Underwriting Compliance · 9 min read

What happens if a simple home health scan says I’m high-risk, unfairly?

A regulatory analysis of unfair high-risk insurance assessments from at-home health scans, and the compliance controls carriers need to contest and correct them.

tryvitalscheck.com Research Team

A thirty-second face scan or a short remote vitals check can now move an applicant from submission to a risk class in minutes, and when that classification comes back as high-risk, the applicant has almost no visibility into why. The fear is reasonable: a single noisy reading, a lighting artifact, or a model trained on an unrepresentative population can produce an unfair high-risk insurance assessment that follows a consumer across carriers and years. For chief medical officers, reinsurance medical directors, and compliance leaders, that consumer fear is not a public relations footnote. It is a direct signal of where regulators, plaintiffs, and market conduct examiners are about to focus, and it sets the standard your underwriting controls must meet.

In its December 2023 Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, the National Association of Insurance Commissioners stated that decisions made or supported by AI systems must comply with all existing legal standards, including prohibitions on unfair discrimination, and that insurers remain responsible for outcomes regardless of whether a third-party tool produced them.

Why an unfair high-risk insurance assessment is a compliance problem, not a customer service one

When an applicant is classified as high-risk based on a home health scan, three things happen at once from a regulatory standpoint. A risk decision is made, that decision is potentially adverse, and the basis for it lives inside a model whose inputs the applicant never sees. Each of those creates a distinct obligation.

The first obligation is explainability. If a contactless vitals reading contributes to a substandard rating or a decline, the carrier must be able to reconstruct the specific data points and model logic that drove the result. The second is contestability. The applicant needs a route to challenge a reading they believe is wrong, and the carrier needs a documented process for re-evaluation. The third is non-discrimination. Under the framework established by Colorado Senate Bill 21-169 (2021) and its implementing regulation for life insurers, effective November 14, 2023, carriers using external consumer data and predictive models must test those systems for disparate outcomes across protected classes and take corrective action when they find them.

An unfair high-risk insurance assessment fails all three tests at once. It is unexplainable to the applicant, often hard to contest, and may rest on a model that performs differently across skin tones, ages, or device types. That is why this is a governance question. A false high-risk label is not a one-off error to be apologized for. It is evidence of a control gap that a market conduct examiner can generalize across an entire book.

How a false high-risk reading travels through the system

The damage from a single bad scan is rarely contained. Consider how a flawed reading propagates:

  • The reading feeds an underwriting model that assigns a rating class or triggers a decline.
  • That decision may generate an adverse action obligation if external consumer data was used, implicating the Fair Credit Reporting Act.
  • The outcome can be reported to industry data exchanges, where it influences future applications at other carriers.
  • The applicant, often unaware of the specific cause, has limited ability to correct the underlying data.
  • The aggregate pattern of these decisions becomes discoverable in a regulatory exam or a disparate-impact analysis.

The Casualty Actuarial Society, in its work on regulatory perspectives on algorithmic bias, has noted that unfair discrimination can arise even without intent, through proxy variables and unrepresentative training data. A vitals scan that systematically overestimates risk for a subgroup is exactly the kind of proxy problem regulators are now equipped to detect.

Comparing how carriers handle a disputed high-risk classification

The difference between a carrier that absorbs a regulatory finding and one that does not usually comes down to whether the controls below were designed in from the start or bolted on after an inquiry.

| Capability | Reactive program | Compliance-ready program |
|---|---|---|
| Explainability of a scan-driven decision | Vendor "black box," no reason codes retained | Decision-level reason codes stored and reproducible |
| Applicant contest pathway | Informal, handled case by case | Documented re-evaluation and manual review workflow |
| Adverse action handling | Inconsistent, FCRA exposure | Standardized notices with specific data sources cited |
| Bias and disparate-impact testing | None, or annual at best | Continuous monitoring across protected classes |
| Model and data lineage | Fragmented across teams | Centralized, audit-ready evidence trail |
| Third-party tool accountability | Assumed transferred to vendor | Retained by carrier with contractual evidence rights |

The right-hand column is the operating definition of digital underwriting compliance. It also maps almost directly to what the NAIC Model Bulletin asks carriers to document: governance, risk management, third-party oversight, and testing.
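As an added example, and not Circadify's or any vendor's code, the Python sketch below implements three of the right-hand-column controls over a constructed batch of scan-driven decisions: decision-level reason codes retained together with model lineage, a contest log that reports how often classifications are challenged and overturned, and a disparate-impact check across subgroups. The 0.8 (four-fifths) ratio threshold, the reason-code names, the group labels, the application ids and the model version string are all assumptions made for the illustration; the sample decisions are constructed, not applicant data.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Risk classes the carrier treats as adverse outcomes for testing purposes (assumption).
ADVERSE_CLASSES = {"substandard", "decline"}


@dataclass(frozen=True)
class ScanDecision:
    """One scan-driven underwriting decision with the evidence the table says to retain."""
    application_id: str
    risk_class: str          # e.g. "standard", "substandard", "decline"
    reason_codes: tuple      # decision-level codes recorded at the point of decision
    model_version: str       # model/data lineage for the audit trail
    subgroup: str            # protected-class attribute, held only for fairness testing

    @property
    def adverse(self) -> bool:
        return self.risk_class in ADVERSE_CLASSES


def decision_record(d: ScanDecision) -> dict:
    """Reproducible, decision-level record an examiner or applicant can be shown."""
    return {
        "application_id": d.application_id,
        "risk_class": d.risk_class,
        "adverse": d.adverse,
        "reason_codes": list(d.reason_codes),
        "model_version": d.model_version,
    }


def missing_reason_codes(decisions) -> list:
    """Adverse decisions with no retained reason code: the 'black box' gap from the table."""
    return [d.application_id for d in decisions if d.adverse and not d.reason_codes]


def adverse_rate_by_group(decisions) -> dict:
    """Share of adverse outcomes per subgroup."""
    totals, adverse = defaultdict(int), defaultdict(int)
    for d in decisions:
        totals[d.subgroup] += 1
        adverse[d.subgroup] += int(d.adverse)
    return {g: adverse[g] / totals[g] for g in totals}


def disparate_impact(decisions, threshold: float = 0.8):
    """Compare each group's favourable-outcome rate to the best group's rate.
    The 0.8 cut-off is the four-fifths rule of thumb, an assumption here, not the page's.
    Returns (ratio per group, sorted list of groups below the threshold)."""
    rates = adverse_rate_by_group(decisions)
    if not rates:
        return {}, []
    favourable = {g: 1.0 - r for g, r in rates.items()}
    best = max(favourable.values())
    ratios = {g: f / best for g, f in favourable.items()}
    return ratios, sorted(g for g, r in ratios.items() if r < threshold)


def record_contest(d: ScanDecision, overturned: bool, reviewer_note: str) -> dict:
    """Outcome of the documented re-evaluation pathway for one disputed decision."""
    rec = decision_record(d)
    rec.update({"contested": True, "overturned": overturned, "reviewer_note": reviewer_note})
    return rec


def contest_stats(contests) -> dict:
    """Metric a filing may ask for: how often classifications are challenged and overturned."""
    n = len(contests)
    overturned = sum(1 for c in contests if c["overturned"])
    return {"challenged": n, "overturned": overturned,
            "overturn_rate": overturned / n if n else 0.0}


# --- constructed sample batch (not real applicant data) ---
def _sample(group, n_adverse, n_total, start):
    out = []
    for i in range(n_total):
        adverse = i < n_adverse
        out.append(ScanDecision(
            application_id=f"APP-{start + i:04d}",          # constructed id
            risk_class="substandard" if adverse else "standard",
            reason_codes=("RPPG_HR_ELEVATED", "SIGNAL_QUALITY_LOW") if adverse else ("WITHIN_RANGE",),
            model_version="vitals-model-demo-1.0",           # hypothetical lineage tag
            subgroup=group,
        ))
    return out

SAMPLE_DECISIONS = (_sample("group_a", 2, 10, 1)
                    + _sample("group_b", 5, 10, 11)
                    + _sample("group_c", 3, 10, 21))
# One adverse decision deliberately lacks reason codes to exercise the explainability check.
SAMPLE_DECISIONS[10] = replace(SAMPLE_DECISIONS[10], reason_codes=())

SAMPLE_CONTESTS = [
    record_contest(SAMPLE_DECISIONS[0], True, "manual review: poor lighting, vitals normal on retest"),
    record_contest(SAMPLE_DECISIONS[11], False, "manual review: elevated reading confirmed by clinician"),
]

if __name__ == "__main__":
    print("missing reason codes:", missing_reason_codes(SAMPLE_DECISIONS))
    print("impact ratios / flagged:", disparate_impact(SAMPLE_DECISIONS))
    print("contest stats:", contest_stats(SAMPLE_CONTESTS))
```

Run as-is, the check reports the one adverse decision with no reason codes, flags `group_b` because its favourable-outcome rate is 0.5 against the best group's 0.8 (ratio 0.625), and reports one of two contested decisions overturned. The subgroup attribute is kept only for testing and never enters the decision record that is returned to the applicant.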

Industry Applications

Life and disability underwriting

Life carriers are furthest along in adopting accelerated underwriting and contactless vitals, which is precisely why Colorado phased its rules to life insurance first. A medical director here needs the ability to pull any scan-driven decision and show the clinical rationale behind the risk class. Underwriting compliance software that captures reason codes at the point of decision turns a contested high-risk label from a liability into a defensible, reviewable record.

Reinsurance treaty oversight

Reinsurers are increasingly writing data-quality and model-governance expectations into treaty language. A reinsurance medical director evaluating a cedent's use of home health scans will want assurance that false-positive rates are monitored and that the cedent can demonstrate the absence of disparate impact. Without that evidence, the reinsurer inherits the cedent's classification risk.

Compliance and market conduct readiness

For compliance teams, the priority is an evidence trail that survives an examination. When a regulator asks how a carrier prevents unfair high-risk classifications, the answer cannot be a policy statement. It has to be a reproducible record of testing, contest resolutions, and corrective actions, all tied to an insurtech regulatory framework the carrier can name and defend.

Current research and evidence

The regulatory record on this issue has moved quickly. The NAIC Model Bulletin (2023) has now been adopted by a growing number of states, each importing its expectations for AI governance, testing, and third-party accountability into their own market conduct authority. Colorado's Division of Insurance set the operational template through SB21-169 and Regulation 10-1-1, requiring life insurers to file governance and risk-management reports demonstrating that their external-data systems do not unfairly discriminate.

On the data-accuracy side, clinicians and device researchers have repeatedly flagged that optically derived vital signs can vary with skin tone, ambient lighting, and motion, which means a high-risk reading may reflect measurement conditions rather than true physiology. Legal analysts at firms including Venable have separately warned that insurtech underwriting using external consumer data can trigger Fair Credit Reporting Act obligations, including the duty to provide adverse action notices and to honor disputes over accuracy. Taken together, the research points to a single conclusion for medical and compliance leaders: the accuracy limits of consumer health scans are now a documented, foreseeable risk, and "we trusted the vendor" is not a defense regulators are inclined to accept.

The future of unfair high-risk insurance assessment controls

Three shifts are likely over the next several regulatory cycles. First, contestability will become an explicit filing requirement rather than an implied courtesy, with carriers expected to show how often classifications are challenged and overturned. Second, bias testing will move from periodic to continuous, because static annual reviews cannot catch drift in models fed by live consumer scans. Third, the burden of proof will keep shifting toward the carrier, consistent with the NAIC's position that responsibility for AI-driven outcomes cannot be outsourced.

The carriers best positioned for that future are treating a false high-risk label as a measurable control metric today, not as an exception to be smoothed over later. That means instrumenting the underwriting pipeline so that every scan-driven decision is explainable, contestable, and tested for fairness before a regulator or a reinsurer asks. Insurance health data governance built to that standard converts consumer fear into a competitive and compliance advantage.

Frequently asked questions

What makes a high-risk classification from a home health scan "unfair" in regulatory terms?

A classification becomes a compliance concern when it cannot be explained at the decision level, cannot be readily contested by the applicant, or rests on a model that produces disparate outcomes across protected classes. The NAIC Model Bulletin and Colorado's SB21-169 framework treat all three as governance failures the carrier is accountable for, even when a third-party tool generated the score.

Does an adverse decision based on a vitals scan trigger Fair Credit Reporting Act obligations?

It can. When external consumer data contributes to an adverse underwriting decision, FCRA duties around adverse action notices and dispute handling may apply. Legal analysts have specifically flagged this exposure for insurtech underwriting, which is why standardized notices citing the specific data sources are part of a compliance-ready program.

How should a carrier let an applicant contest a high-risk reading?

Through a documented re-evaluation pathway that routes disputed scans to manual clinical review, retains reason codes for the original decision, and records the resolution. A defensible contest process is fast becoming an examination expectation rather than an optional service feature.

Who is responsible when a vendor's scan produces a biased result, the carrier or the vendor?

Regulators place responsibility on the carrier. The NAIC Model Bulletin is explicit that insurers remain accountable for outcomes regardless of whether a third-party system produced them, so third-party oversight and contractual evidence rights are essential controls.

Circadify is addressing this space by helping carriers build the explainability, contest, and bias-testing controls that turn a contested high-risk classification into a defensible, audit-ready record. Explore the compliance guides and regulatory insights for payers and insurers at circadify.com/industries/payers-insurance.
