Posted on
May 7, 2026
Posted on
May 14, 2026
California SB 1120: AI in Utilization Review — The Clinical Operations Playbook for UM Medical Directors
Why SB 1120 Changes the Compliance Calculus for California UM Programs
What the AMA Policy Got Right—And the Critical Implementation Gap It Missed
Scribing.io Clinical Logic: Post-Acute Rehab Denial Review for Ischemic Stroke
Technical Reference: ICD-10 Documentation Standards for Stroke and Hemiplegia
FHIR Provenance and Da Vinci PAS: How Structured Physician Reasoning Becomes an Audit Trail
The Two-Click Audit Pack: DMHC/CDI Readiness Without Re-Work
Implementation Workflow: From LLM Flag to Physician E-Sign to Transmitted Determination
Next Steps for California UM Medical Directors
SB 1120 prohibits AI from serving as the "final arbiter" of any utilization review denial in California. Every adverse determination must reflect documented physician clinical logic—not an algorithmic output. This playbook explains how Scribing.io operationalizes that mandate by capturing the reviewing MD's reasoning as structured, FHIR-exportable data (NPI, specialty, timestamp, cited guidelines, severity metrics), binding it to an e-signature before any denial is transmitted, and producing an immutable audit trail that satisfies DMHC and CDI review without rework.
If you are a Medical Director at a California IPA or health plan, this is the compliance-and-workflow architecture you need for 2026. Scribing.io was built to close the gap between what SB 1120 requires and what your current UM platform actually documents. Book a 20‑minute demo to see our SB 1120 Human‑in‑the‑Loop audit trail with FHIR PAS decision.reason + Provenance (NPI‑bound) live in your UM/EHR stack—deployed in under 14 days.
Why SB 1120 Changes the Compliance Calculus for California UM Programs
California Senate Bill 1120, signed into law and effective for all utilization review and utilization management determinations issued in the state, establishes a principle no other state has codified with this degree of specificity: AI cannot be the final arbiter of a coverage denial.
This is not advisory language. It is a binding statutory requirement enforced by the California Department of Managed Health Care (DMHC) for full-service and specialty health plans, and by the California Department of Insurance (CDI) for insurance products. Violations expose plans and delegated IPAs to regulatory penalties, accelerated audit cycles, and—critically for Medical Directors—personal attestation liability when an adverse determination is later reviewed on appeal.
What the statute requires in practice
A licensed physician or qualified health professional must make every adverse determination based on their own clinical judgment.
Any AI or algorithmic tool used in the review process must be subordinate to the physician's reasoning, not a replacement for it.
The plan must be able to demonstrate, upon regulatory request, that a human clinician reviewed the individual patient's medical information and applied clinical criteria before the denial was issued.
Documentation must be sufficient to reconstruct the specific clinical logic the physician relied upon—not merely a checkbox confirming "MD reviewed."
For UM Medical Directors at California IPAs, this creates a documentation burden that most legacy UM platforms were never designed to handle. Current clinical benchmarks indicate the average UM physician reviews between 15 and 30 cases per day. If the documentation for each review consists of a free-text note or a simple "agree/disagree" toggle on an AI-generated recommendation, the plan has a compliance gap that SB 1120 will expose during the next DMHC routine survey or appeal hearing.
For a deeper analysis of how California's AI regulatory framework interacts with clinical documentation technology, see our full guide on California AI Laws.
What the AMA Policy Got Right—And the Critical Implementation Gap It Missed
In June 2023, the American Medical Association House of Delegates adopted policy calling for greater regulatory oversight of insurers' use of AI in prior authorization. That policy correctly identified several foundational principles:
AI-driven prior authorization reviews should include examination by physicians with relevant clinical expertise.
Insurers should not use AI to deny claims without human review of patient records.
The volume of prior authorization requirements itself remains a systemic burden.
These principles are necessary. They are not sufficient.
The AMA policy operates at the level of advocacy and national policy aspiration. It calls for "a thorough and fair process" and "reviews by physicians." What it does not address—and what California's SB 1120 now mandates—is the evidentiary architecture that proves the human review actually occurred and was clinically substantive.
AMA Policy vs. SB 1120 Operational Requirements: Gap Analysis | |||
Dimension | AMA 2023 Policy Position | SB 1120 Statutory Requirement | Gap |
|---|---|---|---|
Human Review Mandate | Calls for "human examination of patient records prior to a care denial" | Requires physician clinical judgment as the basis of every adverse determination; AI cannot be the final arbiter | Aligned in principle; SB 1120 is enforceable statute, not aspirational policy |
Documentation of Reasoning | Not specified | Plan must demonstrate, upon DMHC/CDI request, the specific clinical logic the physician applied | Critical gap: The AMA policy does not address what constitutes adequate documentation of the physician's reasoning |
Audit Trail Architecture | Not addressed | Implied by enforcement mechanisms; regulators can request the UM file during appeal or routine audit | Critical gap: No guidance on structured data formats, interoperability, or immutability of the audit record |
Interoperability Standards | AMA supports automation to "speed up" prior auth; references CMS electronic PA rule generally | California regulatory framework intersects with CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) requiring FHIR-based PA APIs by 2027 | Critical gap: No mention of HL7 FHIR, Da Vinci PAS, or how physician reasoning maps to interoperable data structures |
AI Transparency | Calls for transparency of AI use in PA decisions | Requires the plan to show AI was not the final decision-maker | Moderate gap: AMA asks for transparency; SB 1120 demands proof of subordination |
Physician-Specific Attestation | Not addressed at individual-physician level | The reviewing physician's identity, credentials, and clinical rationale must be attributable to the specific determination | Critical gap: No framework for NPI-level binding of physician identity to decision rationale |
The anchor truth the competitor analysis missed
The AMA correctly identified the problem—AI is being used to deny care without adequate physician involvement. SB 1120 codified the prohibition. But neither the AMA policy nor any competitor analysis we have reviewed addresses the operational question that every California UM Medical Director now faces: How do you produce a contemporaneous, structured, immutable record of the physician's clinical reasoning—tied to their NPI and e-signature—that can be exported in a regulator-readable format without rework?
This is the implementation gap. It is precisely the gap that Scribing.io was architectured to close.
Scribing.io operationalizes SB 1120's "no AI as final arbiter" mandate by forcing a physician e-sign before any adverse determination is transmitted, and by capturing the MD's clinical reasoning as structured data—NPI, specialty, timestamp, cited guidelines, and condition severity metrics—that auto-maps to HL7 FHIR Provenance (Practitioner/NPI agent) and Da Vinci PAS Prior Authorization decision.reason fields. The result is an exportable, immutable audit trail that DMHC or CDI can request without re-work.
This is not a documentation enhancement. It is a compliance architecture. For additional context on how HIPAA's 2026 requirements intersect with AI-generated clinical documentation, see our HIPAA 2026 Update. For a full breakdown of data handling and privacy safeguards in AI scribing, review our Safety & Privacy Guide.
Scribing.io Clinical Logic: Post-Acute Rehab Denial Review for Ischemic Stroke
The scenario
A California UM Medical Director at a large IPA reviews a post-acute rehabilitation request for a 68-year-old patient following an acute ischemic stroke. The patient was discharged from the acute care hospital five days after the event. The referring physiatrist is requesting transfer to an inpatient rehabilitation facility (IRF) for intensive multidisciplinary therapy.
The IPA's internal LLM-powered UM platform has preliminarily flagged the request as "not medically necessary," recommending a skilled nursing facility (SNF) level of care instead. UM staff are about to issue the denial.
Why this scenario matters for SB 1120
This is the exact inflection point the statute was designed to regulate. If the denial is transmitted based on the LLM's recommendation without the Medical Director's independent clinical evaluation and documented reasoning, the plan has violated SB 1120. The AI has served as the final arbiter. But "the Medical Director reviewed it" is not enough either. DMHC expects to see what the physician considered, why they reached their conclusion, and which clinical criteria informed the determination—especially when the physician overrides the AI's preliminary flag, but also when they concur with it.
How Scribing.io handles this case: step-by-step
Step 1: Physician dictates clinical logic.
The Medical Director reviews the clinical record and dictates into Scribing.io's ambient capture:
"This is a 68-year-old male, five days post-acute ischemic stroke, right MCA territory. NIHSS score of 9 at discharge with new right hemiplegia. Patient is unable to perform basic ADLs—cannot transfer, dress, or toilet independently. He requires a minimum of three hours per day of multidisciplinary therapy including PT, OT, and speech-language pathology. Prior home setup is a second-floor apartment, no elevator, and there is no available caregiver—his spouse has significant mobility limitations herself. I am citing AHA/ASA Guidelines for Adult Stroke Rehabilitation and Recovery, specifically the recommendation that patients with moderate-to-severe functional deficits who can tolerate intensive rehabilitation should be admitted to an IRF rather than a SNF. I am overriding the preliminary system flag. This patient meets medical necessity for IRF-level care. I am approving the request."
Step 2: Scribing.io converts dictation to structured clinical rationale.
The AI scribe parses the physician's dictation and generates a structured rationale document with discrete data elements. It does not alter, supplement, or editorialize the physician's reasoning. The scribe's function is transcription and structuring, not decision-making—a critical distinction under SB 1120.
Structured Clinical Rationale — Scribing.io Output | ||
Data Element | Captured Value | FHIR Mapping |
|---|---|---|
Reviewing Physician NPI | 1234567890 (example) |
|
Physician Specialty | Internal Medicine / UM Medical Director |
|
Timestamp of Review | 2026-03-14T10:42:07-08:00 |
|
Primary Diagnosis |
| |
Secondary Diagnosis |
| |
Laterality Specification |
| |
Severity Metric | NIHSS: 9 (moderate deficit) |
|
Functional Status | Unable to perform ADLs (transfer, dress, toilet) |
|
Therapy Requirement | ≥3 hours/day multidisciplinary (PT, OT, SLP) |
|
Social Determinants | No caregiver support; inaccessible home (2nd floor, no elevator) |
|
Clinical Guideline Cited | AHA/ASA Guidelines for Adult Stroke Rehabilitation and Recovery (2016, reaffirmed) |
|
AI Flag Override | Yes — physician overrode LLM preliminary "not medically necessary" flag |
|
Determination | Approved — IRF-level care |
|
Step 3: Physician reviews, edits if needed, and applies e-signature.
Scribing.io presents the structured rationale to the Medical Director for review. The physician can modify any element—change a diagnosis code to higher specificity, add additional clinical reasoning, or adjust the cited guideline. Once satisfied, the physician applies their NPI-bound electronic signature. No determination—approval or denial—can be transmitted until the e-sign is captured. This is the hard gate that satisfies SB 1120's human-in-the-loop requirement.
Step 4: Scribing.io pushes a FHIR PAS payload with decision.reason and full Provenance.
Upon e-signature, the structured rationale is packaged as an HL7 Da Vinci PAS compliant payload. The ClaimResponse includes the decision.reason extension populated with the physician's cited guideline reference, the override event, and the clinical justification. A linked Provenance resource records the physician as the agent (Practitioner/NPI), the timestamp, and the activity type (review with override). This payload transmits to the payer or delegated entity's PA system and simultaneously writes to Scribing.io's immutable audit log.
Step 5: The two-click audit pack is ready.
When the DMHC auditor requests the UM file during a subsequent appeal or routine survey, the plan's compliance team does not need to reconstruct the record. They open Scribing.io's audit interface, locate the case by member ID or authorization number, and export a PDF or FHIR bundle containing the physician's structured rationale, e-signature, timestamp, NPI, cited guidelines, the LLM's preliminary flag, and the documented override. Two clicks. No rework. No ambiguity about whether a human made the decision.
Technical Reference: ICD-10 Documentation Standards for Stroke and Hemiplegia
Diagnosis code specificity is a leading cause of prior authorization denials and downstream claim rejections. In stroke rehabilitation requests, payers routinely reject authorizations when the submitted ICD-10-CM codes lack laterality, etiology specificity, or functional status documentation. Scribing.io addresses this at the point of physician dictation by prompting for—and auto-extracting—the clinical details needed to reach maximum code specificity.
The specificity problem in stroke coding
Consider the default codes that appear in many UM systems when a physician simply dictates "stroke with right-sided weakness":
I63.9 — Cerebral infarction — This is an unspecified code. It tells the payer nothing about the vascular territory, whether the infarction was thrombotic or embolic, or the affected artery. CMS and most commercial payers will deny or pend an IRF authorization submitted with I63.9 alone because it does not demonstrate the clinical specificity required to justify the requested level of care.
unspecified; G81.90 — Hemiplegia — Again unspecified. The payer cannot determine laterality or whether this is a documented new deficit versus a chronic condition.
unspecified affecting unspecified side — This represents the lowest level of specificity in the hemiplegia code hierarchy and is virtually guaranteed to trigger a payer edit or denial for any post-acute rehabilitation authorization.
How Scribing.io drives specificity
When the Medical Director dictates "right MCA territory ischemic stroke with new right hemiplegia," Scribing.io's NLP engine extracts the vascular territory (middle cerebral artery), laterality (right), chronicity (new/acute), and mechanism (ischemic/infarction) and maps to the highest-specificity codes available:
ICD-10-CM Code Specificity: Unspecified vs. Scribing.io-Optimized | |||
Clinical Detail | Default (Unspecified) Code | Scribing.io-Optimized Code | Why It Matters |
|---|---|---|---|
Cerebral infarction | I63.9 | I63.511 (Cerebral infarction due to unspecified occlusion or stenosis of right middle cerebral artery) | Specifies vascular territory and laterality; meets medical necessity documentation threshold for IRF admission |
Hemiplegia | G81.90 | G81.91 (Hemiplegia, unspecified, affecting right dominant side) | Laterality and dominance documented; supports functional deficit claim; CMS IRF-PAI requires this level of detail |
ADL deficit | Not coded | R26.89 (Other abnormalities of gait and mobility) + Z74.1 (Need for assistance with personal care) | Functional limitation documentation strengthens medical necessity; aligns with IRF coverage criteria |
Scribing.io presents the optimized codes to the physician alongside the unspecified defaults, with a visual indicator showing the specificity level. The physician confirms or adjusts before e-signature. The system never auto-submits a code without physician review—again, the human remains the decision-maker, consistent with SB 1120's mandate and with AMA ICD-10-CM coding guidelines requiring physician attestation of diagnostic accuracy.
FHIR Provenance and Da Vinci PAS: How Structured Physician Reasoning Becomes an Audit Trail
The CMS Interoperability and Prior Authorization Final Rule (CMS-0057-F) requires impacted payers to implement a FHIR-based Prior Authorization API by January 1, 2027. The HL7 Da Vinci Prior Authorization Support (PAS) Implementation Guide specifies the technical standard. California plans operating under SB 1120 face a dual mandate: interoperability and human-in-the-loop documentation. Scribing.io satisfies both simultaneously.
How physician clinical logic maps to FHIR resources
Each UM determination documented through Scribing.io generates the following FHIR resources:
ClaimResponse— Contains the authorization outcome (approved, denied, pended) and thedecision.reasonextension populated with the physician's cited clinical guideline, the specific clinical findings (NIHSS score, functional status, social determinants), and the rationale narrative.Provenance— Links to theClaimResponseand records:Provenance.agent: The reviewing physician, identified by NPI viaPractitionerreference.Provenance.recorded: ISO 8601 timestamp of the e-signature event.Provenance.activity: Coded activity type, including whether an AI preliminary flag was overridden.Provenance.signature: The physician's electronic signature, binding the clinical rationale to their identity.
Observationresources — Discrete NIHSS score, functional status assessment, and SDOH observations, each linked to theClaimResponseviasupportingInfo.
This architecture ensures that when a DMHC auditor or an Independent Medical Review (IMR) panel requests the UM file, the plan can produce a machine-readable FHIR bundle that contains every element of the physician's clinical reasoning, timestamped and NPI-bound, without manual reconstruction.
Why Provenance is the SB 1120 compliance keystone
The FHIR Provenance resource was designed to answer exactly the question SB 1120 asks: Who made this decision, when, and based on what? Without a Provenance resource bound to the ClaimResponse, a FHIR PAS payload is technically compliant with CMS-0057-F but non-compliant with SB 1120, because there is no structured evidence that a human physician—rather than an algorithm—was the decision-maker. Scribing.io generates Provenance as a mandatory resource on every determination. There is no configuration option to disable it.
The Two-Click Audit Pack: DMHC/CDI Readiness Without Re-Work
California UM programs face audit exposure from three vectors: DMHC routine medical surveys (typically triennial), CDI market conduct examinations, and individual member appeals that escalate to the DMHC's Independent Medical Review (IMR) process. In each scenario, the regulator requests the complete UM file for the disputed determination.
What the regulator expects to see
The clinical information reviewed. What records did the physician have in front of them?
The clinical criteria applied. Which guidelines, evidence, or criteria did the physician cite?
The physician's reasoning. Why did they reach the specific determination? If they overrode an AI flag, why?
Physician identification. Who made the decision? What are their credentials? Is their NPI and specialty documented?
Timestamp. When was the review completed relative to the statutory timeframe for the determination?
Evidence that AI was not the final arbiter. If AI tools were used, documentation showing the physician exercised independent judgment.
How Scribing.io produces the audit pack
The compliance officer or Medical Director opens the Scribing.io audit dashboard, searches by member ID, authorization number, or date range, and clicks Export Audit Pack. The system generates a single document (PDF for human reviewers, FHIR Bundle for electronic submission) containing:
Audit Pack Contents — Scribing.io Export | ||
Audit Element | Source in Scribing.io | Regulatory Requirement Satisfied |
|---|---|---|
Physician structured rationale | Dictation-to-structured-data output | SB 1120: documented clinical logic |
NPI and physician credentials | NPI-bound e-signature record | SB 1120: physician identification; DMHC UM file requirements |
Timestamp of review and e-sign |
| Knox-Keene Act timely determination requirements |
Clinical guideline citation |
| SB 1120: criteria applied; NCQA UM accreditation |
AI preliminary flag + override documentation |
| SB 1120: AI not final arbiter |
ICD-10 codes with specificity level | Structured rationale diagnosis fields | CMS IRF-PAI; payer clinical documentation requirements |
NIHSS, functional status, SDOH observations | Linked | Medical necessity evidence; AHA/ASA rehab guideline compliance |
Two clicks. The entire UM file is reconstructed from structured data, not retroactively assembled from scattered EHR notes, emails, and UM platform screenshots. This is the operational difference between a plan that survives a DMHC audit and one that receives a corrective action plan—or worse, a penalty assessment under Health and Safety Code § 1386.
Implementation Workflow: From LLM Flag to Physician E-Sign to Transmitted Determination
The following workflow describes the end-to-end process for a UM determination using Scribing.io, from the moment the case reaches the Medical Director to the transmission of the authorization decision. Deployment into your existing UM/EHR stack takes under 14 days.
End-to-End UM Determination Workflow with Scribing.io | ||||
Step | Actor | Action | Scribing.io Function | SB 1120 Compliance Element |
|---|---|---|---|---|
1 | UM Platform (LLM) | Preliminary medical necessity flag generated | Flag ingested as structured input; no action transmitted to payer | AI output is advisory only; no determination issued |
2 | UM Nurse/Coordinator | Case routed to Medical Director with clinical records and LLM flag | Case queue populated in Scribing.io review interface | Human review initiated; AI flag presented as one input among many |
3 | Medical Director | Reviews clinical records; dictates clinical reasoning into Scribing.io | Ambient capture; NLP extraction of diagnosis, severity, guidelines, SDOH | Physician exercises independent clinical judgment; reasoning captured contemporaneously |
4 | Scribing.io | Generates structured rationale with ICD-10 codes, FHIR mappings | Dictation → structured data transformation; specificity optimization presented | Documentation sufficient to reconstruct physician's clinical logic |
5 | Medical Director | Reviews structured rationale; edits if needed; applies NPI-bound e-signature | Hard gate: determination cannot transmit without e-sign | SB 1120 compliance keystone: physician attestation that they—not the AI—made the decision |
6 | Scribing.io | Generates FHIR PAS payload ( | Auto-mapping to Da Vinci PAS IG; | Interoperability compliance (CMS-0057-F) + audit trail generation |
7 | Scribing.io | Transmits determination to payer PA system; writes to immutable audit log | API push to payer; concurrent write to tamper-evident log | Determination issued with complete human-in-the-loop documentation |
8 | Compliance Officer (on audit) | Exports audit pack via two-click interface | PDF + FHIR Bundle export | Complete UM file produced without rework; DMHC/CDI/IMR ready |
Integration architecture
Scribing.io integrates with existing UM platforms and EHR systems via:
FHIR R4 APIs for bidirectional data exchange with payer PA systems and EHRs.
HL7 v2 ADT/ORM interfaces for legacy UM platforms that have not yet migrated to FHIR.
SMART on FHIR launch for embedded access within EHR workflows (Epic, Oracle Health, MEDITECH).
Webhook-based event triggers for real-time case routing from UM nurse queues to physician review.
Deployment follows a 14-day implementation sprint: environment provisioning (days 1–3), interface configuration and testing (days 4–10), physician onboarding and workflow validation (days 11–13), go-live with parallel run (day 14). A dedicated clinical implementation specialist—not a generic project manager—manages the sprint.
Next Steps for California UM Medical Directors
SB 1120 is not a future compliance concern. It is a current statutory obligation for every health plan and delegated IPA issuing UM determinations in California. The enforcement risk is not theoretical: DMHC has increased its survey and enforcement activity around AI use in UM, and member appeals referencing AI-generated denials are accelerating through the IMR pipeline.
The question is not whether your UM program needs to document physician clinical logic as structured, auditable data. The statute requires it. The question is whether your current platform can produce that documentation without adding hours of physician rework per day—or whether you need a purpose-built compliance architecture.
Immediate actions
Audit your current UM documentation. Pull five recent adverse determinations. Can you reconstruct the physician's specific clinical reasoning, the guidelines they cited, the severity metrics they considered, and the social determinants they evaluated—from structured data, not free-text notes? If not, you have a compliance gap.
Assess your AI subordination documentation. For cases where your LLM or algorithmic tool flagged a case, can you produce evidence that the physician independently evaluated the clinical record and exercised their own judgment? A checkbox is not sufficient. You need the reasoning.
Evaluate your FHIR readiness. CMS-0057-F's FHIR PA API mandate arrives January 2027. If your UM determination data is not already structured as FHIR resources, you face a dual compliance deadline: SB 1120 now, CMS interoperability in twelve months.
Book a 20‑minute demo to see our SB 1120 Human‑in‑the‑Loop audit trail with FHIR PAS decision.reason + Provenance (NPI‑bound) live in your UM/EHR stack—deployed in under 14 days. Contact us at Scribing.io.
This playbook was authored by the Scribing.io Clinical Operations team. Clinical workflow specifications reflect Scribing.io platform capabilities as of Q1 2026. Regulatory citations reference California Health and Safety Code, DMHC enforcement guidance, and CMS final rules as published. This document does not constitute legal advice. California UM Medical Directors should consult with health care regulatory counsel for plan-specific compliance obligations.
