Posted on Mar 16, 2026
Is AI Scribing Legal in All States? (2026 Compliance Guide for Healthcare Providers)

Quick Answer
Is AI scribing legal across all U.S. states? Yes — AI scribing can be used legally in every U.S. state, but the specific consent requirements vary significantly depending on whether the state follows a one-party or two-party (all-party) consent framework for recording conversations. Clinic managers operating across multiple states must understand and comply with each state's wiretapping and eavesdropping statutes, in addition to federal HIPAA requirements. Scribing.io is designed to support compliance with recording laws in all 50 states.
Recording Consent Laws in All States
AI scribing tools work by recording or processing audio from patient-provider encounters, then using artificial intelligence to generate clinical documentation. Because these tools capture spoken conversations, they are subject to both federal and state wiretapping and electronic surveillance laws.
At the federal level, 18 U.S.C. § 2511 (the federal Wiretap Act, part of the Electronic Communications Privacy Act of 1986) establishes a one-party consent baseline: it is lawful to record a conversation if at least one party to the conversation consents. However, states are free to impose stricter requirements, and many do.
The critical distinction for clinic managers is whether a given state requires one-party consent or two-party (all-party) consent to legally record a conversation.
One-Party Consent States (Majority of States)
In most U.S. states, only one participant in the conversation needs to consent to the recording. In a clinical context, the healthcare provider using the AI scribe can typically serve as the consenting party. However, obtaining explicit patient consent is still strongly recommended as a best practice for HIPAA compliance and risk management. One-party consent states include, among others:
New York — N.Y. Penal Law § 250.00 & § 250.05
Texas — Tex. Penal Code § 16.02
Ohio — Ohio Rev. Code § 2933.52
Georgia — O.C.G.A. § 16-11-62
North Carolina — N.C. Gen. Stat. § 15A-287
Virginia — Va. Code § 19.2-62
Tennessee — Tenn. Code § 39-13-601
Arizona — Ariz. Rev. Stat. § 13-3005
Colorado — Colo. Rev. Stat. § 18-9-303
Indiana — Ind. Code § 35-33.5-5-5
Missouri — Mo. Rev. Stat. § 542.402
Wisconsin — Wis. Stat. § 968.31
Alabama, Alaska, Arkansas, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan (note: Michigan requires one-party consent under MCL § 750.539c but case law has nuances), Minnesota, Mississippi, Montana (note: Montana requires notification under Mont. Code § 45-8-213), Nebraska, New Jersey, New Mexico, North Dakota, Oklahoma, Oregon (note: Oregon has specific rules — ORS § 165.540 requires one-party consent for in-person and some telephonic conversations), Rhode Island, South Carolina, South Dakota, Utah, Vermont (note: Vermont has no specific wiretapping statute but follows federal one-party consent standards), West Virginia, Wyoming
Two-Party (All-Party) Consent States
The following states require all parties to a conversation to consent before it can be lawfully recorded. For AI scribing in these jurisdictions, you must obtain explicit patient consent before activating any recording or audio-processing tool:
California — Cal. Penal Code § 632
Connecticut — Conn. Gen. Stat. § 52-570d (civil liability) and § 53a-187 to § 53a-189 (criminal)
Delaware — Del. Code tit. 11, § 2402
Florida — Fla. Stat. § 934.03
Illinois — 720 ILCS 5/14-2 (amended significantly in 2014; as of 2026, requires all-party consent in private conversations)
Maryland — Md. Code, Cts. & Jud. Proc. § 10-402
Massachusetts — Mass. Gen. Laws ch. 272, § 99
Michigan — MCL § 750.539c (Michigan is sometimes classified as one-party, but the statute language can be interpreted as all-party in certain contexts; consult legal counsel)
Montana — Mont. Code § 45-8-213 (requires knowledge of all parties for in-person recording)
Nevada — Nev. Rev. Stat. § 200.620 (applies specifically to telephone/electronic communications)
New Hampshire — N.H. Rev. Stat. § 570-A:2
Oregon — ORS § 165.540 (all-party consent required for telephonic and electronic conversations; in-person conversations require one-party consent)
Pennsylvania — 18 Pa.C.S. § 5703
Washington — Wash. Rev. Code § 9.73.030
Important note: Some states like Michigan, Montana, and Oregon have nuanced statutes that don't fit neatly into one category. The classification above reflects the most conservative reading as of 2026. Clinic managers should consult state-specific legal counsel, especially in these jurisdictions.
Telehealth Considerations: Interstate Encounters
When a provider in one state delivers care via telehealth to a patient in another state, the most restrictive applicable law generally governs. If either the provider's state or the patient's state is a two-party consent jurisdiction, best practice is to obtain all-party consent. There is limited case law on interstate telehealth recording conflicts, so a conservative approach is strongly advised.
One-Party vs Two-Party Consent: What It Means for Your Practice
Understanding the difference is essential for operationalizing AI scribing compliantly:
| Consent Type | Legal Requirement | Clinical Implication |
|---|---|---|
| One-Party Consent | Only one participant (e.g., the provider) must consent to the recording. | Legally, you may not need to inform the patient, but HIPAA and ethical best practices still require transparency and, typically, patient authorization. |
| Two-Party (All-Party) Consent | All participants must consent before any recording takes place. | You must inform the patient and obtain their consent — preferably in writing — before activating any AI scribing tool. |
Practical recommendation: Regardless of your state's consent classification, always obtain explicit patient consent before using AI scribing. This protects against legal liability, supports HIPAA compliance, and preserves the patient-provider trust relationship.
HIPAA Requirements on Top of State Law
State recording consent laws and HIPAA operate independently, and compliance with one does not guarantee compliance with the other. AI scribing involves the creation, transmission, and storage of protected health information (PHI), which triggers multiple HIPAA obligations:
1. Business Associate Agreement (BAA)
Under 45 C.F.R. § 164.502(e) and 45 C.F.R. § 164.504(e), any AI scribing vendor that receives, processes, transmits, or stores PHI is a business associate. You must have a signed BAA in place before using the tool. The BAA must specify how the vendor protects PHI, its obligations regarding breach notification, and limitations on the use and disclosure of PHI.
2. Minimum Necessary Standard
Under 45 C.F.R. § 164.502(b), covered entities must limit the PHI shared with the AI scribing vendor to the minimum necessary to accomplish the intended purpose. Evaluate whether the tool records the entire encounter or only clinically relevant portions, and whether audio recordings are retained or deleted after transcription.
3. Security Rule Compliance
Under 45 C.F.R. Part 164, Subpart C (§§ 164.302–164.318), the AI scribing tool and its vendor must implement appropriate administrative, physical, and technical safeguards. Key considerations include:
Encryption of audio data in transit and at rest (aligned with NIST standards)
Access controls ensuring only authorized personnel can access recordings and transcriptions
Audit logging of all access to PHI
Secure data deletion policies
4. Patient Rights Under the Privacy Rule
Under 45 C.F.R. § 164.524, patients have a right to access their medical records, which may include AI-generated notes. Under 45 C.F.R. § 164.526, patients can request amendments to inaccurate records. Clinic managers should ensure workflows allow for provider review and correction of AI-generated documentation before finalization.
5. Notice of Privacy Practices
Under 45 C.F.R. § 164.520, your Notice of Privacy Practices (NPP) should be updated to reflect the use of AI scribing technology, including how audio is captured, processed, and stored.
6. Breach Notification
Under 45 C.F.R. §§ 164.400–414, if an AI scribing vendor experiences a breach of unsecured PHI, the covered entity must notify affected patients, HHS, and (in some cases) the media. Your BAA should clearly define breach notification responsibilities and timelines.
Patient Consent Best Practices for All States
Given the patchwork of state laws and the overarching requirements of HIPAA, the following best practices apply universally:
Always obtain informed consent in writing. Use a clear, plain-language consent form that explains: what AI scribing is, that audio will be captured and processed, who will have access to the data, how long recordings are retained, and the patient's right to decline.
Make consent opt-in, not opt-out. Do not assume consent through silence or inaction. Have the patient affirmatively agree.
Provide consent forms in the patient's preferred language when possible, consistent with federal requirements under Title VI of the Civil Rights Act of 1964 and Section 1557 of the Affordable Care Act (42 U.S.C. § 18116).
Document consent in the medical record. Note that the patient was informed about and consented to AI scribing for that encounter.
Allow patients to withdraw consent at any time. Have a clear process for disabling the AI scribe mid-encounter and documenting through traditional means instead.
Re-consent periodically. If your practice sees patients on a recurring basis, consider re-affirming consent at reasonable intervals or when technology changes.
Post visible signage. In two-party consent states especially, post notices in examination rooms indicating that AI-assisted recording may occur, as an additional layer of transparency.
Train all clinical and front-desk staff on consent procedures, including how to answer patient questions about AI scribing and how to handle refusals without disrupting care.
For telehealth encounters: Obtain verbal consent at the start of the call and document it. Consider using recorded verbal consent (with the patient's agreement) or an electronic signature workflow.
What Happens if You Don't Comply?
Non-compliance with recording consent laws and HIPAA can result in serious consequences:
State-Level Penalties for Illegal Recording
Criminal penalties: Many state wiretapping statutes impose criminal liability. For example, under California Penal Code § 632, illegal recording is punishable by a fine of up to $2,500 and/or imprisonment for up to one year. Under Florida Stat. § 934.03, a first offense is a third-degree felony. Under Maryland Cts. & Jud. Proc. § 10-402, violations are felonies punishable by up to five years in prison.
Civil liability: Patients may bring civil lawsuits for damages. California Penal Code § 637.2 allows statutory damages of $5,000 per violation or three times actual damages, whichever is greater. Massachusetts Gen. Laws ch. 272, § 99 provides for civil remedies including actual and punitive damages.
Exclusion of evidence: Illegally obtained recordings may be inadmissible in any legal proceeding, which could undermine malpractice defense efforts.
HIPAA Penalties
Civil monetary penalties under 42 U.S.C. § 1320d-5 range from $137 to $68,928 per violation (as adjusted for inflation), with an annual maximum of $2,067,813 per identical violation category.
Criminal penalties under 42 U.S.C. § 1320d-6 can include fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell or use PHI for commercial advantage or malicious harm.
OCR investigations and corrective action plans can impose operational burdens and reputational damage.
Professional and Operational Consequences
State medical board investigations and potential disciplinary action against providers
Loss of patient trust and negative publicity
Exclusion from insurance panels or payer networks
Increased malpractice liability exposure
Implementation Checklist
Use this checklist when deploying AI scribing in your practice across any U.S. state:
☐ Identify the consent classification of every state in which you provide care (including telehealth). Apply the most restrictive standard when encounters cross state lines.
☐ Execute a Business Associate Agreement with your AI scribing vendor that meets 45 C.F.R. § 164.504(e) requirements.
☐ Verify vendor security practices: encryption standards, data retention policies, access controls, SOC 2 Type II certification, and HIPAA compliance documentation.
☐ Develop a written patient consent form specific to AI scribing. Have it reviewed by healthcare counsel.
☐ Update your Notice of Privacy Practices to disclose the use of AI-assisted documentation technology.
☐ Train all staff — providers, medical assistants, front-desk personnel — on consent workflows, patient communication, and handling refusals.
☐ Post signage in exam rooms notifying patients that AI-assisted recording may be used (especially in two-party consent states).
☐ Establish a telehealth consent protocol for interstate encounters, including verbal consent documentation and electronic signature options.
☐ Implement a process for provider review of all AI-generated notes before they are finalized in the EHR, to ensure accuracy and compliance with 45 C.F.R. § 164.526.
☐ Create a patient refusal workflow so care is not delayed or denied when a patient declines AI scribing.
☐ Document everything: consent, refusals, vendor agreements, training completion, and policy updates.
☐ Conduct periodic compliance audits — at least annually — to review consent rates, vendor compliance, and any changes in state law.
☐ Consult with a healthcare attorney licensed in each state where you operate to validate your compliance program.
Disclaimer: This guide is provided for informational purposes only and does not constitute legal advice. State laws are subject to change, and judicial interpretations may vary. Clinic managers should consult with qualified healthcare attorneys in their respective jurisdictions to ensure full compliance with applicable laws and regulations.

