Posted on Mar 11, 2026

Is AI Scribing Legal in Utah? (2026 Compliance Guide for Healthcare Providers)

Quick Answer

Yes, AI scribing is legal in Utah when implemented in compliance with both state recording consent laws and federal HIPAA regulations. Utah is a one-party consent state for recording communications, which means that only one party to a conversation needs to consent to the recording. However, healthcare providers must still satisfy HIPAA's privacy and security requirements when using any AI tool that processes protected health information (PHI). Legal compliance requires a deliberate approach to consent, data handling, and vendor selection.

Recording Consent Laws in Utah

Utah's wiretapping and electronic surveillance law is codified under Utah Code § 77-23a-4 (the Utah Interception of Communications Act). Under this statute, it is lawful for a person who is a party to a communication — or who has obtained the prior consent of one party — to record or intercept that communication. This makes Utah a one-party consent state.

Specifically, Utah Code § 77-23a-4(7)(b) provides that it is not unlawful for a person who is a party to an in-person or electronic communication to intercept, record, or disclose the content of that communication, provided at least one party has given consent. Because the healthcare provider is a party to the patient encounter, the provider's own consent to the AI scribing tool's recording satisfies the minimum threshold under Utah law.

However, it is critical to note that legal permission under state wiretapping law does not eliminate obligations under other legal frameworks, including HIPAA, medical ethics standards, and institutional policies. Most healthcare compliance authorities strongly recommend obtaining explicit patient consent even in one-party consent jurisdictions.

One-Party vs Two-Party Consent: What It Means for Your Practice

In a one-party consent state like Utah, only one participant in a conversation must consent to the recording. This contrasts with two-party (or all-party) consent states — such as California or Florida — where every participant must agree before a conversation can be lawfully recorded.

What This Means Practically for AI Scribing

  • Legally sufficient minimum: Because the provider is a party to the clinical encounter, the provider's own consent to activate AI scribing technically satisfies Utah Code § 77-23a-4. No separate patient consent is legally required under the state wiretapping statute alone.

  • Best practice recommendation: Despite the legal minimum, healthcare providers should inform patients that an AI scribing tool is being used during the encounter. This aligns with medical ethics principles of transparency, supports HIPAA's individual rights provisions, and reduces liability risk.

  • Multi-state telehealth: If you provide telehealth services to patients located in two-party consent states, you must comply with the more restrictive law of the patient's jurisdiction. Always verify the recording consent law of the state where the patient is physically located during the encounter.

HIPAA Requirements on Top of State Law

State recording consent law and HIPAA operate independently. Satisfying one does not satisfy the other. Any AI scribing solution that processes, transmits, or stores protected health information (PHI) triggers HIPAA obligations under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the HIPAA Security Rule (45 CFR Part 164, Subpart C).

Key HIPAA Requirements for AI Scribing

  1. Business Associate Agreement (BAA): Under 45 CFR § 164.502(e) and 45 CFR § 164.504(e), any AI scribing vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. A signed BAA must be in place before the tool is used with patient data. The BAA must specify the vendor's obligations regarding PHI use, disclosure, breach notification, and data return or destruction.

  2. Minimum Necessary Standard: Under 45 CFR § 164.502(b), covered entities must make reasonable efforts to limit PHI use and disclosure to the minimum necessary to accomplish the intended purpose. Configure your AI scribing tool to capture only information needed for clinical documentation.

  3. Security Safeguards: Under the HIPAA Security Rule, you must ensure that the AI scribing vendor implements appropriate administrative, physical, and technical safeguards. This includes encryption of data in transit and at rest, access controls, audit logging, and workforce training requirements (45 CFR §§ 164.308, 164.310, 164.312).

  4. Patient Rights: Patients retain the right to access their records under 45 CFR § 164.524 and the right to request amendments under 45 CFR § 164.526. AI-generated notes become part of the designated record set and are subject to these rights.

  5. Breach Notification: Under 45 CFR Part 164, Subpart D, if a breach of unsecured PHI occurs through the AI scribing tool, the covered entity and business associate must comply with notification requirements to affected individuals, HHS, and, in cases affecting 500 or more individuals, the media.

Utah-Specific Health Data Considerations

Utah enacted the Utah Consumer Privacy Act (UCPA), codified at Utah Code § 13-61-101 et seq., which took effect December 31, 2023. While the UCPA generally exempts data governed by HIPAA (specifically, entities and data subject to HIPAA are excluded from UCPA's scope), providers should be aware that any patient data processed outside the HIPAA-regulated treatment, payment, or healthcare operations context could potentially fall under UCPA requirements. Ensure that your AI scribing tool's data handling is fully within HIPAA's regulatory perimeter to maintain this exemption.

Patient Consent Best Practices for Utah

Even though Utah's one-party consent law does not legally require patient permission for recording, healthcare providers should implement a robust consent process along the following lines:

Recommended Consent Framework

  1. Verbal notification at the start of each encounter: Inform the patient that an AI scribing tool will be used to assist with documentation. Example: "I use an AI-assisted tool that listens to our conversation to help me create accurate clinical notes. The recording is processed securely and is part of your medical record. Do you have any questions or concerns about this?"

  2. Written consent in intake paperwork: Include a clear, plain-language disclosure in your new patient intake forms and periodic re-authorization forms. The disclosure should explain: what the AI tool does, how data is processed and stored, who has access, and the patient's right to opt out.

  3. Document the patient's response: Record in the chart whether the patient consented to or declined AI scribing. If a patient declines, have a workflow in place to disable the tool and use traditional documentation methods for that encounter.

  4. Post signage in clinical areas: Display notices in waiting rooms and exam rooms informing patients that AI-assisted documentation technology may be in use.

  5. Telehealth-specific consent: For telehealth encounters, provide the AI scribing disclosure as part of your telehealth informed consent process before the clinical conversation begins. This is especially important for patients located in two-party consent states.

What Happens if You Don't Comply?

State Law Violations

Violation of Utah Code § 77-23a-4 can result in criminal penalties. Under Utah Code § 77-23a-11, unlawful interception of communications is a third-degree felony, carrying potential penalties including imprisonment and fines. Additionally, Utah Code § 77-23a-11 provides a civil cause of action for individuals whose communications are unlawfully intercepted, with potential recovery of actual damages, punitive damages, and attorney's fees.

While a provider acting as a one-party consenter in Utah would generally not violate the state wiretapping statute, recording in contexts where you are not a party to the communication (e.g., recording conversations between staff and patients without any party's consent) could trigger liability.

HIPAA Violations

HIPAA violations are enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and carry a tiered penalty structure under 42 U.S.C. § 1320d-5 and 42 U.S.C. § 1320d-6:

  • Tier 1 (Unknowing): $137 to $68,928 per violation (adjusted annually for inflation)

  • Tier 2 (Reasonable Cause): $1,379 to $68,928 per violation

  • Tier 3 (Willful Neglect, Corrected): $13,785 to $68,928 per violation

  • Tier 4 (Willful Neglect, Not Corrected): $68,928 per violation, with an annual maximum of $2,067,813 per violation category

Note: Penalty amounts are adjusted periodically for inflation. Verify current amounts through the HHS OCR website.

Criminal penalties under 42 U.S.C. § 1320d-6 can include fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Professional and Institutional Consequences

  • State medical board investigations and potential disciplinary action

  • Malpractice liability if AI-generated documentation contains errors that affect patient care

  • Loss of patient trust and reputational damage

  • Health system or hospital credentialing consequences

Implementation Checklist

Use this checklist before deploying AI scribing in your Utah-based practice:

| Step | Action Item | Status |
|------|-------------|--------|
| 1 | Confirm your AI scribing vendor will sign a HIPAA-compliant Business Associate Agreement (BAA) | |
| 2 | Verify the vendor uses end-to-end encryption for audio data in transit and at rest | |
| 3 | Verify the vendor's data retention and deletion policies meet your organizational requirements | |
| 4 | Confirm whether audio recordings are stored or only processed transiently for transcription | |
| 5 | Update your Notice of Privacy Practices (NPP) to include AI-assisted documentation technology | |
| 6 | Add AI scribing disclosure to new patient intake forms and consent documents | |
| 7 | Develop a verbal disclosure script for clinicians to use at the start of each encounter | |
| 8 | Establish a workflow for patients who decline AI scribing (manual documentation alternative) | |
| 9 | Post visible signage in clinical areas about AI-assisted documentation | |
| 10 | Train all staff on the AI scribing tool, consent procedures, and HIPAA obligations | |
| 11 | Implement a clinician review process for all AI-generated notes before they are finalized in the medical record | |
| 12 | Conduct a HIPAA Security Risk Assessment that includes the AI scribing tool in your technology inventory | |
| 13 | If offering telehealth, identify the consent laws of all states where your patients may be located | |
| 14 | Document your compliance program and maintain records of vendor due diligence | |

This guide is for informational purposes only and does not constitute legal advice. Healthcare providers should consult with a qualified healthcare attorney in Utah to address their specific circumstances and ensure full compliance with all applicable laws and regulations.
