ARTICLE
11 June 2025

HIPAA Compliance Risks With AI Scribes In Health Care: What Digital Health Leaders Need To Know

FL
Foley & Lardner

Contributor

Foley & Lardner logo
Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.
Explore Firm Details
AI scribes are quickly becoming the digital sidekick of modern health care. They promise to reduce clinician burnout, streamline documentation, and improve the patient experience.
United States Food, Drugs, Healthcare, Life Sciences
Aaron T. Maguregui and Jennifer J. Hennessy
Your Author LinkedIn Connections

AI scribes are quickly becoming the digital sidekick of modern health care. They promise to reduce clinician burnout, streamline documentation, and improve the patient experience. But as health care providers and digital health companies race to implement AI scribe solutions, one major concern keeps surfacing: What are the HIPAA risks?

The HIPAA risk is highly dependent on how the AI solution is trained, deployed, integrated, and governed. If your company is exploring or already using an AI scribe solution, pressure test the risk with this blog as your roadmap.

What is an AI Scribe?

AI scribes use machine learning models to listen to (or process recordings of) patient-provider encounters and generate structured clinical notes. These tools are marketed to seamlessly integrate into the electronic health record (EHR), reduce the need for manual charting, and allow physicians to focus more on the patient during visits.

Behind the scenes, AI scribes handle a high volume of protected health information (PHI) in real time, across multiple modalities (e.g., audio, transcripts, structured EHR data, etc.). As a result, AI scribes will be regulated by HIPAA.

HIPAA Pitfalls in the AI Scribe Lifecycle

Below are the most common HIPAA pitfalls we have encountered while advising digital health clients, health systems, and AI vendors rolling out scribe technologies.

1. Training AI on PHI Without Proper Authorization

Many AI scribes are "fine-tuned" or retrained using real-world data, including prior encounters or clinician-edited notes. That data typically contains PHI. Under HIPAA, using PHI for purposes beyond a covered entity health care provider's treatment, payment, or health care operations generally requires patient authorization. As a result, use cases like model training or product improvement require a strong case that the activity qualifies as the covered entity health care provider's health care operations — otherwise it will require patient authorization.

Risk: If an AI vendor is training its model on customer data without patient authorization or on behalf of the customer on a defensible treatment, payment, or health care operations basis, that use would need to be assessed as a potential HIPAA violation. Also consider any other consents that may be required to deploy this technology, such as consents for patients or providers to be recorded under state recording laws.

2. Improper Business Associate Agreements (BAAs)

An AI scribe vendor that accesses, stores, or otherwise processes PHI on behalf of a covered entity or another business associate is almost always a business associate under HIPAA. Yet we have seen vendor contracts that either (a) lack a compliant BAA, (b) contain overbroad indemnity disclaimers essentially eliminating liability for the vendor, or (c) fail to define permitted uses and disclosures or include uses and disclosures not permitted by HIPAA (such as allowing the vendor to train AI models on PHI without proper authorization or otherwise meeting a HIPAA exception).

Tip: Scrutinize every AI vendor agreement. Ensure the BAA or underlying services contract clearly defines: the data being accessed, stored, or otherwise processed, how the data may be used, including what data may be used for training, and whether data is de-identified or retained after service delivery.

3. Lacking Security Safeguards

AI scribe platforms are high-value targets for attackers. The platforms may capture real-time audio, store draft clinical notes, or integrate via APIs into the EHR. If those platforms are not properly secured, and a data breach occurs as a result, the risks include regulatory fines and penalties, class action lawsuits, and reputational damage.

HIPAA Requirement: Covered entities and business associates must implement "reasonable and appropriate" technical, administrative, and physical safeguards to protect PHI. HIPAA regulated entities must also update their risk analyses to include the use of AI scribes.

4. Model Hallucinations and Misdirected Outputs

AI scribes, especially those built on generative models, can "hallucinate" or fabricate clinical information. Worse, they can misattribute information to the wrong patient if transcription errors or patient mismatches occur. That is not just a workflow issue. If PHI is inserted into the wrong chart or disclosed to the wrong individual, that could be a breach under HIPAA and state data breach laws (and even potentially detrimental to the patient if future care is impacted by an erroneous entry).

Risk Management: Implement human-in-the-loop review for all AI-scribed notes. Make sure providers are trained to confirm the accuracy of notes before entry into the patient's record.

5. De-Identification Fallacies

Some vendors claim their AI solution is "HIPAA-compliant" because the data is de-identified. However, vendors often fail to strictly follow either of the two permissible methods of de-identification under HIPAA at 45 C.F.R. § 164.514: the Expert Determination or the Safe Harbor method. If the data is not fully de-identified under one of those methods, the data is not de-identified under HIPAA.

Compliance Check: If a vendor claims their system is outside of HIPAA's reach because only de-identified data is used, press for: the method of de-identification used, evidence of re-identification risk analysis, and credentials of the de-identification expert used (if applicable). Also, note that if the vendor is given PHI to de-identify, there must be a BAA in place with the provider and vendor for that de-identification.

Practical Next Steps for Health Systems and Digital Health Companies

For companies evaluating or already implementing an AI scribe, here are tips to mitigate risk without stifling innovation:

  1. Vet vendors thoroughly
  2. Build governance into your EHR workflows
  3. Limit secondary use/training without authorization
  4. Update your risk analysis
  5. Train your providers

The Bottom Line

AI scribes are transforming clinical documentation. However, with great automation comes great accountability, especially under HIPAA. Vendors, digital health companies, and health systems must treat AI scribes not just as software, but as data stewards embedded into patient care. By building strong contractual safeguards, limiting use of PHI to what is permitted under HIPAA, and continuously assessing downstream risks, digital health leaders can embrace innovation without inviting unwarranted risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Aaron T. Maguregui
Aaron T. Maguregui
Photo of Jennifer J. Hennessy
Jennifer J. Hennessy
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More