CALIFORNIA SNF AI RULES EFFECTIVE JAN 1, 2026 • COMPLIANCE 2027

CPPA ADMT: California's quiet 2027 deadline for any AI that makes a "significant decision"

Most independent skilled nursing operators have never heard of the California Privacy Protection Agency's Automated Decision-Making Technology rules. The regulations were approved on September 22, 2025. They took effect on January 1, 2026. The substantive compliance for significant-decision ADMT starts on January 1, 2027. If your facility uses AI to screen applicants, score admissions, or place residents, this is the California compliance deadline most likely to sneak up on you.

What the ADMT regulations do

Under the CCPA, as amended by the CPRA, the California Privacy Protection Agency was authorized to issue regulations on automated decision-making technology. After several years of rulemaking, the agency finalized the rules on September 22, 2025. They became effective January 1, 2026.

The rules require businesses to do three things when they use automated decision-making technology to make a "significant decision" about a Californian. (Significant decisions include employment, healthcare services, insurance, housing, and financial services.) The business has to provide a pre-use notice explaining the ADMT and how it works. It has to let the consumer or employee access information about how the decision was made. And it has to offer an opt-out, with narrow exceptions for cases where the opt-out would defeat the purpose. The rules also expand obligations around risk assessments and cybersecurity audits.

The staggered deadlines

Date Obligation
Jan 1, 2026 Regulations formally effective. Risk-assessment substantive obligations begin for new high-risk processing.
Jan 1, 2027 Significant-decision ADMT compliance kicks in. Pre-use notice, access rights, opt-out workflows.
Apr 1, 2027 Risk-assessment and pre-use notice obligations deadline for in-scope ADMT.
Apr 1, 2028 First risk-assessment and cybersecurity-audit certifications due to CPPA. Largest businesses first.

Are you in scope?

The rules apply to "businesses" as defined by the CCPA. Generally, that means entities doing business in California that meet at least one of three thresholds. Annual gross revenue above roughly $26.6 million (adjusted for inflation). Buying or selling the personal information of 100,000 or more California consumers or households annually. Or deriving 50% or more of annual revenue from selling or sharing personal information.

Most single-site independent SNFs sit below the revenue threshold today. Multi-site operators, larger independents, and SNFs that are part of a regional operating group should plan on being in scope. Even if you are below the threshold this year, employee data is covered, and your applicant-tracking system likely processes thousands of California job-seekers a year. It is easier to assume you are in scope than to be surprised by it.

The ADMT you probably already have in your building

Walk this list with your administrator and HR lead. These are the places ADMT shows up in a typical skilled nursing operation, whether anybody has called it that or not.

  • Applicant-tracking systems that rank or screen candidates. Most major ATS platforms now include AI scoring by default.
  • Background-check vendors that use algorithmic scoring.
  • Scheduling and staffing-optimization tools that algorithmically assign shifts or rank employees.
  • Admissions-decisioning tools that score referrals against bed-fit or payor-mix targets.
  • Resident acuity, fall-risk, or readmission-risk scoring tools that drive placement or care-level decisions.
  • Automated billing and collections workflows that determine resident payment risk.

What to do this year

2026 is the inventory year. Treat it as one project with three deliverables. The first is an ADMT inventory. List every tool that uses automated decision-making for significant decisions, the vendor behind it, and the decision it influences. The second is vendor diligence. Ask each ADMT vendor for a description of the logic, the inputs, the validation results, and their plan to support pre-use notices and opt-outs by January 1, 2027. The third is a risk assessment for any ADMT and AI-training processing your facility undertakes. The CPPA's template structure sits inside the regulations themselves.

The work is real but bounded. Starting now means you finish before the deadline rather than scrambling in Q4 2026. Independents who wait will find their HRIS, EHR, RCM, and scheduling vendors all asking for diligence support inside the same six-week window.

Sources

Not legal advice. Verify applicability and current obligations with counsel before adjusting policy.

Need help building your ADMT inventory before the 2027 deadline?

Talk to us