, support audits, demonstrate fairness testing, and ensure data uses meet CMIA and HIPAA constraints, which raises development and legal expenses.
- The Department of Managed Health Care and State Department of Health Care Services — the director gains new inspection responsibilities and must review filings and AI tools, increasing oversight workload without an explicit funding source in the statute.
Key Issues
The Core Tension
The central dilemma is balancing faster, standardized authorization processes and the efficiency gains of algorithmic tools against the need to preserve individualized clinical judgment, patient privacy, and algorithmic transparency: tools that improve throughput tend to centralize decision rules and reduce clinician discretion, while protecting clinician judgment and auditability often undermines the speed and proprietary advantages that make automation attractive.
AB 512 packages operational prior‑authorization rules and algorithmic oversight into a single statute, but several implementation frictions remain. First, the statute requires that plans ask only for information “reasonably necessary,” yet it leaves the standard undefined; in practice, disputes over what is reasonably necessary will drive grievances and administrative hearings until state guidance or precedent narrows that phrase.
Second, the bill requires auditability of AI and algorithms but does not reconcile that requirement with vendors’ claims of proprietary trade secrets and with the technical difficulty of making complex models explainable. Regulators will need technical capacity and clear protocols to inspect models without forcing open proprietary IP inappropriately.
Another practical tension concerns the statute’s procurement carveouts for departmental contracts related to AI guidance: exempting certain contracts from state procurement rules may speed tool acquisition but narrows transparency and ordinary contracting controls. Likewise, the bill conditions Medi‑Cal applicability on federal approvals; that dependency risks uneven implementation between commercial lines and publicly financed managed care.
Finally, enforcement depends on the director’s willingness and capacity to levy penalties, but the statute does not provide new appropriations for expanded inspections or technical audits, raising the risk of unfunded mandates on regulators and uneven enforcement across plans.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.