Mid-Atlantic Health Law TOPICS

The explosive growth of artificial intelligence (AI) offers many opportunities to increase efficiency in health care delivery, allowing providers to focus more of their time on delivering quality care, but providers must thoughtfully navigate long standing privacy laws when deploying new technology.

An increasingly common application of AI in the health care space is ambient scribe technology which refers to software programs that record audio of patient interactions in exam rooms and then, using AI, transcribes the conversation and, in many cases, provides a summary of the transcript to provide a draft of the provider’s clinical note. The provider then reviews the summary before the note is added to the patient’s electronic health record.

In 2024, over 60 different companies were marketing AI scribe products as developers raced to capture market share in this emerging space. Proponents hope that these tools will reduce workload for clinicians, increase the accuracy and detail of clinical notes by capturing more complete information, and improve patient experience.

However, as these tools have access to patient’s health care data, providers must consider whether any product they choose to use complies with both traditional health care privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) as well as state specific laws regarding recording conversations, such as the Maryland Wiretapping and Electronic Surveillance Act.

HIPAA

HIPAA requires providers to implement a variety of safeguards to ensure the confidentiality of patient information, known as protected health information (PHI). Providers are required to ensure that companies they work with that have access to PHI entrusted to the provider also comply with HIPAA and implement the same types of safeguards.

In HIPAA, providers are known as Covered Entities and the vendors that offer services using PHI are Business Associates. Common examples of Business Associates are billing companies, legal or accounting firms, IT service providers, and, most likely, the companies that develop AI scribe software.

A Covered Entity and a Business Associate must sign a Business Associate Agreement (BAA) before sharing PHI. This contract outlines how PHI will be used, disclosed, and protected. Business Associates are directly liable for HIPAA violations if they occur, meaning that the vendor may be subject to penalties and enforcement actions from the government in addition to contractual liabilities to the Covered Entity.

Some AI scribe services were built specifically to meet the needs of health care providers and have taken steps to ensure their platforms and services comply with HIPAA and will enter into a BAA. Other AI scribe tools were built for general use and do not have the level of data protection in place to support medical practices.

In addition to the vendor’s willingness to enter a BAA, providers should look for vendors that are willing to answer questions about their security features. Providers should inquire how audio recordings are stored and processed, how and for how long recordings can be accessed, and other security protocols in alignment with the practice’s HIPAA policies.

Maryland Wiretapping and Electronic Surveillance Act

Unlike many states, Maryland requires all parties participating in a private conversation to consent to a recording. The Maryland Wiretapping and Electronic Surveillance Act, prohibits “willfully intercepting” any “wire, oral, or electronic communication” where the parties have a reasonable expectation of privacy unless all parties participating in the communication have given consent. This law applies to any setting in Maryland, not just at health care practices, though the application here is clear.

Providers need to get consent before recording any patient and provider interaction, including recording via ambient scribe, as a medical appointment is an example of a conversation where participants expect privacy. Further, this privacy right extends to anyone who is being recorded, including other individuals whom patients may bring to an appointment, such as relatives or caregivers.Providers should affirmatively obtain and document consent to recording. Merely posting a sign in an exam room that conversations are being recorded is likely insufficient, given patients may easily miss the sign and many patients are unfamiliar with the possibility of an ambient scribe being used in a place where patients typically would have no expectation of being recorded.

Further, having a written record that consent was obtained would be beneficial in protecting the practice if an issue arose. Additionally, practices should review existing HIPAA policies and notices to ensure that new products, such as ambient scribes, are accounted for in their privacy practices.

Beyond privacy concerns, ambient scribes raise other questions including what access patients may have to recordings of appointments. As the technology continues to evolve quickly, often arising from less regulated industries, providers should consult with legal counsel to implement these tools thoughtfully into their practices.

Alexandria K. Montanio
410-576-4278 • amontanio@gfrlaw.com