Posted on
Mar 4, 2026
Is AI Scribing Legal in Tennessee? (2026 Compliance Guide for Healthcare Providers)
Quick Answer
Yes, AI scribing is legal in Tennessee when implemented in compliance with state recording consent laws and federal HIPAA regulations. Tennessee is a one-party consent state for the recording of conversations, meaning that only one party to a conversation needs to consent to the recording. In the context of a clinical encounter, the healthcare provider who participates in the conversation can lawfully consent to the AI scribe recording the visit. However, HIPAA imposes additional obligations regarding the use, storage, and disclosure of protected health information (PHI), and best practices strongly recommend informing patients about AI documentation tools.
Practice in Tennessee? Scribing.io is fully compliant with Tennessee recording laws. Try it free.
Recording Consent Laws in Tennessee
Tennessee's wiretapping and electronic surveillance statute is codified at Tennessee Code Annotated § 39-13-601 (the Tennessee Wiretapping and Electronic Surveillance Act). Under this law, it is a criminal offense to intentionally intercept, endeavor to intercept, or procure any other person to intercept any wire, oral, or electronic communication — unless at least one party to the communication has given prior consent to the interception.
The key provision for healthcare providers is found in Tenn. Code Ann. § 39-13-601(b)(5), which provides an exception for recordings made with the consent of at least one party to the communication. This makes Tennessee a one-party consent state.
Additionally, Tenn. Code Ann. § 39-13-602 addresses the interception and disclosure of wire, oral, or electronic communications, further reinforcing that lawful interception occurs when one party to the communication consents.
What This Means for AI Scribing
When a healthcare provider uses an AI scribing tool during a patient encounter, the provider is a direct party to the conversation. Under Tennessee law, the provider's own consent to the recording satisfies the one-party consent requirement. There is no statutory obligation under state wiretapping law to obtain the patient's consent before recording.
However, legal compliance extends beyond the wiretapping statute. Healthcare providers must also consider HIPAA, medical board regulations, and professional ethical standards — all of which are addressed below.
One-Party vs Two-Party Consent: What It Means for Your Practice
Understanding the distinction between one-party and two-party (also called "all-party") consent is critical for healthcare providers, especially those who practice across state lines or via telehealth.
Consent Type | Requirement | Tennessee? |
|---|---|---|
One-Party Consent | Only one participant in the conversation must consent to recording | ✅ Yes — Tennessee follows this standard |
Two-Party (All-Party) Consent | All participants must consent before recording | ❌ Not required under Tennessee law |
Practical Implications
In-person visits: The provider's consent alone is legally sufficient under Tenn. Code Ann. § 39-13-601. The AI scribe may record the encounter without violating state wiretapping law.
Telehealth encounters: If the patient is located in a two-party consent state (e.g., California, Florida, or Washington), the stricter consent law of that state may apply. Providers conducting interstate telehealth should obtain explicit patient consent to avoid liability under the patient's home state law.
Multi-provider settings: In group consultations, the consent of at least one participating party satisfies Tennessee law. However, best practice is to ensure all providers are aware of and consent to the AI documentation tool.
HIPAA Requirements on Top of State Law
While Tennessee's one-party consent law permits the recording, HIPAA (the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191) and its implementing regulations — particularly the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C) — impose separate and additional obligations on how PHI is handled by AI scribing tools.
Business Associate Agreement (BAA)
Under 45 CFR § 164.502(e) and 45 CFR § 164.504(e), any AI scribing vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity (the healthcare provider or practice) is a business associate. A signed Business Associate Agreement (BAA) must be in place before the AI scribe processes any patient data. The BAA must specify:
Permitted and required uses of PHI
Obligations to safeguard PHI
Breach notification procedures
Requirements for return or destruction of PHI upon termination
Minimum Necessary Standard
Under 45 CFR § 164.502(b), covered entities and their business associates must limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose. AI scribing tools should be configured to capture only clinically relevant information and not extraneous conversation.
Security Safeguards
The HIPAA Security Rule (45 CFR §§ 164.308, 164.310, 164.312) requires administrative, physical, and technical safeguards for electronic PHI (ePHI). For AI scribing, this includes:
Encryption: Audio recordings and transcriptions must be encrypted in transit and at rest
Access controls: Only authorized personnel should access AI-generated notes
Audit trails: The system should log who accesses documentation and when
Data retention and disposal: Policies must govern how long recordings are stored and how they are securely deleted
Patient Rights
Under 45 CFR § 164.524, patients have the right to access their medical records, which may include AI-generated documentation. Under 45 CFR § 164.526, patients can request amendments to their records. Providers should be prepared to fulfill these requests related to AI-scribed notes.
Patient Consent Best Practices for Tennessee
Although Tennessee's one-party consent law does not require patient permission to record, best practices and ethical standards strongly recommend transparent disclosure and consent. The following recommendations help protect providers legally, build patient trust, and align with evolving regulatory expectations:
1. Provide Written Disclosure
Include a notice in your intake paperwork or patient portal informing patients that AI-assisted documentation tools may be used during their visit. The disclosure should clearly explain:
What the AI scribe does (records and/or transcribes the encounter)
How the data is used (to generate clinical documentation)
How the data is protected (encryption, HIPAA-compliant vendor, BAA in place)
That the recording is not shared outside the care team without authorization
2. Obtain Verbal or Written Consent
While not legally required under Tennessee wiretapping law, obtaining affirmative patient consent — whether verbal (documented in the chart) or written (via a consent form) — provides an additional layer of legal protection. It also demonstrates compliance with the ethical principles articulated by organizations such as the American Medical Association (AMA), which has issued guidance encouraging transparency about AI use in clinical settings.
3. Offer an Opt-Out
Give patients the ability to decline AI documentation. If a patient opts out, providers should be prepared to manually document the encounter. Documenting the patient's choice in the medical record is advisable.
4. Post Signage in Clinical Areas
Consider posting a visible notice in waiting rooms and exam rooms informing patients that AI-assisted documentation may be used. This provides passive notification even before the formal intake process.
5. Address Telehealth Specifically
For telehealth encounters, include AI scribe disclosure in the telehealth consent form. Announce the use of AI documentation verbally at the start of the virtual visit. This is particularly important when the patient may be located in a two-party consent jurisdiction.
What Happens if You Don't Comply?
Non-compliance with Tennessee recording laws and/or HIPAA carries significant consequences:
Tennessee State Law Violations
Under Tenn. Code Ann. § 39-13-602, unlawful interception of communications is classified as a criminal offense. Depending on the circumstances, violations can be charged as a felony. Additionally, Tenn. Code Ann. § 39-13-603 provides a civil cause of action for individuals whose communications are unlawfully intercepted, with potential recovery of actual damages, punitive damages, and attorney's fees.
For Tennessee-based providers who comply with the one-party consent framework, these penalties are unlikely to apply. However, providers who record patients across state lines without respecting the consent laws of the patient's state may face liability under those jurisdictions.
HIPAA Violations
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA. Penalties under 42 USC § 1320d-5 and 42 USC § 1320d-6 are tiered based on the level of culpability:
Violation Tier | Penalty Range per Violation | Annual Maximum |
|---|---|---|
Tier 1 — Did not know | $137–$68,928 | $2,067,813 |
Tier 2 — Reasonable cause | $1,379–$68,928 | $2,067,813 |
Tier 3 — Willful neglect (corrected) | $13,785–$68,928 | $2,067,813 |
Tier 4 — Willful neglect (not corrected) | $68,928+ | $2,067,813 |
Note: Penalty amounts are adjusted annually for inflation. The figures above reflect approximate ranges as of 2025–2026. Verify current amounts at the HHS OCR website.
Criminal penalties under 42 USC § 1320d-6 can include fines up to $250,000 and imprisonment up to 10 years for offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Professional Licensing Consequences
The Tennessee Board of Medical Examiners (operating under Tenn. Code Ann. Title 63) may investigate complaints related to unethical or unprofessional conduct, which could include improper use of AI tools without appropriate patient notification. Disciplinary actions can include license suspension, probation, or revocation.
Malpractice and Liability Exposure
If an AI scribe produces an inaccurate clinical note and the provider signs it without adequate review, the provider may face malpractice liability. The AI-generated note becomes part of the medical record, and the provider is ultimately responsible for its accuracy.
Implementation Checklist
Use this checklist to ensure your practice is compliant when deploying an AI scribing solution in Tennessee:
☐ Verify one-party consent compliance: Confirm that your AI scribing tool records only conversations in which at least one consenting party (the provider) participates, consistent with Tenn. Code Ann. § 39-13-601.
☐ Execute a Business Associate Agreement (BAA): Ensure a signed BAA is in place with your AI scribing vendor before any PHI is processed, per 45 CFR § 164.504(e).
☐ Confirm HIPAA-compliant security: Verify that the vendor provides end-to-end encryption, access controls, audit logging, and secure data storage and disposal.
☐ Update intake forms: Add AI documentation disclosure language to patient intake and consent forms.
☐ Create a telehealth-specific protocol: For patients in other states, identify the applicable consent law and obtain explicit consent when required.
☐ Post signage: Display notices in clinical areas about the use of AI-assisted documentation.
☐ Establish an opt-out process: Develop a clear workflow for patients who decline AI documentation, including manual note-taking alternatives.
☐ Train staff: Educate all clinical and administrative staff on how the AI scribe works, when and how to disclose it to patients, and how to handle opt-outs.
☐ Review AI-generated documentation: Implement a policy requiring providers to review, edit, and authenticate all AI-generated notes before they are finalized in the medical record.
☐ Conduct periodic audits: Schedule regular compliance reviews of your AI scribing practices, vendor agreements, and security safeguards.
☐ Maintain records of consent: Document patient consent (or opt-out) decisions in the medical record for each encounter.
☐ Monitor legal developments: Stay informed about changes to Tennessee state law, HIPAA regulations, and any new guidance from the Tennessee Board of Medical Examiners regarding AI in clinical practice.
This guide is provided for informational purposes only and does not constitute legal advice. Healthcare providers should consult with a qualified healthcare attorney in Tennessee to address specific compliance questions related to their practice.
