
Coverage Denial AI: When Algorithms Ration Care

Lokken v. UnitedHealth allowed class claims to proceed against an AI denying post-acute care to elderly patients. California banned solely algorithmic coverage denial. When AI rations care, the governance obligations are clinical, not administrative.

By AIPMO
PM Takeaways
  • Lokken v. UnitedHealth (February 2025) allowed claims to proceed on the theory that nH Predict denied post-acute care at rates impossible to justify through individual clinical review. Courts are treating systematic AI denial at clinically unjustifiable rates as fraud — not a coverage dispute.
  • Coverage denial AI is clinical AI. When an algorithm decides whether a patient receives post-surgical rehabilitation or chemotherapy continuation, that is a health decision. Calling it “prior authorization” doesn’t change the clinical nature — or the governance requirements.
  • GDPR Article 22 applies right now to automated coverage decisions affecting EU/EEA residents. Human review on request, explanation, and contestability are existing legal obligations — not EU AI Act future planning items. EU health benefit organizations using coverage denial AI are already subject to this.
  • CMS’s 2024 Medicare Advantage rule requires prior authorization decisions to be consistent with clinical criteria used in traditional Medicare. AI algorithms applying those criteria more restrictively than Medicare’s own standards for the same services are non-compliant — not just aggressive.
  • AI-generated denial rates compared to human review baselines are the primary governance metric. A large, unjustified differential is evidence the AI is substituting a statistical output for genuine clinical assessment. That differential requires documented clinical justification — or it is the bad faith theory courts are now allowing to proceed.

Coverage denial AI — algorithms used by insurance companies, managed care organizations, and benefit administrators to make or support decisions about whether patients receive coverage for recommended care — is among the most consequential applications of AI in healthcare. When an algorithm denies post-surgical rehabilitation to an elderly patient, or terminates chemotherapy coverage for a cancer patient whose treating oncologist recommends continuation, the downstream consequences are clinical, not just administrative.

The litigation and regulatory response to coverage denial AI accelerated significantly in 2024–2025. The February 2025 Lokken v. UnitedHealth ruling, the CMS 2024 prior authorization rule for Medicare Advantage, GDPR Article 22 enforcement in European insurance contexts, and the pattern of Medicare Advantage class actions all reflect courts and regulators converging on the same conclusion: AI-generated coverage denials that substitute statistical outputs for individualized clinical assessment, at rates of denial that could not be justified by genuine clinical review, expose organizations to substantial legal liability.

This article addresses the governance requirements for coverage denial AI across jurisdictions, the core litigation theory being applied in the US, and the PM responsibilities for organizations deploying these systems.

Lokken v. UnitedHealth and the nH Predict Algorithm

UnitedHealth Group’s nH Predict algorithm was used by UnitedHealthcare to make coverage decisions for post-acute care — skilled nursing facility coverage and rehabilitation services — for Medicare Advantage enrollees. Lokken v. UnitedHealth, filed as a federal putative class action and surviving a motion to dismiss in February 2025, alleged that nH Predict systematically denied coverage at rates far exceeding what clinical review of individual cases would have produced, and that UnitedHealth used the algorithm knowing it generated inappropriate denials in order to retain premium revenue.

The legal theory is significant: the lawsuit does not allege that UnitedHealth denied claims it was contractually permitted to deny. It alleges that the company used an algorithm to generate systematic denials that it knew were clinically unjustified, on a scale that could only be achieved through automation. This is a fraud and elder care claim, not just a coverage dispute.

The case is part of a broader pattern. Independent analysis of Medicare Advantage claims data published in 2023 and 2024 found that Medicare Advantage plans denied post-acute and home health claims at rates 40–80% higher than traditional Medicare for the same services. The Senate Permanent Subcommittee on Investigations published an October 2024 report on Medicare Advantage coverage denials, finding that certain insurers used AI algorithms that denied claims at rates investigators described as impossible to justify through individual clinical assessment.

PM Lesson

When AI generates denials at a rate that could not be replicated by clinical reviewers applying individualized assessment, the differential is evidence that the AI is doing something different from clinical review — and that something may not be clinically defensible. AI-generated denial rates should be tracked against clinically reviewed denial rates as a governance KPI. A large differential requires clinical governance justification.

CMS 2024 Rules: Prior Authorization in Medicare Advantage

The Centers for Medicare and Medicaid Services issued two relevant rules in 2024 addressing AI use in Medicare Advantage prior authorization, and has signaled continued oversight of denial patterns:

  • The CMS 2024 Medicare Advantage rule requires that prior authorization decisions be consistent with clinical criteria used in traditional Medicare for coverage of the same service. AI algorithms that apply clinical criteria more restrictively than Medicare’s own standards for the same service are non-compliant.
  • The CMS Interoperability and Prior Authorization Final Rule (effective January 2024) requires that prior authorization decisions be accompanied by specific reasons enabling meaningful appeal. AI-generated denials that produce generic rationales insufficient for the treating clinician to frame an appeal do not satisfy this requirement.
  • CMS has indicated it is monitoring Medicare Advantage prior authorization denial rates and patterns and has reserved authority to investigate systematic patterns of denial inconsistent with clinical standards.

The EU Framework: GDPR Article 22 and EU AI Act

In EU member states and EEA countries, coverage denial AI is subject to GDPR Article 22 and, prospectively, the EU AI Act:

  • GDPR Article 22 (currently in force): Individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them. Coverage denial clearly falls within “significantly affecting” an individual. Insurers and health benefit organizations must provide: the option to obtain human review of automated decisions; the ability to express the individual’s point of view; and an explanation of the factors that led to the decision.
  • EU AI Act Article 86 (effective August 2026): Individuals subject to decisions based on high-risk AI systems that significantly affect them have the right to request a plain-language explanation of the AI’s role and main factors in the decision. Health and life insurance AI making decisions about access to essential services is listed as high-risk under EU AI Act Annex III.
  • EU AI Act Annex III Section 5 (high-risk): AI used in access to essential services, including health and life insurance, is classified as high-risk and subject to full compliance obligations by August 2026 — risk management, data governance, transparency, human oversight, accuracy requirements, and post-market monitoring.

EU member states with private health insurance markets — Germany, France, the Netherlands, Ireland, and others — are subject to these requirements now under GDPR and will face EU AI Act high-risk compliance obligations by August 2026. Insurers operating in the UK are subject to the equivalent provisions of UK GDPR.

Australia and Canada: Fairness and Accountability Frameworks

Australian private health insurers and publicly administered benefit schemes are subject to Australian Privacy Principles and, from 2024, enhanced transparency requirements under the Privacy and Other Legislation Amendment Act 2024 for automated decisions using personal information. The Australian Government’s proposed mandatory guardrails for AI in high-risk settings — which identify healthcare as high-risk — would add further obligations when enacted.

In Canada, the insurance sector is provincially regulated. Quebec’s Act respecting health and social services information and its private sector privacy statute both require notice of automated decisions, disclosure of the principal factors relied upon, and a right to human review for automated decisions significantly affecting individuals. Ontario’s Bill 194 and proposed provincial regulations are expected to add equivalent requirements for public sector health benefit systems. With the death of AIDA (the proposed federal Artificial Intelligence and Data Act), no comprehensive federal standard currently applies to private insurer AI in Canada.

Governance Design for Coverage Denial AI

The Core Obligation: Genuine Clinical Review

The central governance requirement for coverage denial AI is the same in every jurisdiction: any denial that overrides a treating clinician’s recommendation must receive genuine human clinical review before it is final. This means:

  • The reviewer must have clinical qualifications appropriate to the clinical question being decided. A non-clinician cannot meaningfully review a denial of chemotherapy continuation for a stage III cancer patient.
  • The reviewer must have access to the clinical record, not just the AI’s output. A reviewer who approves an AI-generated denial without reviewing the underlying clinical documentation is not exercising clinical judgment.
  • The reviewer must be authorized and genuinely expected to override the AI recommendation when clinical judgment warrants it. A review process that produces 0% overrides of AI denials is not a clinical review process.
  • Override rates must be tracked and reported. A differential between AI-generated denials and clinically reviewed decisions is a governance metric, not an internal operational detail.

Explanation Requirements

AI-generated denials must come with explanations sufficient for affected patients and their treating clinicians to understand the basis for the denial and frame a meaningful appeal:

  • The explanation must identify the clinical criteria applied, the specific data or documentation considered, and the specific reason the clinical criteria were not met.
  • Generic rationales — “not medically necessary,” “does not meet coverage criteria” without specification — do not satisfy the CMS 2024 requirement, GDPR Article 22, or EU AI Act Article 86.
  • The explanation must be provided in language accessible to the patient, not just the treating clinician.
  • The explanation must identify the patient’s right to appeal and the appeal pathway. For EU/EEA residents, this includes the right to request human review under GDPR Article 22.

Monitoring and Governance Metrics

| Governance Metric | Definition | Alert Threshold |
| --- | --- | --- |
| AI-to-clinical denial rate differential | Comparison of AI-generated denial rate vs. denial rate after clinical review for same service categories | Differential exceeding 20 percentage points triggers clinical governance review and justification |
| Override rate | Percentage of AI-generated denials reversed by clinical reviewers | Rate below 5% for any period may indicate review is nominal rather than genuine; investigate |
| Appeal reversal rate | Percentage of denied claims reversed on appeal | Appeal reversal rate above 15% for any service category indicates systematic AI decision quality problem |
| Explanation adequacy | Rate of appeals citing inadequate explanation as primary basis | Any measurable rate triggers explanation quality review |
| Time to human review | Time from AI denial to clinically reviewed decision when escalated | Exceeding the jurisdiction-mandated timeline (CMS 72-hour urgent standard; comparable EU timelines) is a compliance event |
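
The metrics and thresholds in the table above, computed per service category over decision records. This is an added example, not AIPMO's or any insurer's code; the Decision record schema, the alert names, and the sample rows are assumptions constructed for illustration, and the 72-hour limit is applied only to cases flagged urgent.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Decision:  # hypothetical record schema, assumed for this example
    service: str
    ai_denied: bool
    final_denied: bool  # outcome after clinical review, before any appeal
    appeal_reversed: bool = False
    appeal_cited_explanation: bool = False
    urgent: bool = False
    hours_to_review: Optional[float] = None  # None: never escalated

def pct(num, den):
    return 100.0 * num / den if den else 0.0

def governance_report(decisions, urgent_limit_hours=72):
    """Per service category: (metrics, alerts) using the table's thresholds."""
    groups = defaultdict(list)
    for d in decisions:
        groups[d.service].append(d)
    report = {}
    for service, rows in groups.items():
        ai_den = [d for d in rows if d.ai_denied]
        fin_den = [d for d in rows if d.final_denied]
        m = {
            "differential_pp": pct(len(ai_den), len(rows)) - pct(len(fin_den), len(rows)),
            "override_pct": pct(sum(not d.final_denied for d in ai_den), len(ai_den)),
            "appeal_reversal_pct": pct(sum(d.appeal_reversed for d in fin_den), len(fin_den)),
            "explanation_appeals": sum(d.appeal_cited_explanation for d in rows),
            "late_urgent": sum(d.urgent and (d.hours_to_review or 0) > urgent_limit_hours for d in rows),
        }
        checks = [
            ("differential", m["differential_pp"] > 20),
            ("override_rate", bool(ai_den) and m["override_pct"] < 5),  # skip if nothing to override
            ("appeal_reversal", m["appeal_reversal_pct"] > 15),
            ("explanation", m["explanation_appeals"] > 0),
            ("review_time", m["late_urgent"] > 0),
        ]
        report[service] = (m, [name for name, hit in checks if hit])
    return report

def _mk(service, n, **kw):
    return [Decision(service, **kw) for _ in range(n)]
# Constructed sample data, not real claims.
SAMPLE = (
    _mk("snf", 4, ai_denied=True, final_denied=True)
    + _mk("snf", 3, ai_denied=True, final_denied=True, appeal_reversed=True)
    + _mk("snf", 1, ai_denied=True, final_denied=True, appeal_cited_explanation=True, urgent=True, hours_to_review=96)
    + _mk("home_health", 3, ai_denied=True, final_denied=True)
    + _mk("home_health", 3, ai_denied=True, final_denied=False)
    + _mk("home_health", 4, ai_denied=False, final_denied=False)
)
```

In the sample, the "snf" category shows the rubber-stamp pattern (no overrides, high appeal reversals), while "home_health" shows reviewers overriding often enough that the AI-to-clinical differential itself crosses the 20-point threshold.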

Appeal Mechanism Design

  • The appeal pathway must be practically accessible to the affected patient. Requiring legal representation, extensive documentation, or long timelines before a clinical review occurs is not a meaningful right of appeal.
  • For urgent clinical situations — a patient currently admitted, a treatment mid-course, a clinician-certified urgent need — the review and appeal timeline must be compatible with the clinical urgency. CMS requires a 72-hour turnaround for expedited prior authorization reviews. EU timelines vary by member state.
  • Appeal outcomes must feed back into AI model governance. A systematic pattern of successful appeals on a particular service type or clinical criteria is evidence of an AI decision quality problem requiring model review.

PM Responsibilities for Coverage Denial AI

  • Classify coverage denial AI accurately: it is clinical AI affecting patient health outcomes, not back-office automation. Governance requirements apply accordingly.
  • For US Medicare Advantage deployments: confirm the algorithm’s clinical criteria are consistent with CMS standards for the same services in traditional Medicare. Document the clinical criteria and their alignment with Medicare coverage policy.
  • For EU/EEA deployments: confirm GDPR Article 22 compliance — human review on request, explanation capability, contestability. This applies now, regardless of AI Act timelines.
  • Establish AI-to-clinical denial rate differential tracking before go-live. This is the primary governance metric and must be operational from day one.
  • Design the explanation generation capability before the model is finalized. If the model cannot produce a specific, clinically meaningful explanation for an individual denial, that is a design-phase finding, not a deployment-phase problem.
  • Scope appeal mechanism design as a project deliverable. The mechanism must be practically accessible, timely for urgent cases, and connected to a feedback loop into model governance.

Right-Sizing Your AI Governance Approach

Greenfield — Coverage Denial AI Governance Playbook

Core governance requirements for coverage denial AI; GDPR Article 22 compliance basics; CMS 2024 prior authorization rule essentials; denial rate tracking fundamentals; explanation requirement design.

Emerging — Coverage Denial AI Governance Playbook

Comprehensive jurisdiction-by-jurisdiction compliance mapping (US CMS, EU AI Act Annex III, GDPR Article 22, Australia, Canada); denial rate governance KPI program; clinical review workflow design; explanation generation requirements; appeal mechanism design.

Established — Coverage Denial AI Governance Playbook

Enterprise coverage denial AI governance; EU AI Act Annex III high-risk compliance for health insurance AI; Medicare Advantage litigation readiness; multi-jurisdiction appeal program; denial rate audit design; AI model governance connected to appeal outcome feedback.



Framework References

Lokken v. UnitedHealth Group (federal court, motion to dismiss denied February 2025) — AI coverage denial claims allowed to proceed as fraud and elder care claims; nH Predict algorithm used to systematically deny Medicare Advantage post-acute coverage at rates alleged to be clinically unjustifiable.

CMS 2024 Medicare Advantage Rule — Prior authorization decisions must be consistent with clinical criteria used in traditional Medicare; explanation adequate for meaningful appeal required; CMS monitoring of systematic denial patterns.

CMS Interoperability and Prior Authorization Final Rule (effective January 2024) — Specific denial reasons required; timelines for prior authorization decisions; interoperability requirements for electronic prior authorization.

US Senate Permanent Subcommittee on Investigations — Report on Medicare Advantage Coverage Denials (October 2024) — Documented systematic AI-driven denial patterns in Medicare Advantage inconsistent with clinical standards.

GDPR Article 22 (EU/EEA, currently in force) — Right not to be subject to solely automated decisions with significant effects; right to human review on request; explanation obligation; contestability right. Direct legal requirement for coverage denial AI affecting EU/EEA residents.

EU AI Act (Reg. (EU) 2024/1689) Annex III Section 5 — AI in access to essential services including health and life insurance classified as high-risk; full compliance August 2, 2026. Article 86: right to explanation for high-risk AI decisions.

NIST AI RMF 1.0 — GOVERN 1.3 (processes for AI risk oversight including appeals), MEASURE 2.11 (demographic bias testing in utilization management), MANAGE 4.1 (monitoring AI decision patterns against clinical standards).

This article is part of AIPMO’s Healthcare series. See also: AI Governance in Healthcare  |  Algorithmic Bias in Clinical AI  |  Clinical Validation of Healthcare AI  |  Ambient AI and Consent in Healthcare
