RatedWithAI

RatedWithAI

Accessibility scanner

AI Health DataJuly 5, 2026

AI Medical Scribes and HIPAA Compliance for Healthcare Businesses 2026

Ambient AI scribes that listen to a patient visit and draft the clinical note afterward have moved from novelty to standard-of-care expectation in many practices. They also sit directly on top of the most sensitive category of data HIPAA governs — and most practices adopting them are treating the rollout like a productivity purchase instead of a business associate relationship.

3 Layers
PHI is created at the audio, transcript, and generated-note stage — each needs coverage
Before Use
A signed BAA must exist before any patient data reaches the vendor, not retroactively
State Law
Recording-consent rules vary by state and apply on top of, not instead of, HIPAA

Three Places PHI Gets Created, Not One

Most practices evaluating an AI scribe focus on the output — the clinical note dropped into the EHR — and assume that's the only PHI in play. In reality, the tool creates protected health information at three separate points: the raw audio capturing the patient's voice and disclosures, the intermediate transcript, and the final generated note. Each of these can be stored, transmitted, or retained differently by the vendor, and a compliance review that only looks at the note misses where most of the actual exposure sits.

This matters because vendors differ enormously on retention. Some discard raw audio immediately after generating the note; others retain it for quality assurance, model improvement, or dispute resolution, sometimes for periods the practice never explicitly agreed to. Before deployment, a practice needs a straight answer, in writing, on how long each of the three artifacts is kept and where.

The Business Associate Agreement Isn't Optional or Generic

Any AI scribe vendor that touches PHI on behalf of a covered entity is a business associate under HIPAA, full stop, and needs a signed BAA before the first patient encounter is processed. A generic SaaS BAA template is not sufficient here — the agreement needs to specifically address AI-specific questions a standard EHR-integration BAA never had to answer: whether the vendor uses patient data to train or fine-tune models, whether a third-party AI provider (many scribe vendors sit on top of foundation models from separate companies) is itself a subcontracted business associate with its own BAA in the chain, and what happens to data if the practice terminates the contract.

Model Training Is the Question Vendors Answer Vaguely

The single highest-risk gap in most AI scribe contracts is training data use. A vendor improving its transcription or summarization accuracy across all customers, using real patient encounters, needs either explicit BAA authorization tied to a permitted HIPAA purpose or a documented, defensible de-identification process before that data is used. "We take privacy seriously" in a sales deck is not a substitute for a BAA clause naming exactly what happens to encounter data after the note is delivered. Practices should ask vendors this question directly and get the answer in the contract, not the pitch.

State Recording-Consent Laws Apply on Top of HIPAA

HIPAA governs what happens to PHI once it exists; it does not govern whether recording a conversation in the first place requires consent. That's a separate body of state law, and two-party consent states require the patient be informed the visit is being recorded by an AI tool and agree to it before the recording starts. A practice can be fully HIPAA-compliant on the data-handling side and still violate state wiretapping or eavesdropping law if front-desk staff never update patient intake or verbal consent scripts to disclose the AI scribe.

Vendor Risk Assessment Checklist

Run this before signing with any ambient AI documentation vendor.

Confirm a signed BAA is in place before any patient audio reaches the vendor's systemsStart here
Get written confirmation of whether raw audio, transcripts, and notes are retained, and for how longEssential
Ask directly whether patient data is used for model training, and require the answer in the BAAEssential
Identify whether the vendor relies on a third-party foundation model provider, and confirm that subcontractor has its own BAAEssential
Update patient intake and verbal consent scripts to disclose AI-assisted recording per your state's consent lawEssential
Confirm data deletion or export terms if the practice terminates the vendor relationshipOngoing

A compliant BAA doesn't fix a patient portal nobody can navigate

Healthcare practices carry accessibility exposure on their patient-facing sites independent of how they handle AI vendor risk. RatedWithAI scans your site for the accessibility issues that turn into complaints and lawsuits.

Scan Your Site for Free →

Frequently Asked Questions

What happens if a practice deploys an AI scribe without a BAA?

The practice is in violation of HIPAA the moment PHI reaches the vendor without an executed BAA, regardless of whether any breach occurs. This exposes the practice to OCR enforcement action and civil penalties, and the absence of a BAA is often treated as an aggravating factor in any subsequent breach investigation involving that vendor.

Are free or trial versions of AI scribes exempt from HIPAA requirements?

No. HIPAA applies based on whether PHI is processed, not on whether the vendor is being paid. A free trial that processes even a single real patient encounter requires the same BAA and safeguards as a paid, full deployment.

Can a practice use an AI scribe for telehealth visits under the same rules?

Yes, the same HIPAA business associate and BAA requirements apply regardless of whether the encounter is in-person or via telehealth, though telehealth platforms add an additional layer of vendor risk if the AI scribe integrates with a separate video platform that also touches PHI.

Does de-identifying scribe data remove it from HIPAA entirely?

Yes, properly de-identified data under HIPAA's Safe Harbor or Expert Determination standards is no longer PHI and falls outside HIPAA's restrictions. The risk is that many vendors use looser, non-compliant de-identification methods and market the result as anonymous when it would not meet either HIPAA standard.

Related Guides