AI Scribe and when a patient authorization is required

There has been some confusion about when a patient authorization is required when using an AI scribe or recording a patient encounter.

HIPAA permits providers to use and disclose PHI for treatment, payment, and healthcare operations (TPO). If the provider records the encounter solely to create clinical documentation, then a separate patient authorization is not required.

Keep in mind, you must have a signed business associate agreement (BAA). The recording must be secure, with encryption and proper safeguards in place. Also, this must be disclosed to the patient.

HOWEVER, it is recommended to obtain a patient authorization since many states, including Florida, require an authorization from BOTH parties to record audio conversations.

AI Scribe Used for Treatment Documentation

If the provider records the encounter solely to create clinical documentation for treatment, payment, or healthcare operations purposes, HIPAA generally does not require a separate patient authorization.

Medical Provider Requirements

The AI vendor must sign a Business Associate Agreement (BAA). The recording must be secured using encryption and proper technical safeguards.

When Authorization May Be Required

A separate written authorization may be required if the recording is used for marketing, shared outside of treatment purposes, or used for training outside HIPAA-regulated entities.

Some state laws require two-party consent for audio recording (such as Florida).

State wiretapping laws may require patient consent even if HIPAA does not.

AI scribing tools typically record audio of patient encounters, transcribe and process PHI, and sometimes store or analyze recordings. That triggers BOTH laws at the same time.

Additional Risk Considerations

Even if HIPAA does not require authorization, patients should be clearly informed that the visit is being recorded. Transparency reduces complaints and scrutiny. Even some malpractice carriers recommend a written acknowledgment.

Practical Best Practice

Providers should be updating their intake paperwork to include this disclosure and adding signage in the exam rooms.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you step by step.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that educating her clients to understand why and what needs to be done to protect their practice leads to a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
