Are AI scribes illegal after these wiretap lawsuits?

No court has ruled that ambient AI scribes are illegal. The CIPA suits against Sutter Health, Memorial Healthcare Services, and Sharp HealthCare are early and unresolved. What they establish is real legal exposure when a patient visit is recorded without clear consent. The practical response is to fix consent, vet the vendor, and consider a documentation workflow that does not record the live conversation at all.

Am I personally liable as a physician, or is it the health system?

The suits so far target the health systems that deployed the tools and the vendors that built them, not individual physicians. That does not make you irrelevant. You are in the room when recording starts and your name is on the encounter, so your consent practice and documentation habits matter if your group is named. Getting explicit, documented consent before any recording is the cheapest protection available.

How do I use AI for notes without the wiretap risk?

Skip the always-on microphone. Write or dictate a de-identified draft after the visit and use AI to organize it, rather than recording the live conversation. Strip all HIPAA identifiers before anything reaches the model, use only vendors vetted under a Business Associate Agreement for anything touching PHI, and re-identify inside your compliant system. You stay the author and you never record the patient.

The Leveraged Years · AI Regulation News

AI Scribe Wiretap Lawsuits Hit Physicians: What You Owe Patients Now

A wave of wiretap lawsuits is now testing how AI scribe tools record patient visits. Plaintiffs are suing health systems under California's Invasion of Privacy Act (CIPA) and related wiretap statutes, arguing that an ambient AI scribe captured the conversation in the exam room without the patient's consent. Sutter Health and Memorial Healthcare Services have been named in proposed class actions, following an earlier suit against Sharp HealthCare. If you are a physician, the headline is not "AI is dangerous." It is narrower and more useful: the recording is the legal exposure, and you have more control over that than you think. This briefing covers what the CIPA suits actually allege, why ambient scribes create wiretap and consent risk, a consent and vendor due diligence protocol you can run this week, and a lower-exposure way to document that keeps you the author of the note.

Who this is for: Practicing physicians and advanced-practice clinicians using or evaluating an ambient AI scribe, plus practice owners weighing the consent and vendor risk before they sign or renew a contract.

What the CIPA wiretap lawsuits actually allege

The suits are not about whether AI writes a good note. They are about consent to recording. California's Invasion of Privacy Act is an all-party-consent wiretap law. In an all-party-consent state, every person in a confidential conversation generally has to agree before it is recorded. The plaintiffs argue that an ambient AI scribe listens to and captures the visit, that this is a recording of a confidential medical conversation, and that the patient never gave the consent the statute requires. Several complaints pair the wiretap claim with state medical-privacy claims such as California's Confidentiality of Medical Information Act.

Sutter Health and Memorial Healthcare Services have been named in proposed class actions on this theory, and an earlier action was filed against Sharp HealthCare. The cases are early and unresolved, so no court has decided that ambient scribes are illegal. What has changed is the exposure. There is now a live, copyable legal template that says recording a patient visit with an AI tool, without clear consent, can be framed as illegal wiretapping. Plaintiffs' firms reuse templates. One filing against a large system becomes a pattern others follow, which is exactly how privacy class actions tend to spread.

Most of this litigation targets the health system that deployed the tool and the vendor that built it, not the individual physician. That is genuinely reassuring. It is not a reason to tune out. You are the person in the room when the recording starts, your name is on the encounter, and your patients trust your judgment about what happens during their visit. If your group is named, your documentation habits and your consent practice become part of the story.

Why ambient scribes create wiretap and consent exposure

An ambient AI scribe works by listening to the live visit through an always-on microphone, capturing the audio of the conversation, and sending it to a vendor's servers to be transcribed and summarized into a draft note. Each of those steps is where the legal risk lives.

It records. A wiretap statute cares about capturing a confidential conversation. An ambient scribe does precisely that. A physician dictating or typing a note after the visit is not recording the patient, which is a different posture entirely.
The patient may not understand what is happening. A quick "I use an AI assistant for notes" is not the same as informed consent to record an exam-room conversation. The complaints lean on exactly that gap between a vague mention and real consent.
The audio leaves the room. The conversation is transmitted to and processed on a third party's servers. That raises both the wiretap question and a separate vendor and data-handling question about who holds the recording and under what agreement.
Consent rules vary by state. All-party-consent states require everyone to agree before recording. The line moves depending on where you practice, and a multi-state group cannot assume one script works everywhere.

The throughline is simple. The microphone is the risk. The note is not. A clinician who controls what goes into the model, after the visit, from a de-identified draft, sidesteps the recording question that the lawsuits are built on. That is the contrast worth understanding before you decide how you document.

A consent and vendor due diligence protocol for this week

You do not need to wait for the courts to settle this to lower your exposure. Here is a concrete protocol. None of it requires sending any patient information to an AI tool.

STEP 1 / FIX THE CONSENT MOMENT

If your group uses an ambient scribe, make consent explicit and documented before recording starts. Tell the patient plainly that an AI tool will listen to and help write the note, that they can decline, and record that they agreed. In an all-party-consent state, treat this as mandatory, not a courtesy. A one-line consent script and a charted note that the patient agreed is the cheapest protection available.

STEP 2 / KNOW YOUR STATE'S RECORDING LAW

Confirm whether each state you practice in is all-party or one-party consent for recording confidential conversations, and apply the stricter standard across a multi-state group. This is a question for your compliance or legal team. Get the answer in writing and build the consent script to match.

STEP 3 / RUN VENDOR DUE DILIGENCE

Before you sign or renew, ask the vendor: Is there a signed Business Associate Agreement. Where is the audio stored and for how long. Is audio retained after the note is generated or deleted. Who can access recordings. What consent workflow does the product enforce in the room. Does the contract indemnify your practice if the tool's recording is challenged. Vague answers are an answer.

STEP 4 / DECIDE YOUR DOCUMENTATION POSTURE

Decide deliberately whether ambient recording is worth its exposure for your practice, or whether a typed or dictated, de-identified, AI-assisted draft after the visit gives you most of the time savings with far less recording risk. This is the option the lawsuits do not touch, and it is the workflow our physician course is built around.

De-identify first: never put PHI into a public model

The non-negotiable rule: never paste protected health information into a public, consumer AI model, and never assume an always-on microphone is handling consent or de-identification for you. No names, dates of birth, addresses, medical record numbers, phone numbers, full dates of service, or any other HIPAA identifier should reach a consumer tool.

The lower-exposure workflow inverts the ambient model. Instead of a tool listening to the live conversation, you write or dictate a de-identified draft after the visit and use AI to organize it. The guardrails:

Strip every identifier before you paste. Refer to "the patient" or "Patient A." Replace specific dates with relative timing where it still makes the clinical point.
Keep the clinical signal, drop the identity. The history, exam, and assessment are what the draft needs. The name and the record number are not.
For any tool that will touch PHI, including an ambient scribe, use only a vendor your organization has vetted under a Business Associate Agreement. A consumer chat interface is not that.
Re-identify on your side, inside your compliant system, after the draft comes back. The model never needs to know who the patient is, and it never needs to hear the visit.

Free resource

Free AI Scribe Consent and Vendor Checklist

Get the consent script and the vendor due diligence questions from this briefing, ready to paste. Built for clinicians, privacy-first.

[Kajabi opt-in form embeds here]

What AI does not replace

AI can draft the note. It does not practice medicine, it does not give consent, and it does not carry the responsibility. The boundary is bright and worth stating plainly:

Clinical judgment stays human. What is wrong with the patient and what to do about it is your determination. The model organizes language; it does not decide the medicine.
Consent is yours to obtain. No tool, recording or not, relieves you of explaining what is happening and getting agreement. The wiretap suits exist precisely because that step was treated as optional.
The sign-off is real accountability. When you sign the note, you attest to it. An AI-assisted draft does not dilute that. Read every word first.
The patient relationship is the point. The reason to document faster is to spend more attention on the person in front of you, not to put a microphone between you and them.

Key takeaways

Sutter Health, Memorial Healthcare Services, and earlier Sharp HealthCare suits allege that ambient AI scribes recorded patient visits without consent, in violation of California's CIPA wiretap law and medical-privacy statutes.
The legal exposure is the recording, not the note. A de-identified draft written after the visit avoids the recording question the lawsuits are built on.
Run a consent and vendor protocol now: explicit documented consent before recording, confirm your state's recording law, and demand clear answers from the vendor on storage, retention, BAA, and indemnity.
De-identify before anything reaches a model, and never put PHI into a public AI tool. Re-identify inside your compliant system.
Consent, clinical judgment, and the physician sign-off stay fully human. AI drafts; the clinician decides, consents the patient, and attests.

Go deeper: build the lower-exposure workflow

This briefing is the legal picture and the immediate checklist. The full method, including the de-identified draft workflow that gives you the time savings without the always-on microphone, prompt libraries, and the review protocol that keeps you safe, is the focus of our physician course.

Cut your charting time without the recording risk: the physician notes course →

Not sure where to start? The two-minute course finder quiz points you to the right path for your specialty and workflow. For the consent best-practice details, see our briefing on AI scribe patient consent, the error-catching method in our scribe accuracy review protocol, and the foundations in using AI for clinical notes safely. Track the wider picture in our AI regulation news series.

Stay sharp on clinical AI. The Leverage Club sends practical, privacy-first AI workflows for professionals, including clinicians, straight to your inbox for $49. Join the Club.

Frequently asked questions

Are AI scribes illegal after these wiretap lawsuits?: No court has ruled that ambient AI scribes are illegal. The CIPA suits against Sutter Health, Memorial Healthcare Services, and Sharp HealthCare are early and unresolved. What they establish is real legal exposure when a patient visit is recorded without clear consent. The practical response is to fix consent, vet the vendor, and consider a documentation workflow that does not record the live conversation at all.
Am I personally liable as a physician, or is it the health system?: The suits so far target the health systems that deployed the tools and the vendors that built them, not individual physicians. That does not make you irrelevant. You are in the room when recording starts and your name is on the encounter, so your consent practice and documentation habits matter if your group is named. Getting explicit, documented consent before any recording is the cheapest protection available.
How do I use AI for notes without the wiretap risk?: Skip the always-on microphone. Write or dictate a de-identified draft after the visit and use AI to organize it, rather than recording the live conversation. Strip all HIPAA identifiers before anything reaches the model, use only vendors vetted under a Business Associate Agreement for anything touching PHI, and re-identify inside your compliant system. You stay the author and you never record the patient.