Posted on Feb 21, 2026
Is AI Scribing Legal in Virginia? (2026 Compliance Guide for Healthcare Providers)

Quick Answer
Yes, AI scribing is legal in Virginia when implemented in compliance with both Virginia's recording consent statute and federal HIPAA regulations. Virginia is a one-party consent state, meaning that only one party to a conversation needs to consent to the recording. As the healthcare provider initiating the AI scribe, your own consent satisfies Virginia's statutory requirement. However, HIPAA imposes additional obligations regarding patient notice, data security, and Business Associate Agreements (BAAs) that must also be met.
Recording Consent Laws in Virginia
Virginia's wiretapping and electronic surveillance law is codified at Virginia Code § 19.2-62. This statute makes it unlawful to intercept, record, or disclose the contents of any wire, electronic, or oral communication — unless one of the parties to the communication has given prior consent.
The key language of Virginia Code § 19.2-62 provides that it is not unlawful for a person to intercept a wire, electronic, or oral communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception. This establishes Virginia firmly as a one-party consent jurisdiction.
Additionally, Virginia Code § 19.2-61 defines relevant terms including "intercept," "oral communication," and "electronic communication," which encompass the types of audio capture used by AI scribing tools during clinical encounters.
In 2021, Virginia enacted the Virginia Consumer Data Protection Act (VCDPA), codified at Virginia Code §§ 59.1-575 through 59.1-585. While this law primarily governs consumer data privacy and includes provisions on data processing, consent, and consumer rights, it contains exemptions for entities and data governed by HIPAA. Specifically, protected health information (PHI) handled by covered entities and business associates under HIPAA is exempt from VCDPA requirements. Nonetheless, providers should be aware of VCDPA's existence in case their AI scribe vendor processes any data that falls outside the HIPAA exemption.
One-Party vs Two-Party Consent: What It Means for Your Practice
Understanding the distinction between one-party and two-party consent is critical for healthcare providers deploying AI scribing technology:
One-party consent (Virginia's standard): Only one participant in the conversation needs to know about and agree to the recording. As the clinician using the AI scribe, you are a party to the conversation. Your decision to activate the AI scribe constitutes your consent under Virginia Code § 19.2-62.
Two-party (all-party) consent: Every participant must consent before recording can begin. This is the standard in states like California, Florida, and Pennsylvania — but not Virginia.
For your Virginia practice, this means:
You are not legally required under Virginia state law to obtain your patient's consent before activating an AI scribe during a clinical encounter.
However, best practice — and HIPAA considerations — strongly counsel in favor of informing patients and obtaining their consent anyway. Transparency fosters trust and reduces liability risk.
If you conduct telehealth visits with patients located in other states, you must comply with the recording consent law of the patient's state. If that state requires all-party consent, you must obtain the patient's explicit permission before recording.
HIPAA Requirements on Top of State Law
Even though Virginia's one-party consent law permits recording without patient notification, HIPAA introduces a separate and independent layer of compliance obligations. HIPAA does not specifically address audio recording of clinical encounters, but the data captured by an AI scribe — including transcripts, clinical notes, and any stored audio — constitutes protected health information (PHI) under 45 CFR § 160.103.
Business Associate Agreement (BAA)
Under 45 CFR § 164.502(e) and 45 CFR § 164.504(e), any AI scribe vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. You must execute a written BAA with the vendor before using the tool. The BAA must specify:
Permitted and required uses and disclosures of PHI
Appropriate administrative, physical, and technical safeguards
Breach notification obligations
Requirements for the vendor to return or destroy PHI upon termination
Minimum Necessary Standard
Under 45 CFR § 164.502(b), covered entities must make reasonable efforts to limit PHI access to the minimum necessary for the intended purpose. Ensure your AI scribe is configured to capture only the information needed for clinical documentation and that access is restricted to authorized personnel.
Security Rule Compliance
The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and their business associates to implement:
Administrative safeguards: Risk assessments, workforce training, and access management policies (45 CFR § 164.308)
Physical safeguards: Workstation and device security controls (45 CFR § 164.310)
Technical safeguards: Encryption, access controls, audit logs, and integrity controls for electronic PHI (45 CFR § 164.312)
Verify that your AI scribe vendor encrypts data both in transit and at rest, maintains audit logging, and can demonstrate compliance with these requirements.
Notice of Privacy Practices
Under 45 CFR § 164.520, covered entities must provide patients with a Notice of Privacy Practices (NPP) describing how their PHI may be used and disclosed. If you implement AI scribing, your NPP should be updated to reference the use of technology-assisted documentation tools and the involvement of third-party business associates in processing clinical encounter data.
Patient Consent Best Practices for Virginia
Although Virginia law does not require patient consent for recording, adopting a robust informed consent process is strongly recommended for ethical, legal, and practical reasons:
Update your Notice of Privacy Practices: Include a clear statement that your practice uses AI-assisted scribing technology to document clinical encounters, and that a third-party vendor processes encounter data under a BAA.
Provide verbal notice at the start of each visit: Inform the patient that an AI scribe will be active during the encounter. A simple statement such as, "I use an AI-assisted tool to help document our visit. It records our conversation to generate clinical notes. Is that okay with you?" is sufficient.
Offer an opt-out option: Patients who decline AI scribing should have the option to proceed with traditional manual documentation. Document their preference in the medical record.
Use written consent forms for added protection: Consider a one-time written acknowledgment that patients sign during intake, confirming they understand the practice uses AI scribing technology. This creates a defensible record.
Handle telehealth encounters carefully: For patients located outside Virginia, determine their state's consent requirements and obtain all-party consent if required. Document the patient's location at the time of the visit.
Train your staff: Ensure all clinical and front-desk staff understand the AI scribing workflow, how to inform patients, how to handle opt-outs, and how to document consent.
What Happens if You Don't Comply?
Virginia State Law Violations
Violations of Virginia Code § 19.2-62 can result in both criminal and civil liability:
Criminal penalties: Under Virginia Code § 19.2-62, unlawful interception is a Class 6 felony, punishable by up to five years in prison or up to 12 months in jail and/or a fine of up to $2,500.
Civil remedies: Under Virginia Code § 19.2-69, any person whose communication is unlawfully intercepted may bring a civil action and recover actual damages, punitive damages, attorney's fees, and litigation costs.
While one-party consent protects you as a participant in the conversation, risk arises if the AI tool records conversations to which you are not a party (e.g., the device inadvertently records in a waiting room or between patients without a provider present).
HIPAA Violations
HIPAA violations are enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and carry tiered penalties under 42 USC § 1320d-5 and 42 USC § 1320d-6:
Tier 1 (lack of knowledge): $137 to $68,928 per violation (adjusted annually for inflation)
Tier 2 (reasonable cause): $1,379 to $68,928 per violation
Tier 3 (willful neglect, corrected): $13,785 to $68,928 per violation
Tier 4 (willful neglect, not corrected): $68,928 per violation, up to approximately $2,067,813 per calendar year for identical violations
Criminal penalties: Up to $250,000 in fines and up to 10 years imprisonment for offenses committed with intent to sell, transfer, or use PHI for personal gain or malicious purposes
Note: Penalty amounts are subject to annual inflation adjustments by HHS. The figures above reflect recent published penalty ranges and should be verified against the most current HHS guidance.
Professional and Reputational Consequences
Beyond statutory penalties, non-compliance can trigger state medical board investigations, malpractice claims, loss of patient trust, and reputational damage that can significantly impact a practice's viability.
Implementation Checklist
Use this checklist before deploying an AI scribe in your Virginia practice:
| Step | Action | Status |
|---|---|---|
| 1 | Confirm your AI scribe vendor will sign a HIPAA-compliant Business Associate Agreement (BAA) | ☐ |
| 2 | Verify the vendor uses end-to-end encryption for data in transit and at rest | ☐ |
| 3 | Conduct a HIPAA Security Risk Assessment that includes the AI scribe tool (per 45 CFR § 164.308(a)(1)) | ☐ |
| 4 | Update your Notice of Privacy Practices to reference AI-assisted documentation | ☐ |
| 5 | Develop a patient notification script for clinical staff to use at the start of encounters | ☐ |
| 6 | Create a written patient acknowledgment/consent form for AI scribing | ☐ |
| 7 | Establish a clear opt-out process and document patient preferences in the EHR | ☐ |
| 8 | Train all clinical and administrative staff on the AI scribe workflow and consent procedures | ☐ |
| 9 | Confirm the AI scribe records only during active clinical encounters (no ambient capture in waiting areas) | ☐ |
| 10 | Establish a telehealth protocol to verify patient location and applicable state consent laws | ☐ |
| 11 | Review vendor data retention and deletion policies to ensure compliance with the minimum necessary standard | ☐ |
| 12 | Schedule periodic compliance audits and vendor reviews (at least annually) | ☐ |
This guide is provided for informational purposes only and does not constitute legal advice. Healthcare providers should consult with a qualified healthcare attorney in Virginia to address their specific circumstances and ensure full compliance with all applicable laws and regulations.

