Posted on
Mar 10, 2026
AI Scribing Laws by State: Complete 2026 Guide for Clinic Managers
As AI-powered clinical documentation tools become standard in outpatient settings, clinic managers face a genuinely complex compliance question: which laws govern the use of these tools, and how do those laws differ from one state to the next? Platforms like Scribing.io are built with HIPAA compliance at their core, but federal privacy law is only one layer in a multi-layered legal landscape that varies significantly depending on where your providers and patients are located.
This guide maps the key legal frameworks that affect AI medical scribe usage across all 50 states, explains the critical distinction between one-party and two-party recording consent, covers emerging state health data privacy laws that go beyond HIPAA, and provides a practical consent workflow you can implement in your clinic this week. Scribing.io recommends the same approach regardless of jurisdiction: obtain explicit patient consent before every recorded encounter. What follows is the legal context for why that matters and how to operationalize it.
TL;DR: AI medical scribes are not explicitly banned in any U.S. state as of 2026, but your compliance obligations depend on two intersecting legal frameworks: (1) state wiretapping and recording consent laws (one-party vs. two-party/all-party consent) and (2) state-level health data privacy statutes that may go beyond HIPAA. The safest practice is to obtain explicit verbal or written patient consent before every recorded encounter, regardless of which state you operate in. This hub page breaks down each framework, maps the most consequential state requirements, and provides a consent workflow template for immediate implementation.
Table of Contents
Why AI Scribe Legality Is a State-by-State Question
One-Party vs. Two-Party Consent States
State Health Data Privacy Laws That Go Beyond HIPAA in 2026
Building a Compliant AI Scribe Consent Workflow
State-by-State Reference Guides
Telehealth and Cross-State Compliance
Vendor Due Diligence: What to Demand from Your AI Scribe Provider
Common Compliance Mistakes Clinic Managers Make
How Scribing.io Handles Compliance at the Platform Level
Get Started Today
Why AI Scribe Legality Is a State-by-State Question (Not Just a Federal One)
Many clinic managers assume that HIPAA compliance is the beginning and end of the legal analysis for AI documentation tools. It is not. HIPAA — the Health Insurance Portability and Accountability Act — governs how Protected Health Information (PHI) is stored, transmitted, and disclosed by covered entities and their business associates. It does not directly regulate whether a conversation can be recorded in the first place. That question falls squarely under state law.
The legal authority for recording consent requirements comes from state wiretapping statutes, most of which derive from the federal Wiretap Act (Title III of the Omnibus Crime Control and Safe Streets Act of 1968) and the Electronic Communications Privacy Act (ECPA). These federal laws set a floor — one-party consent at the federal level — but explicitly allow states to impose stricter requirements. Many states have done exactly that, creating a patchwork of one-party and two-party (all-party) consent mandates that directly affect whether and how an AI scribe can listen to a clinical encounter.
Layered on top of these wiretapping statutes, a new generation of state health data privacy laws has emerged between 2023 and 2026. Washington's My Health My Data Act, California's Confidentiality of Medical Information Act (CMIA) and CCPA/CPRA framework, and various state AI governance bills all impose obligations that may affect AI scribe vendors and the clinics that use them — often in ways that go well beyond HIPAA's requirements.
Telehealth adds further complexity. When a provider in New York conducts a visit with a patient physically located in California, which state's recording consent law applies? The widely accepted legal guidance is that the more restrictive state's law controls, meaning multi-state telehealth practices must track consent requirements for every state where their patients are located.
For clinic managers, the stakes are real. Non-compliance with state wiretapping laws can result in civil liability, criminal penalties in some jurisdictions, regulatory action, and erosion of patient trust. For a deep dive into California's specific requirements — one of the most complex regulatory environments — see our dedicated California AI scribe laws guide.
Important note: This content is educational and does not constitute legal advice. We recommend consulting a healthcare attorney licensed in your state(s) of practice for guidance specific to your clinic's situation.
One-Party vs. Two-Party Consent States — What Clinic Managers Must Know
The single most consequential legal distinction for AI medical scribe usage is whether your state requires one-party consent or two-party (all-party) consent to record a conversation.
Definitions
One-party consent: Only one participant in a conversation needs to consent to it being recorded. In a clinical setting, if the provider consents to activating the AI scribe, that is generally sufficient under the wiretapping statute — though separate health privacy obligations may still apply.
Two-party (all-party) consent: Every participant in the conversation must consent before recording begins. In a clinical encounter, this means the patient (and any family members, interpreters, or other participants present) must affirmatively agree to the AI scribe's use.
Two-Party/All-Party Consent States
The following states are widely recognized as requiring all-party consent for recording conversations. This classification is based on published legal references and the statutory language cited below. Clinic managers should verify current requirements, as state legislatures may amend these statutes.
| State | Consent Type | Key Statute | Notes for AI Scribing |
|---|---|---|---|
| California | All-party | Cal. Penal Code § 632 | Also subject to CMIA and CCPA/CPRA. Highest compliance burden for AI tools. |
| Connecticut | All-party | Conn. Gen. Stat. § 52-570d | Applies to in-person and telephonic communications. |
| Florida | All-party | Fla. Stat. § 934.03 | Criminal penalties possible for violations. High telehealth volume makes this critical. |
| Illinois | All-party | 720 ILCS 5/14-2 | Also subject to BIPA for biometric data; voice data may trigger BIPA if used for identification. |
| Maryland | All-party | Md. Code, Cts. & Jud. Proc. § 10-402 | Consent must be obtained from all parties to the communication. |
| Massachusetts | All-party | Mass. Gen. Laws ch. 272, § 99 | One of the strictest wiretapping statutes in the country. Criminal penalties for violations. |
| Michigan | All-party | Mich. Comp. Laws § 750.539c | Consent of all parties required for eavesdropping on private conversations. |
| Montana | All-party | Mont. Code Ann. § 45-8-213 | Applies to electronic communications broadly. |
| New Hampshire | All-party | N.H. Rev. Stat. Ann. § 570-A:2 | Telephonic and electronic communications covered. |
| Oregon | All-party | Or. Rev. Stat. § 165.540 | Specific exceptions exist for certain contexts; clinical AI recording is not among them. |
| Pennsylvania | All-party | 18 Pa.C.S. § 5703 | Criminal felony for unauthorized interception. One of the most severe penalty structures. |
| Washington | All-party | Wash. Rev. Code § 9.73.030 | Also subject to My Health My Data Act. Dual compliance required for AI scribe vendors. |
Table last verified: 2026. State laws are subject to change. Verify current statutory language before relying on this table for compliance decisions.
One-Party Consent States
The remaining states follow one-party consent rules, meaning a provider who consents to activating the AI scribe generally satisfies the wiretapping statute. However — and this is the critical point many clinic managers miss — one-party consent under wiretapping law does not eliminate the need for patient disclosure. Health data privacy laws, medical ethics obligations, and the AMA's ethical guidelines on patient-physician relationships all strongly support transparency about AI tool usage during clinical encounters.
The HIPAA Consent Misconception
A common error: clinic managers assume that HIPAA's Notice of Privacy Practices (NPP) — which patients sign during intake — covers AI recording consent. It does not. The NPP discloses how PHI may be used and shared. A recording consent is a separate legal instrument that addresses whether the conversation itself may be captured. These are distinct obligations, and conflating them creates compliance gaps.
State Health Data Privacy Laws That Go Beyond HIPAA in 2026
Even after satisfying recording consent requirements, clinic managers must contend with a growing body of state health data privacy legislation that imposes additional obligations on AI tool usage.
Washington's My Health My Data Act (MHMDA)
Enacted in 2023 and now fully in effect, the MHMDA broadly defines "health data" and "consumer" in ways that extend beyond HIPAA's covered entity framework. The Act requires specific consent for the collection and sharing of health data and includes a private right of action — meaning patients can sue directly. For clinics using AI scribes in Washington, this means ensuring that your vendor's data handling practices comply with MHMDA's consent and data minimization requirements, not just HIPAA's.
California (CCPA/CPRA + CMIA)
California's Confidentiality of Medical Information Act (CMIA) imposes obligations on providers and their vendors that are, in some respects, stricter than HIPAA. The CCPA/CPRA adds consumer rights around data deletion, data access, and the right to opt out of data sales — provisions that interact with AI scribe data retention policies. If your AI scribe vendor retains audio recordings or transcripts, California patients may have rights under the CCPA/CPRA to request deletion of that data. See our California compliance guide for specifics.
Illinois Biometric Information Privacy Act (BIPA)
BIPA does not directly regulate audio recording in the same way wiretapping statutes do, but if an AI tool processes voice data for biometric identification or creates a voiceprint, BIPA's strict consent and data handling requirements may be triggered. Clinics in Illinois should confirm with their AI scribe vendor whether any biometric identifiers are generated from audio input.
States to Watch: Emerging AI-Specific Healthcare Legislation
Between 2024 and 2026, multiple states have introduced bills that specifically address AI use in clinical settings. Colorado's AI Act includes provisions relevant to "high-risk" AI systems, which may encompass clinical documentation tools depending on how risk classifications are interpreted. Several other states — including Texas, New York, and Virginia — have introduced or advanced legislation addressing AI transparency, algorithmic accountability, and health data governance. This legislative landscape is evolving rapidly. Clinic managers should monitor their state legislature's activity and consult legal counsel when new bills are enacted.
Practical impact for clinic managers: These laws may require additional patient disclosures, data deletion capabilities, vendor due diligence documentation, and records of AI tool usage that go beyond what HIPAA alone demands.
Building a Compliant AI Scribe Consent Workflow for Your Clinic
Understanding the legal landscape is necessary. But what clinic managers actually need is a repeatable, operationally sound consent workflow they can train staff on and implement across every encounter. Here is a framework that satisfies the most restrictive state requirements — meaning it works everywhere.
Step 1: Determine Your Consent Obligation
Identify whether your state requires one-party or all-party consent using the table above. If your practice offers telehealth, also identify the consent requirements for every state where your patients are located. When in doubt, default to all-party consent. The cost of obtaining unnecessary consent is zero. The cost of failing to obtain required consent can be substantial.
Step 2: Develop a Standardized Patient Disclosure Script
Train front-desk staff and providers to deliver a brief, clear disclosure before every encounter. A sample verbal disclosure:
"We use an AI documentation tool that listens during your visit to help your provider create accurate medical notes. The recording is processed securely and is not shared outside your care team. You can opt out at any time, and your care will not be affected. Do you consent to the use of this tool during today's visit?"
This script accomplishes four things: (1) discloses the existence of the AI tool, (2) describes its purpose, (3) addresses data handling, and (4) obtains affirmative consent while making clear that opting out carries no penalty.
Step 3: Document Consent
In all-party consent states, verbal consent should be documented in the encounter record. Options include:
EHR notation: A checkbox or free-text field in the encounter note confirming that the patient consented to AI scribe use.
Written consent form: A standalone consent form signed during intake, either annually or per-visit depending on your state's requirements and your risk tolerance.
Audio capture of consent: Some AI scribe platforms can capture the consent exchange itself as the first segment of the recording. This is an efficient approach if your platform supports it — see how Scribing.io's consent workflow features handle this.
Step 4: Handle Opt-Outs Gracefully
Patients who decline AI scribe use must receive the same quality of care. Train providers to simply turn off the AI tool and document manually or via traditional dictation. Having a seamless opt-out process protects your clinic legally and demonstrates respect for patient autonomy.
Step 5: Review and Update Annually
State laws change. Review your consent workflow at least annually against current statutory requirements. If your practice expands into new states, update your workflow before seeing patients in those jurisdictions.
State-by-State Reference Guides
This hub page provides the legal framework applicable across all states. For state-specific detail, including local enforcement trends and practical implementation guidance, see our individual state guides:
California AI Scribe Laws — All-party consent, CMIA, CCPA/CPRA, and the intersection with telehealth
Additional state guides covering Florida, Illinois, Massachusetts, New York, Pennsylvania, Texas, and Washington are in active development. As they publish, links will be added here. If your state is a priority, our team welcomes input — contact details are on our services page.
Telehealth and Cross-State Compliance
Telehealth has made cross-state compliance a daily operational concern rather than an edge case. Here is a practical decision framework for multi-state practices:
The "More Restrictive State" Rule
When a provider and patient are in different states, apply the more restrictive consent standard. If either state requires all-party consent, obtain all-party consent. If both states are one-party consent states, one-party consent is legally sufficient — though explicit patient disclosure remains best practice.
Practical Implementation
Confirm patient location at the start of every telehealth encounter. Patient location determines which state's law applies, and patients may travel or relocate between visits.
Maintain a reference matrix that maps patient states to consent requirements. Share this matrix with scheduling staff so consent workflows can be tailored before the encounter begins.
Default to the universal consent script described in the consent workflow section above. If you always obtain explicit all-party consent, cross-state complexity becomes a documentation exercise rather than a compliance risk.
Interstate Compacts and AI Tools
Interstate medical licensure compacts do not modify state recording consent requirements. A provider licensed through a compact to practice across state lines still must comply with the recording consent laws of each state where patients are located.
Vendor Due Diligence: What to Demand from Your AI Scribe Provider
State compliance is not solely the clinic's burden. Your AI scribe vendor's architecture, data handling practices, and contractual commitments directly affect your compliance posture. Here is what to require:
Business Associate Agreement (BAA): Non-negotiable under HIPAA. Your vendor must execute a BAA before any PHI is processed. If a vendor resists signing a BAA, do not use that vendor.
Data residency and retention policies: Know where audio recordings and transcripts are stored, how long they are retained, and how deletion requests are handled — especially for states with data deletion rights (California, Washington).
No third-party data sharing: Confirm in writing that patient audio and transcript data are not shared with third parties for model training, advertising, or any purpose outside the scope of the BAA.
SOC 2 Type II certification or equivalent: This provides independent verification of the vendor's security controls.
Consent workflow support: Does the platform include features that help you document consent within the encounter? Does it support opt-out workflows without disrupting clinical documentation?
Audit trail: Can the platform generate logs showing when recordings were initiated, when consent was obtained, and when data was deleted?
If your current AI scribe vendor cannot satisfy these requirements, that is a compliance gap, not a feature request. Evaluate alternatives — including platforms purpose-built for healthcare compliance. See how Scribing.io's features address each of these requirements.
Common Compliance Mistakes Clinic Managers Make
Based on patterns reported by healthcare compliance professionals and legal practitioners, these are the most frequent errors clinics make when deploying AI scribes:
Mistake 1: Relying on Signage Instead of Affirmative Consent
Posting a sign in the waiting room that says "This clinic uses AI documentation tools" is not consent. In all-party consent states, consent must be affirmative — the patient must actively agree, not merely fail to object. Even in one-party consent states, signage alone does not satisfy health data privacy obligations under laws like MHMDA or CCPA/CPRA.
Mistake 2: Assuming the EHR Vendor Handles Compliance
If your AI scribe integrates with Epic, athenahealth, or another EHR, the EHR vendor's compliance posture does not automatically extend to the AI scribe. Each tool in your stack requires its own compliance analysis, BAA, and vendor due diligence.
Mistake 3: Failing to Account for Specialty-Specific Sensitivity
AI scribe usage in psychiatry, substance abuse treatment, and reproductive health encounters involves heightened legal protections under 42 CFR Part 2, state mental health confidentiality laws, and post-Dobbs reproductive health data protections. Consent workflows for these specialties may need to be more explicit and more carefully documented. Similarly, pediatric encounters require consent from a parent or legal guardian, adding another layer to the workflow.
Mistake 4: No Process for Revoking Consent Mid-Encounter
Patients have the right to withdraw consent at any time during an encounter. Your staff must know how to stop the AI scribe immediately and how the platform handles data that was recorded before consent was revoked. If your platform cannot delete a partial recording, that is a compliance vulnerability.
Mistake 5: Not Reviewing Compliance Annually
State laws change. Between 2024 and 2026, at least a dozen states have introduced new legislation affecting AI use in healthcare, data privacy, or recording consent. A compliance posture that was sound in 2024 may have gaps in 2026. Annual review with legal counsel is essential.
How Scribing.io Handles Compliance at the Platform Level
Clinic managers should not have to architect compliance from scratch. Scribing.io is designed to reduce compliance burden through platform-level commitments:
Standard BAA: Every Scribing.io account includes a Business Associate Agreement. No enterprise tier required, no negotiation needed.
No third-party data sharing: Patient audio and transcripts are not shared with external parties for any purpose outside the scope of clinical documentation.
Consent workflow support: Built-in tools to capture and document patient consent within the encounter workflow, supporting clinics in both one-party and all-party consent jurisdictions.
Data handling aligned with state privacy laws: Scribing.io's data retention and deletion policies are designed to accommodate the requirements of states with the strictest health data privacy standards.
ICD-10 coding tools integrated into the documentation workflow, reducing the need for additional third-party tools that may introduce separate compliance obligations.
For specialty-specific implementation, see our guides for family medicine and cardiology practices.
Get Started Today
Multi-state compliance does not have to be paralyzing. The combination of a universal consent workflow, a compliant AI scribe platform, and annual legal review puts your clinic in a strong position — legally, ethically, and operationally. Scribing.io provides the platform-level infrastructure so you can focus on the clinical and operational layers that only your team can deliver.


