Is AI Scribing Legal in North Dakota? (2026 Compliance Guide for Healthcare Providers)

Quick Answer

Yes, AI scribing is legal in North Dakota when implemented in compliance with state recording consent laws and federal HIPAA regulations. North Dakota is a one-party consent state for recording conversations, which means that only one party to the conversation needs to consent to the recording. In a clinical encounter, the physician who initiates the AI scribe typically satisfies this requirement. However, HIPAA's privacy and security standards impose additional obligations that go beyond state recording law, including patient notification, data safeguards, and business associate agreements.

Practice in North Dakota? Scribing.io is fully compliant with North Dakota recording laws. Try it free.

Recording Consent Laws in North Dakota

North Dakota's wiretapping and electronic surveillance law is codified in North Dakota Century Code (N.D.C.C.) § 12.1-15-02. This statute makes it a criminal offense to willfully intercept, endeavor to intercept, or procure any other person to intercept any wire, electronic, or oral communication. However, the law provides a critical exception: it is not unlawful for a person who is a party to the communication — or who has received prior consent from one of the parties — to intercept, record, or disclose the communication.

This exception establishes North Dakota as a one-party consent state. For medical practices, this means that if the physician or another member of the care team is a party to the conversation and consents to the AI scribe recording the encounter, the recording itself is lawful under state law.

Additionally, N.D.C.C. § 12.1-15-04 addresses the disclosure of intercepted communications. It is unlawful to use or disclose the contents of a communication obtained in violation of the statute. This reinforces the importance of ensuring that any recording is conducted lawfully from the outset and that the resulting documentation is handled with appropriate safeguards.

One-Party vs Two-Party Consent: What It Means for Your Practice

Understanding the distinction between one-party and two-party consent is essential for any medical practice deploying AI scribing technology.

• One-party consent (North Dakota's standard): Only one participant in the conversation needs to know about and agree to the recording. The healthcare provider who activates the AI scribe and is present during the clinical encounter satisfies this legal threshold.

• Two-party (all-party) consent: Every participant in the conversation must consent. North Dakota does not require this for audio recordings.

For small rural medical practices in North Dakota, the one-party consent framework means that a physician can lawfully use an AI scribe to record a patient encounter without the patient's explicit consent under state recording law alone. However, this does not eliminate the need for patient awareness and consent under federal healthcare privacy regulations — specifically HIPAA — which impose separate and additional requirements as discussed below.

Important note for telehealth: If your practice provides telehealth services to patients located in other states, you must comply with the recording consent laws of those states as well. Several states — including California, Florida, and Washington — require all-party consent. Always verify the patient's physical location at the time of the encounter when providing cross-state telehealth services.

HIPAA Requirements on Top of State Law

Compliance with North Dakota's one-party consent law is necessary but not sufficient for legally operating an AI scribe in a medical practice. The Health Insurance Portability and Accountability Act (HIPAA), codified primarily at 42 U.S.C. § 1320d et seq. and implemented through regulations at 45 C.F.R. Parts 160 and 164, imposes comprehensive requirements on the handling of protected health information (PHI).

Key HIPAA Obligations for AI Scribing

1. Business Associate Agreement (BAA): Under 45 C.F.R. § 164.502(e) and 45 C.F.R. § 164.504(e), any AI scribing vendor that receives, creates, maintains, or transmits PHI on behalf of your practice is a business associate. You must execute a written Business Associate Agreement before using their service. The BAA must specify the permitted uses and disclosures of PHI, require appropriate safeguards, and establish breach notification obligations.

2. Privacy Rule Compliance: The HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) requires covered entities to use and disclose only the minimum necessary PHI for a given purpose. Your AI scribe's output — clinical notes, transcripts, and summaries — must be treated as PHI and subject to all applicable privacy protections.

3. Security Rule Compliance: The HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) mandates administrative, physical, and technical safeguards for electronic PHI (ePHI). This includes encryption of audio recordings and transcripts both in transit and at rest, access controls, audit trails, and workforce training.

4. Breach Notification: Under 45 C.F.R. Part 164, Subpart D, any unauthorized access, use, or disclosure of PHI must be reported. If your AI scribe vendor experiences a data breach, both the vendor (as a business associate) and your practice (as the covered entity) may have notification obligations to affected patients, the U.S. Department of Health and Human Services (HHS), and potentially the media.

5. Patient Rights: Patients retain the right to access their records under 45 C.F.R. § 164.524, including AI-generated clinical notes. Your practice must be prepared to provide these records upon request.

Notice of Privacy Practices

Under 45 C.F.R. § 164.520, covered entities must provide a Notice of Privacy Practices (NPP) that describes how PHI may be used and disclosed. If your practice uses AI scribing technology, your NPP should be updated to reflect that clinical encounters may be recorded and processed by AI-powered tools for the purpose of clinical documentation. While the Privacy Rule permits the use of PHI for treatment, payment, and healthcare operations without specific patient authorization, transparency through the NPP is both a legal requirement and an ethical best practice.

Patient Consent Best Practices for North Dakota

Even though North Dakota's one-party consent law does not legally require patient permission to record a clinical encounter, best practices for medical professionals extend well beyond the legal minimum. The following recommendations reflect ethical obligations, risk management principles, and patient trust considerations that are especially important for small rural practices where provider-patient relationships are central to care delivery.

• Inform patients verbally and in writing: Let patients know at intake or at the start of the visit that your practice uses AI-assisted technology to help document the encounter. A brief explanation — such as "We use an AI-powered tool to help create accurate clinical notes from our conversation" — goes a long way.

• Update intake forms: Add a clear, plain-language disclosure to your patient intake or consent forms noting the use of AI scribing. Include a line for patient acknowledgment (signature or initials).

• Offer an opt-out option: While not legally mandated in a one-party consent state, allowing patients to decline AI recording demonstrates respect for autonomy and reduces the risk of complaints or disputes. If a patient opts out, the provider can take manual notes instead.

• Post signage: Consider placing a visible notice in your clinic's waiting area or exam rooms stating that AI-assisted documentation tools may be in use.

• Document consent: Record the patient's acknowledgment in the medical chart. This creates a contemporaneous record that may be invaluable in the event of a dispute.

• Review your NPP: As noted above, ensure your HIPAA Notice of Privacy Practices reflects the use of AI documentation tools.

These practices are consistent with guidance from the American Medical Association (AMA), which has emphasized the importance of transparency when using AI tools in clinical settings.

What Happens if You Don't Comply?

Non-compliance with state and federal requirements can expose your practice to significant legal, financial, and reputational consequences.

State Law Violations

Under N.D.C.C. § 12.1-15-02, unlawful interception of communications is a criminal offense classified as a Class C felony in North Dakota. While lawful one-party consent recording in a clinical setting would not trigger this provision, violations involving recordings made without any party's consent — or unauthorized disclosure of lawfully recorded communications — could result in criminal prosecution. Additionally, individuals whose communications are unlawfully intercepted may pursue civil remedies.

HIPAA Violations

HIPAA violations carry tiered civil monetary penalties as enforced by the HHS Office for Civil Rights (OCR):

• Tier 1 (lack of knowledge): $137 to $68,928 per violation (adjusted annually for inflation)

• Tier 2 (reasonable cause): $1,379 to $68,928 per violation

• Tier 3 (willful neglect, corrected): $13,785 to $68,928 per violation

• Tier 4 (willful neglect, not corrected): $68,928 per violation, up to approximately $2,067,813 per calendar year for identical violations

Note: These figures reflect recent HHS adjustments and are subject to annual inflation updates. Verify current penalty amounts at the HHS OCR website.

Criminal penalties under 42 U.S.C. § 1320d-6 can include fines up to $250,000 and imprisonment for up to 10 years for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Professional and Reputational Risks

Beyond statutory penalties, the North Dakota Board of Medicine has the authority to investigate complaints and take disciplinary action against licensed physicians for unprofessional conduct. Mishandling patient information — including through improperly implemented AI tools — could trigger board investigation. For small rural practices, reputational damage within a close-knit community can be especially consequential.

Implementation Checklist

Use this checklist to ensure your North Dakota medical practice deploys AI scribing technology in a legally compliant and ethically sound manner:

1. Verify your AI scribe vendor will execute a HIPAA Business Associate Agreement (BAA) — Do not use any vendor that refuses or cannot provide a BAA.

2. Confirm the vendor's security practices — Ensure encryption of data in transit and at rest, access controls, audit logging, and compliance with the HIPAA Security Rule.

3. Update your Notice of Privacy Practices (NPP) — Disclose the use of AI-assisted documentation technology.

4. Update patient intake and consent forms — Add plain-language disclosure about AI scribing and obtain patient acknowledgment.

5. Establish an opt-out procedure — Document how patients can decline AI recording and how the practice will handle documentation in those cases.

6. Train all staff — Ensure physicians, nurses, medical assistants, and front-desk staff understand the AI scribe workflow, consent procedures, and HIPAA obligations.

7. Post visible signage — Inform patients in waiting areas and exam rooms that AI documentation tools may be in use.

8. Review telehealth consent requirements — If serving patients in other states, verify the recording consent laws of each state where patients are located.

9. Conduct a HIPAA risk assessment — As required by 45 C.F.R. § 164.308(a)(1)(ii)(A), assess the risks posed by the introduction of AI scribing to your ePHI environment.

10. Document everything — Maintain records of your BAA, risk assessments, staff training, consent forms, and any patient opt-outs.

11. Consult with a healthcare attorney — Consider engaging a North Dakota-licensed attorney with experience in healthcare law to review your AI scribing implementation.

This guide is intended for informational purposes only and does not constitute legal advice. Laws and regulations are subject to change. Medical practices should consult with a qualified healthcare attorney licensed in North Dakota to address their specific circumstances.