Legislation in Massachusetts Addresses Data Privacy Protections, Use of AI for Mental Health, and Use of AI for Utilization Review

On September 25, 2025, the Massachusetts Senate unanimously passed the Massachusetts Data Privacy Act (“MDPA”), originally introduced as SB 2608 and now refiled as SB 2619. The bill proposes sweeping reforms to consumer data protection, including bans on the sale of sensitive data (such as biometric, health, and geolocation information), enhanced data privacy rights for minors, and strict limits on data collection practices. The Senate referred the bill to the Massachusetts House of Representatives.

On October 16, Massachusetts joined growing number of states taking legislative action on the use of artificial intelligence in healthcare. SB 2632 sets clear boundaries around AI’s role in behavioral and mental health services, as well as in healthcare decision-making and utilization review. Under SB 2632, artificial intelligence cannot be used to make independent therapeutic decisions in a mental or behavior health setting. All treatment plans and patient interactions involving AI must be reviewed by a licensed professional. The bill also mandates transparency: patients must be informed when AI is used in their care and must provide explicit consent. The legislation further restricts how insurance carriers use AI in utilization review and other administrative functions. Specifically, it prohibits AI from replacing human decision-making or being used in ways that could result in discrimination against insured individuals.

As state legislatures gear up for the 2026 session, more proposals addressing artificial intelligence in healthcare and data privacy issues are likely. These developments reflect growing public and policymaker concern over the ethical, legal, and social implications of emerging technologies. However, states are taking varied approaches to regulation and enforcement, signaling an evolving and diverse policy landscape.