.jpg)
In an effort to ease the workload of providers and address provider burnout, health systems and medical groups have turned to ambient AI scribe tools. One study found a 21% adoption rate while industry estimates put the adoption rate at 25-35%. As with any technology, implementing AI scribes is not without risk. Two recent class action lawsuits against Sharp HealthCare, Sutter Health, and MemorialCare highlight exactly what is at stake and provide lessons on how healthcare providers can roll out AI scribe tools in a compliant way.
What are the Lawsuits About?
In simple terms, the plaintiffs allege that healthcare providers affiliated with Sharp HealthCare, Sutter Health, and MemorialCare used an ambient AI scribe during medical visits to capture physician-patient conversations, transmit the audio to outside systems for processing, and generate draft clinical documentation without proper disclosure to patients and without obtaining adequate consent.
According to the complaints, the technology was activated on microphone-enabled devices during patient encounters and allegedly captured the substance of live conversations in real time. The complaints allege that the audio and resulting transcripts contained highly sensitive health information, including symptoms, diagnoses, medications, treatment discussions, and other personally identifiable medical information. Patients claim this happened without any consent or without valid patient consent and without clear and conspicuous notice, in violation of various privacy laws including the California Invasion of Privacy Act, the California Confidentiality of Medical Information Act and the Federal Wiretap Act.
Who brought the case?
The named plaintiffs are patients who attended appointments where the AI scribe was used. According to the complaints, the plaintiffs received care from providers affiliated with the defendants and discussed sensitive medical information during those visits. The lawsuits seek to proceed on behalf of a proposed class of patients whose physician-patient communications were allegedly recorded or processed using ambient AI scribes without prior informed consent. In the current cases, claims are framed around patient rights and privacy, not doctors’ rights, although it’s possible doctors may also have causes of action if ambient AI tools are not implemented in a compliant manner.
What exactly do the plaintiffs say went wrong?
The complaints are interesting both for what they say and what they do not say. In both suits, the complaints allege, among other things, that patients: 1) were not given clear notice that their conversations would be recorded by an AI platform; 2) did not provide meaningful informed consent before recording began; 3) were not provided adequate disclosure that audio would be transmitted outside the clinical setting; 4) were not given sufficient information about whether third parties could process, review, retain, or use the recordings and transcripts; and 5) did not provide valid written authorization for disclosures of medical information as required under California law. The complaints also allege that the hospitals did not implement a uniform, system-wide process to ensure that consent was obtained before clinicians activated the technology. The complaints also alleged that the tools lacked reliable visual or auditory indicators showing that recording was occurring, nor did they provide a prompt deletion process when a patient opted out. However, in contrast to the case against Sharp HealthCare, where the plaintiffs claim they were unaware that the ambient scribed was being used, the complaint against Sutter Health and MemorialCare does not say that the patients never received notice that their conversations would be recorded by an AI platform or that there was no informed consent process. In other words, the main issue is not just whether some notice existed, but whether the notice and consent process and work-flow were specific, timely, and legally sufficient.
Why are Consent and Privacy the Central Issues?
Consent and privacy are the primary issues because existing medical records and patient and consumer privacy laws are centered around the idea that patients have a right to keep their medical information private and that their records can only be shared when patients knowingly consent.
For healthcare providers, the legal risk often starts with a deceptively simple question: Did the patient meaningfully agree before the recording and downstream processing happened?
Informed consent is a familiar concept for all healthcare providers. When discussing treatment plans, medications,proposed surgeries and other medical interventions, providers know they must discuss risks and benefits and provide patients with enough information so that they can grant an educated and meaningful consent.
That can be relatively easy when it comes to a medication or treatment plan that a provider is familiar with. It’s more difficult when a provider is using new technology such as an ambient AI scribe. The difficulty is often compounded by the fact that many providers, especially those in larger institutions, may not know exactly how the AI scribe works,where the records are sent and stored, who can access them, and all the use cases of the recording.
These questions matter because exam-room conversations are among the most sensitive communications in any regulated setting. Patients reasonably expect privacy when discussing symptoms, diagnoses, medications, mental health, sexual health, family history, and treatment options. If a tool records that discussion, transmits it to a vendor environment, stores it, or uses it for troubleshooting, quality assurance, or model-related functions, the provider may face scrutiny not only under HIPAA-style frameworks, but also under state recording laws, state medical confidentiality statutes, and common-law privacy doctrines.
Is this a judgment against ambient AI scribesgenerally?
No. All we have right now are complaints with allegations. We do not know how Sharp HealthCare, Sutter Health or MemorialCare will respond. We also do not know what a judge or jury will think of the allegations. The core issue is not simply that an ambient AI scribe was used, but how it was allegedly implemented, what patients were allegedly told, what consent was allegedly obtained, and where the data allegedly went.
It is possible to use ambient AI scribes in a compliant way. But these lawsuits are a reminder to healthcare providers that they need to balance speedy adopting with legal and regulatory responsibilities and risks when they purchase and implement new technologies, especially AI tools such as ambient scribes.
Ambient documentation technology can offer real operational benefits. The complaints acknowledge the basic business rationale behind these tools: reducing clinicians’ documentation burden, improving note efficiency, and supporting workflow. But in healthcare, efficiency must be balanced with legal risks, especially with respect to privacy and security issues. If anything, efficiency tools that touch exam-room audio demand more front-end governance, not less.
What are the real compliance pressure points for providers?
Is a general privacy notice enough?
A broad notice of privacy practices or a generic intake disclosure is likely not enough, especially if the actual workflow involves recording a live, confidential conversation and sending the audio to a third-party platform for processing. Similarly, a broad notice in Terms of Service or in a privacy policy posted on a website is likely insufficient. Providers should evaluate whether the patient has received specific, timely, understandable notice that informed them how the AI tool would be used,who would have access to the information or recordings and where the records would be sent and stored. This needs to happen before the tool is activated.
Is the consent actually meaningful?
A consent process is only as strong as its operational reality. If clinicians can activate recording without following a script, without documenting the patient’s response, or without any visual or audible cue that recording has begun, plaintiffs will argue the process was not meaningful.
From a litigation perspective, “we usually tell patients” is far weaker than:
- a standardized script,
- a documented patient choice (signed if required by applicable state law or medical privacy law),
- an EHR field showing acceptance or refusal,
- a workflow that technically prevents recording until consent is captured; and
- a policy that ensures all of the above happens.
Educate Staff, Especially Those Obtaining Consent, on the Data Flow
In many organizations, the IT, compliance, and business teams may understand how the AI tool works and the underlying lifecycle of the data, but providers using the tool do not. That’s a mistake.
Providers should know:
- whether audio is stored or only transiently processed;
- where the data is transmitted;
- whether transcripts are retained;
- who can access them;
- whether vendor personnel can review them;
- whether data is used for quality assurance or troubleshooting;
- whether any de-identified or derivative use is permitted; and
- what deletion rights or controls actually exist.
If the compliance team cannot easily diagram the workflow, that is a red flag. The informed consent process must explain how the data is used, shared, disclosed, retained, and deleted, and providers must be able to answer questions. Providers cannot obtain adequate informed consent if they do not understand the lifecycle of the data.
Does the documentation match what is happening in practice?
A policy may say consent is required, but if the actual workflow leaves consent to provider habit or allows every provider to develop their own script, the policy may not help much in litigation. Ambient AI deployments need alignment across policy, training, technical controls, patient-facing materials, and chart documentation.
What should healthcare providers do now?
The good news is that the lessons here are practical. Providers don’t need to wait for a final ruling to improve their posture.
Practical Compliance Takeaways
1. Map the workflow before scaling the tool
Before enterprise rollout, document exactly how the ambient scribe works in your environment.
At a minimum, map:
- when recording begins and ends;
- whether the entire encounter is captured;
- where audio and transcripts travel;
- where data is stored;
- who can access it;
- how long it is retained; and
- whether it is used for any purpose beyond immediate documentation.
2. Rebuild consent around the actual technology
Consent should match the reality of the workflow, not a simplified description of it.
A stronger process usually includes: 1) plain-language explanation before recording starts; 2) disclosure that the conversation may be recorded and transcribed; 3) disclosure that information may be transmitted to and processed by a third-party technology vendor (as well as who that vendor is and what the purpose of the transmission is); 4)a meaningful chance to decline without confusion or pressure; and 5) clear documentation of the patient’s choice.
Be very careful with note templates or automatically including language that patients have consented. The lawsuits allege that the AI scribes automatically documented that patients consented despite the fact that patients were not given clear notice or adequate opportunity to provide informed consent. Automated documentation and template language needs to be backed by policy and by audits that confirm the policy was followed.
3. Review State-specific recording and medical privacy requirements
It is important to review state-specific laws to identify any unique recording and medical privacy requirements. If you operate in California, do not assume a HIPAA analysis is enough. The lawsuits underscore that California claims may focus on all-party consent to confidential recording, medical information disclosure rules, and privacy expectations unique to the care setting. Multi-state providers should also avoid using a one-size-fits-all template. Recording and consent rules vary by state.
4. Pressure-test vendor contracting and diligence
Providers should understand what the vendor can do with the data and what the contract permits and should ensure that thenotice and informed consent process actually reflects the contract terms and the data flow. Among other things, providers should review, permitted uses of audio and transcripts, subcontractor use and access, retention periods, support and troubleshooting access, and alignment between contract language and public-facing vendor materials.
5. Put technical controls behind the policy
A policy that depends entirely on memory and perfect staff behavior is fragile.
Consider controls such as:
- recording-disabled default settings unless consent is captured;
- visible prompts requiring confirmation that notice was given;
- EHR fields documenting patient acceptance or refusal, but beware of pre-checked boxes or language that confirms consent is always obtained;
- encounter flags for patients who decline;
- and auditable logs showing when the tool was activated.
6. Update training for clinicians and staff
Clinicians often see ambient AI primarily as a documentation aid and may not think about the privacy implications. Alternatively, they may assume consent is obtained through some other process or might not know how to provide proper informed consent . Training should explain what the tool captures and what the capture will be used for, what the patient must be told, when the tool cannot be used, how to respond if a patient declines, and how to document the interaction.
7. Prepare an alternative workflow
Patients who decline should still be able to receive care without friction. That means providers should have a practical non-AI documentation fallback. A consent process looks less voluntary if declining creates confusion, delay, or a lower-quality experience.
8. Audit patient-facing disclosures
Review the full patient experience, not just the consent form. That includes things like appointment reminders, intake materials, signage, electronic notices on websites and in emails and verbal scripts. If your materials are inconsistent, unclear, or overly technical,plaintiffs will argue that there was no clear and conspicuous notice or that the provider failed to obtain adequate informed consent.
What about other AI Tools?
The lessons from the AI scribe cases are not limited to ambient scribes. While audio recordings pose a unique risk because of laws related to recording conversations, if providers are employing other AI tools that access private health information and share it with third parties, it maybe necessary to disclose that and obtain consent from patients. Existing informed consent processes should be evaluated periodically to ensure they still accurately describe how technology is used. For example, switching vendors may change where data is stored and how it is shared which may require updating disclosures to patients.
These cases also serve as a good reminder on proper informed consent processes. The emphasis is on “informed.” Patients need to be educated on how AI technology is being used, why it is being used and what happens with their private information. Including short AI disclaimerson a website, Terms of Service or intake documents may not be enough to prevent patients from suing. Proper disclosure and informed consent are important elements of risk management, particularly when recording conversations between patients and providers.
Are There Lessons Here For Developers?
Developers of ambient AI tools can also support compliance by building privacy safeguards directly into the product. This may include clear visual or auditory indicators when recording is active, workflow controls that prevent recording until consent is documented, and a fast, verifiable deletion process when a patient declines or later withdraws consent. These features can help healthcare providers operationalize their legal obligations rather than relying solely on manual policies or clinician memory.
So what is the bottom line?
The ambient scribe lawsuits are an early but important warning sign for healthcare providers adopting AI documentation tools. The central lesson is not that innovation must stop or that hospitals and medical groups should not bother trying to lighten provider loads. The lesson is that ambient AI in the exam room is a privacy, consent, and governance decision as well as a technology and workflow decision.
The pending complaints allege that use of ambientAI scribe technology crossed legal lines because confidential doctor-patient conversations were allegedly recorded, transcribed, transmitted, and processed without meaningful informed consent. Those allegations remain unproven. But the broader compliance message is already clear: providers using ambient AI scribes should treat these tools as part of a regulated communication pathway, not just a convenient charting assistant.
Healthcare organizations that move now to tighten consent, clarify disclosures, understand data flows, and align contracting, training, and technical controls will be in a much better position than organizations that assume their existing privacy paperwork is enough.
Need help evaluating your ambient AI scribe workflow?
Elevare Law helps digital health companies and (now more often!) healthcare providers build the regulatory and contractual infrastructure that makes tech-enabled healthcare work. Whether it’s an AI scribe or another AI tool, new technology raises new legal and regulatory risks. We've navigated them before - feel free to reach out.