Is AI Scribing Legal in New Mexico? (2026 Compliance Guide for Healthcare Providers)

Quick Answer

Yes, AI scribing is legal in New Mexico when implemented in compliance with state recording consent laws, HIPAA regulations, and applicable medical practice standards. New Mexico is a one-party consent state for recording communications, which means that only one party to a conversation needs to consent to the recording. However, healthcare providers should be aware that HIPAA and medical ethics standards impose additional obligations beyond what state wiretapping law requires — particularly around patient notification, data security, and transparency.

Practice in New Mexico? Scribing.io is fully compliant with New Mexico recording laws. Try it free.

Recording Consent Laws in New Mexico

New Mexico's wiretapping and electronic surveillance law is codified under the New Mexico Wiretapping and Electronic Surveillance Act, NMSA 1978, §§ 30-12-1 through 30-12-11. The key provision relevant to AI scribing is NMSA 1978, § 30-12-1, which makes it unlawful to intercept wire or oral communications without the consent of at least one party to the communication.

Under this statute, a healthcare provider who is a party to the clinical encounter may lawfully record or use AI-assisted tools to capture the conversation, because the provider's own consent satisfies the one-party requirement. The statute does not require the consent of all parties — only one participant in the conversation needs to have authorized the recording or interception.

Additionally, NMSA 1978, § 30-12-11 provides that evidence obtained in compliance with the Act (i.e., with proper one-party consent) is admissible and lawful. Violations of the Act can result in criminal penalties as outlined in NMSA 1978, § 30-12-1, which classifies unauthorized interception as a fourth-degree felony.

One-Party vs Two-Party Consent: What It Means for Your Practice

Understanding the distinction between one-party and two-party consent states is essential for healthcare providers deploying AI scribing tools.

• One-party consent (New Mexico's standard): Only one person involved in the conversation needs to consent to the recording. Since you, the healthcare provider, are a participant in the clinical encounter and you are authorizing the AI scribe, the legal threshold under state wiretapping law is met.

• Two-party consent (other states): All parties to the conversation must consent. States like California, Florida, and Pennsylvania follow this more restrictive standard.

Because New Mexico follows the one-party consent model, healthcare providers are not legally required under the Wiretapping and Electronic Surveillance Act to obtain patient permission before using an AI scribe. However, this does not mean patient notification is unnecessary. Federal HIPAA requirements, professional ethics guidelines from the American Medical Association (AMA), and the New Mexico Medical Board's expectations around informed consent and transparency all create strong reasons — and in some cases, obligations — to notify patients.

Providers who treat patients located in two-party consent states via telehealth should apply the more restrictive standard of the patient's state when there is ambiguity about which state's law applies.

HIPAA Requirements on Top of State Law

Even though New Mexico state law permits one-party consent recording, the Health Insurance Portability and Accountability Act (HIPAA) — specifically the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C) — impose additional requirements that healthcare providers must satisfy when using AI scribing technology.

Protected Health Information (PHI)

AI scribes process audio recordings of clinical encounters, which constitute protected health information (PHI) under 45 CFR § 160.103. Any AI scribing vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate under HIPAA.

Business Associate Agreement (BAA)

Under 45 CFR § 164.502(e) and 45 CFR § 164.504(e), healthcare providers must execute a Business Associate Agreement (BAA) with the AI scribing vendor before any PHI is shared. The BAA must specify:

• Permitted and required uses and disclosures of PHI

• Obligations to safeguard PHI

• Breach notification procedures

• Requirements to return or destroy PHI upon contract termination

Minimum Necessary Standard

Under 45 CFR § 164.502(b), covered entities and their business associates must limit PHI use and disclosure to the minimum necessary to accomplish the intended purpose. Providers should verify that their AI scribe only processes data needed for clinical documentation.

Patient Rights Under the Privacy Rule

Patients retain rights under 45 CFR § 164.524 to access their medical records, including any documentation generated by an AI scribe. Under 45 CFR § 164.526, patients may request amendments to their records if they believe the AI-generated notes contain errors.

Notice of Privacy Practices (NPP)

Under 45 CFR § 164.520, covered entities must provide patients with a Notice of Privacy Practices that describes how PHI is used and disclosed. If your practice uses AI scribing tools, your NPP should be updated to reflect this technology and how patient data is processed, stored, and protected.

Patient Consent Best Practices for New Mexico

Although New Mexico's one-party consent law does not mandate patient consent for recording, best practices — grounded in HIPAA, professional ethics, and risk management — strongly favor transparent patient notification. The following recommendations are designed to protect your practice and build patient trust.

1. Update Your Notice of Privacy Practices

Include a clear statement in your NPP that your practice uses AI-assisted clinical documentation tools. Describe in plain language what the tool does: it records or transcribes portions of the clinical encounter to generate clinical notes. Ensure every patient receives or has access to the updated NPP as required under 45 CFR § 164.520(c).

2. Provide Verbal Notification at the Point of Care

At the start of each clinical encounter, briefly inform the patient that an AI tool will be used to assist with documentation. A simple statement such as the following is sufficient:

"I use an AI-assisted tool to help me take accurate clinical notes during our visit. The recording is processed securely and is part of your medical record. You may opt out at any time."

3. Offer an Opt-Out Option

While not legally required under New Mexico's one-party consent law, offering patients the ability to opt out of AI scribing demonstrates respect for patient autonomy and aligns with the AMA's ethical guidance on AI in clinical settings (AMA Council on Ethical and Judicial Affairs, Policy H-480.939). If a patient opts out, the provider should revert to traditional documentation methods.

4. Obtain Written Acknowledgment for Enhanced Protection

For practices seeking maximum legal protection, consider obtaining a brief written acknowledgment from patients indicating they have been informed about the AI scribe. This is not a legal requirement under New Mexico law, but it provides a documentary record that may be valuable in the event of a complaint or audit.

5. Special Considerations for Sensitive Encounters

For clinical encounters involving substance use disorder treatment, mental health services, HIV/AIDS-related information, or reproductive health, additional federal and state privacy protections may apply. For example, 42 CFR Part 2 governs the confidentiality of substance use disorder patient records and may impose stricter consent requirements. Providers should evaluate whether heightened consent or additional safeguards are warranted.

6. Telehealth Encounters

When treating patients via telehealth who are located in other states, providers must comply with the recording consent laws of both New Mexico and the patient's state. If the patient is in a two-party consent state, the provider should obtain explicit patient consent before activating the AI scribe.

What Happens if You Don't Comply?

Non-compliance with applicable laws and regulations carries significant consequences for healthcare providers in New Mexico.

State Criminal Penalties

Violating the New Mexico Wiretapping and Electronic Surveillance Act (NMSA 1978, § 30-12-1) by recording without the consent of at least one party is classified as a fourth-degree felony under New Mexico law. Fourth-degree felonies in New Mexico carry a potential sentence of up to 18 months in prison and fines up to $5,000 under NMSA 1978, § 31-18-15.

HIPAA Enforcement

Failure to comply with HIPAA requirements — such as operating without a valid BAA, failing to update your Notice of Privacy Practices, or inadequately securing PHI — can result in enforcement action by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). HIPAA penalties under 42 USC § 1320d-5 and 42 USC § 1320d-6 range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category (adjusted for inflation). Willful neglect violations that are not corrected can reach the highest penalty tiers.

Medical Board Discipline

The New Mexico Medical Board, operating under the authority of the Medical Practice Act (NMSA 1978, §§ 61-6-1 through 61-6-35), has the authority to investigate complaints and take disciplinary action against physicians for unprofessional conduct. Failing to obtain appropriate informed consent or mishandling patient information could be construed as unprofessional conduct under NMSA 1978, § 61-6-15, potentially resulting in license suspension, revocation, or other sanctions.

Civil Liability

Patients may also pursue civil claims for invasion of privacy, negligence, or breach of fiduciary duty if they can demonstrate harm resulting from undisclosed recording or improper handling of their health information. New Mexico recognizes the tort of invasion of privacy, and healthcare providers owe patients a heightened duty of confidentiality.

Implementation Checklist

Use the following checklist to ensure your New Mexico practice is compliant when deploying an AI scribing solution:

1. Verify one-party consent compliance: Confirm that you, as a participant in the clinical encounter, are authorizing the AI scribe's recording or transcription function, satisfying NMSA 1978, § 30-12-1.

2. Execute a Business Associate Agreement: Ensure a signed, HIPAA-compliant BAA is in place with your AI scribing vendor before any patient data is processed (45 CFR § 164.502(e)).

3. Update your Notice of Privacy Practices: Add clear language about AI-assisted documentation tools to your NPP and redistribute to patients as required (45 CFR § 164.520).

4. Implement verbal patient notification: Train all clinical staff to briefly inform patients at the start of each encounter that an AI tool is being used for documentation.

5. Provide an opt-out mechanism: Establish a clear, easily accessible process for patients to decline AI scribing, and document opt-outs in the patient's chart.

6. Consider written acknowledgment: Develop a simple patient acknowledgment form for optional use, particularly in practices handling sensitive health information.

7. Evaluate telehealth scenarios: Implement protocols to identify patients' locations during telehealth encounters and apply the appropriate state's consent standard.

8. Verify data security measures: Confirm that the AI scribing vendor employs encryption in transit and at rest, access controls, audit logging, and other safeguards compliant with the HIPAA Security Rule (45 CFR Part 164, Subpart C).

9. Review and approve AI-generated notes: Ensure that a licensed clinician reviews and signs off on all AI-generated documentation before it is finalized in the patient's medical record.

10. Train staff: Conduct periodic training for all clinical and administrative staff on the proper use of AI scribing tools, patient notification procedures, and privacy requirements.

11. Address special populations: Implement additional safeguards for encounters involving minors, substance use disorder patients (42 CFR Part 2), and other populations with enhanced privacy protections.

12. Document your compliance program: Maintain written policies and procedures governing AI scribe use, consent processes, and data handling for audit readiness.