Posted on
Mar 29, 2026
One-Party vs Two-Party Consent States for AI Scribing: Complete Compliance Guide
One-Party vs Two-Party Consent States for AI Scribing: The Definitive Compliance Hub
AI medical scribes are transforming clinical documentation — but they also introduce a legal complexity that traditional dictation never triggered. When an ambient AI scribe records a live patient-provider conversation, it activates wiretapping and eavesdropping statutes that vary dramatically from state to state. Platforms like Scribing.io build consent management directly into their workflows, but compliance officers still need a thorough understanding of the legal landscape to deploy AI scribing safely across jurisdictions.
This hub page is designed specifically for compliance officers navigating multi-state AI scribe deployment. It covers every U.S. jurisdiction, breaks down how federal and state laws interact for AI scribing specifically, provides actionable consent workflow frameworks, and links to deeper specialty- and state-specific guides across the Scribing.io resource library. Whether your health system operates in a single one-party consent state or spans a dozen jurisdictions with conflicting requirements, this page is your operational reference.
TL;DR: AI medical scribes record clinical encounters to generate documentation — but whether that recording is legal depends on where your providers practice. U.S. states are divided into one-party consent states (where only one participant needs to agree to the recording) and two-party/all-party consent states (where every participant must consent). HIPAA permits using patient data for treatment documentation without explicit authorization, but it sets the floor, not the ceiling — state wiretapping laws, state health privacy statutes, and professional ethics standards layer additional requirements on top. This hub page breaks down every jurisdiction, explains how federal and state laws interact for AI scribing specifically, provides a consent workflow framework for compliance officers, and offers actionable templates to operationalize compliant AI scribe deployment across multi-state health systems.
Table of Contents
Why Consent Laws Matter More for AI Scribes Than Traditional Dictation
Federal Law Foundation — The Electronic Communications Privacy Act and HIPAA
One-Party Consent States — What Compliance Officers Need to Know
Two-Party (All-Party) Consent States — Heightened Requirements for AI Scribing
State-Specific Deep Dives: Highest-Risk Jurisdictions
Consent Workflow Framework for Multi-State Health Systems
Consent Form Types and Enforceability by Jurisdiction
Multi-Participant Encounter Rules
Telehealth and Cross-State Encounters
Professional Ethics Overlay: AMA, Specialty Societies, and Licensing Boards
Penalties and Enforcement Landscape
Operationalizing Compliance at Scale
Get Started Today
Why Consent Laws Matter More for AI Scribes Than Traditional Dictation
Traditional clinical dictation involves a provider speaking into a recording device after the patient encounter, narrating their own recollection of the visit. The patient's voice is never captured. AI medical scribes operate fundamentally differently: they record the ambient, real-time conversation between provider and patient, then use natural language processing to generate structured clinical notes. This distinction is legally significant because it triggers wiretapping and eavesdropping statutes that dictation never implicated.
The Active Recording Problem
When an AI scribe captures ambient audio, it is intercepting an oral communication between two or more parties. Under most state wiretapping laws, this interception is presumptively illegal unless it falls within a consent exception. The provider activating the scribe may satisfy one-party consent requirements — but in two-party consent states, the patient must also affirmatively agree before recording begins. To understand how compliant platforms handle this technically, see how Scribing.io handles ambient recording compliantly.
The "Third Party" Problem
Most AI scribes operate as a non-participant listener — a silent third party to the conversation. The audio is transmitted to cloud infrastructure for processing, which means the conversation is being intercepted and transmitted to a system that is not a participant in the dialogue. In two-party consent states, this architecture may be viewed as an unauthorized third-party interception even if the provider has consented. Some state statutes specifically address interception by electronic devices rather than human listeners, making the AI processing pathway itself a potential violation vector.
HIPAA Is Necessary but Not Sufficient
Compliance officers frequently encounter a dangerous assumption: that HIPAA's treatment-payment-operations (TPO) exception resolves the consent question. It does not. HIPAA governs the use and disclosure of protected health information. State wiretapping laws govern whether you can capture the conversation at all. These are parallel legal frameworks with independent requirements. A practice can be fully HIPAA-compliant — with a signed Business Associate Agreement, encrypted transmission, and proper access controls — and still violate state criminal wiretapping law if it fails to obtain recording consent in a two-party consent state.
Penalties Are Real and Compounding
Violations of recording consent laws do not exist in a vacuum. A single non-compliant AI scribe deployment can trigger state criminal wiretapping charges (including felony charges in states like Pennsylvania and Florida), civil liability with statutory damages, HIPAA breach investigations if the unauthorized recording is deemed an impermissible use of PHI, and professional licensing board complaints against the recording provider. These consequences compound — and they can apply retroactively to every encounter recorded without proper consent.
Federal Law Foundation — The Electronic Communications Privacy Act and HIPAA
Before examining state-by-state requirements, compliance officers need a clear understanding of the federal baseline. Two federal frameworks are directly relevant to AI scribe consent: the Federal Wiretap Act and HIPAA.
Federal Wiretap Act (18 U.S.C. § 2511)
The Federal Wiretap Act, part of the Electronic Communications Privacy Act (ECPA), prohibits the intentional interception of oral, wire, or electronic communications. However, it provides a critical exception: interception is lawful when one party to the communication consents. This establishes one-party consent as the federal minimum. When a provider activates an AI scribe during a patient encounter, the provider's consent to the recording satisfies the federal wiretapping standard.
HIPAA Treatment Exception (45 CFR § 164.506)
Under HIPAA's Privacy Rule, covered entities may use and disclose protected health information for treatment, payment, and healthcare operations without individual patient authorization. Clinical documentation generated by an AI scribe falls squarely within the treatment use case. This means HIPAA does not require a patient's written authorization for the AI scribe to process their health data — but this only addresses the health privacy dimension, not the recording consent dimension.
Where the Two Frameworks Diverge
The critical insight for compliance officers is that HIPAA and wiretapping law regulate different things:
Framework | What It Regulates | Consent Requirement for AI Scribing |
|---|---|---|
HIPAA | Use and disclosure of PHI | No patient authorization required under TPO exception |
Federal Wiretap Act | Interception of communications | One-party consent (provider's consent suffices) |
State Wiretapping Laws | Interception of communications | Varies: one-party or all-party consent required |
State Health Privacy Laws | Health data collection and use | May impose additional notice/consent beyond HIPAA |
The Preemption Question
Federal law does not preempt stricter state recording consent laws. The ECPA explicitly allows states to impose higher bars for recording consent. This means compliance officers cannot rely on federal one-party consent as a universal standard — they must evaluate the law of every state where their providers practice.
Business Associate Agreements
Any AI scribe vendor that processes PHI must execute a Business Associate Agreement (BAA) with the covered entity. This is table-stakes under HIPAA and is separate from the consent question. However, a properly structured BAA should also address how the vendor handles recording consent workflows, data retention, and de-identification — integrating the recording consent and health privacy compliance obligations into a single vendor governance framework.
One-Party Consent States — What Compliance Officers Need to Know
In one-party consent states, the provider's decision to activate the AI scribe constitutes sufficient consent under the state wiretapping statute. No patient notification is legally required for the recording itself. This significantly simplifies deployment — but it does not eliminate all compliance obligations.
Complete List of One-Party Consent States (2026)
The following states require only one party to the conversation to consent to recording:
Alabama, Alaska, Arizona, Arkansas, Colorado, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Mississippi, Missouri, Nebraska, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, West Virginia, Wisconsin, Wyoming, and the District of Columbia.
To see how family medicine practices in these states are deploying ambient AI scribing with streamlined consent processes, read our guide on how family medicine practices implement AI scribing in one-party consent states.
Healthcare-Specific Exceptions Within One-Party States
Even in one-party consent states, compliance officers must check for healthcare-specific statutes that impose additional requirements. Notable examples include:
Texas: While Texas is a one-party consent state for recording, the Texas Medical Practice Act and related regulations impose patient notification requirements for certain data collection practices in healthcare settings.
New York: New York's one-party consent law is clear, but the state's mental hygiene law imposes stricter confidentiality protections for behavioral health encounters that may require additional patient consent.
Colorado: The Colorado Privacy Act, effective since 2023, introduces additional requirements for processing sensitive health data that may layer onto the general wiretapping consent framework.
Why Best Practice Exceeds the Legal Minimum
Even where the law permits recording with only provider consent, the overwhelming consensus among healthcare compliance professionals is to obtain informed patient consent for AI scribing. The reasons are practical, not just ethical:
Patient trust: Patients who discover they were recorded without their knowledge — even legally — may file complaints, leave negative reviews, or switch providers.
Future law changes: Several one-party consent states have introduced legislation to require two-party consent. Obtaining consent now future-proofs your operations.
Ethical alignment: The American Medical Association's guidelines on augmented intelligence emphasize transparency and informed consent as core principles for AI in healthcare.
Malpractice defense: Documented patient consent strengthens the provider's position if any aspect of AI-generated documentation is later challenged in litigation.
Recommended Verbal Disclosure for One-Party States
A brief verbal disclosure at intake satisfies best-practice requirements without creating administrative burden: "We use an AI assistant during your visit to help your doctor write accurate notes. You can opt out at any time." This statement should be documented in the medical record with a timestamp.
Two-Party (All-Party) Consent States — Heightened Requirements for AI Scribing
Two-party consent states represent the highest compliance risk for AI scribe deployment. In these jurisdictions, every party to the conversation must consent before recording begins. For a clinical encounter, this means the patient — and any family members, interpreters, caregivers, or other participants present — must affirmatively agree to the AI scribe's recording.
Complete List of Two-Party/All-Party Consent States (2026)
The following states require all parties to consent to recording:
California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon (for in-person conversations), Pennsylvania, and Washington.
Note: Vermont's classification is sometimes debated. Vermont does not have a specific wiretapping statute with a clear one-party or two-party designation. The state relies on its general privacy framework, and compliance officers should consult local counsel for definitive guidance on AI scribe recording in Vermont.
What "Consent" Means in Practice
The form of consent that satisfies two-party consent requirements varies by state. Compliance officers should understand three tiers of consent and their relative legal strength:
Consent Type | Description | Legal Strength | Recommended For |
|---|---|---|---|
Written consent form | Patient signs a document specifically authorizing AI scribe recording | Strongest | All two-party states; required by some institutional policies |
Verbal consent with documentation | Provider verbally explains AI scribe and patient agrees; consent is noted in the medical record | Strong | States that accept verbal consent; follow-up visits after initial written consent |
Passive/implied consent | Patient is notified and continues the conversation without objecting | Variable | Accepted in some states (e.g., some interpretations of California law with adequate notice); insufficient in others (e.g., Pennsylvania, Florida) |
Risk-Tier Classification of Two-Party States
Risk Tier | States | Penalty Type | Key Risk Factor |
|---|---|---|---|
Critical (Felony) | Florida, Pennsylvania, Illinois, Maryland | Criminal felony | Intentional interception carries felony charges; statutory damages in civil actions |
High (Criminal + Civil) | California, Massachusetts, Washington, Michigan | Misdemeanor + civil liability | Private right of action; significant statutory damages; additional state health privacy laws |
Elevated (Civil + Regulatory) | Connecticut, Delaware, Montana, Nevada, New Hampshire, Oregon | Misdemeanor or civil penalties | Lower criminal penalties but regulatory enforcement risk; evolving case law |
State-Specific Deep Dives: Highest-Risk Jurisdictions
Five states warrant particular attention from compliance officers deploying AI scribes. Each combines recording consent requirements with additional state-specific laws that compound compliance complexity.
California
California is the most complex state for AI scribe deployment. Cal. Penal Code § 632 requires all-party consent for recording confidential communications, with violations punishable as a misdemeanor (up to one year in jail and/or a $2,500 fine per violation) plus civil damages of $5,000 per violation or three times actual damages. On top of this, the Confidentiality of Medical Information Act (CMIA) imposes healthcare-specific protections that go beyond both HIPAA and the general wiretapping statute. The CMIA requires specific authorization for certain disclosures of medical information and creates an independent civil cause of action. Compliance officers deploying AI scribes in California should use written consent forms that address both recording consent under § 632 and medical information authorization under the CMIA. For a detailed breakdown, see our guide on AI scribe laws in California.
Illinois
Illinois combines an all-party consent requirement for recording (720 ILCS 5/14-2) with the Biometric Information Privacy Act (BIPA), which may be implicated if the AI scribe processes voice biometric data — such as speaker identification or voiceprint analysis. BIPA requires informed written consent before collecting biometric identifiers and imposes statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. If your AI scribe vendor uses any form of voice identification technology, BIPA compliance must be addressed in your BAA and patient consent workflow.
Florida
Florida's all-party consent statute (Fla. Stat. § 934.03) classifies intentional interception of oral communications as a third-degree felony, punishable by up to five years in prison. Florida also provides a civil cause of action with statutory damages. The severity of criminal penalties makes Florida the highest-stakes state for non-compliant AI scribe deployment. Written consent with clear documentation is the only defensible approach.
Washington
Washington's Privacy Act (RCW 9.73.030) requires all-party consent and provides a private right of action. Notably, Washington courts have interpreted "consent" broadly — but have also held that the recording party bears the burden of proving consent was obtained. For AI scribing, this means the health system must maintain auditable records of consent for every encounter.
Pennsylvania
Pennsylvania's Wiretapping and Electronic Surveillance Control Act (18 Pa.C.S. § 5703) classifies non-consensual interception as a felony of the third degree. All parties must consent, and the statute has been interpreted strictly. Pennsylvania also does not recognize implied or passive consent — affirmative agreement is required.
Consent Workflow Framework for Multi-State Health Systems
For health systems operating across multiple states, a consent workflow must accommodate the strictest applicable standard while remaining operationally efficient. The following framework provides a tiered approach that compliance officers can adapt to their specific jurisdictional footprint.
Step 1: Jurisdictional Mapping
Create a master matrix of every state where your providers practice — including telehealth encounters where the patient may be in a different state than the provider. Classify each state as one-party or two-party consent, and flag any states with additional healthcare-specific consent requirements.
Step 2: Adopt the Highest Standard as Default
For multi-state systems, the most operationally sound approach is to adopt written patient consent as the default across all locations. This eliminates the risk of applying the wrong standard when patients cross state lines, providers cover multiple locations, or telehealth encounters involve cross-state scenarios. Attempting to maintain different consent workflows for one-party vs. two-party states creates more compliance risk than it saves in operational overhead.
Step 3: Integrate Consent into Existing Intake Workflows
AI scribe consent should be incorporated into the existing patient intake process — not treated as a standalone form that creates additional administrative burden. Options include:
Adding an AI scribe consent section to the general consent-to-treatment form
Including it in the patient portal check-in workflow
Using a brief standalone consent form signed at first visit, with verbal re-confirmation at subsequent visits
Step 4: Document Consent in the Medical Record
Every consent — whether written or verbal — must be documented in the patient's medical record with a timestamp. For platforms that integrate with major EHRs, this documentation can be automated. See how Scribing.io integrates with Epic and athenahealth to streamline consent documentation directly in the patient chart.
Step 5: Build an Opt-Out Mechanism
Patients must be able to decline AI scribe recording at any time. The workflow must include a clear, no-friction opt-out process, and the provider must be trained to immediately deactivate the scribe when a patient opts out. The opt-out should be documented in the record, and the provider should switch to traditional documentation methods for that encounter.
Consent Form Types and Enforceability by Jurisdiction
Compliance officers must select consent mechanisms that are both legally defensible and operationally scalable. The enforceability of different consent types varies by jurisdiction.
Written Consent Forms
Written consent provides the strongest legal protection in all jurisdictions. A compliant written consent form for AI scribing should include:
Clear identification of the AI scribe technology being used
Explanation that the patient-provider conversation will be recorded in real time
Description of how the recording will be used (clinical documentation only)
Data handling practices — how long the audio is retained, who has access, and how it is secured
The patient's right to opt out at any time without affecting their care
Signature and date lines for the patient (and any other participants)
Verbal Consent with Documentation
Verbal consent is legally sufficient in most one-party consent states and in some two-party consent states where the statute does not specifically require written consent. For verbal consent to be defensible, it must be clearly documented in the medical record, including the specific language used and the patient's affirmative response.
Digital/Electronic Consent
For organizations using patient portals or tablet-based check-in, electronic consent captured through digital signature is legally equivalent to written consent under the federal ESIGN Act and the Uniform Electronic Transactions Act (adopted in most states). This is the most scalable approach for large health systems.
Multi-Participant Encounter Rules
Clinical encounters frequently involve more than two parties. Compliance officers must account for every participant in the room — or on the telehealth call — when determining consent requirements.
Common Multi-Participant Scenarios
Scenario | Additional Consent Required (Two-Party States) | Operational Recommendation |
|---|---|---|
Spouse or partner present | Yes — spouse must consent | Include companion consent in intake form; verbal consent at start of encounter |
Parent present for minor's visit | Yes — parent consents on behalf of minor and for their own participation | Parent signs consent; consider minor assent for adolescents |
Interpreter present | Yes — interpreter must consent | Include interpreter consent in vendor contracts; obtain consent at start of interpreted encounter |
Multiple providers (consultation, teaching) | Yes — all providers must be aware of recording | Internal policy requiring all providers to acknowledge AI scribe use |
Caregiver or health aide | Yes — caregiver must consent | Include in intake workflow; document in record |
In pediatric settings, consent workflows must account for the parent's consent, the minor's assent (when age-appropriate), and any other participants in the room — making multi-participant consent especially important.
Telehealth and Cross-State Encounters
Telehealth introduces a jurisdictional complication that is unique to AI scribing: when the provider is in one state and the patient is in another, which state's consent law applies?
The Conservative Approach
Most legal analysis favors applying the stricter of the two states' laws. If a provider in a one-party consent state conducts a telehealth visit with a patient in a two-party consent state, the two-party standard should apply. The rationale is that the conversation is occurring in both jurisdictions simultaneously, and either state could assert jurisdiction over a wiretapping violation.
Practical Guidance for Telehealth
Your EHR or scheduling system should capture the patient's physical location at the time of the encounter
The consent workflow should dynamically apply the appropriate standard based on the patient's location
For multi-state systems, adopting written consent as the universal default eliminates this complexity
Train providers to verbally confirm the patient's location and re-confirm consent at the start of each telehealth encounter
Professional Ethics Overlay: AMA, Specialty Societies, and Licensing Boards
Beyond statutory requirements, professional ethics standards impose a de facto consent requirement that applies regardless of state law. The AMA's Code of Medical Ethics emphasizes the physician's obligation to be transparent with patients about all aspects of their care, including the tools used in documentation. State medical licensing boards have begun issuing guidance that clinicians must disclose the use of AI tools in patient care.
For psychiatry — where the sensitivity of recorded content is especially high — the ethics overlay is even more stringent. Our guide on AI scribing in psychiatry addresses specialty-specific ethical considerations that go beyond general consent requirements.
Key Professional Ethics Principles for AI Scribing
Transparency: Patients should know an AI tool is being used during their encounter.
Autonomy: Patients should have a meaningful right to decline AI scribe use without it affecting their care.
Fidelity: Providers should review and authenticate all AI-generated notes before they become part of the medical record.
Non-maleficence: The use of AI scribing should not create risks to patient privacy or the therapeutic relationship.
Penalties and Enforcement Landscape
Understanding the penalty landscape helps compliance officers calibrate the rigor of their consent programs to the actual risk exposure in each jurisdiction.
Criminal Penalties by State Category
Penalty Level | States | Maximum Criminal Penalty |
|---|---|---|
Felony | Florida, Pennsylvania, Illinois, Maryland | Up to 5 years imprisonment; substantial fines |
Misdemeanor | California, Massachusetts, Michigan, Washington, Connecticut, others | Up to 1 year imprisonment; fines up to $10,000 |
Civil only | Some one-party states with limited enforcement | No criminal penalties; civil damages only |
Civil Liability Exposure
Many states provide a private right of action for illegal recording, with statutory damages that can be substantial when multiplied across hundreds or thousands of patient encounters. In California, statutory damages of $5,000 per violation mean that a practice recording 20 patients per day without proper consent could accumulate $100,000 in statutory damage exposure per day. Class action risk amplifies this exposure further.
Regulatory and Licensing Consequences
Beyond criminal and civil liability, unlawful recording can trigger:
HIPAA breach investigations if the unauthorized recording is deemed an impermissible use of PHI
State attorney general investigations under state consumer protection or health privacy statutes
Medical licensing board complaints that can result in license suspension, required remediation, or public reprimand
Accreditation risk for health systems subject to Joint Commission or NCQA standards
Operationalizing Compliance at Scale
For large health systems and multi-state organizations, consent compliance must be systematized — not left to individual provider discretion. The following operational recommendations translate the legal requirements above into scalable processes.
Technology-Driven Consent Management
The most effective approach is to integrate consent management directly into the AI scribe platform. This means the scribe does not begin recording until consent is confirmed in the system. Platforms like Scribing.io offer built-in consent workflows that can be configured by jurisdiction, documenting consent automatically in the patient record.
Provider Training Requirements
Every provider using an AI scribe should receive training on:
The consent requirements in their specific practice state(s)
How to deliver the verbal disclosure naturally without disrupting the patient encounter
How to handle patient opt-outs gracefully
How to manage multi-participant scenarios
The consequences of non-compliance — both for the organization and for their individual license
Auditing and Monitoring
Compliance programs should include regular audits of AI scribe consent documentation. Key audit metrics include:
Percentage of AI-scribed encounters with documented consent
Opt-out rates by provider, location, and specialty
Consent documentation timeliness (was consent documented before recording began?)
Multi-participant consent completeness
Incident Response Planning
Despite best efforts, consent failures will occur — a provider may forget to obtain consent, a new staff member may not be trained, or a system error may allow recording before consent is confirmed. Your incident response plan should include:
Immediate deletion of non-consented audio recordings
Assessment of whether a HIPAA breach notification is required
Assessment of state wiretapping law violation and need for legal response
Root cause analysis and process correction
Documentation of the incident and response for regulatory defense
Vendor Due Diligence Checklist
When evaluating AI scribe vendors, compliance officers should verify:
The vendor executes a HIPAA-compliant BAA
The platform supports configurable consent workflows by jurisdiction
Audio data is encrypted in transit and at rest
Audio retention policies are clearly defined and configurable
The platform can prevent recording from beginning until consent is confirmed
The vendor has documented SOC 2 Type II compliance or equivalent security certification
The platform integrates consent documentation into the EHR record
Scribing.io's services page details how the platform addresses each of these requirements for health systems of all sizes.
Get Started Today
Deploying AI medical scribes across jurisdictions with different consent requirements is a solvable compliance challenge — but it requires the right legal understanding, operational workflows, and technology platform. This hub page gives compliance officers the jurisdictional knowledge and framework to build a defensible consent program. Scribing.io is built for exactly this use case: a HIPAA-compliant AI scribe platform with configurable consent management, EHR integration, and the security infrastructure that multi-state health systems require.
