Posted on Mar 6, 2026

Is AI Scribing Legal in Kentucky? (2026 Compliance Guide for Healthcare Providers)

Quick Answer

Yes, AI scribing is legal in Kentucky when implemented in compliance with state recording consent laws and federal HIPAA regulations. Kentucky is a one-party consent state for recording communications. This means that only one party to a conversation needs to consent to its recording. As the physician conducting the encounter, your own consent to the AI scribe recording the visit satisfies Kentucky's statutory requirement. However, HIPAA imposes additional obligations regarding patient privacy, and best practices strongly recommend transparent patient notification regardless of the minimum legal threshold.


Recording Consent Laws in Kentucky

Kentucky's wiretapping and electronic surveillance laws are codified in Kentucky Revised Statutes (KRS) Chapter 526, specifically KRS 526.010 through KRS 526.080. These statutes govern the interception of communications in the Commonwealth.

Under KRS 526.020, it is a criminal offense to intentionally intercept any wire or oral communication using a device. However, Kentucky law provides a critical exception: a person who is a party to the communication — or who has the prior consent of one party — may lawfully record the conversation. This exception is what makes Kentucky a one-party consent state.

Key statutory provisions to understand:

  • KRS 526.010 — Definitions, including what constitutes "interception" and "oral communication."

  • KRS 526.020 — Prohibition on eavesdropping and interception of communications, with the one-party consent exception.

  • KRS 526.060 — Addresses the use and disclosure of unlawfully intercepted communications.

  • KRS 526.080 — Provides penalties for violations, which can include felony charges.

Because a physician is a direct party to the patient encounter, the physician's own consent to the AI scribe's recording satisfies the statutory minimum under Kentucky law. No additional consent from the patient is legally required under state wiretapping law alone.

One-Party vs Two-Party Consent: What It Means for Your Practice

Understanding the distinction between one-party and two-party consent is essential for compliance:

| Consent Type | Requirement | Kentucky Status |
|---|---|---|
| One-Party Consent | Only one participant in the conversation must consent to the recording. | ✅ This is Kentucky's law under KRS 526.020 |
| Two-Party (All-Party) Consent | All participants must consent before a conversation can be recorded. | ❌ Not required in Kentucky |

What this means for your practice: As the physician, you are a party to every clinical encounter. Your decision to use an AI scribe constitutes your consent to the recording, which is legally sufficient under KRS 526.020. You are not legally required by Kentucky wiretapping law to obtain the patient's separate consent to record.

Important caveats:

  • Telehealth encounters: If your patient is located in a two-party consent state (such as California, Florida, or Illinois), the stricter law of that state may apply. Always verify the patient's location for telehealth visits.

  • Federal wiretap law (18 U.S.C. § 2511): Federal law also follows a one-party consent framework, so Kentucky providers are in alignment at both levels.

  • Ethical obligations: The American Medical Association (AMA) emphasizes transparency in the physician-patient relationship. Even where not legally mandated, informing patients about AI tools used in their care is considered an ethical best practice.

HIPAA Requirements on Top of State Law

While Kentucky's one-party consent law governs the legality of recording, the federal Health Insurance Portability and Accountability Act (HIPAA) governs the handling of the information captured by the AI scribe. HIPAA compliance is mandatory and operates independently of state consent law.

Business Associate Agreement (BAA)

Under the HIPAA Privacy Rule (45 CFR § 164.502) and Security Rule (45 CFR § 164.308), any AI scribing vendor that processes, stores, transmits, or has access to protected health information (PHI) qualifies as a Business Associate. You must execute a Business Associate Agreement (BAA) with your AI scribing provider before using the service. This is not optional.

A valid BAA must address:

  • Permitted uses and disclosures of PHI

  • Safeguards the vendor will implement to protect PHI

  • Breach notification obligations

  • Requirements for return or destruction of PHI upon contract termination

  • Compliance with the HITECH Act (42 U.S.C. § 17931), which extended HIPAA obligations directly to business associates

Minimum Necessary Standard

Under 45 CFR § 164.502(b), the AI scribe should capture and process only the minimum necessary PHI required for the intended documentation purpose.

Data Security Requirements

The HIPAA Security Rule requires:

  • Encryption of PHI in transit and at rest (45 CFR § 164.312(a)(2)(iv) and § 164.312(e)(1))

  • Access controls to limit who can view or modify the AI-generated notes

  • Audit trails documenting access to PHI

  • Risk assessments that include the AI scribing tool in your practice's security framework

Patient Rights

Under HIPAA's Privacy Rule, patients retain the right to:

  • Access their medical records, including AI-generated notes (45 CFR § 164.524)

  • Request amendments to inaccurate documentation (45 CFR § 164.526)

  • Receive an accounting of disclosures of their PHI (45 CFR § 164.528)

Patient Consent Best Practices for Kentucky

Although Kentucky's one-party consent law does not require patient permission for recording, best practices for healthcare providers go beyond the legal minimum. Transparency builds trust, reduces liability risk, and aligns with evolving regulatory expectations around AI in healthcare.

Recommended Notification Framework

  1. Update your Notice of Privacy Practices (NPP): Include a clear statement that your practice uses AI-powered documentation tools that may process audio from clinical encounters. HIPAA requires that your NPP accurately reflect how PHI is used and disclosed (45 CFR § 164.520).

  2. Provide verbal notification at the point of care: At the start of the encounter, briefly inform the patient: "I use an AI-assisted documentation tool that listens to our conversation to help me create accurate medical notes. The recording is processed securely and is not stored as an audio file. Would you like to proceed, or do you have any questions?"

  3. Post visible signage: Display a notice in the exam room or waiting area stating that AI documentation technology is in use.

  4. Offer an opt-out option: While not legally required in Kentucky, allowing patients to decline AI scribing demonstrates respect for patient autonomy. Have a fallback documentation process (e.g., manual note-taking) available.

  5. Document the notification: Record in the patient's chart that they were informed about the AI scribe. This creates a defensible record if questions arise later.

Special Considerations

  • Sensitive encounters: For mental health, substance abuse, HIV-related care, or reproductive health visits, heightened federal and state privacy protections may apply (e.g., 42 CFR Part 2 for substance use disorder records). Exercise additional caution and consider whether AI scribing is appropriate for these encounters.

  • Minors: When treating patients under 18, notification should be directed to the parent or legal guardian, except in circumstances where the minor has independent consent rights under Kentucky law.

  • Patients with limited English proficiency or cognitive impairments: Ensure notification is provided in a manner the patient can understand.

What Happens if You Don't Comply?

Non-compliance carries risks at multiple levels:

Kentucky State Law Violations

Violating KRS 526.020 (unlawful interception) is a Class D felony under KRS 526.080, carrying potential penalties of one to five years of imprisonment. While one-party consent protects the recording physician, violations could occur if, for example, a staff member who is not a party to the conversation initiates the recording without any party's consent.

Additionally, KRS 526.060 addresses the unlawful use or disclosure of intercepted communications, which could compound liability if recorded PHI is mishandled.

HIPAA Violations

HIPAA violations are enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and carry a tiered penalty structure under 42 U.S.C. § 1320d-5 and 42 U.S.C. § 1320d-6:

| Violation Tier | Description | Penalty Per Violation |
|---|---|---|
| Tier 1 | Lack of knowledge | $137–$68,928 |
| Tier 2 | Reasonable cause | $1,379–$68,928 |
| Tier 3 | Willful neglect (corrected) | $13,785–$68,928 |
| Tier 4 | Willful neglect (not corrected) | $68,928–$2,067,813 |

Note: Penalty amounts are adjusted annually for inflation. The figures above reflect recently published OCR amounts but should be verified for the current year.

Professional Liability

  • Medical board complaints: The Kentucky Board of Medical Licensure could investigate complaints related to undisclosed use of AI tools in patient care.

  • Malpractice exposure: If an AI scribe produces an inaccurate note that leads to a clinical error, the physician remains responsible for the content of the medical record. Always review and authenticate AI-generated documentation.

  • Loss of patient trust: Patients who discover undisclosed recording may file complaints, leave the practice, or pursue legal action even if the recording was technically lawful.

Implementation Checklist

Use the following checklist before deploying AI scribing in your Kentucky practice:

Legal & Regulatory Compliance

  • ☐ Confirm your AI scribing vendor will execute a HIPAA-compliant Business Associate Agreement (BAA)

  • ☐ Verify the vendor uses end-to-end encryption for data in transit and at rest

  • ☐ Confirm audio recordings are not retained beyond the processing period, or understand exactly how and where they are stored

  • ☐ Review your vendor's data breach notification procedures

  • ☐ Ensure the AI scribe is included in your practice's HIPAA risk assessment

Patient Notification

  • ☐ Update your Notice of Privacy Practices to reference AI documentation tools

  • ☐ Develop a brief verbal disclosure script for the start of each encounter

  • ☐ Post visible signage in exam rooms and/or waiting areas

  • ☐ Create a written consent or acknowledgment form (recommended even though not required by Kentucky law)

  • ☐ Establish a clear opt-out process for patients who decline AI scribing

Clinical Workflow

  • ☐ Review and authenticate every AI-generated note before signing

  • ☐ Train staff on how the AI scribe works and when it is active

  • ☐ Establish protocols for sensitive encounters where AI scribing may not be appropriate

  • ☐ Document the patient notification in the medical record

  • ☐ Implement audit procedures to periodically verify AI note accuracy

Telehealth Considerations

  • ☐ For telehealth visits, verify the patient's physical location at the time of the encounter

  • ☐ If the patient is in a two-party consent state, obtain explicit consent before using AI scribing

  • ☐ Document the patient's location and consent status in the record



This guide is provided for informational purposes only and does not constitute legal advice. Healthcare providers should consult with a qualified healthcare attorney in Kentucky for guidance specific to their practice. Laws and regulations are subject to change; verify all cited statutes and regulations for current applicability.

