AI in Health Insurance Claims, Prior Authorization, and Risk Adjustment
How health insurers use AI in prior authorization, claims adjudication, and risk adjustment. What the NAIC, CMS, and recent litigation mean for governance.
For Health plan compliance officers, chief medical officers, GCs, and operational leaders at insurers using AI in utilization management, claims, or risk adjustment.
Read if You need to understand how health AI touches the decisions regulators are most likely to enforce, and what governance each touchpoint needs.
Health insurance is where AI governance gets personal. A denied prior authorization can leave a patient without a drug or a procedure. A rejected claim can delay a provider’s payment. A risk-adjustment model that misclassifies a patient can shift millions of dollars between plans. These decisions are high-stakes, high-volume, and increasingly automated. Regulators are not asking whether health plans should use AI. They are asking whether the plans can show that the AI is safe, overridable, and monitored.
The NAIC’s 2025 health AI survey found that 84% of health insurers use artificial intelligence or machine learning in some capacity, and that 92% of those systems were developed at least partly by a third party 1. The most common use cases are prior authorization, utilization management, fraud detection, disease management, and sales and marketing 1. That concentration makes health AI the natural place for examiners to start. If a plan cannot govern its AI here, it is unlikely to govern it anywhere else.
Prior authorization and utilization management
Prior authorization is the most visible AI use case in health insurance. The plan asks a clinician to get approval before a service is covered, and the review is often supported by an algorithm that predicts whether the requested service is medically necessary. The volume is enormous. Medicare Advantage insurers made nearly 53 million prior authorization determinations in 2024, fully or partially denying 4.1 million of them, about 7.7% of requests 2. For the broader health AI governance framework, including the clinical-override and vendor-accountability requirements that apply here, see AI in health insurance governance.
CMS has been trying to impose transparency on the process. The 2024 CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) requires impacted payers to implement prior authorization API standards, with most API requirements effective January 1, 2027 3. The rule is designed to reduce the administrative burden on providers and give patients more visibility into the status of their requests. For plans, it also means the prior authorization workflow becomes more observable to regulators and to litigants.
The governance problem is not the existence of the algorithm. It is the gap between recommendation and decision. A model that flags a case for human review is different from a model that effectively determines the outcome because the human reviewer accepts the recommendation almost every time. Recent litigation against UnitedHealth over the nH Predict algorithm used in post-acute care illustrates the risk. The plaintiffs alleged that the model had a 90% error rate, meaning that nine out of ten denials were reversed on appeal, yet the plan continued to rely on it to deny claims 4. A federal judge dismissed five of seven counts in February 2025 but allowed the class action to proceed 5. The case is not about whether the AI existed; it is about whether the plan treated the AI’s output as if it were a clinical judgment.
CMS and state regulators have drawn a clear line. AI can be used to assist utilization review, but the final determination must be made by a clinician or other appropriate personnel who has the authority to override the tool. The plan must also be able to produce the criteria used, the specific reason for the denial, and the identity of the person who made the decision. Those are exactly the records that a vendor-operated tool often obscures.
Claims adjudication and denial
Claims adjudication is the second major health AI domain, and it shares the same governance pattern as prior authorization. The model may recommend a denial, a reduced payment, or a request for more information, but the plan must be able to show that a human reviewed the recommendation before it became a decision.
The UnitedHealth case is instructive because it blurs the line between clinical review and claims administration. nH Predict was used to forecast how long a patient would need post-acute care and to recommend denial of coverage that exceeded the predicted duration. The allegation is that clinicians used the algorithmic prediction as a substitute for their own judgment, leading to systematic denials that were reversed on appeal 4. The litigation is ongoing, but the reputational and regulatory consequences are already industry-wide. When a large payer’s AI investment collides with governance expectations, every plan using a similar tool is asked to prove it is different.
The examiner’s checklist for claims AI is straightforward. Can the plan reproduce the recommendation the system made for any given claim? Can it show who reviewed the recommendation and what they considered? Can it explain why the final decision matched or differed from the recommendation? If the answer to any of these is no, the system is not documented. These questions map to the documentation requirements in the NAIC AI Evaluation Tool’s Exhibits B and C.
Health plans also need to monitor what the AI does to providers and patients over time. A model that reduces improper payments is valuable. A model that delays legitimate payments or drives a rising appeals rate is a problem that will show up in market conduct data. The metric that matters is not just the savings rate; it is the reversal rate, the complaint rate, and the provider-escalation rate.
Risk adjustment and HCC coding
Risk adjustment is less visible to patients than a denied claim, but it is just as important to regulators. Medicare Advantage and ACA plans use hierarchical condition category (HCC) models to adjust payments based on the expected health cost of enrolled members. The more accurately a plan documents a member’s conditions, the more accurately it is paid. AI is increasingly used to identify undocumented conditions, suggest HCC codes, and prioritize chart review.
The benefit is real. Natural language processing can read encounter notes and identify diagnoses that a rules-based coder might miss. Predictive models can prioritize which members are most likely to have undocumented conditions, making retrospective chart review more efficient. The risk is that AI can also make the same error across thousands of members, or that the incentive to document every possible condition becomes an incentive to document conditions that are not properly supported.
Regulators have been aggressive about risk-adjustment accuracy. CMS audits plans for unsupported HCC codes and recoups overpayments. The Department of Justice has pursued whistleblower cases alleging that plans inflated risk scores through aggressive coding practices. AI does not change the underlying rule: a code must be supported by clinical documentation. What AI changes is the scale. A plan that uses AI to find every plausible diagnosis must also use AI or human review to verify that each diagnosis is real.
The governance framework for risk-adjustment AI should mirror the framework for underwriting and pricing. The model should be validated for accuracy. The outputs should be sampled and audited. The coding decisions should be traceable to a specific encounter and a specific clinician. The plan should be able to show that it did not reward coding volume over coding accuracy.
Vendor accountability and the third-party problem
The NAIC health AI survey found that 92% of health insurers’ AI/ML systems were developed at least partly by a third party 1. That is the defining feature of health AI governance. Most plans are not building their own prior authorization models; they are licensing them. The contractual question is not whether the vendor is liable. It is whether the plan can get the information it needs to answer a regulator.
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers makes clear that insurers are responsible for AI systems they acquire from third parties, and that they should have written standards for the acquisition, use, and reliance on such systems 6. The broader governance framework for this is covered in AI governance in insurance. The bulletin also expects insurers to conduct due diligence, verify outputs, and maintain audit rights. In practice, that means the plan must be able to inspect the model’s inputs, understand the logic, and reproduce the recommendation for a given case.
Many vendor contracts are not written that way. They describe the vendor’s performance in terms of accuracy or turnaround time, but they do not give the plan the right to audit the model’s training data or to challenge the clinical criteria. If a regulator asks why a particular prior authorization was denied, the plan cannot say the vendor will not tell us. The duty to explain stays with the plan.
What a defensible program looks like
A health AI governance program does not need to ban algorithms. It needs to make the boundaries of their authority explicit.
First, every AI system that touches a patient or provider decision must have a documented human override. The override must be real, not theoretical. Plans should track override rates and review cases where the human consistently disagreed with the model. If the model is wrong often enough, the plan must retrain or retire it.
Second, vendor contracts must include audit rights and performance transparency. The plan should know the model’s error rate, its training data, and its drift over time. The vendor should report changes to the model before they go live. If the vendor cannot provide this, the plan should treat the model as a higher risk and increase its own monitoring.
Third, monitoring must include downstream consequences. A prior authorization model should be tracked not only for approval speed but for denial reversals, appeals, complaints, and provider escalations. A claims model should be tracked for payment delays and reversal rates. A risk-adjustment model should be tracked for audit findings and unsupported code rates.
Finally, the program should be reviewed whenever a model moves to a new use case. A model used to suggest prior authorization denials may be acceptable when reviewed by a clinician, but unacceptable if used to deny claims automatically. The risk is not in the model. It is in the workflow.
Where this fits in the broader governance map
Health AI is the most regulated edge of insurance AI because the consumer harm is concrete and the volume is high. The same governance principles apply to P&C and life, but health gives regulators the clearest examples to enforce. A plan that can show documented override, vendor diligence, and outcome monitoring in health AI is likely to satisfy examiners in other lines as well. The operational details of that inventory are covered in the AI inventory by line of business playbook.
Footnotes
-
NAIC, “Health Insurance Artificial Intelligence/Machine Learning Survey Report,” May 2025: https://content.naic.org/sites/default/files/inline-files/Health%20Survey%20Report%20-%20FINAL%205.9.25.pdf ↩ ↩2 ↩3
-
KFF, “Medicare Advantage Insurers Made Nearly 53 Million Prior Authorization Determinations in 2024,” January 2026: https://www.kff.org/medicare/medicare-advantage-insurers-made-nearly-53-million-prior-authorization-determinations-in-2024/ ↩
-
CMS, “CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F),” January 2024: https://www.cms.gov/initiatives/burden-reduction/overview/interoperability/policies-regulations/cms-interoperability-prior-authorization-final-rule-cms-0057-f ↩
-
The Guardian, “New AI tool counters health insurance denials decided by algorithms,” January 2025: https://www.theguardian.com/us-news/2025/jan/25/health-insurers-ai ↩ ↩2
-
Healthcare Finance News, “Class action lawsuit against UnitedHealth’s AI claim denials advances,” February 2025: https://www.healthcarefinancenews.com/news/class-action-lawsuit-against-unitedhealths-ai-claim-denials-advances ↩
-
NAIC, “Use of Artificial Intelligence Systems by Insurers,” Model Bulletin adopted December 4, 2023: https://content.naic.org/sites/default/files/inline-files/2023-12-4%20Model%20Bulletin_Adopted_0.pdf ↩
The Bottom Line
- Health AI is the most enforced insurance-AI domain because the consumer harm is visible: a denied prior authorization or claim can be measured in delayed care.
- Prior authorization and claims adjudication are the flashpoints. The regulatory issue is not whether AI is used but whether a clinician can override it and whether the plan documents the override.
- Risk adjustment is a financial and compliance exposure. AI that improves HCC coding accuracy can also magnify the consequences of an error if auditing is not parallel.
- Vendor-operated tools are common in health AI, but the plan retains the duty to govern. The NAIC Model Bulletin and recent litigation both point to the same question: who is accountable when the AI is wrong?
- The minimum viable control is threefold: documented human override, vendor diligence with audit rights, and outcome monitoring that tracks what the AI does to patients and providers, not just what it saves.
Simon Li · Founding Editor
Simon Li is the founding editor of InsureAI Wire, an independent publication tracking how the NAIC and individual states regulate AI in insurance — and translating it into what compliance teams must actually do. Every figure is traced back to a primary NAIC or state source.
Free · Weekly
Track these developments weekly
Get the InsureAI Wire dispatch in your inbox. Free, sourced, no spam.
Free weekly · No spam · Unsubscribe anytime
Related reading
AI in Homeowners Insurance Pricing and the State Rate Review
How homeowners insurers use AI, aerial imagery, and catastrophe models to price property risk, and what state regulators now require for transparency.
AI in Life Insurance Underwriting and the New Regulatory Test
How life insurers use AI in accelerated underwriting and what regulators now require for proxy testing, fairness, and documentation.
AI in Reinsurance Treaty Pricing and Catastrophe Modeling
How reinsurers use AI in treaty pricing, catastrophe modeling, and contract analysis. What model transparency and capital governance mean for risk carriers.
How to Build an AI Inventory by Line of Business for NAIC Exhibit A
Map your insurance AI systems by line of business for NAIC Exhibit A. Use this template to capture underwriting, pricing, claims, fraud, and customer service AI.
Information aggregation and analysis, not legal advice. See our disclaimer.