Common questions from medical practice managers about HIPAA compliance, BAAs, and AI scribe oversight.
Do I need a Business Associate Agreement (BAA) with my AI scribe vendor?
Yes. Under HIPAA (45 CFR § 164.502(e) and § 164.504(e)), you cannot disclose Protected Health Information (PHI) to a business associate, meaning any vendor that creates, receives, maintains, or transmits PHI on your behalf, without a signed BAA. An AI scribe that records and transcribes encounters is a business associate by definition, so using a tool like Abridge, Nuance DAX, or Nabla without a BAA is a Privacy Rule violation on day one, whether or not a breach ever occurs. At a minimum the BAA must cover what 45 CFR § 164.504(e)(2) requires: permitted uses and disclosures of PHI, safeguards, reporting of breaches and security incidents, flow-down of the same terms to subcontractors, and return or destruction of PHI when the contract ends. Most practices also negotiate liability and indemnification terms, but those are contractual, not regulatory.
What happens if my AI scribe vendor refuses to sign a BAA?
Do not use that vendor. If a vendor refuses to sign a BAA or says "we're HIPAA-compliant, trust us," treat that as disqualifying: there is no HHS certification for HIPAA compliance, so the claim carries no legal weight, and you cannot lawfully use the service for clinical documentation without the agreement. Switch to a vendor that will sign a proper BAA. OCR has reached settlements well above $50,000 with practices that disclosed PHI to vendors without a BAA in place.
How often do I need to audit AI-generated notes?
Quarterly spot-check audits are the recommended cadence. HIPAA itself sets no numeric sampling quota; the Security Rule requires audit controls (45 CFR § 164.312(b)) and periodic evaluation (§ 164.308(a)(8)), and OCR expects you to be able to show that the evaluation actually happened and what came of it. A defensible baseline is 20-50 AI-generated notes per provider per quarter, drawn at random rather than hand-picked. Each sampled note should be checked for clinical accuracy, PHI minimization, a timely physician attestation, billing code appropriateness, and compliance with your written AI usage policy. Document the sample, the findings, and every corrective action.
Can physicians just sign AI-generated notes without reviewing them?
No. An AI note that is signed without review is auto-populated documentation, and it creates three separate problems: inaccurate PHI in the legal record (an OCR concern), cloned or unsupported documentation behind a claim (a payer and OIG concern), and malpractice exposure if a hallucinated finding drives care. A licensed physician must read, edit where needed, and attest to every AI-generated note before it is finalized in the patient record. The review should verify clinical accuracy, look for AI hallucinations (medications, findings, or history the patient never mentioned), strip unnecessary PHI, and confirm that the billing codes match the documented encounter. HIPAA does not set a deadline, but a common internal standard is attestation within 24 hours of the encounter, and your policy should state whatever window you choose.
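The two preceding answers, the quarterly sample of 20-50 notes per provider and the timely physician attestation check, are the kind of controls that are easy to assert and hard to prove at audit time. The following script is an added example (it is not code from the page or from any scribe vendor) that draws a reproducible random sample per provider per quarter, seeded from the provider and quarter so an auditor can regenerate exactly the same draw, and then flags notes with no attestation, attestation by someone who is not a physician, or attestation more than 24 hours after the encounter. The note metadata, field names, and physician roster are all constructed for illustration; a practice would export these from its EHR or the vendor's audit log.

```python
import hashlib
import random
from datetime import datetime, timedelta

# Constructed note metadata for illustration (no real patients). Field names
# (note_id, provider, encounter, attested_at, attested_by) are assumptions.
NOTES = [
    {"note_id": "N1", "provider": "dr_a", "encounter": "2026-01-05T09:00", "attested_at": "2026-01-05T17:30", "attested_by": "dr_a"},
    {"note_id": "N2", "provider": "dr_a", "encounter": "2026-01-06T10:00", "attested_at": None, "attested_by": None},
    {"note_id": "N3", "provider": "dr_a", "encounter": "2026-01-07T11:00", "attested_at": "2026-01-09T08:00", "attested_by": "dr_a"},
    {"note_id": "N4", "provider": "dr_b", "encounter": "2026-02-01T08:30", "attested_at": "2026-02-01T12:00", "attested_by": "ma_jones"},
]
# Sixty compliant notes for a busy provider, to show the 50-note cap at work.
for i in range(60):
    enc = datetime(2026, 3, 2, 8) + timedelta(hours=2 * i)
    NOTES.append({"note_id": f"C{i:02d}", "provider": "dr_c",
                  "encounter": enc.isoformat(timespec="minutes"),
                  "attested_at": (enc + timedelta(hours=6)).isoformat(timespec="minutes"),
                  "attested_by": "dr_c"})

# Constructed roster of licensed physicians who may attest; an MA signature does not count.
PHYSICIANS = frozenset({"dr_a", "dr_b", "dr_c"})


def parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def quarter_of(ts):
    return f"{ts.year}Q{(ts.month - 1) // 3 + 1}"


def attestation_findings(notes, max_hours=24):
    """Return (note_id, problem) for every note lacking a timely physician attestation."""
    findings = []
    for n in notes:
        enc, att = parse(n["encounter"]), parse(n["attested_at"])
        if att is None:
            findings.append((n["note_id"], "no physician attestation"))
        elif n["attested_by"] not in PHYSICIANS:
            findings.append((n["note_id"], f"attested by non-physician {n['attested_by']}"))
        elif att < enc:
            findings.append((n["note_id"], "attestation timestamp precedes encounter"))
        elif att - enc > timedelta(hours=max_hours):
            hours = (att - enc) / timedelta(hours=1)
            findings.append((n["note_id"], f"attested {hours:.0f}h after encounter"))
    return findings


def sample_for_audit(notes, provider, quarter, max_n=50):
    """Reproducible random sample: the seed is derived from provider and quarter,
    so the same draw can be regenerated for an auditor instead of hand-picked."""
    pool = sorted(
        (n for n in notes if n["provider"] == provider
         and quarter_of(parse(n["encounter"])) == quarter),
        key=lambda n: n["note_id"],
    )
    seed = int.from_bytes(hashlib.sha256(f"{provider}:{quarter}".encode()).digest(), "big")
    chosen = random.Random(seed).sample(pool, min(max_n, len(pool)))
    return chosen, len(pool)


def run_quarterly_audit(notes, provider, quarter, min_n=20, max_n=50):
    """Build the audit record a practice would file: what was sampled and what failed."""
    sample, population = sample_for_audit(notes, provider, quarter, max_n)
    return {
        "provider": provider,
        "quarter": quarter,
        "population": population,
        "sample_size": len(sample),
        "under_minimum": population < min_n,   # fewer notes than the target: every note is audited
        "sample": sorted(n["note_id"] for n in sample),
        "findings": attestation_findings(sample),
    }


if __name__ == "__main__":
    import json
    for prov in ("dr_a", "dr_b", "dr_c"):
        print(json.dumps(run_quarterly_audit(NOTES, prov, "2026Q1"), indent=2))
```

The returned dictionary is the artifact to keep for six years: it records the population size, the exact note IDs reviewed, and the findings, and because the seed is deterministic a later reviewer can confirm the sample was not cherry-picked. Clinical accuracy and billing checks still need a human reader; this only automates the parts that can be checked from timestamps.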
What is "PHI minimization" and why does it matter?
PHI minimization means keeping only the patient information the note actually needs. AI scribes transcribe everything said in the room, so they routinely over-document: full home addresses, Social Security Numbers, employer names, family members' details, and non-clinical conversation. Review and remove that material before the note is finalized so that only clinically relevant information remains. Strictly speaking, HIPAA's minimum necessary standard (45 CFR § 164.502(b)) does not govern a provider's own treatment documentation, but every identifier the note carries is one more element exposed if the record, the transcript, or the vendor's stored audio is breached, and it is the standard OCR applies to most other uses and disclosures of that note later.
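A practical first pass at the review described above is a scanner that flags the identifier patterns scribes most often over-document (SSN, phone number, street address, employer) so the reviewer sees them before signing. The code below is an added example, not a feature of any scribe product; the patterns are heuristics for common US formats and the sample note is constructed for a fictional patient. It is a reviewer aid, not a replacement for the clinician reading the note.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for identifiers an AI scribe commonly over-documents and
# that are rarely needed in the clinical note. Common US formats only.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "street_address": re.compile(
        r"\b\d{1,6}\s+(?:[A-Z][a-z]+\s){1,3}"
        r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Boulevard|Dr|Drive|Ln|Lane|Ct|Court)\.?\b"
    ),
    "employment": re.compile(
        r"\b(?:works at|employed by|employed at)\s+[A-Z][\w&'.-]*(?:\s+[A-Z][\w&'.-]*){0,3}"
    ),
}


@dataclass
class Finding:
    category: str
    text: str
    start: int
    end: int


def find_excess_phi(note: str) -> list[Finding]:
    """Locate identifiers that should usually be stripped before the note is finalized."""
    findings = [
        Finding(cat, m.group(0), m.start(), m.end())
        for cat, pat in PATTERNS.items()
        for m in pat.finditer(note)
    ]
    findings.sort(key=lambda f: f.start)
    return findings


def redact_excess_phi(note: str) -> tuple[str, list[Finding]]:
    """Return the note with each finding replaced by a labelled placeholder,
    plus the findings so the reviewer can see exactly what was removed."""
    findings = find_excess_phi(note)
    out = note
    for f in reversed(findings):   # edit from the end so earlier offsets stay valid
        out = out[: f.start] + f"[{f.category.upper()} REMOVED]" + out[f.end :]
    return out, findings


# Constructed sample note (fictional patient) in the style of scribe output.
SAMPLE_NOTE = (
    "Patient is a 54-year-old male presenting with 3 days of productive cough. "
    "He lives at 1422 Maple Street and works at Acme Logistics as a dispatcher. "
    "Callback number 555-867-5309. SSN 123-45-6789 confirmed at check-in. "
    "Lungs: crackles at right base. Plan: chest x-ray, azithromycin."
)

if __name__ == "__main__":
    cleaned, found = redact_excess_phi(SAMPLE_NOTE)
    for f in found:
        print(f"{f.category:15} {f.text!r}")
    print(cleaned)
```

Run against the sample, the scanner flags the address, employer, callback number, and SSN while leaving the history, exam, and plan untouched. Regexes will miss identifiers phrased in prose ("he lives over on Maple") and will occasionally hit clinical text, which is why the findings are surfaced to the reviewer rather than silently deleted.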
Do I need patient consent to use AI scribes?
Yes, in most cases. HIPAA itself does not require patient authorization to use a scribe as part of treatment, but the recording is governed by state wiretap and eavesdropping law, and in all-party consent states (California, Florida, Illinois, and others) every person in the room must agree to being recorded. Patients should be told that an AI tool is capturing the visit and given the chance to decline. Post signage in exam rooms stating "This visit may be recorded by AI software for documentation purposes," describe the use of AI scribes in your Notice of Privacy Practices, and have the clinician confirm verbally at the start of the encounter. Some practices also obtain written consent during intake, which is the safest record to have if a patient later objects.
What should I do if there's a data breach involving my AI scribe?
Act immediately. Notify your compliance officer, preserve all evidence (do not delete logs, recordings, or vendor access records), and document what happened, when it was discovered, and whose PHI was affected. If the breach originated at the vendor, the BAA should require them to report it to you promptly; HIPAA's outer limit for a business associate is 60 days from discovery, so write a much shorter contractual deadline (24 hours is common) into the agreement. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. If 500 or more individuals are affected, you must also notify OCR within that same 60-day window and, when the affected people are in one state or jurisdiction, prominent media outlets there. Breaches affecting fewer than 500 individuals are logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered. The discovery clock starts when the breach is known, or should reasonably have been known, to you or your business associate, not when the investigation is complete.
Can I use consumer AI tools like ChatGPT for clinical notes?
No. The consumer versions of general-purpose assistants (ChatGPT, Google Bard, etc.) are not covered by a BAA, may retain your prompts, and may use them for model training, so pasting visit details into one is a disclosure of PHI to a vendor with no agreement in place, with the same exposure as any other BAA-less disclosure. Some of these vendors will sign a BAA for enterprise or API tiers, but a BAA only makes the disclosure permissible; it does not turn a chatbot into a clinical documentation system with audit logs, attestation workflow, or EHR integration. Use only AI scribe tools built for healthcare that sign a proper BAA. Examples include Abridge, Nuance DAX, Nabla, DeepScribe, and Suki.
What documentation do I need for an OCR audit?
You need to demonstrate six core requirements: (1) signed BAAs with all AI vendors, (2) written AI usage policies and procedures, (3) documentation of physician review and attestation for each note, (4) quarterly audit results (the 20-50 notes per provider sample, the findings, and the corrective actions), (5) staff training records showing HIPAA and AI oversight education, and (6) a risk analysis (45 CFR § 164.308(a)(1)(ii)(A)) that covers your AI tools. HIPAA requires you to retain policies, procedures, and compliance documentation for at least six years from creation or last effective date (45 CFR § 164.316(b)(2) and § 164.530(j)); the medical records themselves are subject to separate state retention law.
How much will OCR fines cost if I'm not compliant?
Civil penalties are tiered by culpability: an unknowing violation starts at roughly $100 per violation, and willful neglect that is not corrected reaches $50,000 per violation, with an annual cap of $1.5 million per identical provision (HHS adjusts the figures for inflation each year, so current amounts are higher). Criminal penalties under 42 U.S.C. § 1320d-6 apply to knowingly obtaining or disclosing PHI, ranging from a $50,000 fine and up to one year in prison to $250,000 and up to ten years when PHI is sold or used for personal gain. Non-compliance can additionally lead to Medicare exclusion, malpractice liability from unreviewed notes, and reputational damage. The cost of compliance (policies, training, audits) is far less than the potential penalties.
When do OCR audits of AI scribe usage begin?
OCR audits targeting AI scribe users begin April 2026. OCR issued formal guidance in January 2025 requiring documented compliance. Practices have until Q2 2026 to implement compliant processes. This gives you approximately 90 days (as of January 2026) to get your documentation, policies, and audit procedures in place.
Do small practices need to comply with OCR requirements?
Yes, there are no exemptions for practice size. All covered entities using AI medical scribes must comply with OCR's six core requirements, regardless of whether you're a solo practice or large health system. Small practices may have fewer providers to audit, but the requirements are the same: BAAs, policies, attestation, audits, training, and risk assessments.