Insurance Compliance · 10 min read

State Insurance Regulations for Digital Health Screening: What to Know

A detailed analysis of how state insurance regulations govern digital health screening in underwriting, covering data privacy mandates, algorithmic transparency rules, and multi-jurisdictional compliance strategies for insurers.

tryvitalscheck.com Research Team

The adoption of digital health screening in insurance underwriting has outpaced the regulatory frameworks designed to govern it, creating a compliance environment where state insurance regulations for digital health screening vary dramatically from one jurisdiction to the next. For chief medical officers and compliance leaders at carriers and reinsurers, the challenge is not whether to adopt digital screening tools --- the efficiency gains are well documented --- but how to deploy them in a way that satisfies 50-plus distinct state regulatory regimes simultaneously.

"We are regulating 21st-century underwriting technology with a patchwork of 20th-century insurance statutes. The divergence between states is not a temporary condition --- it is the structural reality that carriers must design around." --- Birny Birnbaum, Executive Director, Center for Economic Justice, testimony to NAIC Innovation and Technology Task Force (2025)

Analysis: The Regulatory Landscape for Digital Health Screening

Digital health screening --- the use of camera-based physiological measurement, wearable data, electronic health records, and algorithmic risk models in the underwriting process --- touches multiple regulatory domains simultaneously. No single state statute comprehensively addresses the practice. Instead, carriers must navigate overlapping requirements from insurance codes, data privacy statutes, unfair trade practices acts, and emerging algorithmic governance rules.

The regulatory surface area breaks down into four categories:

Data collection and consent. What biometric and health data can an insurer collect through digital screening, and what consent mechanisms are required? States diverge sharply. Illinois's Biometric Information Privacy Act (BIPA) requires a written release before biometric data is collected and gives individuals a private right of action. Texas and Washington have biometric privacy statutes that require notice and consent under different standards, with no written-release requirement and no private right of action. California's CCPA/CPRA framework classifies biometric data as sensitive personal information, which carries disclosure obligations and a consumer right to limit its use and disclosure rather than a general opt-in requirement. Most other states have no biometric-specific statute, relying instead on general insurance data handling provisions.

Algorithmic transparency and fairness. How must insurers document and justify algorithmic underwriting decisions derived from digital screening data? Colorado's SB 21-169 (enacted in 2021; the Division of Insurance's implementing governance regulation for life insurers took effect in November 2023) requires insurers to test algorithmic models for unfair discrimination and to submit governance frameworks to the Division of Insurance. Connecticut's PA 23-15 imposes similar obligations. The NAIC's Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (December 2023) provides a non-binding framework that additional states are expected to adopt through 2026 and 2027.

Adverse action and disclosure. When digital screening data contributes to an adverse underwriting decision, what must the insurer disclose to the applicant? Federal requirements under the Fair Credit Reporting Act apply when consumer reports are used, but state insurance codes layer additional adverse action notice obligations that vary by line of business and jurisdiction.

Data retention and deletion. How long may an insurer retain digital screening data, and under what circumstances must it be deleted? State data privacy statutes (now enacted in 19 states as of early 2026) impose varying retention limitation and deletion-upon-request obligations that interact with, and sometimes conflict with, insurance record retention requirements.

Regulatory Dimension | Restrictive States (Examples) | Moderate States (Examples) | Minimal Specific Regulation (Examples) | Key Compliance Consideration
--- | --- | --- | --- | ---
Biometric data consent | Illinois (BIPA), Texas (CUBI), Washington (HB 1493) | California (CCPA/CPRA), Colorado (CPA) | Ohio, Georgia, Florida | Notice and consent (a written release under BIPA) and data handling disclosures required before any biometric collection in restrictive states
Algorithmic underwriting governance | Colorado (SB 21-169), Connecticut (PA 23-15) | New York (Circular Letter 2024-XX), Virginia (proposed 2026) | Most states (relying on general unfair discrimination statutes) | Proactive bias testing and model documentation required in restrictive states; general fairness obligations apply everywhere
Health data privacy (beyond HIPAA) | California (CMIA + CCPA), New York (SHIELD Act), Massachusetts (201 CMR 17.00) | Virginia (VCDPA), Connecticut (CTDPA) | Majority of states (HIPAA + state insurance code provisions only) | State health data privacy statutes may impose obligations beyond HIPAA for data collected outside the treatment context
Data retention and deletion | California (CCPA/CPRA deletion rights), Colorado (CPA), Oregon (OCPA) | Virginia (VCDPA), Utah (UCPA) | Most states (insurance record retention statutes only) | Deletion obligations may conflict with insurance record retention requirements; carriers must reconcile both
Adverse action notice | All states (via FCRA + state insurance codes) | n/a | n/a | State-specific notice content, timing, and delivery requirements vary and exceed federal minimums in many jurisdictions

Applications: Operationalizing Multi-State Compliance

Consent architecture design. Carriers deploying digital health screening across multiple states cannot build consent workflows on a lowest-common-denominator basis --- the most restrictive state's requirements (typically Illinois for biometric data) must inform the baseline, with state-specific variations layered on top. In practice, this means implementing granular consent collection that captures the specific data categories being collected, the purpose of collection, the retention period, and the mechanism for withdrawal --- all before any screening data is captured.
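The gate below is an added illustration of that consent architecture, not Circadify's code. It treats the carrier's own baseline (affirmative opt-in, disclosed purpose, retention period and withdrawal mechanism, captured before any screening data) as required in every jurisdiction, layers state-specific additions on top, and refuses capture for any jurisdiction it has no profile for rather than assuming the general rule applies. The per-state profiles are a constructed, simplified encoding of what the article states (a written release under Illinois BIPA; notice and consent without a written release in Texas and Washington); they are not legal advice and omit many real requirements.

```python
"""Fail-closed consent gate for multi-state digital health screening.

Added example; not Circadify's code. STATE_RULES is a constructed,
simplified encoding of the article's statements and is not legal advice.
"""
from __future__ import annotations
from dataclasses import dataclass

# Consent elements the gate understands.
WRITTEN = "written_release"       # signed/written release from the subject
OPT_IN = "affirmative_opt_in"     # explicit affirmative consent to collection
PURPOSE = "purpose_disclosed"
RETENTION = "retention_disclosed"
WITHDRAWAL = "withdrawal_mechanism"

# Carrier baseline applied in every jurisdiction (the page's "most restrictive
# baseline, state-specific variations layered on top").
BASELINE = {OPT_IN, PURPOSE, RETENTION, WITHDRAWAL}

# Constructed per-state additions. A state must be profiled before capture is
# allowed there: absence from this table is a gap, not a pass.
STATE_RULES = {
    "IL": {WRITTEN},   # BIPA-style written release
    "TX": set(),       # CUBI-style notice and consent: covered by BASELINE
    "WA": set(),       # HB 1493-style notice and consent: covered by BASELINE
    "OH": set(),       # no biometric-specific statute per the page
}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    data_categories: frozenset           # e.g. {"facial_geometry", "heart_rate"}
    purpose: str | None
    retention_days: int | None
    withdrawal_mechanism: str | None     # e.g. "portal:/consent/withdraw"
    written_release: bool = False
    affirmative_opt_in: bool = False

    def elements(self) -> set:
        """Consent elements this record actually evidences."""
        have = set()
        if self.purpose:
            have.add(PURPOSE)
        if self.retention_days is not None and self.retention_days > 0:
            have.add(RETENTION)
        if self.withdrawal_mechanism:
            have.add(WITHDRAWAL)
        if self.written_release:
            have.update({WRITTEN, OPT_IN})  # a signed release is affirmative consent
        if self.affirmative_opt_in:
            have.add(OPT_IN)
        return have


def consent_gaps(record: ConsentRecord, states, requested_categories) -> dict:
    """Return {state or 'categories' or '*': [missing items]}.

    An empty dict means every target jurisdiction's requirements and every
    requested data category are covered, so capture may proceed.
    """
    gaps = {}
    if not states:
        gaps["*"] = ["no_jurisdiction"]          # refuse rather than guess
    have = record.elements()
    for st in states:
        if st not in STATE_RULES:
            gaps[st] = ["no_profile"]            # unprofiled jurisdiction: refuse
            continue
        missing = sorted((BASELINE | STATE_RULES[st]) - have)
        if missing:
            gaps[st] = missing
    uncovered = sorted(set(requested_categories) - set(record.data_categories))
    if uncovered:
        gaps["categories"] = uncovered           # consent must name each category
    return gaps


def may_capture(record: ConsentRecord, states, requested_categories) -> bool:
    """True only when consent_gaps() is empty (fail closed)."""
    return not consent_gaps(record, states, requested_categories)


if __name__ == "__main__":
    # Constructed scenario from the page's FAQ: Texas-compliant consent reused in Illinois.
    tx_style = ConsentRecord("applicant-001", frozenset({"facial_geometry", "heart_rate"}),
                             "underwriting risk assessment", 365, "portal:/consent/withdraw",
                             affirmative_opt_in=True)
    print("TX:", consent_gaps(tx_style, ["TX"], {"facial_geometry"}))
    print("IL:", consent_gaps(tx_style, ["IL"], {"facial_geometry"}))
```

Evaluate the gate against every jurisdiction where the data will be used, not only where it is collected; the second call above shows a Texas-style record failing Illinois on the written release alone, with the baseline elements already satisfied.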

Model governance programs. The Colorado model has established a template that compliance leaders should treat as a floor rather than a ceiling. A robust model governance program for digital health screening includes pre-deployment bias testing across protected classes, ongoing monitoring of model outputs for disparate impact, documentation of training data provenance and feature selection rationale, and a defined remediation process when monitoring identifies potential unfair discrimination. Even in states without explicit algorithmic governance mandates, the general prohibition on unfair discrimination in insurance (present in every state's insurance code) creates liability exposure for unmonitored algorithmic underwriting.
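As an added example of the ongoing disparate-impact monitoring step (not Circadify's code and not a regulator-prescribed test), the monitor below takes the decisions a screening model contributed to, computes each protected-class group's favorable-outcome rate, divides it by the best group's rate, and flags groups whose ratio falls below a threshold. The page names no threshold or sample-size floor; the 0.8 default (the conventional "four-fifths" benchmark) and the 30-applicant minimum are assumptions the governance program has to set deliberately, and the sample decisions are constructed.

```python
"""Disparate-impact monitor over model-driven underwriting outcomes.

Added example; not Circadify's code. Threshold and minimum group size are
assumptions, not values taken from the page or from any regulator.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ImpactReport:
    rates: dict          # group -> favorable-outcome rate
    ratios: dict         # group -> rate / best group's rate
    flagged: list        # groups below threshold, sorted
    insufficient: list   # groups below min_group_size, sorted (reported, not dropped silently)


def monitor(decisions, threshold: float = 0.8, min_group_size: int = 30) -> ImpactReport:
    """decisions: iterable of (group, favorable), favorable=True when the
    screening-derived decision was not adverse to the applicant."""
    n = defaultdict(int)
    fav = defaultdict(int)
    for group, favorable in decisions:
        n[group] += 1
        fav[group] += 1 if favorable else 0
    # Small groups give noisy rates; surface them instead of testing them.
    insufficient = sorted(g for g in n if n[g] < min_group_size)
    rates = {g: fav[g] / n[g] for g in n if n[g] >= min_group_size}
    best = max(rates.values(), default=0.0)
    # If no group has any favorable outcome there is no disparity to measure.
    ratios = {g: (r / best if best > 0 else 1.0) for g, r in rates.items()}
    flagged = sorted(g for g, r in ratios.items() if r < threshold)
    return ImpactReport(rates, ratios, flagged, insufficient)


def sample_decisions():
    """Constructed sample: groups A/B/C with 200/200/12 applicants and
    160/110/2 favorable outcomes respectively."""
    return ([("A", i < 160) for i in range(200)]
            + [("B", i < 110) for i in range(200)]
            + [("C", i < 2) for i in range(12)])


if __name__ == "__main__":
    report = monitor(sample_decisions())
    print("rates:", report.rates)            # A 0.80, B 0.55
    print("ratios:", report.ratios)          # B 0.6875 -> below 0.8
    print("flagged:", report.flagged)        # ['B']
    print("insufficient:", report.insufficient)  # ['C']
```

Run it on a rolling window of decisions per model version and keep the reports with the model documentation; a flagged group is the trigger for the remediation process the paragraph describes, and an insufficient group is a reason to widen the window rather than to conclude there is no issue.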

Reinsurance treaty considerations. Reinsurance medical directors evaluating ceding company digital screening practices must assess whether the cedant's compliance infrastructure can withstand regulatory scrutiny across the cedant's operating jurisdictions. A treaty that assumes uniform underwriting practices across states may carry hidden regulatory risk if the cedant has not implemented jurisdiction-specific controls for digital screening data.

Regulatory change monitoring. The pace of new legislation in this space requires continuous monitoring rather than periodic legal review. In 2025 alone, 14 states introduced bills directly addressing algorithmic decision-making in insurance (National Conference of State Legislatures, AI Legislation Tracker, 2025). Compliance teams that learn about new requirements after enactment rather than during the legislative process lose critical implementation lead time.

Research: What the Data Shows About Regulatory Divergence

A 2025 analysis by the American Academy of Actuaries examined the compliance cost of multi-state algorithmic underwriting governance and found that carriers operating in 40 or more states spent an average of $2.3 million annually on jurisdiction-specific compliance activities related to digital underwriting tools --- a figure that increased 67% between 2023 and 2025 as new state requirements took effect.

Research published in the Connecticut Insurance Law Journal (Vol. 31, No. 2, 2025) evaluated the early implementation of Colorado's SB 21-169 and found that 41% of surveyed carriers operating in Colorado made material changes to their algorithmic underwriting processes in response to the statute, with the most common modifications being the addition of pre-deployment bias testing (78% of those making changes) and the implementation of ongoing disparate impact monitoring (63%).

The Georgetown Center on Health Insurance Reforms published a 2025 study documenting that states with explicit digital underwriting governance frameworks experienced 28% fewer consumer complaints related to algorithmic underwriting decisions than states relying solely on general unfair discrimination statutes --- suggesting that regulatory clarity benefits both consumers and carriers by establishing shared expectations.

A joint study by the Brookings Institution and the Urban Institute (2025) examined the interaction between state data privacy statutes and insurance data handling and identified 23 specific areas where state privacy law obligations conflict with insurance regulatory requirements, including data retention mandates, deletion-upon-request provisions, and purpose limitation restrictions that may be incompatible with actuarial data needs.

Future: Where State Regulation Is Heading

NAIC model law development. The NAIC's Innovation and Technology Task Force is developing model provisions for algorithmic underwriting governance that, if adopted, would create a more uniform baseline across states. However, NAIC model laws historically take 3--5 years from drafting to widespread state adoption, and states frequently modify model provisions during enactment. Carriers should plan for continued divergence through at least 2029.

Federal preemption debates. Congressional interest in federal AI governance (the proposed AI Foundation Model Transparency Act and the Algorithmic Accountability Act reintroduction in 2025) could eventually create a federal floor for algorithmic underwriting regulation. However, McCarran-Ferguson Act dynamics make federal preemption of state insurance regulation politically and legally complex. The more likely near-term outcome is federal legislation that coexists with state insurance regulation rather than displacing it.

Interstate compact approaches. The Interstate Insurance Product Regulation Commission (IIPRC) has begun exploring whether its compact framework could be extended to cover digital underwriting governance standards. If successful, this would allow participating states to adopt uniform digital screening requirements through the compact mechanism, reducing the multi-state compliance burden for carriers. Early discussions suggest a pilot framework could emerge by 2027.

FAQ

Do HIPAA protections cover all digital health screening data collected during underwriting?

Not necessarily. HIPAA applies to covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates. When an insurer collects health-related data directly from an applicant through a digital screening tool --- rather than receiving it from a covered entity --- the data may fall outside HIPAA's scope. State health data privacy statutes (such as California's Confidentiality of Medical Information Act or Washington's My Health My Data Act) may provide additional protections, but coverage varies by jurisdiction.

How should carriers handle states that have not yet enacted digital underwriting-specific regulations?

Every state's insurance code prohibits unfair discrimination in underwriting, and every state's unfair trade practices act addresses deceptive or unfair insurance practices. These general provisions apply to digital screening even absent specific digital underwriting statutes. Carriers should apply the same model governance rigor in unregulated states as in regulated ones, both to manage litigation risk and to prepare for the regulatory requirements that are likely to follow.

What is the compliance risk of using digital screening data collected in one state for underwriting decisions in another?

Significant. Data collected under one state's consent and privacy framework may not satisfy another state's requirements. For example, biometric data collected with Texas-compliant consent (which does not require written consent) would not satisfy Illinois BIPA requirements. Carriers must ensure that their consent and data handling frameworks satisfy the requirements of every jurisdiction where the data will be used, not just the jurisdiction where it was collected.

How frequently should carriers update their state regulatory compliance mapping for digital screening?

Given the pace of legislative and regulatory activity, quarterly review cycles are insufficient. Leading practice among carriers surveyed by Celent (2025 Insurance Compliance Technology Report) is continuous monitoring through regulatory intelligence platforms, supplemented by monthly compliance team reviews of flagged changes and quarterly comprehensive assessments of the full regulatory mapping.

Are reinsurers subject to the same state digital screening regulations as primary carriers?

Reinsurers are generally regulated less prescriptively than primary carriers at the state level, but they are not exempt. State regulations that govern the data practices underlying underwriting decisions can apply to reinsurers when they are directly involved in underwriting (as in facultative arrangements) or when treaty terms incorporate compliance obligations. Reinsurance medical directors should ensure that treaty compliance provisions specifically address the cedant's digital screening regulatory obligations.


Compliance leaders and chief medical officers exploring how digital health screening can be deployed within multi-state regulatory frameworks can review Circadify's approach to insurance industry integration at circadify.com/industries/payers-insurance.

Tags: state insurance regulations, digital health screening, underwriting compliance, insurance data privacy