Posted on
Mar 23, 2026
State-by-State Patient Consent Requirements for AI Scribing: 2026 Guide for Clinic Managers
State-by-State Patient Consent Requirements for AI Scribing (2026 Guide for Clinic Managers)
A clinic in Texas and a clinic in California can use the exact same AI scribe software — but face completely different legal obligations before pressing "record." Platforms like Scribing.io are built with compliance in mind, but no technology can substitute for understanding the consent laws that govern your specific state. If you manage a practice that uses — or plans to use — ambient AI documentation, this guide is your operational roadmap.
AI medical scribes work by recording patient–provider conversations and generating clinical notes from those recordings. The legality of that recording is not determined by HIPAA alone. It hinges on your state's wiretapping or eavesdropping statute — laws that predate AI scribes by decades but still carry civil and criminal penalties for violations. Scribing.io provides the infrastructure for HIPAA-compliant documentation, but clinic managers must pair that infrastructure with the right consent workflows for their jurisdiction.
TL;DR
AI medical scribes record patient–provider conversations to generate clinical notes — but whether that recording is legal depends on where your clinic operates. The U.S. has no single federal recording-consent law; each state applies its own wiretapping or eavesdropping statute, creating a patchwork of one-party consent and all-party (two-party) consent requirements. HIPAA governs the privacy and security of the resulting PHI but does not preempt stricter state recording laws. Clinic managers must understand both layers, implement consent workflows tailored to their state, and choose an AI scribe platform that is HIPAA-compliant, covered by a Business Associate Agreement (BAA), and designed to support consent documentation. This guide breaks it all down — state by state — with actionable consent templates.
Need a Scribe that is 100% Legal in all states? Try Scribing.io for Free.
Book a quick 1-on-1 call to see the product in action.
Contents
Why State Consent Laws Matter More Than You Think for AI Scribing
One-Party vs. All-Party Consent: The Core Framework Explained
State-by-State Consent Requirements: Detailed Breakdown
Building a Compliant Consent Workflow for Your Clinic
HIPAA vs. State Recording Laws: Understanding the Two Layers
Telehealth and Cross-State Consent Considerations
Get Started Today
Why State Consent Laws Matter More Than You Think for AI Scribing
State wiretapping and eavesdropping statutes were written long before ambient AI documentation existed. Most date to the 1960s and 1970s, designed to regulate telephone surveillance and police conduct. But their language is broad: they govern any electronic interception of oral communications — and that is exactly what an AI medical scribe does when it listens to a clinical encounter and converts speech to text.
The critical distinction that clinic managers must internalize is this:
HIPAA governs what happens to Protected Health Information (PHI) after it is created — its storage, access, transmission, and the Business Associate Agreement obligations that bind your AI scribe vendor.
State recording-consent laws govern whether the recording itself is legal in the first place.
These are two separate legal layers. A fully HIPAA-compliant AI scribe operating under a valid BAA can still expose your practice to civil liability, criminal penalties, and potentially inadmissible medical records if the recording violated your state's consent requirements. In California, for example, illegal recording under Penal Code § 632 can result in fines up to $2,500 per violation and imprisonment. In Florida, violations of Statute § 934.03 are felonies. Pennsylvania's 18 Pa.C.S. § 5703 classifies unauthorized interception as a third-degree felony.
The American Medical Association's guidance on AI in clinical documentation emphasizes that physicians must ensure transparency with patients about how AI tools are used in their care. But physicians adopt tools; clinic managers enforce policies. The workflow, training, signage, and consent forms that make AI scribing legally defensible are operational responsibilities — and they start with knowing your state's rules.
For a deep dive into California's specific requirements, see our California AI Scribe Laws guide.
One-Party vs. All-Party Consent: The Core Framework Explained
Every state falls into one of two primary categories for recording consent, with a few notable edge cases:
One-Party Consent (Single-Party)
Only one participant in the conversation needs to consent to the recording. If the physician consents to the AI scribe recording the encounter, that is legally sufficient under the wiretapping statute. The patient does not need to be notified under recording law — though medical ethics, professional board requirements, and best practices strongly recommend disclosure regardless.
All-Party Consent (Two-Party)
Every participant in the conversation must consent before recording begins. This includes the patient, any family members present, interpreters, nursing staff speaking during the encounter, and anyone else whose voice is captured. Consent must typically be explicit — silence or failure to object is generally insufficient.
The 50-State Landscape
The following table classifies each state and the District of Columbia by consent type. Statute citations are included for reference; however, state laws change, and this guide is for informational purposes — not legal advice. Consult a healthcare attorney in your jurisdiction for binding guidance.
State | Consent Type | Governing Statute |
|---|---|---|
Alabama | One-party | Ala. Code § 13A-11-30 |
Alaska | One-party | Alaska Stat. § 42.20.310 |
Arizona | One-party | A.R.S. § 13-3005 |
Arkansas | One-party | Ark. Code § 5-60-120 |
California | All-party | Cal. Penal Code § 632 |
Colorado | One-party | C.R.S. § 18-9-303 |
Connecticut | All-party | Conn. Gen. Stat. § 52-570d |
Delaware | All-party | Del. Code tit. 11, § 2402 |
D.C. | One-party | D.C. Code § 23-542 |
Florida | All-party | Fla. Stat. § 934.03 |
Georgia | One-party | O.C.G.A. § 16-11-62 |
Hawaii | One-party | HRS § 803-42 |
Idaho | One-party | Idaho Code § 18-6702 |
Illinois | All-party | 720 ILCS 5/14-2 |
Indiana | One-party | Ind. Code § 35-33.5-5-5 |
Iowa | One-party | Iowa Code § 808B.2 |
Kansas | One-party | K.S.A. § 21-6101 |
Kentucky | One-party | KRS § 526.010 |
Louisiana | One-party | La. R.S. 15:1303 |
Maine | One-party | Me. Rev. Stat. tit. 15, § 709 |
Maryland | All-party | Md. Code, Cts. & Jud. Proc. § 10-402 |
Massachusetts | All-party | Mass. Gen. Laws ch. 272, § 99 |
Michigan | All-party | MCL § 750.539c |
Minnesota | One-party | Minn. Stat. § 626A.02 |
Mississippi | One-party | Miss. Code § 41-29-531 |
Missouri | One-party | Mo. Rev. Stat. § 542.402 |
Montana | All-party | Mont. Code § 45-8-213 |
Nebraska | One-party | Neb. Rev. Stat. § 86-290 |
Nevada | One-party | Nev. Rev. Stat. § 200.620 |
New Hampshire | All-party | N.H. Rev. Stat. § 570-A:2 |
New Jersey | One-party | N.J. Stat. § 2A:156A-4 |
New Mexico | One-party | N.M. Stat. § 30-12-1 |
New York | One-party | N.Y. Penal Law § 250.00 |
North Carolina | One-party | N.C. Gen. Stat. § 15A-287 |
North Dakota | One-party | N.D. Cent. Code § 12.1-15-02 |
Ohio | One-party | Ohio Rev. Code § 2933.52 |
Oklahoma | One-party | Okla. Stat. tit. 13, § 176.4 |
Oregon | All-party (in-person) | ORS § 165.540 |
Pennsylvania | All-party | 18 Pa.C.S. § 5703 |
Rhode Island | One-party | R.I. Gen. Laws § 11-35-21 |
South Carolina | One-party | S.C. Code § 17-30-30 |
South Dakota | One-party | S.D. Codified Laws § 23A-35A-20 |
Tennessee | One-party | Tenn. Code § 39-13-601 |
Texas | One-party | Tex. Penal Code § 16.02 |
Utah | One-party | Utah Code § 77-23a-4 |
Vermont | One-party* | *No specific statute; federal law applies |
Virginia | One-party | Va. Code § 19.2-62 |
Washington | All-party | RCW 9.73.030 |
West Virginia | One-party | W. Va. Code § 62-1D-3 |
Wisconsin | One-party | Wis. Stat. § 968.31 |
Wyoming | One-party | Wyo. Stat. § 7-3-702 |
Important: When in doubt, get consent. Even in one-party states, informed verbal and written consent is a clinical and ethical best practice that protects your practice from liability, board complaints, and patient trust erosion.
See how Scribing.io's workflow supports consent documentation before every encounter.
State-by-State Consent Requirements: Detailed Breakdown
While the table above provides a quick reference, several states warrant deeper attention because of unique statutory language, aggressive enforcement history, or healthcare-specific overlays.
California — All-Party Consent + CMIA
California's Penal Code § 632 prohibits recording confidential communications without the consent of all parties. A clinical encounter is inherently confidential. Additionally, California's Confidentiality of Medical Information Act (CMIA) imposes healthcare-specific data protections that go beyond HIPAA — including a private right of action for patients. Clinics using AI scribes in California must obtain explicit, documented patient consent before every recorded encounter. Our California AI Scribe Laws guide covers this in depth.
Florida — All-Party Consent, Criminal Penalties
Florida Statute § 934.03 classifies unauthorized interception of oral communications as a third-degree felony. There is no healthcare carve-out. Florida clinics must treat AI scribe consent with the same seriousness as any other recording — documented, explicit, and obtained before the encounter begins.
Illinois — All-Party Consent, Enforcement History
Illinois' eavesdropping law (720 ILCS 5/14-2) has a well-known enforcement history. The state's original statute was struck down as unconstitutional in 2014, but the legislature passed a revised version that reinstated all-party consent for private conversations. AI scribe vendors and clinics operating in Illinois should be aware that the legal landscape here has been actively litigated.
Massachusetts — Strictest in the Nation
Massachusetts General Laws ch. 272, § 99 prohibits secret recording of any oral or wire communication. The key word is "secret" — if all parties are informed and consent, recording is permissible. Massachusetts courts have interpreted this law broadly, and violations carry criminal penalties. For AI scribing, this means consent must be clear, documented, and unambiguous.
Texas — One-Party Consent, But Health Data Adds Complexity
Texas Penal Code § 16.02 is a one-party consent statute, meaning the physician's own consent to record is legally sufficient. However, Texas HB 300 imposes strict obligations on how health data is stored, shared, and disclosed. The Texas Medical Board also has its own standards around transparency with patients. Clinics in Texas should still implement patient notification as a best practice.
Washington — All-Party Consent, "Private Conversations"
RCW 9.73.030 requires consent from all participants in a private conversation. Clinical encounters clearly qualify. Washington also requires that consent be "announced" — meaning you cannot rely on fine print in intake forms alone. Verbal disclosure at the start of the encounter, combined with written consent, is the safest approach.
New York — One-Party, But Watch Local Rules
New York Penal Law § 250.00 allows one-party consent recording. However, New York City has additional privacy considerations in healthcare settings, and professional licensing boards may impose disclosure expectations that go beyond the wiretapping statute. Clinics in NYC should consult local counsel.
Oregon — Hybrid: All-Party for In-Person, One-Party for Telephone
Oregon's ORS § 165.540 applies all-party consent to in-person conversations but one-party consent to telephone conversations. Since most AI scribe recordings capture in-person clinical encounters, Oregon clinics must obtain all-party consent for standard visits. Telehealth encounters may fall under different rules depending on the technology used.
Building a Compliant Consent Workflow for Your Clinic
Understanding your state's consent category is step one. Building a defensible, repeatable workflow is where compliance becomes operational. Here is a practical framework for clinic managers.
Step 1: Identify Your State's Consent Category
Use the reference table above. If your practice operates in multiple states or provides telehealth across state lines, identify the most restrictive state in your footprint and use it as your baseline policy.
Step 2: Draft Written Consent Language
Your consent form should include, at minimum:
A plain-language description of what AI scribing is and how it works
Explicit statement that the visit will be recorded by an AI documentation tool
How the recording and resulting notes will be stored, who has access, and how long audio is retained
The patient's right to decline AI scribing without affecting their care
A signature line with date
Step 3: Implement Verbal Disclosure at Point of Care
Written consent in intake paperwork is necessary but not sufficient — especially in all-party consent states. Train clinical staff to verbally inform patients before the encounter begins: "We use an AI documentation tool that listens during our visit to help create accurate notes. Is that okay with you?" This verbal confirmation should be documented in the chart.
Step 4: Post Visible Signage
In waiting rooms and exam rooms, post clear signage informing patients that AI-assisted documentation may be in use. This creates an additional layer of notice and reinforces a culture of transparency.
Step 5: Document Consent Refusals
If a patient declines AI scribing, the provider must switch to manual documentation. Build a simple workflow for this: a checkbox in the EHR intake, a verbal cue to the provider, and an alternative documentation method. Patients who decline should receive the same quality of care.
Step 6: Audit and Retrain Regularly
Consent workflows degrade over time. Staff turnover, new providers, and workflow drift all erode compliance. Conduct quarterly audits: Are consent forms being signed? Are verbal disclosures happening? Is signage current? Are refusals documented correctly?
Clinics using AI scribes integrated with athenahealth or Epic can often build consent checkboxes directly into the EHR intake workflow, reducing friction and improving documentation rates.
HIPAA vs. State Recording Laws: Understanding the Two Layers
One of the most common misconceptions among clinic staff is that "HIPAA compliance" covers everything related to AI scribing. It does not. HIPAA and state recording laws operate on parallel but distinct tracks.
What HIPAA Covers
Under the HIPAA Privacy Rule, covered entities and their business associates must protect PHI — including any clinical notes, transcripts, or audio files generated by an AI scribe. This means:
Your AI scribe vendor must sign a Business Associate Agreement (BAA)
Audio recordings and transcripts must be encrypted in transit and at rest
Access must be limited to authorized personnel
Data retention and deletion policies must be documented
What HIPAA Does Not Cover
HIPAA does not address whether the recording itself was lawfully obtained. A recording that violates a state wiretapping statute is illegal regardless of how securely the resulting data is stored. HIPAA also does not preempt stricter state laws — under the HIPAA preemption analysis, state laws that provide greater privacy protections remain in force.
This means clinic managers must satisfy both layers: the recording must be lawfully obtained under state law, and the resulting PHI must be handled in accordance with HIPAA. Choosing a vendor that offers both a signed BAA and built-in consent workflow support is essential. Scribing.io's feature set is designed with this dual obligation in mind.
Telehealth and Cross-State Consent Considerations
Telehealth adds a significant layer of complexity to consent requirements. When a provider in one state treats a patient in another state via video or audio, which state's recording law applies?
There is no single federal answer to this question. Legal precedent and prevailing guidance suggest that the more restrictive state's law generally controls. If a provider in New York (one-party consent) treats a patient in Pennsylvania (all-party consent) via telehealth, Pennsylvania's all-party requirement should be assumed to apply.
The Safe Default for Multi-State Practices
For any practice that provides telehealth across state lines — or has multiple locations in different states — the safest operational policy is to adopt universal all-party consent for all AI-scribed encounters. This eliminates the need for staff to determine which state's law applies to each individual encounter, reduces error, and provides maximum legal protection.
Practical Telehealth Consent Steps
Include AI scribe consent language in your telehealth-specific consent form (which patients should sign before virtual visits begin)
Have the provider verbally confirm consent at the start of the video visit: "Before we begin, I want to let you know that I use an AI documentation assistant that will listen to our conversation to help me create accurate notes. Do I have your permission to proceed?"
Document the verbal consent in the encounter note
If the patient declines, disable the AI scribe and document manually
Practices in specialties with high telehealth volumes — such as psychiatry and family medicine — should pay particular attention to cross-state consent policies, as these specialties frequently serve patients across jurisdictional boundaries.
Editorial note: State laws change. This guide reflects the legal landscape as of early 2026 and is provided for informational purposes only. It does not constitute legal advice. Consult with a healthcare attorney licensed in your jurisdiction for guidance specific to your practice.
Get Started Today
Consent compliance is not optional — but it does not have to be burdensome. With the right workflows, training, and technology, your clinic can adopt AI scribing confidently in any state. Scribing.io is HIPAA-compliant, covered by a BAA, and designed to support your consent documentation needs from the very first encounter. Start with a platform that treats compliance as a feature, not an afterthought.
