California AI Compliance FAQ

Common questions about complying with California's 2026 AI mandates (AB 489, AB 3030, SB 942).

Healthcare & Medical AI (AB 3030, AB 489)

Under AB 3030, a licensed healthcare professional who reviews and approves a generative AI output before it is delivered to the patient qualifies as a 'Human-in-the-Loop' (HITL) — and that review eliminates the strict disclosure requirement that would otherwise apply. However, 'review' means genuine clinical oversight, not a rubber-stamp approval. The reviewing provider must have the authority and opportunity to modify or reject the AI output before it reaches the patient. Even when a HITL exemption applies, many organizations still include a brief disclosure as a trust-building measure. AB 489 also requires that any AI system — reviewed or not — identify itself as artificial intelligence at the start of the patient interaction. So the HITL exemption covers the generative AI disclosure under AB 3030, but does not override AB 489's identity disclosure requirement.
No. AB 489 explicitly prohibits AI agents from using visual cues that imply or suggest medical licensure. A white coat, stethoscope, scrubs, or any other professional medical attire are all considered 'clinical camouflage' under the law and are forbidden unless the AI simultaneously displays a prominent disclosure covering at least 20% of the interaction screen stating 'AI VIRTUAL ASSISTANT' or equivalent language. The statute was drafted in direct response to early AI companion products that used professional attire to increase user trust and compliance — a practice regulators found deceptive. Violations are enforced by the Medical Board of California and can result in fines starting at $2,500 per interaction. If you operate a patient-facing AI avatar, audit every visual element — including background imagery and badge-style graphics — for implied medical authority.
AB 3030 specifically targets generative AI — systems that produce original text, audio, or video in response to patient inputs. If your system uses a rule-based decision tree, scripted response library, or classical NLP that does not generate novel content, AB 3030's disclosure and human-oversight requirements technically do not apply. However, AB 489 applies to all artificial intelligence systems that interact with patients, regardless of whether they are generative. That includes rule-based chatbots, virtual scheduling assistants, symptom checkers, and any other automated system that a patient might reasonably believe is a human healthcare professional. In practice, even non-generative AI systems serving patients in California should disclose their automated nature at the start of every interaction to comply with AB 489 and avoid deception-based liability.
Even a simple appointment-scheduling bot must disclose that it is an automated system under AB 489 if it interacts directly with patients. The disclosure does not need to be elaborate — a clear statement such as 'I am an automated scheduling assistant, not a healthcare provider' at the start of the interaction is generally sufficient. The key threshold under AB 489 is whether a reasonable patient could mistake the system for a human healthcare professional. Scheduling bots that send appointment reminders, collect insurance information, or respond to cancellation requests often approach that threshold, especially when designed with conversational UX. AB 3030's stricter disclosure requirements apply only if the scheduling bot uses generative AI to compose its responses. Use our free AB 3030 Disclosure Generator to create ready-to-deploy disclosure language in under 60 seconds.
No. Under California law, prescribing medication requires a licensed human provider — artificial intelligence cannot independently issue a prescription regardless of the AI's capabilities or the clinical context. AI systems may be used as Clinical Decision Support tools that suggest potential medications for a physician's consideration, but the final prescribing decision, review, and sign-off must come from a licensed California provider. AB 489 and related regulations specifically prohibit AI from performing clinical acts reserved by statute for licensed professionals. An AI system that presents a medication suggestion without clearly framing it as a recommendation for physician review — rather than a directive — risks violating both AB 489 and the Business and Professions Code provisions governing the unlicensed practice of medicine. Always ensure your AI's output language reflects its advisory role, not a clinical determination.

Generative AI & Watermarking (SB 942, AB 2013)

SB 942 requires covered AI providers to implement both types of watermarking for AI-generated content. Manifest disclosure is a visible, human-readable indicator — such as a label reading 'AI Generated,' a banner overlay, or a footer note — that informs the viewer directly that the content was created by artificial intelligence. Latent disclosure is invisible to the naked eye: it is technical metadata or a steganographic signal embedded in the file itself that detection software can identify. The rationale is that manifest marks can be removed (by cropping an image, for example), while latent watermarks survive most casual edits and allow automated content-authenticity verification downstream. For healthcare AI, this is especially significant: AI-generated patient summaries, care instructions, and clinical images distributed outside the platform must carry both types of watermarking under SB 942 if the generating system meets the covered-provider threshold.
AB 2013 requires the public disclosure of training data sources and categories, but the statute includes explicit trade secret protections. You are not required to publish proprietary dataset names, specific vendor contracts, or the exact composition of a proprietary corpus. What you must disclose is a meaningful summary: the general categories of data used (such as 'licensed medical journals,' 'publicly available web data,' 'proprietary clinical records'), approximate date ranges, geographic scope, whether personal or health information was included, and how it was de-identified. Simply labeling your entire training data description as a trade secret is not a valid compliance strategy — regulators expect category-level transparency even when specific file lists are protected. AB 2013 also requires a modification history when the model is substantially retrained. Our free AB 2013 Transparency Generator helps structure a compliant disclosure while preserving legitimately proprietary details.
SB 942's requirement to provide a publicly accessible, free AI-detection tool applies specifically to 'Covered Providers' — defined as developers of large-scale AI content generation systems with over one million monthly active users in California. If your platform falls below that threshold, the detection-tool obligation does not apply. However, SB 942's content-watermarking requirements for individual AI-generated outputs may still apply depending on the type of content generated and how it is distributed. The law distinguishes between obligations for platform-level providers (the detection tool) and obligations tied to specific content outputs (the manifest and latent marks). Healthcare AI developers generating patient-facing content should review whether their distribution channel — rather than their user count — triggers SB 942 watermarking duties. The California AG's office has indicated that user-count thresholds will be recalibrated as the law matures.

Enforcement & Penalties

California's healthcare AI laws impose penalties through multiple overlapping enforcement channels. Under AB 489 and AB 3030, violations can result in administrative fines of up to $2,500 per violation — and each non-compliant patient interaction is typically counted as a separate violation. In a practice with hundreds of daily patient contacts, aggregate exposure grows rapidly. Beyond administrative fines, healthcare providers who violate AB 489 face professional license discipline from the Medical Board of California, which can include suspension or revocation. Developers whose AI systems use unlicensed patient health data for training may face CMIA penalties of $1,000 to $250,000 per incident. AB 2013 violations for failure to publish training data transparency reports may be enforced by the California Privacy Protection Agency with additional fines. The overlapping penalty regime is intentional — regulators wanted multiple enforcement pathways to ensure compliance.
The correct reporting channel depends on the type of violation. For violations by licensed healthcare professionals — such as a physician using a non-compliant AI without proper disclosure — complaints should be filed with the Medical Board of California at medicalboard.ca.gov. For violations by healthcare facilities or health systems, the California Department of Public Health (CDPH) accepts complaints at cdph.ca.gov. For violations involving consumer-facing AI products or deceptive AI practices outside a licensed professional context, the California Attorney General's consumer protection division accepts reports at oag.ca.gov. For violations of CMIA or CCPA related to health data used in AI training, the California Privacy Protection Agency (CPPA) at cppa.ca.gov is the appropriate regulator. If you are unsure which agency has jurisdiction, the AG's office can direct your complaint to the correct body.
California's healthcare AI disclosure laws — AB 489 and AB 3030 in particular — are focused on patient-facing and consumer-facing interactions. A purely internal administrative tool that summarizes billing codes, schedules staff, or flags appointment conflicts without ever producing output that reaches a patient is generally outside the scope of these disclosure requirements. However, the line blurs quickly. If an internal tool generates clinical notes, creates draft treatment plans, or produces content that will be transmitted to patients even after review, it is considered part of the patient interaction chain. HIPAA and the CMIA apply to any system that processes protected health information, regardless of whether it is patient-facing. If your internal AI tool touches PHI — even indirectly — you must implement appropriate access controls, audit logging, and de-identification safeguards. Human-in-the-Loop workflows are strongly recommended for any AI system that contributes to clinical decision-making.