Posted on
Feb 24, 2026
Is AI Scribing Legal in Colorado? (2026 Compliance Guide for Healthcare Providers)
Quick Answer
Yes, AI scribing is legal in Colorado when implemented with proper consent protocols, HIPAA safeguards, and compliance with state recording and privacy laws. Colorado is a one-party consent state for recording conversations, which means that only one party to the conversation needs to consent to the recording. However, mental health professionals face additional ethical obligations, state privacy protections, and HIPAA requirements that go beyond the baseline recording statute. This guide explains what Colorado therapists, counselors, psychologists, and psychiatrists need to know before deploying AI scribing technology in 2026.
Practice in Colorado? Scribing.io is fully compliant with Colorado recording laws. Try it free.
Recording Consent Laws in Colorado
Colorado's wiretapping and eavesdropping law is codified at C.R.S. § 18-9-303 (Colorado Revised Statutes, Title 18, Article 9, Part 3). This statute makes it a criminal offense to knowingly overhear, record, or aid in recording a telephone or electronic communication without the consent of at least one party to the conversation.
Key provisions relevant to AI scribing:
C.R.S. § 18-9-303(1) — Prohibits wiretapping, eavesdropping, or recording of any telephone, electronic, or oral communication without the consent of at least one party.
C.R.S. § 18-9-304 — Addresses penalties for unlawful use of a wiretapping device. Violations can be charged as a class 6 felony.
C.R.S. § 18-9-305 — Governs the admissibility and use of illegally obtained recordings.
Because Colorado follows one-party consent, a therapist who is a party to the clinical conversation may legally record or allow an AI tool to process that conversation if the therapist consents. However, as detailed below, ethical standards and HIPAA requirements strongly recommend — and in many practical scenarios effectively require — that you also obtain patient consent.
Colorado Privacy Act (CPA)
In addition to the wiretapping statute, mental health professionals should be aware of the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), which took effect on July 1, 2023. While the CPA primarily targets commercial data controllers and processors, its principles around data minimization, purpose limitation, and consumer rights to access and delete personal data are instructive. If your AI scribing vendor processes patient data in ways that extend beyond treatment, payment, or healthcare operations — for example, using data for model training — the CPA's requirements may apply to that vendor's activities.
Colorado Mental Health Statutes
Colorado provides specific protections for mental health records under C.R.S. § 27-65-101 et seq. (Mental Health Statutes) and therapist-patient privilege under C.R.S. § 13-90-107(1)(g). These provisions create heightened confidentiality obligations for mental health providers that exceed the protections available in general medical contexts. AI-generated session notes become part of the mental health record and are subject to these protections.
One-Party vs Two-Party Consent: What It Means for Your Practice
Understanding the distinction is critical for compliance:
Consent Type | Requirement | States |
|---|---|---|
One-Party Consent | Only one participant in the conversation must consent to recording. | Colorado, Texas, New York, and the majority of U.S. states |
Two-Party (All-Party) Consent | All parties to the conversation must consent to recording. | California, Florida, Illinois, Washington, and approximately 11 other states |
What This Means for Colorado Therapists
Under Colorado law (C.R.S. § 18-9-303), you as the therapist are a party to the clinical conversation. Your consent alone satisfies the statutory requirement for recording. Technically, you could use an AI scribe without telling your patient.
However, this is strongly inadvisable for mental health professionals for the following reasons:
Therapeutic Alliance: Undisclosed recording can severely damage trust if discovered, undermining the therapeutic relationship.
Ethical Codes: The American Psychological Association (APA) Ethical Principles of Psychologists (Standard 4.03 — Recording), the American Counseling Association (ACA) Code of Ethics (Section B.6.b), and the National Association of Social Workers (NASW) Code of Ethics all require informed consent before recording sessions.
Licensing Board Standards: The Colorado State Board of Psychologist Examiners, the Colorado State Board of Licensed Professional Counselor Examiners, and other relevant boards may view undisclosed recording as a violation of professional standards, potentially jeopardizing your license.
HIPAA Requirements: As discussed below, HIPAA's minimum necessary and transparency principles create additional obligations.
Malpractice Risk: Failure to inform patients about recording — even where legally permitted — creates liability exposure if a patient alleges breach of confidentiality or breach of fiduciary duty.
Best practice: Always obtain informed patient consent before using AI scribing, regardless of Colorado's one-party consent statute.
HIPAA Requirements on Top of State Law
The Health Insurance Portability and Accountability Act (HIPAA) — specifically the Privacy Rule (45 C.F.R. Part 164, Subpart E) and the Security Rule (45 C.F.R. Part 164, Subpart C) — applies to all covered entities and their business associates, including AI scribing vendors that process protected health information (PHI).
Business Associate Agreement (BAA)
Under 45 C.F.R. § 164.502(e) and 45 C.F.R. § 164.504(e), before any AI scribing tool can access, process, transmit, or store PHI, you must have a signed Business Associate Agreement (BAA) with the vendor. A BAA that does not exist or is inadequate constitutes a HIPAA violation — regardless of whether a breach actually occurs.
A compliant BAA must specify:
Permitted and required uses and disclosures of PHI
The vendor's obligation to implement appropriate safeguards
Breach notification procedures and timelines (per 45 C.F.R. § 164.410)
Return or destruction of PHI upon termination of the agreement
Prohibition on using PHI for purposes not authorized in the agreement (e.g., AI model training)
Psychotherapy Notes — Special HIPAA Protections
Mental health professionals must pay particular attention to 45 C.F.R. § 164.508(a)(2), which provides heightened protections for psychotherapy notes as defined in 45 C.F.R. § 164.501. Psychotherapy notes are a provider's personal notes about a counseling session, recorded separately from the medical record, and their disclosure requires a specific, separate patient authorization beyond general consent for treatment, payment, and healthcare operations.
Key considerations for AI scribing:
If your AI scribe generates content that qualifies as psychotherapy notes, those notes receive the highest level of HIPAA protection.
If AI-generated notes are integrated into the general medical record (progress notes, treatment summaries), they are not classified as psychotherapy notes but are still PHI subject to standard HIPAA protections.
Clarify with your AI scribing vendor whether the tool's output is being stored in a manner consistent with your classification of the notes.
Security Rule Compliance
Under the HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318), all electronic PHI (ePHI) must be protected through administrative, physical, and technical safeguards. For AI scribing, this means:
Encryption: Audio data and transcripts must be encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
Access Controls: Only authorized personnel should be able to access AI-generated notes (45 C.F.R. § 164.312(a)).
Audit Controls: The system must maintain logs of who accessed PHI and when (45 C.F.R. § 164.312(b)).
Automatic Logoff and Session Timeouts: As required by 45 C.F.R. § 164.312(a)(2)(iii).
Data Retention and Disposal: Clear policies for how long audio recordings and transcripts are retained, and NIST 800-88 compliant destruction when no longer needed.
HIPAA Preemption
Under 45 C.F.R. § 160.203, HIPAA preempts state law only when the state law is less protective of patient privacy. Where state law provides greater protections — as Colorado's mental health confidentiality statutes do in certain contexts — the more protective standard applies. Mental health professionals must comply with whichever standard is stricter.
Patient Consent Best Practices for Colorado
Given the intersection of Colorado recording law, HIPAA, ethical codes, and the sensitive nature of mental health treatment, the following consent framework is recommended:
1. Written Informed Consent
Develop a standalone AI scribing consent form (separate from your general intake consent) that includes:
A clear, plain-language explanation of what AI scribing is and how it works during the session
What data is captured (audio, text, or both)
How the data is processed, transmitted, and stored
Who has access to the data (your practice, the AI vendor as a business associate)
How long audio recordings and transcripts are retained
The patient's right to opt out of AI scribing without any impact on the quality or availability of treatment
A statement that the AI vendor has signed a BAA and is HIPAA-compliant
Whether any data is used for AI model training (and if so, whether patients can opt out)
Patient signature and date
2. Verbal Confirmation at Each Session
Even with a signed consent form on file, best practice for mental health professionals is to verbally confirm at the start of each session: "As a reminder, I'll be using the AI scribe today. Are you still comfortable with that?" This is particularly important because:
Patients may wish to opt out for specific sessions involving especially sensitive disclosures
Ongoing consent reinforces the therapeutic alliance and patient autonomy
Some licensing boards may view a single, static consent as insufficient for ongoing recording
3. Document Opt-Outs
Maintain documentation of any session where a patient declines AI scribing. This protects you in the event of a complaint or audit.
4. Minor Patients and Legal Guardians
For patients under 18, consent must generally be obtained from a parent or legal guardian, subject to Colorado's minor consent statutes (e.g., C.R.S. § 27-65-103 for minors aged 15 and older who may consent to their own mental health treatment). When a minor has the right to consent to treatment independently, carefully consider whether the minor — not the parent — should also control consent for AI scribing of those sessions.
5. Couples and Group Therapy
In couples or group therapy settings, all participants must consent to AI scribing. Even though Colorado is a one-party consent state, recording conversations involving multiple patients implicates each patient's independent HIPAA rights and confidentiality interests. Obtain written consent from every participant.
What Happens if You Don't Comply?
Non-compliance with recording, privacy, or HIPAA requirements when using AI scribing can result in severe consequences:
Criminal Penalties (Colorado)
Violation of C.R.S. § 18-9-303 (unauthorized recording without any party's consent) is a class 6 felony, punishable by 12–18 months in prison and fines of $1,000–$100,000 under Colorado's sentencing guidelines.
While one-party consent reduces this risk for therapists who are parties to the conversation, recording without any party's consent (e.g., an AI tool that activates without the therapist's knowledge or authorization) could trigger criminal liability.
HIPAA Penalties
The HHS Office for Civil Rights (OCR) enforces HIPAA violations under a tiered penalty structure (45 C.F.R. § 160.404):
Tier | Culpability Level | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
Tier 1 | Did not know (and could not have known) | $137–$68,928 | $2,067,813 |
Tier 2 | Reasonable cause (not willful neglect) | $1,379–$68,928 | $2,067,813 |
Tier 3 | Willful neglect, corrected within 30 days | $13,785–$68,928 | $2,067,813 |
Tier 4 | Willful neglect, not corrected | $68,928+ | $2,067,813 |
Note: Penalty amounts are adjusted annually for inflation. The figures above reflect approximate 2025–2026 ranges. Always verify current amounts at the HHS OCR website.
Professional Licensing Consequences
The Colorado Department of Regulatory Agencies (DORA) oversees mental health licensing boards. A complaint alleging unauthorized recording of therapy sessions or improper handling of mental health records can result in investigation, disciplinary action, license suspension, or revocation.
Ethical violations reported to the APA, ACA, or NASW can result in professional sanctions and expulsion from professional organizations.
Civil Liability
Patients may bring civil suits for breach of confidentiality, invasion of privacy, or negligence.
Colorado recognizes a tort action for invasion of privacy, including intrusion upon seclusion, which could apply if a patient's session is recorded without consent under circumstances a reasonable person would find highly offensive.
Implementation Checklist
Use the following checklist before deploying AI scribing in your Colorado mental health practice:
☐ Verify your AI scribing vendor has signed a HIPAA-compliant Business Associate Agreement (BAA) — Confirm the BAA explicitly prohibits use of PHI for model training unless separately authorized.
☐ Confirm the vendor's security posture — Request documentation of encryption standards (AES-256 at rest, TLS 1.2+ in transit), SOC 2 Type II certification, and their breach notification procedures.
☐ Develop a standalone AI scribing consent form — Include all elements listed in the Patient Consent Best Practices section above. Have the form reviewed by a healthcare attorney licensed in Colorado.
☐ Update your Notice of Privacy Practices (NPP) — Under 45 C.F.R. § 164.520, your NPP must describe how PHI is used. Add language disclosing the use of AI technology in documentation.
☐ Train all staff — Ensure front-desk staff, clinical assistants, and any other personnel understand the AI scribing workflow, consent requirements, and what to do if a patient opts out.
☐ Establish an opt-out protocol — Document how sessions will be handled (manual notes, traditional dictation) when a patient declines AI scribing.
☐ Implement verbal re-confirmation — Build a brief verbal consent check into your session-start routine.
☐ Define data retention policies — Determine how long audio recordings and transcripts will be stored, consistent with Colorado's medical record retention requirements and your own clinical needs.
☐ Address psychotherapy notes classification — Determine whether AI-generated output constitutes psychotherapy notes under 45 C.F.R. § 164.501 and handle accordingly.
☐ Review Colorado Privacy Act applicability — If your vendor processes data for purposes beyond treatment, payment, or operations, assess CPA obligations (C.R.S. § 6-1-1301 et seq.).
☐ Establish a breach response plan — Know your obligations under both HIPAA (45 C.F.R. §§ 164.400–414) and Colorado's data breach notification law (C.R.S. § 6-1-716) if patient data is compromised.
☐ Conduct periodic compliance reviews — Reassess consent forms, vendor agreements, and security practices at least annually.
☐ Consult a Colorado-licensed healthcare attorney — This guide is informational and does not constitute legal advice. An attorney can tailor compliance to your specific practice circumstances.
Disclaimer: This guide is provided for informational purposes only and does not constitute legal advice. Laws and regulations may change. Mental health professionals should consult with a qualified attorney licensed in Colorado for advice specific to their practice and circumstances. Penalty amounts and regulatory interpretations are subject to change and should be verified with current official sources.
