Meridian Health Systems, Inc.
High-Risk AI System Assessment
Generated by HAIEC Compliance Wizard
Report ID: RPT-CO-2026-0211-a7f3k
Date: February 11, 2026
Compliance Deadline: June 30, 2026
CONFIDENTIAL — For Internal Use Only
This document contains proprietary compliance assessment data prepared exclusively for Meridian Health Systems, Inc. Unauthorized distribution, reproduction, or disclosure is strictly prohibited.
Distribution Notice
This report is intended solely for authorized personnel of Meridian Health Systems, Inc. and their designated legal counsel. If you have received this document in error, please notify the sender immediately and destroy all copies.
| Document Title | Colorado AI Act (SB24-205) Compliance Assessment |
|---|---|
| Report ID | RPT-CO-2026-0211-a7f3k |
| Client | Meridian Health Systems, Inc. |
| Classification | CONFIDENTIAL |
| Generated | February 11, 2026 |
| Engine Version | HAIEC Analysis Engine v2026.1.0 |
| Valid Until | May 12, 2026 (90 days) |
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | 2026-02-11 | HAIEC Analysis Engine | Initial assessment report |
| Section | Score | Status | Priority |
|---|---|---|---|
| 1. AI System Classification | 100% | COMPLIANT | — |
| 2. Impact Assessment | 25% | CRITICAL GAP | Immediate |
| 3. Risk Management Program | 67% | PARTIAL | High |
| 4. Consumer Disclosures | 33% | CRITICAL GAP | Immediate |
| 5. Opt-Out & Appeal Process | 0% | CRITICAL GAP | Immediate |
| 6. Documentation & Records | 83% | MOSTLY COMPLIANT | Medium |
| 7. Developer-Specific Requirements | 75% | MOSTLY COMPLIANT | Medium |
| 8. Deployer-Specific Requirements | 50% | PARTIAL | High |
Our deterministic assessment of Meridian Health Systems reveals a Colorado AI Act compliance score of 62%, with 3 critical gaps requiring immediate attention before the June 30, 2026 deadline. The organization operates a high-risk AI system in the Essential Services (Healthcare) category, specifically a patient triage and appointment prioritization system that makes consequential decisions about healthcare access.
| Organization | Meridian Health Systems, Inc. |
| Industry | Healthcare / Essential Services |
| Size | Mid-Market (500-2,000 employees) |
| Headquarters | Denver, CO |
| Role | Deployer & Developer |
| Maturity | Level 3 — Defined / Standardized |
| System | Type | Risk Level | Status |
|---|---|---|---|
| Patient Triage AI | Appointment prioritization (consequential) | HIGH-RISK | In Production |
| Clinical Decision Support | Treatment recommendation assist | HIGH-RISK | Pilot Phase |
| Appointment Scheduling Bot | Patient communication | LOW | In Production |
Requirement: SB24-205 §6-1-1703 requires deployers of high-risk AI systems to complete an impact assessment before deployment and annually thereafter.
Current State: No formal impact assessment document exists. The organization has informal notes about the AI system's purpose but no structured assessment covering all required elements.
Required Elements:
Recommended Action: Complete a structured impact assessment using HAIEC's Colorado AI Act template. Estimated effort: 2-3 weeks.
Requirement: §6-1-1704 requires deployers to notify consumers that an AI system is being used to make or substantially assist in consequential decisions.
Current State: The patient intake form mentions "technology-assisted triage" but does not specifically disclose that an AI system prioritizes appointments based on symptom analysis.
Recommended Action: Update patient intake forms, waiting room signage, and digital check-in to include clear AI disclosure language. Estimated effort: 1-2 weeks.
Requirement: §6-1-1704(3) requires deployers to provide a process for consumers to appeal adverse decisions and request human review.
Current State: No formal appeal mechanism exists. Patients can request to speak with a nurse, but this is not documented as an AI decision appeal process.
Recommended Action: Formalize the existing nurse-review pathway as an AI appeal process. Document the process, train staff, and add appeal information to patient-facing materials. Estimated effort: 3-4 weeks.
Requirement: §6-1-1702.5 requires a risk management policy that includes bias testing and discrimination monitoring.
Current State: A general risk management policy exists, but it does not include specific provisions for AI bias testing or algorithmic discrimination monitoring. No bias testing has been conducted on the triage model.
Recommended Action: Extend the existing risk management policy to include AI-specific provisions. Conduct initial bias testing across demographic categories. Estimated effort: 4-6 weeks.
Requirement: Deployers must monitor AI system performance, maintain human oversight, and report discovered discrimination to the Attorney General within 90 days.
Current State: Performance monitoring exists for system uptime but not for decision quality or fairness. Human review level is ad-hoc rather than systematic. No discrimination reporting process is documented.
Recommended Action: Implement fairness monitoring dashboards, define systematic human review triggers, and create a discrimination reporting protocol. Estimated effort: 6-8 weeks.
Overall Risk Level: HIGH
The Colorado AI Act (SB24-205) takes effect June 30, 2026. The Colorado Attorney General has enforcement authority with penalties up to $20,000 per violation. A 60-day cure period applies to first-time violations, but only if the deployer demonstrates good faith compliance efforts.
| Risk | Likelihood | Annualized Cost | Expected Loss | Mitigation | Residual |
|---|---|---|---|---|---|
| AG enforcement (no impact assessment) | 60% | $60,000 | $36,000 | Complete impact assessment within 30 days | LOW |
| Patient discrimination claim | 25% | $500,000 | $125,000 | Bias testing + appeal process | MEDIUM |
| Consumer disclosure violation | 70% | $40,000 | $28,000 | Deploy disclosure language immediately | LOW |
| Reputational damage (healthcare trust) | 20% | $1,500,000 | $300,000 | Proactive compliance + public transparency | LOW |
| Regulation | Per Violation | Max Exposure | Notes |
|---|---|---|---|
| SB24-205 §6-1-1706 | $20,000 | $60,000 | Per violation; 3 critical gaps = 3 violations |
| HIPAA (related AI breach) | $50,000 | $250,000 | If AI triage causes PHI exposure or discrimination |
| Patient litigation | Varies | $500,000 | Discrimination or harm from biased triage decisions |
| Metric | Your Score | Industry Avg | Delta | Status |
|---|---|---|---|---|
| Overall Compliance Score | 62% | 58% | +4% | ▲ |
| Impact Assessment Complete | No | 32% Yes | Behind | ▼ |
| Consumer Disclosure | Partial | 28% Full | Partial | ▬ |
| Appeal Process | None | 18% Yes | Behind | ▼ |
| Risk Management Policy | 67% | 55% | +12% | ▲ |
| Documentation Quality | 83% | 62% | +21% | ▲ |
This assessment was conducted using HAIEC's deterministic Compliance Wizard engine, which evaluates organizational readiness against the specific requirements of Colorado SB24-205.
| Provision | Section | Requirement |
|---|---|---|
| High-Risk Classification | §6-1-1702(1) | AI systems making consequential decisions in employment, education, finance, healthcare, legal |
| Impact Assessment | §6-1-1703 | Required before deployment and annually; must cover purpose, benefits, risks, data, outputs |
| Consumer Disclosure | §6-1-1704 | Notify consumers of AI use at point of interaction |
| Appeal Rights | §6-1-1704(3) | Provide process for consumers to appeal and request human review |
| Penalties | §6-1-1706 | Up to $20,000 per violation; 60-day cure period for first-time violations |
| Effective Date | SB 25B-004 | June 30, 2026 (delayed from February 1, 2026) |
| Activity | Estimated Effort | Estimated Cost | Priority |
|---|---|---|---|
| Impact Assessment Documentation | 2-3 weeks | $3,000 - $5,000 | CRITICAL |
| Consumer Disclosure Implementation | 1-2 weeks | $1,500 - $3,000 | CRITICAL |
| Appeal Process Design & Training | 3-4 weeks | $4,000 - $7,000 | CRITICAL |
| Risk Management Policy Update | 2 weeks | $2,000 - $4,000 | HIGH |
| Bias Testing (Initial) | 4-6 weeks | $5,000 - $10,000 | HIGH |
| Fairness Monitoring Setup | 3-4 weeks | $3,000 - $6,000 | MEDIUM |
| Total Estimated | 12-18 weeks | $18,500 - $35,000 | — |
Note: Unlike NYC Local Law 144, Colorado does not require third-party bias audits, which typically cost $15K-$20K annually. Internal compliance is permitted, significantly reducing costs.
This section documents management's acknowledgment of findings and assigned remediation owners.
| ID | Finding | Severity | Owner | Target Date | Status |
|---|---|---|---|---|---|
| F-001 | Impact Assessment Documentation | CRITICAL | To be assigned | TBD | Pending |
| F-002 | Consumer Disclosure at Point of Interaction | CRITICAL | To be assigned | TBD | Pending |
| F-003 | Opt-Out and Appeal Process | CRITICAL | To be assigned | TBD | Pending |
| F-004 | Risk Management Program (Bias Testing) | HIGH | To be assigned | TBD | Pending |
| F-005 | Deployer-Specific Requirements | HIGH | To be assigned | TBD | Pending |
Management should complete the Owner, Target Date, and Status columns and return a signed copy to the compliance team within 10 business days.
All evidence artifacts are SHA-256 hashed for integrity verification. The chain below documents the provenance of each evidence item used in this assessment.
| ID | Type | Description | SHA-256 |
|---|---|---|---|
| EVD-001 | Questionnaire | Colorado AI Act compliance questionnaire responses (24 questions) | a1b5c9d3...e7f1 |
| EVD-002 | AI System Metadata | Patient Triage AI system configuration and model card | b9c3d7e1...f5a9 |
| EVD-003 | Scoring Model | MARPP deterministic scoring output (8 sections) | c7d1e5f9...a3b7 |
| EVD-004 | Benchmark Data | Healthcare industry comparison dataset (Q1 2026) | d5e9f3a7...b1c5 |
| EVD-005 | Financial Model | Risk exposure calculation inputs (Colorado-specific) | e3f7a1b5...c9d3 |
Contact HAIEC: compliance@haiec.com | www.haiec.com
| Section | Requirement | Applies To | Penalty |
|---|---|---|---|
| §6-1-1702(1) | High-risk AI system classification | Developer & Deployer | — |
| §6-1-1702.5 | Risk management policy with bias testing | Developer & Deployer | Up to $20,000 |
| §6-1-1703 | Impact assessment before deployment (annual) | Deployer | Up to $20,000 |
| §6-1-1704 | Consumer disclosure at point of interaction | Deployer | Up to $20,000 |
| §6-1-1704(3) | Appeal process and human review | Deployer | Up to $20,000 |
| §6-1-1705 | Developer duties (documentation, testing) | Developer | Up to $20,000 |
| §6-1-1706 | Enforcement and penalties | Both | $20,000/violation |
| SB 25B-004 | Effective date delay to June 30, 2026 | Both | — |
| ☐ | Evidence Item | Status | Notes |
|---|---|---|---|
| ☐ | Impact assessment document | MISSING | Required per §6-1-1703 |
| ☐ | Consumer disclosure language | PARTIAL | Mentions "technology-assisted" but not AI specifically |
| ☐ | Appeal process documentation | MISSING | Required per §6-1-1704(3) |
| ☐ | Risk management policy (AI-specific) | PARTIAL | General policy exists; needs AI bias testing addendum |
| ☐ | Bias testing results | MISSING | No testing conducted on triage model |
| ☐ | AI system model card | EXISTS | Maintained internally |
| ☐ | Training data documentation | EXISTS | Maintained internally |
| ☐ | AG discrimination reporting protocol | MISSING | Required within 90 days of discovery |
| ☐ | Human oversight procedures | PARTIAL | Ad-hoc; needs formalization |
| Term | Definition |
|---|---|
| High-Risk AI System | An AI system that makes or is a substantial factor in making a consequential decision in areas including employment, education, financial services, healthcare, housing, insurance, or legal services (§6-1-1702(1)). |
| Consequential Decision | A decision that has a material legal or similarly significant effect on a consumer's access to or the cost, terms, or availability of essential services. |
| Deployer | A person doing business in Colorado that deploys a high-risk AI system. Meridian Health Systems is a deployer of the Patient Triage AI. |
| Developer | A person doing business in Colorado that develops or intentionally and substantially modifies an AI system. Meridian is also a developer of the Patient Triage AI. |
| Algorithmic Discrimination | Any condition in which the use of an AI system results in an unlawful differential treatment or impact that disfavors an individual or group on the basis of a protected characteristic. |
| Impact Assessment | A documented evaluation of the purpose, intended benefits, known limitations, potential risks, data categories, outputs, and discrimination mitigation measures of a high-risk AI system. |
| Cure Period | A 60-day period during which a deployer may remedy a violation before the AG takes enforcement action, applicable only to first-time violations where good faith is demonstrated. |
| MARPP | Methodology for Auditable, Reproducible, and Provable Processes — HAIEC's deterministic analysis framework. |
Document Status: This compliance assessment contains deterministic analysis generated by the HAIEC Analysis Engine. All evidence is SHA-256 hashed for integrity verification. This document is complete as per the defined scope and ready for independent review and certification under Colorado SB24-205.
This report does NOT constitute legal advice. The Colorado AI Act (SB24-205) is subject to regulatory interpretation by the Colorado Attorney General's office. Consult qualified legal counsel for compliance decisions. Statutory references are to SB24-205 as amended by SB 25B-004.
This section is reserved for the independent reviewer of this Colorado AI Act compliance assessment.
| Reviewer Name | |
| Organization | |
| License / Certification # | |
| Review Date | |
| Verification Status | ☐ Verified & Approved ☐ Approved with Conditions ☐ Requires Revision |
| Signature | |