Medical Device AI Compliance in Los Angeles (2026): Complete Checklist

Medical device AI compliance in Los Angeles requires satisfying four California laws — AB 489, AB 3030, AB 2013, and SB 1120 — on top of FDA clearance. All four took effect January 1, 2026. FDA clearance does not satisfy California AI law. Non-compliance carries penalties up to $2,500 per patient interaction plus full liability for AI-caused patient harm. This is the checklist LA hospitals use to evaluate vendors.

Why Los Angeles MedTech Faces a Dual Compliance Burden

Los Angeles is home to more than 1,500 healthcare technology companies and is the second-largest MedTech hub in the United States after the San Francisco Bay Area. The region's density of major academic medical centers — UCLA Health, Cedars-Sinai, USC Keck Medicine, Huntington Health, Providence Health — creates both a massive commercial opportunity and a heightened compliance risk environment.

The critical distinction for LA startups: FDA clearance evaluates the AI device's safety and efficacy in isolation. California's 2026 AI laws govern how that cleared device communicates with patients, handles AI-generated clinical content, and documents its training data. A 510(k)-cleared AI diagnostic tool that sends unreviewed AI-generated reports to patients violates AB 3030 regardless of its FDA status.

The Four Laws: Side-by-Side Reference

AB 489 — AI Identity Disclosure

AB 489 prohibits any AI system from implying it is a licensed healthcare professional and requires clear disclosure at the start of every patient interaction. For LA medical device companies, this applies to:

• Patient-facing chatbots and virtual assistants embedded in devices or companion apps
• AI intake forms and symptom checkers used before clinical encounters
• Post-visit follow-up bots and automated patient messaging
• AI avatars in digital therapeutic or telehealth applications

The law specifically prohibits clinical camouflage — AI avatars wearing white coats, using titles like "Dr." or "Nurse," or displaying clinical imagery — unless a prominent disclosure covers at least 20% of the interaction screen. A small "AI" badge in the corner does not satisfy this requirement.

AB 3030 — Generative AI Human-in-the-Loop

AB 3030 applies whenever generative AI produces clinical content sent directly to patients. For LA medical device companies, the highest-risk scenarios are:

• AI-generated diagnostic summaries delivered to patients through a device companion app without clinician review
• Automated care plan or treatment recommendation messages drafted by an LLM and sent via patient portal
• AI-written post-procedure instructions pushed to patients after a device-guided procedure
• Device-connected health coaching messages generated by an AI model based on sensor data

The two compliance paths: (1) a licensed clinician reviews and approves each AI output before it reaches the patient — which requires workflow infrastructure but eliminates disclaimer obligations — or (2) every AI-generated communication carries a specific disclaimer stating it was produced by AI, was not reviewed by a human provider, and includes instructions for contacting one.

AB 2013 — Training Data Transparency

AB 2013 is the law most frequently missed by LA MedTech startups, because it targets the development side of AI rather than the user-facing side. Any company that trains or fine-tunes a generative AI model — including foundation model adapters, RLHF fine-tunes, and RAG systems built on proprietary clinical datasets — must publish a public training data disclosure covering:

• The categories of data used (licensed medical literature, proprietary EHR data, public web scrapes, synthetic data, etc.)
• The date range of the training dataset
• Whether the training data included HIPAA-regulated health information, and how it was de-identified
• A modification history for any version of the model that was substantially retrained

The disclosure must be published at a publicly accessible URL on the company's own domain — not buried in a terms of service or accessible only through a portal login. LA hospitals are beginning to require the AB 2013 disclosure URL as part of vendor security questionnaires.

SB 1120 — No Autonomous Claim Denials

SB 1120 is relevant for LA startups whose AI tools touch insurance or utilization management workflows. The law prohibits AI from being the final decision-maker on health insurance coverage denials. If your device or platform generates clinical assessments that are used to support utilization review decisions — even if downstream of the actual denial — your vendor contracts with payers and hospital-operated health plans should explicitly address SB 1120 compliance.

What LA Hospitals Require at Vendor Procurement

Major Los Angeles health systems — including Cedars-Sinai Medical Center, UCLA Health, USC Keck Medicine, Kaiser Permanente Southern California, and Providence Health — have updated their AI vendor risk assessments. Based on publicly available procurement frameworks, hospital compliance teams are requesting:

• Screenshots or documentation showing AB 489 disclosure implementation in the patient-facing product
• Written AB 3030 workflow policy — either a Human-in-the-Loop review policy naming authorized reviewers, or the disclaimer language deployed on automated outputs
• The public URL for the company's AB 2013 training data disclosure
• Attestation that no AI component autonomously issues clinical determinations without human oversight
• Audit log samples showing disclosure timestamps and, where applicable, clinician approval records

Vendors that cannot produce this documentation during the security review phase are increasingly disqualified before reaching commercial terms.

The 2026 LA MedTech AI Compliance Checklist

AB 489 — Patient-Facing AI Identity

• ☐ Every patient-facing AI interaction starts with a clear, prominent AI identity disclosure
• ☐ Disclosure appears before any clinical content is exchanged — not after
• ☐ Disclosure reappears at the start of every new session (session cookies don't satisfy this)
• ☐ AI avatars have no clinical camouflage (no white coats, stethoscopes, "Dr." or "Nurse" names)
• ☐ Disclosure text explicitly states the system is not a licensed healthcare professional
• ☐ Every AI interaction includes a pathway to reach a human staff member

AB 3030 — Generative AI Patient Communications

• ☐ All AI-generated patient communications are inventoried and classified by type
• ☐ For each communication type: human review workflow is documented OR disclaimer is deployed
• ☐ Human review policy names specific authorized reviewers and their clinical credentials
• ☐ AI-generated communications sent without review carry the full AB 3030 disclaimer
• ☐ Disclaimer includes instructions for the patient to reach a human provider
• ☐ Audit logs capture AI outputs, human reviewer identities, approval decisions, and timestamps

AB 2013 — Training Data Transparency

• ☐ Training data disclosure is published at a public URL on your domain (not behind a login)
• ☐ Disclosure names all data categories used — including licensed, scraped, synthetic, and proprietary
• ☐ HIPAA-regulated data use is documented with de-identification method specified
• ☐ Modification history section covers all substantial retraining events
• ☐ Disclosure URL is included in all hospital and payer vendor questionnaire responses
• ☐ A process exists to update the disclosure when the model is substantially retrained

SB 1120 — Utilization Management (if applicable)

• ☐ AI does not autonomously issue coverage denials or final clinical determinations
• ☐ Utilization management vendor contracts explicitly require SB 1120-compliant human review
• ☐ Licensed clinician review is documented for every denial where AI was involved

30-Day Compliance Action Plan for LA Startups

Week 1 — Audit and map. Identify every AI touchpoint in your product that communicates with patients or generates clinical content. List which law applies to each. Flag gaps where no disclosure exists and where AI outputs are sent without human review.

Week 2 — Fix AB 489 disclosures. Add clear AI identity disclosures to every patient-facing interaction. Update any AI avatar designs that include clinical camouflage. Use our free Disclosure Generator to create compliant disclosure text.

Week 3 — Implement AB 3030 workflows. Either assign licensed reviewers to AI-generated clinical communications, or deploy AB 3030 disclaimers on automated outputs. Document the chosen approach in writing.

Week 4 — Publish AB 2013 disclosure and prepare procurement docs. Generate and publish your training data transparency page using our free AB 2013 Transparency Generator. Compile your hospital procurement documentation package: disclosure screenshots, workflow policies, the AB 2013 URL, and audit log samples.

Penalties and Enforcement Timeline

All four laws took effect January 1, 2026. The Medical Board of California has publicly indicated that enforcement audits targeting telehealth platforms and large health technology vendors — with Los Angeles specifically named as a focus region given its concentration of medical AI companies — will begin in 2026. Penalties for AB 3030 violations are up to $2,500 per violation. For a product serving thousands of patients daily, a single missing disclosure across all interactions represents substantial aggregate exposure.

The California Attorney General's office has civil enforcement authority over AB 2013. Failure to publish a training data disclosure can be cited as a deceptive business practice under California's Unfair Competition Law (Business and Professions Code §17200), which carries injunctive relief, civil penalties, and restitution obligations.

Free Compliance Tools for LA Startups

Frequently Asked Questions