Posted on Feb 16, 2026
Is AI Scribing Legal in Pennsylvania? (2026 Compliance Guide for Healthcare Providers)

Quick Answer
Yes, AI scribing is legal in Pennsylvania when implemented in compliance with both state recording laws and federal HIPAA regulations. Pennsylvania is a two-party (all-party) consent state for the interception of oral communications under 18 Pa.C.S. § 5703 (the Pennsylvania Wiretapping and Electronic Surveillance Control Act). This means that all parties to a conversation must consent before any oral communication is recorded or intercepted. For medical practices, this requires obtaining patient consent before activating any AI scribing tool that records, captures, or processes the audio of a clinical encounter.
Recording Consent Laws in Pennsylvania
Pennsylvania's wiretapping statute is one of the stricter ones in the United States. The key provisions medical practices must understand are:
18 Pa.C.S. § 5703 — Interception, disclosure or use of wire, electronic or oral communications: This statute makes it a criminal offense for any person to intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept any wire, electronic, or oral communication without the consent of all parties. Violations can be prosecuted as a felony of the third degree.
18 Pa.C.S. § 5704 — Exceptions to prohibition of interception and disclosure of communications: This section outlines lawful exceptions, including when all parties to the communication have given prior consent to the interception. Under § 5704(4), it is lawful for a person to intercept a wire, electronic, or oral communication where all parties to the communication have given prior consent to such interception.
18 Pa.C.S. § 5725 — Civil action for unlawful interception: Any person whose wire, electronic, or oral communication is intercepted, disclosed, or used in violation of the act may bring a civil action for actual damages, punitive damages, reasonable attorney fees, and litigation costs.
AI scribing tools that process audio from patient encounters — whether by recording the audio, streaming it for real-time transcription, or temporarily buffering it for processing — constitute interception of oral communications under Pennsylvania law. The legal analysis does not change based on whether the audio is stored permanently or discarded after processing.
One-Party vs Two-Party Consent: What It Means for Your Practice
The distinction between one-party and two-party consent states is critical for healthcare providers implementing AI scribing technology:
| Consent Type | Definition | Pennsylvania? |
|---|---|---|
| One-Party Consent | Only one party to the conversation needs to consent to the recording. The provider alone deciding to use an AI scribe would be sufficient. | No — Pennsylvania is NOT a one-party consent state. |
| Two-Party (All-Party) Consent | All parties to the conversation must consent before any recording or interception occurs. Both the provider and the patient (and any other person present) must consent. | Yes — Pennsylvania requires all-party consent under 18 Pa.C.S. § 5703. |
What This Means Practically
In a Pennsylvania medical practice, before activating any AI scribing tool during a patient encounter, you must:
Inform the patient that an AI-powered tool will be listening to and processing the conversation.
Explain the purpose — that the tool is being used for clinical documentation.
Obtain affirmative consent from the patient (and any other individuals present, such as family members, interpreters, or other clinicians).
Document that consent was obtained — ideally in writing or electronically, though the statute does not prescribe a specific form of consent.
Provide an opt-out option — patients must be free to decline without it affecting the quality of their care.
Note that Pennsylvania courts have historically interpreted the wiretapping statute broadly. The Pennsylvania Supreme Court has recognized the strong privacy protections embedded in the statute. Medical practices should err on the side of caution and obtain clear, affirmative consent rather than relying on implied consent or passive notification.
HIPAA Requirements on Top of State Law
Compliance with Pennsylvania's wiretapping law is necessary but not sufficient. Medical practices must also satisfy federal requirements under the Health Insurance Portability and Accountability Act (HIPAA), specifically:
HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E)
AI scribing tools process Protected Health Information (PHI) — the audio of a clinical encounter contains identifiable patient health information.
Under the Privacy Rule, the use of PHI for treatment, payment, and healthcare operations (TPO) does not require separate patient authorization (45 C.F.R. § 164.506). Clinical documentation generated by an AI scribe generally falls within the treatment and healthcare operations categories.
However, practices must still provide patients with a Notice of Privacy Practices (NPP) that describes how PHI is used and disclosed, including the use of AI-powered documentation tools.
HIPAA Security Rule (45 C.F.R. Part 164, Subpart C)
Any AI scribing vendor that processes, transmits, or stores PHI on behalf of the practice is a Business Associate under HIPAA.
A Business Associate Agreement (BAA) must be executed before the vendor has access to any PHI (45 C.F.R. § 164.502(e)).
The BAA must specify how the vendor will safeguard PHI, including encryption in transit and at rest, access controls, audit logging, and breach notification procedures.
Practices must conduct a risk assessment to evaluate the security of the AI scribing tool and vendor infrastructure.
HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D)
If patient audio or transcription data is compromised, the practice and/or the business associate must follow breach notification procedures, including notifying affected individuals within 60 days of discovery.
Where State and Federal Law Overlap
Pennsylvania's wiretapping law and HIPAA address different but complementary concerns:
| Requirement | PA Wiretapping Law | HIPAA |
|---|---|---|
| Patient consent to record/intercept audio | Required (all-party) | Not separately required for TPO, but transparency required via NPP |
| Business Associate Agreement with vendor | Not addressed | Required |
| Encryption and data security | Not specifically addressed | Required (addressable standard) |
| Breach notification | Not addressed | Required |
| Criminal penalties for violations | Yes (felony of the third degree) | Yes (for knowing violations) |
The key takeaway: In Pennsylvania, you must satisfy both the state consent requirement and HIPAA's privacy and security framework. HIPAA compliance alone does not satisfy Pennsylvania's all-party consent requirement, and Pennsylvania consent alone does not satisfy HIPAA's data protection requirements.
Patient Consent Best Practices for Pennsylvania
Given Pennsylvania's strict all-party consent requirement, the following best practices are recommended for medical practices deploying AI scribing tools:
1. Use Written or Electronic Consent Forms
While Pennsylvania law does not mandate a specific form of consent, written or electronic documentation provides the strongest evidence of compliance. Your consent form should include:
A clear statement that the clinical encounter will be captured by an AI-powered documentation tool
A plain-language explanation of what the tool does (e.g., "This tool listens to our conversation and creates a draft of the clinical note")
How the audio and resulting data will be handled (e.g., whether audio is stored, how long it is retained, or whether it is deleted after processing)
The patient's right to decline without any impact on the quality of care they receive
A signature line or electronic acknowledgment with a date and time stamp
2. Integrate Consent into Your Intake Workflow
The most efficient approach is to incorporate AI scribe consent into your standard patient intake process. This can be:
A standalone consent form presented during check-in
An addendum to your existing general consent-to-treat form (though a standalone form is preferred for clarity)
An electronic consent captured via a patient portal or tablet at check-in
3. Obtain Consent from All Parties Present
Remember that Pennsylvania requires all-party consent. If a family member, caregiver, interpreter, or other individual is present during the encounter, their consent must also be obtained before the AI scribe is activated.
4. Provide Verbal Reinforcement
Even with written consent on file, it is good practice for the clinician to verbally confirm at the start of the encounter: "As noted during check-in, I'll be using an AI documentation assistant during our visit today. It will listen to our conversation to help me create your clinical note. Is that still okay with you?"
5. Update Your Notice of Privacy Practices
Under HIPAA, your Notice of Privacy Practices should be updated to reflect the use of AI-powered documentation tools and how PHI is processed in connection with those tools.
6. Train All Staff
Front desk staff, medical assistants, nurses, and clinicians should all understand the consent requirement and the workflow for obtaining and documenting consent. Staff should also know the protocol when a patient declines — the AI scribe must not be activated, and the patient must receive the same standard of care.
What Happens if You Don't Comply?
Non-compliance with either Pennsylvania's wiretapping law or HIPAA carries serious consequences:
Pennsylvania Wiretapping Violations (18 Pa.C.S. § 5703)
Criminal penalties: Illegal interception is a felony of the third degree under Pennsylvania law, punishable by up to 7 years in prison and fines up to $15,000.
Civil liability: Under 18 Pa.C.S. § 5725, any person whose communication was unlawfully intercepted may sue for actual damages (with a minimum of liquidated damages of $100 per day for each day of violation or $1,000, whichever is greater), punitive damages, and reasonable attorney fees and costs.
Exclusion of evidence: Under 18 Pa.C.S. § 5721.1, unlawfully intercepted communications may be suppressed in legal proceedings.
HIPAA Violations
Civil monetary penalties: The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services can impose tiered penalties ranging from $141 to $2,134,831 per violation category per calendar year (penalty amounts adjusted annually for inflation).
Criminal penalties: The Department of Justice can pursue criminal charges for knowing HIPAA violations, with penalties up to $250,000 and up to 10 years imprisonment for the most serious offenses.
Reputational damage: HIPAA enforcement actions are publicly reported. OCR maintains a public breach portal (commonly called the "Wall of Shame") for breaches affecting 500 or more individuals.
State attorney general enforcement: Under the HITECH Act, state attorneys general, including the Pennsylvania Attorney General, have authority to bring civil actions for HIPAA violations on behalf of state residents.
Professional Licensing Risks
Beyond statutory penalties, Pennsylvania medical licensing boards may consider violations of patient privacy laws when evaluating complaints against licensed providers. Egregious or repeated violations could trigger disciplinary review.
Implementation Checklist
Use the following checklist to ensure your Pennsylvania medical practice is fully compliant when deploying an AI scribing tool:
Verify your AI scribe vendor will execute a HIPAA Business Associate Agreement (BAA). Do not use any tool that processes PHI without a signed BAA in place.
Confirm the vendor's security posture: encryption in transit (TLS 1.2+), encryption at rest (AES-256), access controls, audit logging, and SOC 2 Type II certification or equivalent.
Review the vendor's data retention and deletion policies. Understand whether audio is stored, for how long, and how it is disposed of.
Develop or update your patient consent form specifically addressing AI-assisted documentation and the recording/processing of encounter audio.
Ensure consent is obtained from ALL parties present during the encounter — patients, family members, interpreters, and others.
Update your Notice of Privacy Practices (NPP) to reflect the use of AI documentation tools.
Train all clinical and administrative staff on the consent workflow, the opt-out process, and how to handle patient questions about AI scribing.
Establish a clear opt-out protocol. When a patient declines AI scribing, staff must know how to deactivate the tool and proceed with traditional documentation without any change in quality of care.
Conduct a HIPAA Security Risk Assessment that incorporates the AI scribing tool into your practice's risk profile.
Document everything. Retain signed consent forms, the executed BAA, training records, and risk assessment documentation.
Consult a Pennsylvania healthcare attorney to review your specific implementation plan, consent forms, and vendor agreements before going live.
This guide is provided for informational purposes only and does not constitute legal advice. Pennsylvania medical practices should consult with a qualified healthcare attorney licensed in Pennsylvania to ensure full compliance with applicable state and federal laws based on their specific circumstances. Laws and regulations are subject to change; verify all cited statutes are current as of your implementation date.

