Patient Consent and AI Notes: What Practices Need to Document

Discover key patient consent requirements for HIPAA-compliant AI notes.

[Figure: a consent form split into two halves. Top half, 'STANDARD CONSENT — already in your form': treatment scope, confidentiality limits, right to withdraw. Bottom half, 'AI ADDENDUM — required for AI notes': AI scribe vendor named, audio + transcript data flow, retention + deletion option, training-data policy. Bottom label: 'YOUR EXISTING FORM ISN'T ENOUGH — THE AI ADDENDUM IS WHAT'S MISSING'.]

As AI scribes enhance clinical documentation, they also create a blind spot in compliance. Most patient consent forms were written before AI notes existed. They cover treatment, payment, and operations, yet rarely mention real‑time audio processing, third‑party AI vendors, or how voice data is handled. Without explicit, documented consent for HIPAA-compliant AI notes, practices risk patient distrust and state law violations. Discover exactly what your practice must document, so you can adopt ambient AI without compromising compliance.

Standard HIPAA consent covers treatment, payment, and operations (TPO), but not AI‑specific risks. AI note generation introduces three new elements:

  • Third-party AI Vendors: Data often leaves your practice to external servers, requiring a Business Associate Agreement (BAA) and patient disclosure.
  • Potential Data Re-use: Some vendors train models on encounter data unless explicitly prohibited. Standard consent never mentions this.
  • Real-time Audio Processing: AI listens to live voice audio, which many patients would not expect.

Six elements an AI-specific consent form must include:

  1. AI scribe vendor named: name the specific vendor processing audio, not 'an AI tool.'
  2. Data flow disclosed: what gets sent (audio, transcript, structured note), to whom (vendor + subprocessors), through what channels.
  3. Retention + deletion path: default audio retention, transcript retention, patient-initiated deletion workflow.
  4. Training-data policy: whether patient audio or transcripts can be used to train the vendor's model; conservative default is no.
  5. Right to decline AI: patients must be able to say no without affecting care; the practice needs an operational fallback.
  6. Re-consent triggers: vendor changes, audio-handling changes, scope changes are re-consent events; consent is for the current configuration, not a forever-blank check.

Every AI consent addendum must include these seven items:

  1. Scope of AI use: Name the specific tool (e.g., “Twofold Health,” “Abridge,” “Suki”).
  2. Data Captured: Specify audio, video, or text; real-time or stored.
  3. Purpose Limitation: Clinical note drafting only, no secondary uses.
  4. Third-party Access: Identify all AI vendors as business associates.
  5. Data Retention & Deletion: How long audio is processed and when it’s permanently deleted.
  6. Patient Opt-Out: Right to refuse AI notes without affecting care.
  7. Review & Correction: How patients can request amendments to AI-generated notes.

“This practice utilizes Twofold Health’s AI scribe to draft clinical notes from our conversations. Your voice is processed in real time and not stored after the note is generated. No data is used to train AI models. You may decline AI documentation at any visit.”

Operational records beyond the consent form, in two dated stacks.

Vendor-facing records:

  • Vendor BAA on file with current subprocessor list.
  • Audio-retention default policy archived (dated).
  • Training-data policy archived (dated).
  • Deletion-request workflow documented.

Practice-facing records:

  • Each patient consent recorded in chart with date and version.
  • Re-consent log for vendor or configuration changes.
  • Decline-AI fallback workflow documented.
  • Annual review log comparing your consent form to current vendor policy.

Together these stacks make consent auditable across time, not just at the moment of signature.

These documents should be kept in your compliance file or folder:

  1. Signed AI-specific consent form.
  2. Patient opt-out log, along with proof of the alternatives offered.
  3. Business Associate Agreement (BAA) with AI vendor.
  4. AI system configuration logs (audio deletion proof).
  5. Staff training records on the AI consent process.

Obtain patient consent again when any of these occur:

  • Changing AI vendors.
  • Enabling any form of data re-use (e.g., fine-tuning models).
  • Expanding AI use to new note types (telehealth, procedures, behavioral health).
  • After a breach or patient complaint related to AI documentation.

Follow these four steps to operationalize AI consent documentation:

  1. Audit Existing Forms: Review your current consent forms. Do they mention AI, ambient listening, or automated documentation?
  2. Create an AI Consent Addendum: Develop a standalone, AI-specific form. Keep it separate from general HIPAA paperwork for clarity and easier updates.
  3. Train Front Desk and Clinicians: Provide a simple script for offering the AI option at check-in (e.g., “We use an AI tool to draft visit notes. May I review a short consent form with you?”).
  4. Document Every Refusal: When a patient declines, note it in the EHR with a structured reason (e.g., “Patient declined AI scribe, manual note taken”). Avoid vague free-text entries.

Handling the “No” Gracefully

When a patient refuses recording, respect their decision and have a fallback workflow ready. Prepare a non‑AI documentation option, such as a human scribe, clinician self‑notes, or a simple visit summary template.

Conclusion

Standard consent forms were never designed for ambient AI. They omit audio processing, third‑party vendors, and data re‑use risks. To safely implement HIPAA-compliant AI notes, practices must document more than a signature. That means AI‑specific consent addenda, operational logs, patient opt‑out records, and signed BAAs with every vendor. It also means training staff to handle refusals gracefully and knowing when re‑consent is required. If your consent form doesn’t name your AI medical scribe, start writing the addendum today.


Frequently asked questions

  • Do we need a separate consent form for AI notes, or can we just add a line to our existing HIPAA form?

    You need a separate, dedicated AI consent addendum. Adding a single line to a general HIPAA form does not provide sufficient notice or documented patient understanding.

    • Risk of Ambiguity: A single line like “We may use AI” is too vague. Patients cannot meaningfully consent without knowing what data is captured (audio), who accesses it (vendor), and how long it is retained.
    • Easier Updates: AI tools, vendors, and policies change faster than general HIPAA notices. A separate addendum can be revised and re-presented without redoing the entire consent form.

  • What should we document if a patient refuses AI notes during a visit?

    Document the refusal in a structured EHR field, and note the alternative documentation method used.

    • Use a dropdown or discrete field: This ensures searchability for audits.
      • Reason (optional but helpful): “Patient voiced privacy concerns” or “Patient preferred clinician to type notes directly.”
    • Alternative Workflow Recorded: Indicate what replaced AI (e.g., “Manual SOAP note entered,” “Human scribe used,” “Visit summary provided post-visit”).
    • Document that care was unaffected. Avoid phrases like “patient non-compliant with AI.”


  • Does verbal consent suffice for HIPAA-compliant AI notes, or must it be written?

    Written consent (electronic or paper signature) is the best practice.

    • HIPAA Baseline: Treatment, payment, and operations (TPO) do not strictly require written authorization. However, AI notes introduce elements (third-party vendors, audio processing) that go beyond typical TPO.
    • State Laws Often Require Writing: Many all-party consent states (e.g., CA, PA, WA) require explicit written consent for audio recording or real-time transmission, which applies to AI scribes.
    • Enforcement Risk: Without a signed form, your practice bears the burden of proving the patient understood and agreed to AI-specific data flows. Written documentation is thus the best path forward.