Written by: Drew Duffy, MHA, FACHE, Founder & Managing Director

The promise of AI ambient scribes in healthcare is undeniable—reduced administrative burden, improved patient interactions, and enhanced documentation accuracy. However, as healthcare organizations rush to implement these revolutionary tools, a critical question emerges: How do we balance innovation with the stringent privacy and security requirements that govern healthcare data? The intersection of AI ambient scribes and HIPAA compliance represents one of the most complex regulatory challenges facing digital health leaders today.

The HIPAA Reality Check: Why AI Scribes Are High-Risk Territory

Behind the scenes, AI scribes handle a high volume of protected health information (PHI) in real time, across multiple modalities (e.g., audio, transcripts, structured EHR data). As a result, AI scribes fall under HIPAA regulations. This seemingly simple statement carries enormous implications for healthcare organizations.

Unlike traditional medical scribes who are physically present and bound by employment agreements, AI scribes operate as third-party technologies that process sensitive conversations between physicians and patients. “Technically, it's a third party listening into the conversation,” says Aaron Maguregui, a partner with the Foley & Lardner law firm who specializes in AI and healthcare technology.

This fundamental shift in how healthcare documentation occurs creates new categories of risk that organizations must address systematically.

The Financial Stakes: Understanding HIPAA Penalty Exposure

The financial implications of HIPAA non-compliance in the age of AI are staggering. Under HIPAA, unauthorized disclosure of PHI can lead to penalties ranging from $141 to $2,134,831 per violation. When AI systems process thousands of patient encounters daily, the potential for widespread violations—and corresponding financial exposure—multiplies exponentially.

Each improperly handled patient conversation, misrouted clinical note, or unauthorized data access incident represents a potential violation. The scale at which AI scribes operate means that compliance failures can affect hundreds or thousands of patients simultaneously, creating massive penalty exposure.

Key HIPAA Compliance Risks: The Hidden Pitfalls

Healthcare leaders implementing AI ambient scribes must navigate several critical risk areas that traditional documentation methods never presented.

Data Training and Model Development Violations

One of the most significant risks involves how AI vendors train their systems. If a vendor is training its model on customer data without patient authorization—or without a defensible treatment, payment, or health care operations basis—such use may constitute a HIPAA violation.

Many organizations unknowingly enter agreements where their patient data becomes part of broader AI training datasets, potentially violating HIPAA’s minimum necessary standard and patient consent requirements. This risk extends beyond initial implementation to ongoing system improvements and updates.

Documentation Accuracy and Patient Safety Risks

The intersection of clinical accuracy and HIPAA compliance creates complex liability scenarios. If PHI is inserted into the wrong chart or disclosed to the wrong individual, it could constitute a breach under HIPAA and state data breach laws. Inaccurate documentation may also jeopardize patient safety, potentially leading to malpractice exposure.

The automated nature of AI scribes can amplify these risks if proper safeguards aren’t in place.

Unauthorized Access and Data Breach Vulnerabilities

AI systems require large datasets, which often include PHI. This creates new attack vectors for cybercriminals, including cloud storage vulnerabilities, API security weaknesses, and data transmission risks.

The real-time nature of AI scribes means breaches can expose ongoing patient conversations, resulting in immediate and ongoing privacy violations.

Risk Management Strategies: Building Compliance Into AI Implementation

Implementing Human-in-the-Loop Safeguards

Organizations should implement human-in-the-loop review for all AI-scribed notes. This safeguard ensures every AI-generated clinical note undergoes human review before becoming part of the permanent medical record.

Protocols should define review timelines, designate responsible reviewers, and outline escalation procedures for questionable content. This oversight serves as both a quality-control mechanism and a HIPAA compliance safeguard.

Technical Security Controls

To remain HIPAA-compliant, AI scribes must include multiple layers of security:

• End-to-end encryption for audio capture and storage

• Secure API connections

• Role-based access controls

• Comprehensive audit logging

Regular penetration testing and security assessments should validate the effectiveness of these controls.

Vendor Due Diligence and Business Associate Agreements

Healthcare organizations must thoroughly vet AI vendors’ security practices and compliance history. Business Associate Agreements (BAAs) should specifically address AI-related risks, including:

• Explicit prohibitions on using organizational data for model training without authorization

• Breach notification requirements

• Audit rights

• Data deletion protocols

Regulatory Trends and Future Considerations

The regulatory landscape for AI in healthcare is evolving rapidly. Expect increased scrutiny from regulators, more detailed HIPAA guidance, and penalty structures that account for the scale of AI systems.

Building a Compliance Culture

Technical controls alone are not enough. Organizations must foster a privacy-first culture, supported by:

• AI-specific staff training

• Policies governing tool use

• Accountability mechanisms for compliance monitoring

Regular compliance audits should include AI systems, reviewing access logs, note accuracy, and vendor performance.

Emergency Response and Breach Management

Organizations must have AI-specific incident response plans, including procedures for immediate system shutdown, rapid patient impact assessment, and coordinated communication with vendors, patients, and regulators.

Best Practices for Sustainable Compliance

HIPAA compliance with AI scribes should be treated as an ongoing operational requirement, not a one-time project. Best practices include:

• Continuous monitoring and alerting

• Maintaining detailed compliance documentation

• Conducting regular staff training updates

• Establishing metrics such as audit findings, security incidents, and patient complaints

Conclusion: Balancing Innovation with Responsibility

AI ambient scribes represent a transformative opportunity for healthcare, but they also introduce complex privacy and security challenges. Leaders who approach these technologies with a compliance-first mindset—treating HIPAA requirements as design constraints rather than afterthoughts—will be best positioned to realize the benefits while safeguarding their organizations and patients.

The future of healthcare documentation depends on striking this balance: leveraging AI to reduce burdens and improve care, while upholding the trust that patients place in providers to protect their most sensitive information.

-Drew

At ClearPath Compliance, we help healthcare organizations navigate this exact challenge. From vendor due diligence and Business Associate Agreement reviews to developing HIPAA-aligned policies and training programs, our team ensures that innovation does not come at the cost of compliance. We partner with clinics and health systems to build secure, sustainable frameworks for adopting AI scribes—so providers can focus on patients, not paperwork.

About the Author
Drew Duffy, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing  Director, ClearPath Compliance

The American healthcare landscape has undergone a seismic shift over the past two decades. What was once a profession dominated by independent physicians has transformed into an industry where nearly 70% of doctors now work as employees of hospitals or large health systems. This consolidation, while offering certain advantages in terms of resources and administrative support, has created an unexpected consequence: a growing movement of physicians breaking away to establish innovative independent practices that are reshaping healthcare delivery for the better.

The Consolidation Challenge: When Bigger Isn't Always Better

Healthcare consolidation has fundamentally altered the physician-patient relationship. Large health systems, driven by efficiency metrics and standardized protocols, often prioritize volume over individualized care. Physicians find themselves constrained by rigid scheduling systems, limited appointment times, and administrative burdens that distance them from their primary mission: healing.

The numbers tell a sobering story. Average patient consultation times have decreased to 15–20 minutes in many consolidated systems, leaving physicians feeling rushed and patients feeling unheard. Administrative tasks now consume up to 40% of a physician’s time, leading to widespread burnout and job dissatisfaction. Meanwhile, patients navigate complex referral systems, face longer wait times for specialists, and often feel like just another number in an increasingly impersonal healthcare machine.

The Independent Practice Renaissance: A Return to Patient-Centered Care

Against this backdrop, a new generation of physicians is choosing a different path. These healthcare entrepreneurs are establishing independent practices that blend the best of traditional medicine with innovative approaches to care delivery. This isn’t simply a return to the past—it’s a reimagining of what healthcare can be when physicians have the freedom to prioritize their patients’ needs above institutional constraints.

Personal Benefits for Independent Practitioners

Autonomy and Clinical Freedom
Independent physicians enjoy unprecedented control over their practice patterns. They can spend adequate time with each patient, pursue continuing education in areas that interest them, and implement treatment protocols based on the latest evidence rather than institutional preferences. This autonomy translates into higher job satisfaction and reduced burnout rates.

Financial Independence
While the initial investment in starting an independent practice requires capital and business acumen, successful independent practitioners often enjoy greater long-term financial rewards. They retain control over their revenue streams, can diversify their services, and aren’t subject to the salary caps common in employed positions. Many report earning 20–30% more than their employed counterparts within five years of independence.

Work-Life Integration
Independent practitioners can design their schedules around their lives rather than institutional demands. This flexibility allows for better work-life balance, opportunities for family time, and the ability to pursue personal interests and professional development.

Professional Fulfillment
Perhaps most importantly, independent physicians report higher levels of professional satisfaction. They can practice medicine the way they were trained to—focusing on healing relationships, personalized care, and clinical excellence rather than productivity metrics.

How Independent Practices Are Transforming Healthcare

Personalized, Relationship-Based Care
Independent practices are returning to the fundamental principle that healthcare is a relationship between physician and patient. With more time per appointment and continuity of care, these practitioners can address the whole person rather than just symptoms. This approach leads to better health outcomes, increased patient satisfaction, and more effective preventive care.

Innovation and Agility
Unencumbered by bureaucratic approval processes, independent practices can rapidly implement new technologies and treatment approaches. From telemedicine platforms to cutting-edge diagnostic tools, these practices often lead the adoption of innovations that improve patient care. They can also quickly adapt to changing patient needs and market conditions.

Cost-Effective Care
Independent practices typically operate with lower overhead costs than large health systems. This efficiency allows them to offer competitive pricing while maintaining quality care. Many independent practices are exploring direct-pay models, membership-based care, and other innovative payment structures that reduce costs for patients while ensuring fair compensation for physicians.

Community Health Leadership
Independent practitioners often become deeply embedded in their communities, understanding local health challenges and developing targeted solutions. They’re more likely to participate in community health initiatives, provide care to underserved populations, and build partnerships with local organizations.

The New Twist: Technology-Enabled Independent Practice

Today’s independent practices aren’t simply returning to the medicine of the past—they’re leveraging technology to create the future of healthcare delivery. Electronic health records designed for small practices, artificial intelligence diagnostic tools, and patient engagement platforms allow independent physicians to provide sophisticated care while maintaining the personal touch that large systems often lack.

Telemedicine Integration
Independent practices can quickly implement comprehensive telemedicine programs, offering patients convenient access to care while expanding the practice’s reach beyond traditional geographic boundaries.

Data-Driven Insights
Modern independent practices use advanced analytics to track patient outcomes, identify health trends, and optimize treatment protocols. This data-driven approach, combined with clinical intuition, produces superior results.

Patient Engagement Technology
From mobile apps to patient portals, independent practices can implement tools that keep patients engaged in their health while streamlining communication and administrative tasks.

The Path Forward: Supporting the Independent Practice Movement

As healthcare costs continue to rise and patient satisfaction with large health systems declines, supporting independent practices becomes a strategic imperative for improving American healthcare. This requires several key changes:

Policy Support
Healthcare policy should recognize and support the value that independent practices bring to the healthcare ecosystem. This includes fair reimbursement rates, reduced regulatory burdens for small practices, and protection from anti-competitive practices by large health systems.

Education and Resources
Medical schools and residency programs should provide business training and entrepreneurship education to prepare physicians for independent practice. Professional organizations should offer resources, mentorship, and support networks for physicians considering independence.

Patient Education
Patients need to understand the benefits of relationship-based care and the value that independent practices bring to their health outcomes. This includes recognizing that slightly higher upfront costs may result in better long-term health and lower total healthcare expenses.

Conclusion: The Future Is Independent

The healthcare consolidation of the past two decades has taught us valuable lessons about the limitations of one-size-fits-all healthcare delivery. While large health systems will continue to play important roles in complex care and medical education, the future of healthcare lies in a balanced ecosystem that includes thriving independent practices.

Independent physicians who choose to establish their own practices aren’t just pursuing personal and professional fulfillment—they’re pioneering a return to patient-centered care that benefits everyone. By combining the intimacy and personalization of traditional medicine with the technological capabilities of modern healthcare, these practices represent the best path forward for American healthcare.

The choice for physicians isn’t between the past and the future—it’s between accepting the limitations of consolidated healthcare and embracing the potential of independent, innovative practice. For those with the vision and courage to pursue independence, the rewards extend far beyond personal satisfaction to encompass the profound impact they can have on their patients’ lives and their communities’ health.

The renaissance of independent practice isn’t just coming—it’s already here. And it’s transforming healthcare one patient, one physician, and one community at a time.

-Drew

At ClearPath Compliance, we understand the unique challenges of building and sustaining an independent practice. From compliance and credentialing to risk management and operational support, our mission is simple: to help providers focus on patients, not paperwork. If you’re ready to take the next step toward independence, we’re here to guide the way.

About the Author
Drew Duffy, MD, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By Drew Duffy | ClearPath Compliance Founder/CEO

The Quiet Compliance Killer

In the complex world of healthcare regulation, the most dangerous threats often come from the least obvious places. While most practices focus heavily on HIPAA training, audit prep, and coding accuracy, many overlook a crucial blind spot: third-party vendor risk.

From your billing company to your IT provider to the cloud service that stores patient documents — these “behind-the-scenes” vendors could be exposing your practice to regulatory violations, data breaches, or even federal penalties.

And in 2025, the stakes have never been higher.

A Regulatory Crackdown on Vendor Oversight

Over the past 18 months, regulators at the Office for Civil Rights (OCR), Centers for Medicare & Medicaid Services (CMS), and even the Federal Trade Commission (FTC) have sharpened their focus on third-party vendors in healthcare. This is largely in response to several high-profile data breaches — including Change Healthcare’s February 2024 ransomware attack, which exposed sensitive health information tied to nearly 1 in 3 Americans [1].

In a 2024 statement, OCR Director Melanie Fontes Rainer said:

"Covered entities cannot outsource accountability. Business associates must be monitored, audited, and held to the same privacy and security standards as internal staff." [2]

Translation: You’re responsible for your vendors. And in 2025, regulators are coming to verify that you know it.

Real-World Risks for Small Practices

Let’s break this down with examples that directly impact smaller providers and clinics:

Vendor TypeCompliance RiskIT & Cloud StoragePoorly secured servers can lead to HIPAA breaches or data lossBilling & RCM FirmsImproper coding, unverified licenses, or kickback exposure under the Stark and Anti-Kickback lawsTelehealth PlatformsUnvetted APIs or third-party data analytics without BAAsMarketing VendorsSharing patient data for testimonials or ad targeting = HIPAA violationCredentialing ServicesFalsified documents or inconsistent monitoring can expose you to liability

The No-Surprises Act Connection

The No Surprises Act also makes vendors a potential source of legal exposure — especially in how they manage cost estimates, out-of-network data, or coordination with insurance carriers. If your outsourced vendors don’t comply with federal guidelines for transparency, your name ends up on the penalty notice.

What You Should Be Doing Right Now

Here's what ClearPath Compliance recommends all healthcare providers implement immediately:

1. Review All Business Associate Agreements (BAAs)

• Ensure each is current, signed, and explicitly defines security expectations.

• Include a right to audit clause whenever possible.

2. Vet Vendors Like You’d Vet an Employee

• Check licensing, insurance, references, and data protection practices.

• Use a standardized vendor risk checklist — we can provide one.

3. Audit Your Critical Vendors Annually

• Especially for billing, IT, and cloud storage partners.

• Document everything — OCR considers written records essential.

4. Limit Data Access

• Follow the “minimum necessary” rule with vendors just as you would internally.

• Use role-based access and data encryption wherever possible.

5. Train Your Staff

• Staff should know how to spot a suspicious vendor request or data access pattern.

• Ensure everyone understands the importance of vendor security awareness.

Closing Thought

You may trust your vendors — but that won’t protect you if something goes wrong.

In 2025, federal agencies are making it crystal clear: outsourced does not mean off the hook. The healthcare organizations that stay ahead are the ones who treat vendor risk with the same urgency as HIPAA compliance or audit readiness.

At ClearPath Compliance, we help clinics like yours identify hidden risks, tighten policies, and build a defensible posture against government scrutiny. Don’t let a trusted partner become your weakest link.

📚 Sources:

1. HHS Statement on Change Healthcare Cyberattack

2. OCR Director Remarks on Business Associate Oversight

3. FTC Health Breach Notification Rule Update

© ClearPath Compliance 2025
Need help reviewing your vendor risk? Call us at 1-888-996-8376 or Contact Us for a free consultation.

July 17, 2025

Under the Microscope: Looming Medicare & Medicaid Overhauls That Could Shake Your Practice to Its Core

In April 2025, Washington unveiled a flurry of Medicare and Medicaid policy shifts that—while touted as cost‑containment and quality‑of‑care measures—carry the potential to undercut patient access and saddle providers with new layers of risk. From radical payment‑model rewrites to unprecedented data‑sharing pacts, these changes demand immediate attention. Without a proactive strategy, healthcare organizations could find themselves scrambling to stay compliant—or worse, fighting for their financial survival.

1. Medicare’s Double‑Edged Payment Proposals

On July 15, 2025, CMS floated a rule that would boost physician fees by up to 3.8% in 2026—but only for those in certain alternative payment models. Others would see a smaller 3.3% increase, effectively rewarding large, value‑based systems over small or independent practices . More ominously, on July 16, 2025, CMS proposed an $8.1 billion increase in hospital outpatient payments—yet simultaneously slashing reimbursement for high‑cost services like chemotherapy, in a push toward “site‑neutral payments” that pay the same whether care is delivered in a hospital or a private office.

These shifts are far from benign:

• Winners & Losers: Practices unable to join advanced payment models risk seeing their Medicare revenue fall further behind peers.

• Operational Overhaul: Changing reimbursement indices and billing codes will strain EHR and billing teams, raising denials and compliance flags.

• Patient Impact: Site‑neutral cuts may force hospitals to shift oncology and other specialty services back to outpatient clinics ill‑equipped to handle complex cases.

2. Medicaid on the Chopping Block—and Under ICE Surveillance

While providers grapple with Medicare’s mixed bag, Medicaid now faces two parallel storms: massive federal spending cuts and a controversial data‑sharing deal. In April 2025, the U.S. House budget resolution set the stage for $880 billion in Medicaid cuts over the next decade, a move that experts warn could strip coverage from millions and destabilize safety‑net hospitals.

At the same time, this July, CMS quietly agreed to grant ICE access to 79 million Medicaid records, including names, Social Security numbers, and addresses—ostensibly to detect fraud, but decried by advocates as a “privacy betrayal” that could deter vulnerable populations from seeking care.

The combined effect is terrifying:

• Coverage Cliff: State agencies, facing leaner federal dollars, may tighten eligibility, increase premiums, or slash optional benefits like dental and vision.

• Trust Erosion: Families who fear deportation could avoid necessary treatments, fueling public‑health crises and uncompensated‑care burdens.

• Compliance Minefield: Healthcare entities must navigate conflicting obligations—protect patient privacy under HIPAA while honoring a federal subpoena to hand over data.

3. Why You Can’t Afford to Wait

These policy changes aren’t distant threats—they’re unfolding now. Practices that delay will face:

• Revenue Shock: Misaligned billing workflows and missed opportunities to qualify for advanced payment models.

• Legal Exposure: Privacy lapses or flawed consent processes could trigger hefty civil penalties.

• Operational Chaos: Untrained staff and outdated policies will struggle under shifting audit criteria and enforcement priorities.

4. ClearPath Compliance: Your Strategic Shield

At ClearPath Compliance, we’ve distilled our decades of healthcare regulatory expertise into an Integrated Response Framework designed to neutralize these threats and bolster your competitive edge:

1. Advanced Revenue Optimization

• Analyze your current Medicare billing mix and identify high‑yield alternative payment models you qualify for.

• Remap EHR coding workflows to preempt denials under new site‑neutral and fee‑schedule rules.

2. Medicaid Program Resilience

• Conduct state‑by‑state impact assessments to forecast coverage changes and adapt enrollment strategies.

• Develop patient‑centric consent protocols and vendor agreements that safeguard privacy—even when federal data‑requests arrive.

3. Regulatory & Audit Readiness

• Revise privacy policies and train staff on handling ICE subpoenas without violating HIPAA.

• Perform mock audits for both Medicare and Medicaid regulations, ensuring your documentation survives heightened scrutiny.

4. Advocacy & Stakeholder Engagement

• Craft white‑papers and testimony to influence state budget committees on Medicaid funding decisions.

• Facilitate community outreach programs that reassure patients and preserve trust in your practice.

Don’t get blindsided by the next wave of policy mandates. Call ClearPath Compliance at 1‑888‑996‑8376 or visit clearpathcompliance.com to schedule your free 30‑minute strategic consultation. Together, we’ll transform regulatory upheaval into an opportunity for growth and reinforce your status as a trusted healthcare leader.

Drew Duffy,  MHA, FACHE

By A. Calder Nash, contributing policy and compliance analyst at ClearPath Compliance

What Is the Stark Law?

The Stark Law, also known as the Physician Self-Referral Law, prohibits physicians from referring Medicare patients to entities they have a financial relationship with—unless an exception applies. Its core goal is to prevent conflicts of interest that could drive up healthcare costs or compromise care.

What Changed in 2024?

In April 2024, the Centers for Medicare & Medicaid Services (CMS) implemented key updates to the Stark Law under the CY2024 Medicare Physician Fee Schedule Final Rule. These changes reflect CMS’s continuing efforts to modernize healthcare regulation under value-based care models.

1. Expanded Flexibility for Value-Based Arrangements

CMS has broadened exceptions for:

• Shared savings programs

• Coordinated care models

• Health tech-enabled partnerships

Implication:
Physician practices and clinics entering into care coordination or quality improvement programs now have more legal protection when financial relationships are involved — as long as they’re structured properly.

Tip: If you're participating in an ACO or using digital tools for shared care, this rule may now protect you more than it did in 2023.

2. Clarification on "Commercial Reasonableness"

CMS clarified what counts as commercially reasonable — a core requirement for many Stark Law exceptions. The 2024 definition now explicitly allows arrangements that result in losses, as long as they still make sense from a business and care perspective.

Implication:
Medical groups no longer need to worry that unprofitable arrangements automatically violate Stark Law — as long as they have a logical, documented purpose (e.g., expanding access in rural areas).

Tip: Keep a clear justification in writing for any agreements that don’t look profitable on paper.

3. Tighter Language Around Indirect Compensation

New guidance narrows down the criteria for what qualifies as indirect compensation—meaning more arrangements may now fall under the Stark Law than before.

Implication:
Organizations that work with management companies, staffing agencies, or other third-party vendors must re-evaluate their indirect relationships. Many arrangements that flew under the radar now require a formal review.

Tip: If you contract out billing, staffing, or tech services, revisit those agreements now.

Why This Matters to Small Clinics and Independent Providers

You might think Stark Law is only for hospitals or large systems — but it absolutely affects:

• Solo practitioners

• Multi-specialty groups

• Concierge practices

• Clinics participating in Medicare

Failure to comply can mean:

• Civil penalties up to $15,000 per service

• Exclusion from federal programs

• Reputational harm

How to Stay Compliant in 2024

• Review your contracts (especially tech, staffing, or shared-revenue agreements)

• Document your commercial reasoning

• Know your value-based care exceptions

• Consult a compliance specialist (like ClearPath Compliance) if you’re unsure

📚 Sources

1. CMS CY2024 Final Rule (Medicare Physician Fee Schedule)

2. Federal Register: Stark Law Revisions

3. OIG Stark Law Overview

🧠 Final Thought

Regulations are evolving. So should your compliance strategy.
If you're unsure how these changes impact your practice, ClearPath Compliance is here to help.

Written by A. Calder Nash, contributing policy and compliance analyst at ClearPath Compliance.