Posted on
Mar 17, 2026
Is AI Scribing Legal in Puerto Rico? (2026 Compliance Guide for Healthcare Providers)
Quick Answer
Yes, AI scribing is legal in Puerto Rico when implemented with proper consent and HIPAA-compliant safeguards. Puerto Rico is a one-party consent jurisdiction for the recording of conversations. This means that only one party to a conversation needs to consent to its recording. However, healthcare providers must also satisfy federal requirements under HIPAA, and best practices strongly recommend obtaining explicit patient consent before using any AI-powered documentation tool during clinical encounters.
Practice in Puerto Rico? Scribing.io is fully compliant with Puerto Rico recording laws. Try it free.
Recording Consent Laws in Puerto Rico
Puerto Rico's wiretapping and electronic surveillance laws are primarily governed by the Código Penal de Puerto Rico (Puerto Rico Penal Code) and by federal law. The key legal frameworks are:
Puerto Rico Penal Code, Article 264 (Ley Núm. 146-2012, as amended) — Puerto Rico's Penal Code criminalizes the unauthorized interception of private communications. However, the law permits recording when at least one party to the conversation consents to the recording.
Federal Wiretap Act (18 U.S.C. §§ 2510–2522) — As a U.S. territory, Puerto Rico is subject to the federal Electronic Communications Privacy Act (ECPA), which operates as a one-party consent framework. Under 18 U.S.C. § 2511(2)(d), it is lawful for a person to record a conversation if they are a party to it or if one party has given prior consent, unless the recording is made for the purpose of committing a criminal or tortious act.
Constitution of Puerto Rico, Article II, Section 10 — The Puerto Rico Constitution protects the dignity and privacy of individuals and the inviolability of communications. Courts in Puerto Rico have interpreted this protection broadly, but it has not been held to require all-party consent for recordings where one party consents.
In practice, Puerto Rico follows a one-party consent standard. A healthcare provider who is a party to the clinical conversation may legally record it — or authorize an AI tool to do so — without obtaining separate consent from the patient under Puerto Rico's recording laws alone. However, healthcare-specific obligations (particularly HIPAA) impose additional requirements, as discussed below.
One-Party vs Two-Party Consent: What It Means for Your Practice
Understanding the distinction between one-party and two-party consent is essential for compliance:
Consent Type | Definition | Puerto Rico Status |
|---|---|---|
One-Party Consent | Only one participant in the conversation must consent to the recording. The person doing the recording can be the consenting party. | ✔ This is Puerto Rico's standard |
Two-Party (All-Party) Consent | All participants in a conversation must consent before a recording may be made. | Not required under Puerto Rico law |
For healthcare providers in Puerto Rico, this means that a physician who is a party to the patient encounter can legally authorize the AI scribe to record the conversation. The physician's own consent satisfies the one-party requirement under both Puerto Rico territorial law and the federal Wiretap Act.
Important caveats:
Even though one-party consent is legally sufficient for recording purposes, HIPAA and medical ethics standards create independent obligations to inform patients about how their protected health information (PHI) is being collected, used, and disclosed.
If your practice treats patients located in two-party consent jurisdictions via telehealth (e.g., California, Florida, or others), the stricter consent standard of the patient's location may apply. Always verify the applicable law for telehealth encounters.
Puerto Rico's constitutional privacy protections are robust, and courts could potentially scrutinize recordings made in medical settings more carefully given the sensitive nature of health information.
HIPAA Requirements on Top of State Law
Compliance with Puerto Rico's recording consent law is necessary but not sufficient. As a healthcare provider, you must also comply with the Health Insurance Portability and Accountability Act (HIPAA), specifically:
The HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E)
Notice of Privacy Practices (NPP): Under 45 C.F.R. § 164.520, covered entities must provide patients with a notice describing how their PHI may be used and disclosed. If you use an AI scribe, your NPP should clearly describe this technology and explain that audio from clinical encounters may be processed by a third-party AI system to generate clinical documentation.
Minimum Necessary Standard (45 C.F.R. § 164.502(b)): Any PHI processed by the AI scribing tool should be limited to the minimum necessary to accomplish the documentation purpose.
Patient Rights: Patients retain the right to request restrictions on certain uses and disclosures of their PHI under 45 C.F.R. § 164.522. If a patient objects to the use of AI scribing, you should have a workflow in place to accommodate that request.
The HIPAA Security Rule (45 C.F.R. Part 164, Subpart C)
Business Associate Agreement (BAA): Under 45 C.F.R. § 164.502(e) and § 164.504(e), any AI scribing vendor that processes, stores, or transmits PHI on your behalf is a business associate. You must execute a BAA with the vendor before using the tool. The BAA must specify the vendor's obligations regarding the safeguarding of PHI.
Technical Safeguards (45 C.F.R. § 164.312): Ensure the AI scribing platform uses encryption in transit and at rest, implements access controls, and maintains audit logs.
Risk Assessment: Under 45 C.F.R. § 164.308(a)(1), you must conduct a risk analysis that includes the AI scribing tool in your assessment of threats to the confidentiality, integrity, and availability of ePHI.
The HITECH Act (42 U.S.C. § 17931 et seq.)
The HITECH Act extended HIPAA's requirements directly to business associates and increased penalties for non-compliance. It also strengthened breach notification requirements. Ensure your AI scribing vendor understands and complies with HITECH obligations, including breach notification under 45 C.F.R. §§ 164.400–414.
Patient Consent Best Practices for Puerto Rico
While Puerto Rico's one-party consent law does not legally require patient consent for the recording itself, healthcare providers should implement the following best practices to maintain trust, comply with HIPAA, and reduce legal risk:
Obtain informed verbal or written consent before each encounter. Inform the patient that an AI-powered tool will be listening to the conversation to assist with documentation. Document the patient's consent or refusal in the medical record.
Update your Notice of Privacy Practices. Add a clear, plain-language section explaining the use of AI scribing technology, how audio data is processed, where it is stored, and how long it is retained.
Provide a Spanish-language notice. Given that Spanish is the primary language of most patients in Puerto Rico, all consent forms and privacy notices related to AI scribing should be available in Spanish. Providing only English-language materials may be legally and ethically insufficient.
Offer an opt-out option. Patients should be able to decline AI scribing without it affecting the quality of their care. Have a clear workflow for manual documentation when a patient opts out.
Post visible signage. In the exam room or waiting area, post notices (in both Spanish and English) informing patients that AI-assisted documentation technology is in use.
Document everything. Keep records of when consent was obtained, which encounters used AI scribing, and any patient refusals. This creates a defensible audit trail.
What Happens if You Don't Comply?
Non-compliance with recording consent laws, HIPAA, or both can result in serious consequences:
Puerto Rico Territorial Law Violations
Unauthorized interception of communications under the Puerto Rico Penal Code can result in criminal penalties, including imprisonment and fines.
Civil liability for invasion of privacy under Puerto Rico's Constitution (Article II, Section 10) and the general tort provisions of the Puerto Rico Civil Code.
Federal Wiretap Act Violations (18 U.S.C. § 2520)
Civil damages including the greater of actual damages or statutory damages of $100 per day of violation or $10,000, whichever is greater.
Reasonable attorney's fees and litigation costs.
Criminal penalties under 18 U.S.C. § 2511(4), including fines and imprisonment of up to five years.
HIPAA Violations (42 U.S.C. § 1320d-5 and § 1320d-6)
Violation Tier | Penalty Range (per violation) | Annual Maximum |
|---|---|---|
Tier 1 — Lack of knowledge | $137 – $68,928 | $2,067,813 |
Tier 2 — Reasonable cause | $1,379 – $68,928 | $2,067,813 |
Tier 3 — Willful neglect (corrected) | $13,785 – $68,928 | $2,067,813 |
Tier 4 — Willful neglect (not corrected) | $68,928+ | $2,067,813 |
Note: Penalty amounts are adjusted annually for inflation. The figures above reflect HHS adjustments as of 2025. Verify current amounts with the HHS Office for Civil Rights.
Additional Risks
Medical board discipline: The Puerto Rico Board of Medical Licensure and Discipline (Junta de Licenciamiento y Disciplina Médica) could investigate complaints related to privacy violations in clinical settings.
Malpractice exposure: If improper use of an AI scribe leads to inaccurate documentation, this could create liability in medical malpractice claims.
Reputational harm: Patients who learn their conversations were recorded and processed by AI without their knowledge may lose trust in the practice and file complaints.
Implementation Checklist
Use this checklist to ensure your Puerto Rico practice is fully compliant when implementing AI scribing:
Verify your AI scribing vendor is HIPAA-compliant — Confirm the vendor can provide documentation of their security practices, including SOC 2 certification or equivalent.
Execute a Business Associate Agreement (BAA) — Do not use any AI scribing tool until a signed BAA is in place per 45 C.F.R. § 164.504(e).
Update your Notice of Privacy Practices — Include clear language about AI-assisted documentation in both English and Spanish.
Create a patient consent workflow — Develop a verbal or written consent process for informing patients at the start of each visit. Document consent or refusal.
Post signage in clinical areas — Inform patients in both Spanish and English that AI documentation technology is in use.
Establish an opt-out procedure — Create a clear workflow for encounters where patients decline AI scribing.
Train all staff — Ensure physicians, nurses, medical assistants, and front desk staff understand the AI scribing tool, consent process, and privacy obligations.
Conduct a HIPAA risk assessment — Include the AI scribing tool in your annual security risk analysis under 45 C.F.R. § 164.308(a)(1).
Review data retention policies — Confirm how long audio recordings and transcripts are retained by the vendor, and ensure retention periods align with your practice's policies and Puerto Rico medical record retention requirements.
Confirm encryption standards — Verify that data is encrypted both in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
Review telehealth consent requirements — If you treat patients in other jurisdictions via telehealth, confirm the recording consent laws of the patient's location.
Document your compliance efforts — Maintain records of all policies, training sessions, consent forms, and vendor agreements for audit purposes.
Disclaimer: This guide is provided for informational purposes only and does not constitute legal advice. Healthcare providers in Puerto Rico should consult with a qualified attorney licensed in Puerto Rico to obtain advice specific to their practice and circumstances. Laws and regulations may change, and this guide reflects information available as of early 2026.
