UPDATE — JULY 2025: Colorado continues to lead the way in AI regulation for the insurance industry. Since passing SB 21-169 and adopting Regulation 10-1-1, state regulators have proposed expanding governance and risk requirements to auto and health insurers. As more states explore similar protections, Colorado’s framework is increasingly viewed as a model for AI policy across the insurance sector.
ORIGINAL BLOG POST:
More and More U.S. Lawmakers Considering AI Regulations in Health Decisions
While several U.S. states are considering safeguards for AI’s use in elections, several states are also considering formal regulations aimed at AI systems used by insurance companies. States like New York, California, Connecticut, and New Jersey have issued warnings or are considering legislation aimed at insurance algorithms. Several government bodies are following Colorado’s path because it was the first state to adopt formal regulations aimed at insurance AI.
Senate Bill 21-169
It all started back in 2021 when Colorado lawmakers passed Senate Bill 21-169, titled “Concerning Protecting Consumers from Unfair Discrimination in Insurance Practices.” It aims to prohibit unfair discrimination based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression in any insurance practice.
The bill recognizes that insurers increasingly use external consumer data and information sources (ECDIS), algorithms, and predictive models in their insurance rating, underwriting, claims, and other business practices. While these tools can simplify processes, their accuracy and rationale may vary, potentially leading to negative impacts on insurance availability, affordability, and utilization for protected classes.
To ensure fair and equitable access to insurance products, the bill prohibits unfair discrimination based on the protected classes mentioned above. It also prohibits the use of ECDIS, algorithms, and predictive models that unfairly discriminate based on these protected classes.
Role of the Insurance Commissioner
The bill directs the Commissioner to lead a stakeholder process and create rules for each insurance type. These rules require insurers to:
- Disclose their data sources
- Explain how they use external data and models
- Establish governance and risk frameworks
- Perform assessments and correct any discriminatory impacts
Insurers must also cooperate with investigations, and documents obtained during reviews are treated as confidential.
Importantly, the bill does not force insurers to collect sensitive information about applicants. It also avoids overriding existing practices—unless they involve external data and predictive models that could introduce unfair discrimination.
Regulation 10-1-1: Turning Principles Into Practice
In 2023, Colorado adopted Regulation 10-1-1, a governance and risk management framework for life insurers using external consumer data. It emphasizes transparency, accountability, and fairness in algorithmic decision-making.
Key features include:
Senior Management Oversight
Insurers must build strong governance frameworks, approved and overseen by the board of directors. Senior leaders are responsible for developing strategies, assigning roles, and reviewing risks related to algorithms and data use.
Cross-Functional Governance Groups
Each insurer must form a documented governance group. This group includes legal, compliance, risk, product, actuarial, underwriting, marketing, data science, and customer service representatives. It ensures decisions are made with a holistic view of risk.
Ongoing Monitoring & Documentation
Insurers must document policies for designing, testing, deploying, and monitoring algorithms. Regular reviews for model drift, performance, and governance structure are required to maintain compliance.
Third-Party Vendor Accountability
Even if an insurer uses external vendors for algorithms or data sources, the insurer remains fully responsible for compliance. They must document how vendors are selected and supervised to meet regulatory expectations.
Reporting & Compliance
Insurers must submit narrative reports outlining their progress toward compliance. These reports highlight challenges, timelines, and areas still in development. Annual reports must also be signed by a senior officer and detail full compliance.
Even companies not using algorithms or external data must submit an annual attestation confirming non-use.
The Big Picture
If Colorado’s model proves effective, more states are likely to adopt similar rules—especially in auto, health, and other high-impact sectors. The state’s combination of legislation and regulatory guidance provides a blueprint for AI oversight in insurance.
Need Help?
If these two bills prove to be successful in the long term, it wouldn’t be surprising to see more and more states considering AI regulations for a variety of insurance industries. For assistance in navigating compliance, don’t hesitate to contact BABL AI. One of their audit experts can offer valuable guidance and support.


