Is AI Scribing Legal in North Carolina? (2026 Compliance Guide for Healthcare Providers)

Quick Answer

Yes, AI scribing is legal in North Carolina when implemented in compliance with state recording consent laws and federal HIPAA regulations. North Carolina is a one-party consent state for recording conversations, which means that only one party to a conversation must consent to its recording. In a clinical setting, the physician — as a party to the patient encounter — can legally consent to the recording. However, legal permissibility and best practice are two different things. Healthcare providers should still obtain informed patient consent to satisfy HIPAA privacy obligations, maintain patient trust, and reduce legal risk.

Practice in North Carolina? Scribing.io is fully compliant with North Carolina recording laws. Try it free.

Recording Consent Laws in North Carolina

North Carolina's wiretapping and electronic surveillance laws are codified under N.C. Gen. Stat. § 15A-287 (commonly referenced within Chapter 15A, Article 16 of the North Carolina General Statutes — the Electronic Surveillance Act). This statute makes it unlawful to intercept or attempt to intercept any wire, oral, or electronic communication except under specific conditions.

The critical exception relevant to AI scribing is found in N.C. Gen. Stat. § 15A-287(a), which provides that it is lawful for a person to intercept a wire, oral, or electronic communication where that person is a party to the communication or where one of the parties to the communication has given prior consent to the interception. This establishes North Carolina as a one-party consent jurisdiction.

For physicians and healthcare providers, this means:

• As a direct participant in the clinical encounter, the physician satisfies the one-party consent requirement under North Carolina law.

• The physician may lawfully use an AI scribing tool to record and transcribe the encounter without obtaining the patient's explicit consent under state wiretapping law alone.

• However, state recording law is only one layer of the compliance analysis. HIPAA and professional ethics standards impose additional requirements, as discussed below.

It is important to note that N.C. Gen. Stat. § 15A-290 establishes criminal penalties for unlawful interception, including felony classification. Compliance with the one-party consent exception is therefore not merely a best practice — it is a legal necessity.

One-Party vs Two-Party Consent: What It Means for Your Practice

Understanding the distinction between one-party and two-party consent states is essential for any provider deploying AI scribing technology.

North Carolina is a one-party consent state. In practical terms, this means a physician conducting a patient visit can record the encounter using an AI scribe without the patient's separate consent under state law. The physician's own consent as a party to the conversation is legally sufficient under N.C. Gen. Stat. § 15A-287.

However, providers should be aware of the following nuances:

• Multi-state telehealth: If you treat patients located in two-party consent states via telehealth, the stricter state's law may apply. Always assess the patient's location at the time of the encounter.

• Third-party recordings: If the AI scribe operates without any party to the conversation having consented (e.g., an unmanned device in a room where neither participant is aware), the one-party exception would not apply, and the recording could be unlawful.

• Staff awareness: Medical assistants, nurses, or other staff present during a recorded encounter are also parties. At least one party must have consented — typically the ordering physician.

HIPAA Requirements on Top of State Law

Even though North Carolina's one-party consent law permits recording without patient notification, HIPAA imposes a separate and independent set of obligations that healthcare providers must satisfy when using AI scribing technology.

Protected Health Information (PHI)

AI scribe recordings and transcriptions of patient encounters constitute Protected Health Information (PHI) under the HIPAA Privacy Rule (45 C.F.R. Part 160 and Part 164, Subparts A and E). This means:

• All recordings and AI-generated clinical notes must be stored, transmitted, and disposed of in accordance with HIPAA standards.

• Access to recorded encounter data must be limited to authorized personnel on a minimum-necessary basis.

• Patients retain the right to access their medical records, including AI-generated notes derived from recorded encounters, under 45 C.F.R. § 164.524.

Business Associate Agreements (BAAs)

Any AI scribing vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate under HIPAA. Before deploying any AI scribe tool, the provider must execute a Business Associate Agreement (BAA) as required by 45 C.F.R. § 164.502(e) and 45 C.F.R. § 164.504(e). The BAA must specify:

• Permitted uses and disclosures of PHI by the vendor

• Requirements for safeguarding PHI (encryption, access controls, audit logging)

• Breach notification obligations

• Terms for return or destruction of PHI upon contract termination

HIPAA Security Rule

Under the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), providers must ensure that the AI scribing platform implements appropriate administrative, physical, and technical safeguards, including:

• Encryption: Audio recordings and transcriptions should be encrypted both in transit and at rest.

• Access controls: Role-based authentication to limit who can access recordings.

• Audit trails: Logging of all access to recorded PHI.

• Data retention policies: Clear timelines for how long recordings are stored and when they are deleted.

Notice of Privacy Practices

Under 45 C.F.R. § 164.520, covered entities must provide patients with a Notice of Privacy Practices (NPP) describing how their PHI is used and disclosed. If your practice uses AI scribing, your NPP should be updated to reflect that clinical encounters may be recorded and processed by AI technology for documentation purposes. This satisfies HIPAA's transparency requirements and serves as an additional layer of informed consent.

Patient Consent Best Practices for North Carolina

While North Carolina law does not require patient consent for recording, medical ethics, risk management, and patient relationship considerations strongly favor obtaining it. The following best practices are recommended:

1. Inform Patients Verbally and in Writing

At intake or at the beginning of each encounter, inform patients that an AI scribe may be used to record and transcribe the visit. Provide a brief written notice — either as a standalone form or as part of your general consent for treatment — that explains:

• What the AI scribe does (records and transcribes the encounter)

• Why it is used (to improve documentation accuracy and reduce physician administrative burden)

• How the data is protected (HIPAA-compliant encryption and storage)

• The patient's right to opt out

2. Offer an Opt-Out Option

Patients should be given the opportunity to decline AI scribing. If a patient opts out, the physician should be prepared to document the encounter through traditional methods. Document the patient's preference in the medical record.

3. Use Clear, Plain Language

Avoid legal jargon. A simple statement such as: "We use a secure AI tool to help take notes during your visit. The recording is encrypted and stored according to federal privacy laws. You may ask us to turn it off at any time."

4. Document Consent in the EHR

Record the patient's acknowledgment or consent (or their opt-out) in the electronic health record. This creates an audit trail and protects the practice in the event of a dispute.

5. Update Your Notice of Privacy Practices

As noted above, ensure your NPP reflects the use of AI scribing technology. Distribute updated NPPs to patients and post the revised version in your office and on your website.

6. Train All Staff

Ensure that front desk staff, medical assistants, nurses, and all clinical personnel understand the AI scribing workflow, how to explain it to patients, and how to handle opt-out requests.

What Happens if You Don't Comply?

Non-compliance with recording consent laws and HIPAA carries serious consequences:

North Carolina State Law Penalties

Unlawful interception of communications under N.C. Gen. Stat. § 15A-290 is classified as a Class H felony in North Carolina. Conviction may result in imprisonment and fines. Additionally, under N.C. Gen. Stat. § 15A-296, individuals whose communications are unlawfully intercepted may bring a civil action for actual damages, punitive damages, and reasonable attorney's fees.

HIPAA Penalties

HIPAA violations are enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Penalties are tiered based on the level of culpability:

Note: Penalty amounts are adjusted annually for inflation. The figures above reflect recent HHS adjustments and may change. Always verify current penalty amounts on the HHS OCR website.

Professional Licensing Consequences

The North Carolina Medical Board has authority to investigate complaints and take disciplinary action against licensed physicians for unprofessional conduct. Recording patients without appropriate notice — even if technically legal under state wiretapping law — could be viewed as a breach of professional ethics and may trigger board inquiry, particularly if a patient files a complaint. Disciplinary actions can include reprimand, license suspension, or revocation.

Malpractice and Litigation Risk

Failure to inform patients about AI scribing could undermine the physician-patient relationship and expose the practice to claims of breach of fiduciary duty or invasion of privacy under common law theories. Even in a one-party consent state, undisclosed recording in a medical setting may be viewed unfavorably by juries.

Implementation Checklist

Use this checklist to ensure compliant deployment of AI scribing in your North Carolina practice:

1. ☐ Confirm one-party consent compliance: Verify that the recording physician or another participating provider is a party to each recorded encounter, satisfying N.C. Gen. Stat. § 15A-287.

2. ☐ Execute a Business Associate Agreement (BAA): Ensure your AI scribing vendor has signed a HIPAA-compliant BAA before any PHI is created or transmitted.

3. ☐ Verify vendor security measures: Confirm the AI scribe platform uses end-to-end encryption, role-based access controls, audit logging, and compliant data retention/deletion policies.

4. ☐ Update your Notice of Privacy Practices: Add language disclosing the use of AI-assisted recording and transcription for clinical documentation.

5. ☐ Create a patient notification and consent process: Develop a brief written disclosure (standalone or integrated into intake forms) and a verbal notification script for staff.

6. ☐ Establish an opt-out protocol: Define a clear process for patients who decline AI scribing, including alternative documentation methods and documentation of the patient's preference.

7. ☐ Train all clinical and administrative staff: Educate team members on how AI scribing works, how to explain it to patients, how to handle opt-outs, and how to protect recorded PHI.

8. ☐ Assess telehealth consent requirements: For patients located outside North Carolina, determine the recording consent laws of the patient's state and apply the more restrictive standard.

9. ☐ Conduct periodic compliance audits: Review AI scribing workflows, consent documentation, vendor security, and BAA terms at least annually.

10. ☐ Consult legal counsel: Have a healthcare attorney licensed in North Carolina review your AI scribing policies and consent forms before implementation and periodically thereafter.