AB 3030 Healthcare Disclosure Mandates: What Hospitals, Clinics, and Licensed Providers Must Tell Patients in 2026

California AB 3030 — codified at Health and Safety Code §1339.79 and effective January 1, 2025 — requires every health facility, clinic, physician's office, and licensed healthcare provider in California to include a specific disclaimer in any patient communication that contains clinical information generated by artificial intelligence, identifying the communication as AI-generated and instructing the patient how to reach a human clinician — unless a licensed healthcare provider has reviewed and approved the communication first. That last clause is the most important sentence in the statute, because it converts AB 3030 from a pure disclosure mandate into a disclosure-or-review choice that most health systems are already operationalizing through their existing clinician approval workflows. This article walks through who is actually covered, what the disclaimer has to say, how the licensed-provider exemption works in practice, and the operational compliance posture that hospitals, clinics, and physician practices are converging on.

What AB 3030 actually requires (and what it doesn't)

AB 3030 is the only California statute that imposes AI disclosure obligations specifically on healthcare delivery. That makes it categorically different from California's broader AI laws — SB 942 (content provenance), AB 2013 (training data transparency), SB 53 (frontier AI safety) — which apply to AI providers and deployers across all sectors. AB 3030 is sector-specific, and the obligations apply to the healthcare delivery organization, not to the AI vendor whose technology powers the communication. A health system that uses an AI chatbot to message patients is the regulated entity under AB 3030; the chatbot's vendor is not (though the vendor often becomes contractually responsible through the health system's vendor agreements).

The substantive requirement is that whenever a covered healthcare provider uses generative AI to produce a written or verbal communication with a patient that contains clinical information, the communication must include a disclaimer identifying the communication as AI-generated and providing instructions for the patient to contact a human licensed healthcare provider, employee, or other appropriate person regarding the communication. For written communications the disclaimer must be prominently displayed; for oral communications it must be verbally disclosed. The communication itself can still be sent — the statute is a disclosure mandate, not a prohibition on AI use in clinical communication.

The phrase "clinical information" is not exhaustively defined in the statute, but the legislative analysis and Medical Board guidance treat it as encompassing any patient-facing communication about diagnosis, treatment, prognosis, medications, lab or imaging results, care plans, or similar clinical content. Administrative communications — appointment reminders, billing notices, generic wellness newsletters — fall outside the scope. The line gets harder for hybrid communications that mix administrative and clinical content (an appointment reminder that includes a clinical instruction such as "remember to fast for 12 hours before your blood draw" arguably crosses into clinical information territory), and most health systems are taking the cautious posture of including the disclaimer on any AI-generated communication that touches clinical content even tangentially.

The licensed-provider review exemption: how it actually works

The most operationally important provision in AB 3030 is the licensed-provider review exemption. AB 3030 does not apply when a licensed healthcare provider has reviewed and approved the AI-generated content before it is sent to the patient. "Licensed healthcare provider" in this context includes physicians, nurse practitioners, physician assistants, registered nurses, and other appropriately licensed clinicians acting within their scope of practice. The exemption is what most health systems are using to operationalize compliance: rather than appending a disclaimer to every AI-generated patient communication, they route the communications through clinician inboxes for review and approval before sending.

The exemption has a practical structure that compliance teams should understand. The clinician's review must be substantive — a clinician who routinely auto-approves AI drafts without reading them is not providing the review the statute contemplates, and a regulator probing the workflow could reasonably conclude the exemption does not apply. The review must also happen before the communication is sent to the patient, not after. Post-hoc clinician sign-off does not qualify. And the reviewing clinician must be appropriately scoped — a primary care physician reviewing AI-drafted oncology guidance is reviewing outside their scope of practice, which weakens the exemption's defensibility.

For health systems running AI scribes, AI message drafters, and AI-powered patient portals, the practical compliance posture is to treat clinician review as the default workflow and the disclaimer as the fallback for communications that do not pass through clinician review. AI-generated visit summaries reviewed and signed by the clinician before being released to the patient's portal qualify for the exemption. Auto-generated post-visit emails sent without clinician review require the disclaimer.

What the disclaimer language has to say

AB 3030 does not prescribe exact disclaimer language, which gives health systems flexibility but also creates ambiguity about what counts as compliant. The statute requires two elements: identification of the communication as AI-generated, and instructions for the patient to contact a human licensed healthcare provider. The Medical Board guidance and most law firm interpretations converge on language like the following: "This message was generated by artificial intelligence. If you have questions or would like to speak with a human healthcare provider, please contact [name/title/role] at [phone number/email/portal contact path]."

Three drafting choices deserve attention. First, "prominently displayed" for written communications means the disclaimer cannot be footer-style fine print. The position should be at the top of the message or at minimum in a clearly demarcated callout, not buried below a signature block. Second, the contact information must be specific enough that the patient can actually reach a human — "contact your provider" without a phone number or named role is not specific instructions. Third, for oral communications (such as voice agent calls), the disclaimer must be verbally disclosed near the start of the interaction; appending it to a hangup message after the substantive call is over does not qualify.

Health systems implementing AB 3030 disclaimers typically use a templated disclaimer with a few configurable fields (provider name, contact role, contact channel) so that the disclaimer is consistent across communication channels but routes patients to the right human depending on the context. The compliance posture is more defensible when the disclaimer language is reviewed by the legal department and approved by the chief medical officer, with the approved template integrated into the message-generation pipeline so individual clinicians cannot accidentally ship non-compliant variants.

Operational compliance: what hospitals and clinics are actually building

The operational compliance posture that has emerged across major California health systems through 2025 has three components. The first is workflow segmentation: classifying every AI-generated patient-facing communication into "clinician-reviewed" or "direct-send," with the disclaimer attached automatically to the direct-send path and the clinician-review path treated as exempt. This is straightforward when the AI use case is constrained to specific message types (visit summaries, secure messaging replies, appointment communications) but harder when AI is embedded across many surfaces.

The second component is templated disclaimer infrastructure: a single source-of-truth disclaimer template that all message-generation systems consume, so that updates to the disclaimer language propagate automatically rather than requiring manual updates across many surfaces. Most health systems are building this as a small internal service that returns the appropriate disclaimer text given a context (channel, message type, locale), with audit logging that records every disclaimer issuance for compliance review.

The third component is staff training and policy. AB 3030 compliance is partly an engineering question and partly a behavioral one, because clinicians who routinely auto-approve AI drafts without substantive review can undermine the licensed-provider exemption. Effective compliance programs include training on what substantive review looks like, monitoring of approval-time distributions to identify rubber-stamping patterns, and clear consequences for clinicians whose review patterns suggest the exemption is being abused. The Medical Board's enforcement guidance signals that workflow-level abuse of the exemption will draw attention.
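The three components above can be sketched together in a few lines of Python. This is an added illustration, not code from the statute, the Medical Board, or any health system; the `Draft` fields, the template wording, the path names, and the 10-second review cutoff are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Assumed template; wording follows the sample language quoted in this article.
TEMPLATE = ("This message was generated by artificial intelligence. If you have "
            "questions or would like to speak with a human healthcare provider, "
            "please contact {role} at {channel}.")
AUDIT_LOG = []  # stand-in for an append-only audit store

@dataclass
class Draft:  # hypothetical record for one AI-generated patient message
    msg_id: str
    body: str
    clinical: bool                       # touches clinical content, even tangentially
    approved_at: Optional[float] = None  # clinician approval time (epoch s), if any
    reviewer: Optional[str] = None

def release(draft, sent_at, role, channel):
    """Classify the send path, attach the disclaimer if needed, log the decision."""
    if not role.strip() or not channel.strip():
        raise ValueError("disclaimer needs a named role and a concrete contact channel")
    # Only approval recorded before sending counts; post-hoc sign-off does not.
    reviewed = draft.approved_at is not None and draft.approved_at <= sent_at
    if not draft.clinical:
        path = "administrative"
    elif reviewed:
        path = "clinician-reviewed"
    else:
        path = "direct-send"
    text = draft.body
    if path == "direct-send":
        # Disclaimer leads the message so it is not footer fine print.
        text = TEMPLATE.format(role=role, channel=channel) + "\n\n" + draft.body
    record = {"msg_id": draft.msg_id, "path": path, "sent_at": sent_at,
              "reviewer": draft.reviewer if reviewed else None,
              "disclaimer": path == "direct-send"}
    AUDIT_LOG.append(record)
    return text, record

def rubber_stamp_suspects(reviews, min_seconds=10.0, min_reviews=3):
    """reviews: (reviewer, seconds the draft was open before approval) pairs.
    Flags reviewers whose median review time is below min_seconds (assumed cutoff)."""
    by_reviewer = {}
    for reviewer, seconds in reviews:
        by_reviewer.setdefault(reviewer, []).append(seconds)
    return sorted(r for r, times in by_reviewer.items()
                  if len(times) >= min_reviews and median(times) < min_seconds)

# Constructed sample review timings, in seconds.
SAMPLE_REVIEWS = [("rn_a", 2), ("rn_a", 3), ("rn_a", 4),
                  ("md_b", 40), ("md_b", 55), ("md_b", 35)]
```

The sketch does not check whether the reviewer is acting within scope of practice; a real pipeline would need that as a separate control.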

How AB 3030 fits with the rest of California's healthcare AI regime

AB 3030 is one strand of a broader California healthcare AI compliance picture. AB 3030's medical-device-specific applications have their own checklist for device manufacturers and clinical vendors. The companion medical chatbot illegality checklist covers the specific case of when a healthcare AI chatbot crosses into legally impermissible territory. And our AB 3030 vs SB 942 disclosure laws comparison walks through the difference between AB 3030's healthcare-specific disclosure requirement and SB 942's content-provenance regime, which can apply simultaneously when AI generates clinical images or audio content.

Beyond the AB 3030 cluster, California health systems are also subject to AB 489 (which prohibits AI systems from misusing healthcare licensure terms like "doctor" or "nurse"), the Medical Board of California's GenAI notification guidance, and the federal HIPAA framework. None of these regimes substitute for the others — a health system using AI for patient communication is potentially subject to all four simultaneously. The integrated compliance posture treats AB 3030 disclosure as the patient-facing surface, AB 489 as the AI-identity constraint, MBC guidance as the operational reference, and HIPAA as the underlying privacy and security floor.

Sources

The primary statute is AB 3030 on California Legislative Information. The Medical Board of California's GenAI notification guidance is the most authoritative regulatory interpretation of the statute. For practitioner-grade analysis, Foley & Lardner's overview, Akin Gump's alert, and Duane Morris's analysis are the most current references. Watch the Medical Board for ongoing guidance on what counts as substantive licensed-provider review under the exemption.

Frequently Asked Questions

What is California AB 3030?
AB 3030 is California's healthcare AI disclosure law, signed by Governor Newsom on September 28, 2024 and codified at Health and Safety Code §1339.79. It took effect January 1, 2025. The law requires health facilities, clinics, physician's offices, and other covered healthcare providers to include a specific disclaimer whenever they use generative AI to produce communications with patients about clinical information. The disclaimer must identify the communication as AI-generated and provide instructions for the patient to contact a human licensed healthcare provider.
Who is a covered healthcare provider under AB 3030?
Health facilities licensed under Division 2 of the Health and Safety Code (which covers hospitals, skilled nursing facilities, and similar institutions), clinics licensed under Chapter 1 of Division 2 (community clinics, free clinics, and rural health clinics), physician's offices and group practices that bill third-party payers, and certain other licensed health entities. The threshold is the licensure status of the facility or provider, not size or revenue. A solo physician's office that bills insurance is potentially covered; a research institution that does not deliver clinical care to patients is not.
What does the AB 3030 disclaimer have to say?
The disclaimer must identify the communication as having been generated by generative AI, and must provide clear instructions for the patient to contact a human licensed healthcare provider, employee, or other appropriate person regarding the communication. The statute does not prescribe exact language, but the disclaimer must be 'prominently displayed' for written communications and verbally disclosed for oral communications. Most production implementations use language along the lines of: 'This message was generated by artificial intelligence. If you have questions, please contact [name/title] at [phone/email] for human assistance.'
What's the AB 3030 exemption for licensed-provider review?
AB 3030 does not apply when a licensed healthcare provider — meaning a physician, nurse practitioner, physician assistant, or other appropriately licensed clinician — has reviewed and approved the AI-generated content before it is sent to the patient. This is the most important exemption in the statute. A health system that uses AI to draft patient messages but routes every draft through a clinician for review and approval before sending falls outside the disclosure requirement. The exemption is what makes AB 3030 functionally a disclosure-or-review choice rather than a pure disclosure mandate.
Does AB 3030 apply to AI scribes used in clinical visits?
Generally not, because AI scribes typically produce documentation that the clinician reviews and signs before it becomes part of the patient record. The clinician's review and approval places the use within the licensed-provider exemption. The line gets harder when the AI scribe output is sent directly to a patient without clinician review — for instance, an AI-generated visit summary auto-emailed to the patient. In that case the disclosure requirement applies because the clinician has not reviewed the patient-facing communication.
What's the penalty for AB 3030 violations?
Enforcement runs through the relevant state licensing boards — primarily the Medical Board of California for physician practices, the California Department of Public Health for licensed health facilities, and other licensing entities for other covered provider types. The penalty is enforcement of the licensing board's existing disciplinary authority, which can include fines, license suspension or revocation, and required corrective action. There is no private right of action for patients; the enforcement mechanism is regulatory rather than civil. The Medical Board has issued guidance on its enforcement priorities, signaling that the most egregious gaps (no disclosure at all in fully-AI-generated patient communications) will draw attention first.
How does AB 3030 differ from AB 489?
AB 489 is the parallel California statute governing the use of healthcare-related professional terms and titles by AI systems, also signed in 2024. AB 489 prohibits AI systems from using terms like 'doctor,' 'nurse,' or 'physician' in ways that imply licensure when no licensed clinician is involved. AB 3030 is about disclosure when AI is used to generate clinical communications; AB 489 is about not falsely implying clinician identity in the AI itself. A health system can be subject to both — for instance, a chatbot that generates patient communications (AB 3030) using a persona named 'Dr. Smith' (AB 489) needs to comply with both statutes.
How does AB 3030 fit with HIPAA?
AB 3030 is independent of HIPAA. HIPAA covers the privacy and security of protected health information; AB 3030 covers the disclosure of AI-generation in clinical communications. Compliance with one does not constitute compliance with the other. A HIPAA-compliant AI-generated patient message that lacks the AB 3030 disclaimer violates AB 3030 even though it is HIPAA-compliant. Most healthcare AI vendors are now drafting their compliance programs to handle both regimes simultaneously, with the AB 3030 disclaimer treated as a non-negotiable element of any patient-facing AI output unless the licensed-provider review exemption applies.
What about AB 3030 for telehealth platforms?
Telehealth platforms are explicitly within AB 3030's scope when they qualify as licensed health facilities or when they support physician's offices or clinics that are themselves covered. The disclosure requirement applies to any AI-generated communication delivered to a patient through the telehealth platform, including chatbot interactions, automated appointment confirmations with clinical detail, and AI-generated post-visit summaries. The licensed-provider review exemption is available for telehealth in the same way it is available for in-person care — if a clinician reviews and approves the AI-generated communication before it is sent, the disclosure is not required.
