Last updated: May 10, 2026

AB 3030 vs HIPAA: What California Requires That Federal Law Does Not

HIPAA and AB 3030 are not competing or overlapping regulations — they govern entirely different things. HIPAA protects the privacy and security of patient health information. AB 3030 requires disclosure and human oversight when AI generates patient communications. A healthcare organization can be fully HIPAA-compliant and simultaneously in violation of AB 3030 on every AI-generated patient message it sends. Federal compliance does not equal California compliance.

The critical distinction

HIPAA asks: "Did you protect the patient's health data?"
AB 3030 asks: "Did you tell the patient their message was written by AI — and did a human clinician check it first?"

These are different questions. HIPAA does not address the second one at all.

Side-by-Side Comparison

Dimension | HIPAA (Federal) | AB 3030 (California)
What it covers | Privacy and security of Protected Health Information (PHI) | Disclosure and oversight of AI-generated patient communications
Who must comply | Covered entities and business associates handling PHI | California healthcare providers that use generative AI for patient communications
Jurisdiction | Federal — applies in all 50 states | California — applies to providers serving California patients
AI-specific requirements | None. HIPAA does not require AI disclosure, human review of AI outputs, or AI identity disclosure to patients | Every AI-generated clinical communication must be reviewed by a licensed clinician OR carry a specific disclaimer and contact instructions
Human oversight required? | No — HIPAA does not mandate human review of AI-generated content | Yes — licensed clinician review is one of two compliance paths for AI-generated clinical communications
Penalty per violation | $100–$50,000 per violation; capped at $1.9M per category per year | Up to $2,500 per violation (per patient communication) + full provider liability for AI-caused patient harm
Enforced by | HHS Office for Civil Rights (federal) | California Medical Board; California Attorney General
Effective since | 1996 (Privacy Rule: 2003; Security Rule: 2005) | January 1, 2026
Does compliance with one satisfy the other? | No | No

What HIPAA Covers (That AB 3030 Does Not)

HIPAA's Privacy Rule governs how covered entities — hospitals, clinics, health plans, and their business associates — may use and disclose Protected Health Information. Its core requirements:

  • Minimum necessary: PHI may only be used to the extent necessary for the stated purpose
  • Patient rights: Access to their own health records, right to request corrections, right to accounting of disclosures
  • Business Associate Agreements: Vendors handling PHI must agree to HIPAA-compliant data handling
  • Breach notification: Affected patients must be notified of unauthorized PHI disclosures within 60 days
  • Security Rule: Administrative, physical, and technical safeguards for electronic PHI

None of these provisions mention AI disclosure, AI oversight, or human review of AI-generated clinical content. HIPAA was written before generative AI existed as a healthcare technology. It was not updated by AB 3030.

What AB 3030 Requires (That HIPAA Does Not Cover)

AB 3030 focuses on the moment when AI-generated content is sent to a patient. It imposes two specific requirements for any healthcare provider using generative AI to produce patient communications:

Compliance Path 1: Human Review

A licensed healthcare professional reviews and approves each AI-generated communication before it is sent to the patient. No disclaimer required if this path is followed.

Compliance Path 2: Disclaimer

Every AI-generated communication includes a specific disclaimer stating: (1) the content was AI-generated, (2) it was not reviewed by a human provider, and (3) how to contact a human provider. No review required if this disclaimer is included.

HIPAA has no equivalent to either path. A BAA with your AI vendor may allocate HIPAA data handling responsibilities, but it does not — and legally cannot — transfer your AB 3030 disclosure obligations. You remain the responsible party under California law for every AI-generated communication sent to your California patients.
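As an added illustration (not code from the original page), a pre-send gate in Python that enforces the two compliance paths above on an outbound message: allow if a licensed clinician reviewed it, otherwise allow only if all three disclaimer elements are present, and block everything else. The message fields, the license roster and the disclaimer phrasing are assumptions for the example, not statutory language.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class OutboundMessage:
    patient_id: str
    body: str
    clinical: bool                      # carries clinical content (not scheduling-only)
    ai_generated: bool                  # drafted by a generative AI system
    reviewed_by: Optional[str] = None   # license id of the approving clinician, if any

# The three disclaimer elements the page lists. Patterns are assumed wording
# for this example; they are not the statute's required text.
DISCLAIMER_CHECKS = {
    "ai_generated": re.compile(r"generated by (an )?(AI|artificial intelligence)", re.I),
    "not_reviewed": re.compile(r"not (been )?reviewed by a (human|licensed)", re.I),
    "contact":      re.compile(r"contact .*(provider|clinician|office)", re.I),
}

def ab3030_gate(msg: OutboundMessage, licensed_ids: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Path 1 = clinician review, Path 2 = full disclaimer."""
    if not (msg.ai_generated and msg.clinical):
        return True, "out of scope"          # not an AI-generated clinical communication
    if msg.reviewed_by in licensed_ids:
        return True, "path 1: clinician review"
    # Path 2: every element must be present; report which ones are missing
    missing = [name for name, rx in DISCLAIMER_CHECKS.items() if not rx.search(msg.body)]
    if not missing:
        return True, "path 2: disclaimer"
    return False, "blocked: missing " + ", ".join(missing)

# Constructed sample data: a hypothetical license roster and four outbound messages
LICENSED = {"MD-0001"}
FULL_DISCLAIMER = (" This message was generated by AI and has not been reviewed by a human "
                   "provider. To reach a human provider, contact the clinic office.")
REVIEWED   = OutboundMessage("p1", "Your A1c is stable; continue metformin.", True, True, "MD-0001")
DISCLAIMED = OutboundMessage("p2", "Your A1c is stable." + FULL_DISCLAIMER, True, True)
PARTIAL    = OutboundMessage("p3", "Your labs are ready. Generated by AI.", True, True)
UNLICENSED = OutboundMessage("p4", "Take the new dose tonight.", True, True, "scribe-7")
SCHEDULING = OutboundMessage("p5", "Reminder: visit Tuesday 9am.", False, True)

if __name__ == "__main__":
    for m in (REVIEWED, DISCLAIMED, PARTIAL, UNLICENSED, SCHEDULING):
        allowed, reason = ab3030_gate(m, LICENSED)
        print(m.patient_id, "SEND" if allowed else "HOLD", "-", reason)
```

The reason string is what an audit log should retain per message, since the page notes exposure is assessed per communication.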

Where They Overlap (Indirectly)

HIPAA and AB 3030 don't directly overlap, but they can interact in practice. If an AI system generates a patient communication that:

  • Discloses PHI to the wrong recipient — a potential HIPAA breach AND an AB 3030 violation (no human review caught the error)
  • Generates clinically inaccurate content that harms a patient — creates HIPAA Security Rule review exposure AND full provider liability under AB 3030
  • Fails to preserve required patient communication records — may implicate both HIPAA record retention and AB 3030 audit log requirements

In each scenario, the violations are assessed independently. Resolving one does not resolve the other.

What Happens If You Are HIPAA-Compliant But AB 3030-Non-Compliant

A California healthcare provider that follows all HIPAA requirements but sends AI-generated clinical communications without a human reviewer or required disclaimer is:

  • Exposed to penalties of up to $2,500 per patient communication lacking the required disclosure — assessed per interaction, not per day or incident
  • Fully liable for any patient harm caused by unreviewed AI output, with no statutory safe harbor
  • Potentially subject to Medical Board disciplinary action for physicians who authorize AI-generated clinical communications without compliance

For a healthcare system sending thousands of AI-generated messages daily — appointment reminders with AI-personalized clinical context, care gap notifications, chronic disease management follow-ups — a systemic AB 3030 gap creates aggregate exposure in the millions of dollars, independent of HIPAA status.


Which Law Applies to Your AI System

Your AI System | HIPAA Applies? | AB 3030 Applies?
AI that drafts patient portal messages using EHR data | Yes — PHI in use | Yes — clinical communication sent to patient
AI scheduling assistant that books appointments only | Yes — PHI in use | Probably not — no clinical content generated
AI that generates follow-up care instructions after a visit | Yes — PHI in use | Yes — clinical instructions sent to patient
AI used only by clinicians for diagnosis support (not patient-facing) | Yes — PHI in use | No — output not sent to patient directly
Consumer health app that sends AI-generated wellness tips | Maybe — depends on PHI status | Yes if health content + provider relationship

Frequently Asked Questions

Does HIPAA compliance satisfy AB 3030?

No. HIPAA and AB 3030 regulate completely different things. HIPAA governs the privacy and security of protected health information (PHI) — it does not require any disclosure when AI generates patient communications. AB 3030 requires California healthcare providers to either have a licensed clinician review AI-generated patient communications before sending, or include a specific disclaimer on every AI-generated communication. A healthcare organization can be 100% HIPAA-compliant and simultaneously violating AB 3030 on every AI-generated patient message it sends.

What does HIPAA require that AB 3030 does not cover?

HIPAA covers data privacy protections — access controls, breach notification, minimum necessary use of PHI, business associate agreements, and patient rights to their own health information. AB 3030 doesn't address any of these. They are parallel requirements from different jurisdictions targeting different compliance dimensions.

What does AB 3030 require that HIPAA does not cover?

AB 3030 requires (1) that any AI-generated clinical communication sent to a patient either be reviewed by a licensed clinician before sending or carry a specific disclaimer stating it was AI-generated and not reviewed by a human, and (2) that every AI-generated communication include instructions for reaching a human healthcare provider. HIPAA contains no equivalent requirement. HIPAA has no concept of "human-in-the-loop" oversight for AI-generated clinical content.

Does a Business Associate Agreement (BAA) cover AB 3030 compliance?

No. BAAs are a HIPAA construct governing how business associates handle PHI. They don't address AI disclosure obligations under California law. Your AI vendor's BAA may cover HIPAA-compliant data processing, but it does not and cannot transfer your AB 3030 disclosure obligations to the vendor. You remain the responsible party for AB 3030 compliance on communications sent to your California patients.

Are HIPAA and AB 3030 enforced by the same agency?

No. HIPAA is enforced by the HHS Office for Civil Rights (federal). AB 3030 is enforced by the California Medical Board (for provider conduct), the California Department of Public Health, and the California Attorney General (civil enforcement). These are entirely separate enforcement agencies with separate jurisdictions and penalty structures.

Can violating AB 3030 also create HIPAA exposure?

In some scenarios, yes — but not because of any direct overlap between the laws. If an AI generates a patient communication that discloses PHI inappropriately (which would be an AB 3030 violation), that same communication could also constitute a HIPAA breach depending on who received it. But the violations are assessed independently under their respective regulatory frameworks.
