HIPAA Compliance and AI Medical Scribes: What Every Practice Must Know in 2026
As AI medical scribes become standard in clinical practice, understanding HIPAA compliance requirements isn’t optional—it’s essential. The January 2025 updates to the HIPAA Security Rule represent the most significant changes in 20 years, and they directly impact how practices must evaluate and deploy AI documentation tools.
Why AI Scribes Are Different From Traditional Software
AI medical scribes process Protected Health Information (PHI) in ways that create unique compliance considerations:
- Audio recordings of patient-physician conversations
- Real-time transcription of sensitive clinical discussions
- Machine learning models that may be trained on clinical data
- Cloud-based processing of electronic PHI (ePHI)
Because AI scribes handle PHI on behalf of providers, the vendor qualifies as a business associate under HIPAA. This triggers specific legal requirements.
The Business Associate Agreement (BAA) Requirement
Before deploying any AI scribe solution, you must have a signed Business Associate Agreement with the vendor. This isn’t negotiable—it’s federal law.
The BAA should clearly address:
- How the vendor protects ePHI during transmission and storage
- Whether audio recordings or transcripts are retained, and for how long
- Whether any patient data is used to train or improve AI models
- Breach notification procedures and timelines
- Data deletion upon contract termination
Critical warning: Consumer AI tools like ChatGPT are not HIPAA compliant. OpenAI does not sign BAAs, meaning these tools cannot legally be used to process patient information.
State Recording Consent Laws
AI scribes record patient-physician conversations, which triggers state wiretapping and recording consent laws. These vary significantly:
- One-party consent states: Only one person in the conversation needs to consent (the physician’s consent is sufficient)
- Two-party/all-party consent states: Every person being recorded must consent
States requiring all-party consent include California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington. Violations can carry civil and criminal penalties.
Best practice: Inform patients that AI-assisted documentation is being used and obtain consent, regardless of state requirements.
The 2025 HIPAA Security Rule Updates
The January 2025 proposed updates from the HHS Office for Civil Rights introduce significant changes:
- No more “addressable” safeguards: All security requirements become mandatory
- Stricter encryption requirements: Enhanced standards for data at rest and in transit
- Improved resilience requirements: Stronger backup and recovery mandates
- Enhanced risk management: More rigorous security risk analysis requirements
Practices must assess AI scribe tools as part of their HIPAA Security Risk Analysis, evaluating vulnerabilities specific to AI-powered documentation.
Red Flags When Evaluating Vendors
Be cautious of AI scribe vendors that:
- Hesitate or refuse to sign a BAA
- Cannot clearly explain their data handling practices
- Use patient data to train models without explicit authorization
- Lack SOC 2 or ISO 27001 certifications
- Store data outside the United States without disclosure
- Cannot provide documentation of their security practices
Best Practices for Compliant Implementation
- Conduct vendor due diligence: Request security documentation, certifications, and audit reports
- Sign a comprehensive BAA: Don’t accept a generic template—ensure AI-specific provisions are included
- Update your Notice of Privacy Practices: Inform patients about AI-assisted documentation
- Train staff: Ensure everyone understands proper use and limitations
- Document consent processes: Create clear workflows for patient notification
- Include in risk assessments: Add AI tools to your annual HIPAA Security Risk Analysis
The Bottom Line
AI medical scribes offer tremendous benefits for clinical efficiency and physician wellbeing. But those benefits must be balanced against rigorous compliance requirements. Choosing a vendor that takes HIPAA seriously—and can prove it—protects your patients, your practice, and your license.
Medical Scribe is built with HIPAA compliance at its core. Learn about our security practices and how we protect your patients’ data.