Written by: Drew Duffy, MHA, FACHE, Founder & Managing Director

The promise of AI ambient scribes in healthcare is undeniable—reduced administrative burden, improved patient interactions, and enhanced documentation accuracy. However, as healthcare organizations rush to implement these revolutionary tools, a critical question emerges: How do we balance innovation with the stringent privacy and security requirements that govern healthcare data? The intersection of AI ambient scribes and HIPAA compliance represents one of the most complex regulatory challenges facing digital health leaders today.

The HIPAA Reality Check: Why AI Scribes Are High-Risk Territory

Behind the scenes, AI scribes handle a high volume of protected health information (PHI) in real time, across multiple modalities (e.g., audio, transcripts, structured EHR data). As a result, AI scribes fall under HIPAA regulations. This seemingly simple statement carries enormous implications for healthcare organizations.

Unlike traditional medical scribes who are physically present and bound by employment agreements, AI scribes operate as third-party technologies that process sensitive conversations between physicians and patients. “Technically, it's a third party listening into the conversation,” says Aaron Maguregui, a partner with the Foley & Lardner law firm who specializes in AI and healthcare technology.

This fundamental shift in how healthcare documentation occurs creates new categories of risk that organizations must address systematically.

The Financial Stakes: Understanding HIPAA Penalty Exposure

The financial implications of HIPAA non-compliance in the age of AI are staggering. Under HIPAA, unauthorized disclosure of PHI can lead to penalties ranging from $141 to $2,134,831 per violation. When AI systems process thousands of patient encounters daily, the potential for widespread violations—and corresponding financial exposure—multiplies exponentially.

Each improperly handled patient conversation, misrouted clinical note, or unauthorized data access incident represents a potential violation. The scale at which AI scribes operate means that compliance failures can affect hundreds or thousands of patients simultaneously, creating massive penalty exposure.

Key HIPAA Compliance Risks: The Hidden Pitfalls

Healthcare leaders implementing AI ambient scribes must navigate several critical risk areas that traditional documentation methods never presented.

Data Training and Model Development Violations

One of the most significant risks involves how AI vendors train their systems. If a vendor is training its model on customer data without patient authorization—or without a defensible treatment, payment, or health care operations basis—such use may constitute a HIPAA violation.

Many organizations unknowingly enter agreements where their patient data becomes part of broader AI training datasets, potentially violating HIPAA’s minimum necessary standard and patient consent requirements. This risk extends beyond initial implementation to ongoing system improvements and updates.

Documentation Accuracy and Patient Safety Risks

The intersection of clinical accuracy and HIPAA compliance creates complex liability scenarios. If PHI is inserted into the wrong chart or disclosed to the wrong individual, it could constitute a breach under HIPAA and state data breach laws. Inaccurate documentation may also jeopardize patient safety, potentially leading to malpractice exposure.

The automated nature of AI scribes can amplify these risks if proper safeguards aren’t in place.

Unauthorized Access and Data Breach Vulnerabilities

AI systems require large datasets, which often include PHI. This creates new attack vectors for cybercriminals, including cloud storage vulnerabilities, API security weaknesses, and data transmission risks.

The real-time nature of AI scribes means breaches can expose ongoing patient conversations, resulting in immediate and ongoing privacy violations.

Risk Management Strategies: Building Compliance Into AI Implementation

Implementing Human-in-the-Loop Safeguards

Organizations should implement human-in-the-loop review for all AI-scribed notes. This safeguard ensures every AI-generated clinical note undergoes human review before becoming part of the permanent medical record.

Protocols should define review timelines, designate responsible reviewers, and outline escalation procedures for questionable content. This oversight serves as both a quality-control mechanism and a HIPAA compliance safeguard.

Technical Security Controls

To remain HIPAA-compliant, AI scribes must include multiple layers of security:

• End-to-end encryption for audio capture and storage

• Secure API connections

• Role-based access controls

• Comprehensive audit logging

Regular penetration testing and security assessments should validate the effectiveness of these controls.

Vendor Due Diligence and Business Associate Agreements

Healthcare organizations must thoroughly vet AI vendors’ security practices and compliance history. Business Associate Agreements (BAAs) should specifically address AI-related risks, including:

• Explicit prohibitions on using organizational data for model training without authorization

• Breach notification requirements

• Audit rights

• Data deletion protocols

Regulatory Trends and Future Considerations

The regulatory landscape for AI in healthcare is evolving rapidly. Expect increased scrutiny from regulators, more detailed HIPAA guidance, and penalty structures that account for the scale of AI systems.

Building a Compliance Culture

Technical controls alone are not enough. Organizations must foster a privacy-first culture, supported by:

• AI-specific staff training

• Policies governing tool use

• Accountability mechanisms for compliance monitoring

Regular compliance audits should include AI systems, reviewing access logs, note accuracy, and vendor performance.

Emergency Response and Breach Management

Organizations must have AI-specific incident response plans, including procedures for immediate system shutdown, rapid patient impact assessment, and coordinated communication with vendors, patients, and regulators.

Best Practices for Sustainable Compliance

HIPAA compliance with AI scribes should be treated as an ongoing operational requirement, not a one-time project. Best practices include:

• Continuous monitoring and alerting

• Maintaining detailed compliance documentation

• Conducting regular staff training updates

• Establishing metrics such as audit findings, security incidents, and patient complaints

Conclusion: Balancing Innovation with Responsibility

AI ambient scribes represent a transformative opportunity for healthcare, but they also introduce complex privacy and security challenges. Leaders who approach these technologies with a compliance-first mindset—treating HIPAA requirements as design constraints rather than afterthoughts—will be best positioned to realize the benefits while safeguarding their organizations and patients.

The future of healthcare documentation depends on striking this balance: leveraging AI to reduce burdens and improve care, while upholding the trust that patients place in providers to protect their most sensitive information.

-Drew

At ClearPath Compliance, we help healthcare organizations navigate this exact challenge. From vendor due diligence and Business Associate Agreement reviews to developing HIPAA-aligned policies and training programs, our team ensures that innovation does not come at the cost of compliance. We partner with clinics and health systems to build secure, sustainable frameworks for adopting AI scribes—so providers can focus on patients, not paperwork.

About the Author
Drew Duffy, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, ClearPath Compliance

The healthcare industry is under siege. While medical professionals remain focused on patient care, cybercriminals are increasingly targeting the very systems that support life-saving treatments. The statistics are sobering healthcare data breaches now average $9.7 million per incident—more than double the cross-industry average—and attacks are only accelerating.

The Perfect Storm: Why Healthcare Is a Prime Target

Healthcare organizations store what hackers want most: full identity profiles, financial details, and sensitive medical records—each of which can sell for hundreds of dollars on the dark web. Unlike credit card data, medical records contain immutable personal details, retaining value indefinitely.

Many clinics are vulnerable due to:

• Outdated or unsupported systems

• Limited cybersecurity funding

• Overworked staff with minimal training on security protocols

By 2025, more than 68% of healthcare IoT devices are expected to remain unpatched—leaving critical holes for attackers to exploit.

Beyond the Balance Sheet: The Real-World Impact

A ransomware attack doesn’t just cause financial strain. It disrupts appointments, delays diagnoses, and in urgent cases, endangers lives. In 2024 alone, over $133.5 million was paid out to ransomware groups—but that doesn’t account for regulatory fines, legal costs, or long-term reputation damage.

When systems go down:

• Providers must revert to paper documentation

• Patient care is delayed

• Emergency departments may divert patients

These aren’t just IT issues—they’re patient safety concerns.

2025 Threats Keeping Security Experts Awake

The threat landscape is evolving fast, and the risks are real:

• Third-Party Vendor Breaches – Your clinic is only as secure as your software and billing partners.

• IoT Device Weaknesses – Many network-connected medical devices lack basic security.

• AI Manipulation – As AI tools become integrated, they become new attack surfaces.

• Sophisticated Phishing – Social engineering attacks now convincingly mimic coworkers, vendors, and even regulators.

New Regulations Are Coming—Is Your Practice Ready?

Regulators are responding. In 2024, the FDA finalized new cybersecurity guidance for medical device manufacturers. Now in 2025, the proposed Healthcare Cybersecurity Improvement Act could make baseline cybersecurity a Medicare Condition of Participation and allocate $100 million to help smaller facilities catch up.

This marks a shift toward mandatory compliance—meaning failure to act could lead to exclusion from federal programs.

Building Your Clinic’s Cybersecurity Foundation

Every clinic—regardless of size—should take the following steps:

• Risk Assessments: Evaluate vulnerabilities across systems, devices, and staff training.

• Multi-Factor Authentication (MFA): A simple but powerful barrier to unauthorized access.

• Incident Response Plan: Be prepared to act quickly and contain damage.

• Ongoing Staff Training: Human error is the #1 security risk.

• Vendor Oversight: Require proof of cybersecurity compliance from all partners.

• Secure Backups: Ensure quick recovery from system failures or attacks.

The Cost of Inaction

Cybersecurity is often seen as a cost center—but in truth, it’s a safeguard. Comprehensive protection for a small or midsize practice may run $10,000–$50,000 annually. Compared to the $9.7 million average cost of a breach—and the ROI becomes clear.

The Bottom Line

Cyber threats are no longer an “if”—they’re a “when.” Clinics that take proactive steps today will be far better equipped to survive the challenges of tomorrow.

This is about more than just data. It’s about protecting your patients, your team, your license, and your future.

Need support evaluating or improving your cybersecurity readiness?
ClearPath Compliance offers risk assessments, vendor management strategies, and ongoing compliance support tailored for small and mid-sized clinics.

By Drew Duffy ClearPath Compliance

Introduction

Telehealth has evolved from a temporary solution during the COVID-19 pandemic to a permanent fixture in modern healthcare delivery. As we move further into 2025, healthcare providers must adapt to a rapidly changing regulatory environment to ensure compliance and continue delivering quality care.

1. Reinstatement of Pre-Pandemic Restrictions

The Centers for Medicare & Medicaid Services (CMS) has begun reinstating certain telehealth policies that were relaxed during the public health emergency. These changes include:

• Geographic Restrictions: Telehealth services are now limited to rural areas and specific healthcare settings.

• Eligible Providers: Only certain healthcare professionals are authorized to offer telehealth services.

• In-Person Visit Requirements: Some services now require an in-person visit within a specified timeframe.

These reinstatements aim to balance the convenience of telehealth with the need for in-person evaluations in certain situations.

2. Expansion of Telehealth Services

Despite the reinstatement of some restrictions, there have been notable expansions in telehealth services:

• Coverage for Additional Services: Medicare now covers a broader range of telehealth services, including physical therapy and occupational therapy.

• Audio-Only Telehealth: CMS has permanently expanded the definition of "interactive telecommunications system" to include two-way, real-time audio-only communication, allowing providers to offer services to patients who may not have access to video technology.

These expansions aim to increase access to care, particularly for patients in underserved areas.

3. Interstate Licensure Compacts

To address the challenges of providing telehealth across state lines, several licensure compacts have been established:

• Interstate Medical Licensure Compact (IMLC): Allows physicians to practice in multiple states with a single license.

• Nurse Licensure Compact (NLC): Permits nurses to practice in member states without obtaining additional licenses.

These compacts facilitate the delivery of telehealth services across state lines, improving access to care for patients in various regions.

4. Enhanced HIPAA Compliance Requirements

The U.S. Department of Health and Human Services (HHS) has proposed new regulations to enhance cybersecurity protections for electronic protected health information (ePHI) under HIPAA. Key proposed changes include:

• Mandatory Annual Technical Inventories: Healthcare providers must conduct annual inventories of their technical systems.

• Enhanced Vendor Oversight: Business associates must notify entities within 24 hours of activating a contingency plan.

• Mandatory Multi-Factor Authentication (MFA): Providers must implement MFA for accessing ePHI.

• Encryption Standards: All ePHI must be encrypted both at rest and in transit.

These proposed changes aim to strengthen security controls and reduce breach risks, ensuring greater protection of ePHI.

5. State-Specific Regulations

In addition to federal regulations, healthcare providers must navigate state-specific laws that govern telehealth practices. These laws can vary significantly and may include:

• Consent Requirements: Some states require explicit patient consent for telehealth services.

• Prescribing Regulations: Certain states have specific rules regarding the prescription of medications via telehealth.

• Record-Keeping Mandates: States may impose additional documentation requirements for telehealth encounters.

It's essential for providers to familiarize themselves with the telehealth regulations in each state where they practice to ensure compliance.

Conclusion

The telehealth landscape in 2025 presents both opportunities and challenges for healthcare providers. By staying informed about the latest regulatory changes and implementing robust compliance strategies, providers can continue to offer high-quality care while mitigating legal and financial risks.

At ClearPath Compliance, we specialize in helping healthcare organizations navigate the complexities of telehealth regulations. Contact us today to learn how we can support your compliance efforts.

Sources:

• Reuters: Top 10 takeaways from the new HIPAA security rule NPRM

• MarketWatch: 67 million Medicare recipients face 'chaos' if Congress cuts telehealth benefits

• Wipfli: New healthcare policies and regulations 2025

• Seabridge Health: Recent Updates in Telehealth Regulations (2025)

• HHS.gov: HIPAA and Telehealth

By Drew Duffy | ClearPath Compliance Founder/CEO

The Quiet Compliance Killer

In the complex world of healthcare regulation, the most dangerous threats often come from the least obvious places. While most practices focus heavily on HIPAA training, audit prep, and coding accuracy, many overlook a crucial blind spot: third-party vendor risk.

From your billing company to your IT provider to the cloud service that stores patient documents — these “behind-the-scenes” vendors could be exposing your practice to regulatory violations, data breaches, or even federal penalties.

And in 2025, the stakes have never been higher.

A Regulatory Crackdown on Vendor Oversight

Over the past 18 months, regulators at the Office for Civil Rights (OCR), Centers for Medicare & Medicaid Services (CMS), and even the Federal Trade Commission (FTC) have sharpened their focus on third-party vendors in healthcare. This is largely in response to several high-profile data breaches — including Change Healthcare’s February 2024 ransomware attack, which exposed sensitive health information tied to nearly 1 in 3 Americans [1].

In a 2024 statement, OCR Director Melanie Fontes Rainer said:

"Covered entities cannot outsource accountability. Business associates must be monitored, audited, and held to the same privacy and security standards as internal staff." [2]

Translation: You’re responsible for your vendors. And in 2025, regulators are coming to verify that you know it.

Real-World Risks for Small Practices

Let’s break this down with examples that directly impact smaller providers and clinics:

Vendor TypeCompliance RiskIT & Cloud StoragePoorly secured servers can lead to HIPAA breaches or data lossBilling & RCM FirmsImproper coding, unverified licenses, or kickback exposure under the Stark and Anti-Kickback lawsTelehealth PlatformsUnvetted APIs or third-party data analytics without BAAsMarketing VendorsSharing patient data for testimonials or ad targeting = HIPAA violationCredentialing ServicesFalsified documents or inconsistent monitoring can expose you to liability

The No-Surprises Act Connection

The No Surprises Act also makes vendors a potential source of legal exposure — especially in how they manage cost estimates, out-of-network data, or coordination with insurance carriers. If your outsourced vendors don’t comply with federal guidelines for transparency, your name ends up on the penalty notice.

What You Should Be Doing Right Now

Here's what ClearPath Compliance recommends all healthcare providers implement immediately:

1. Review All Business Associate Agreements (BAAs)

• Ensure each is current, signed, and explicitly defines security expectations.

• Include a right to audit clause whenever possible.

2. Vet Vendors Like You’d Vet an Employee

• Check licensing, insurance, references, and data protection practices.

• Use a standardized vendor risk checklist — we can provide one.

3. Audit Your Critical Vendors Annually

• Especially for billing, IT, and cloud storage partners.

• Document everything — OCR considers written records essential.

4. Limit Data Access

• Follow the “minimum necessary” rule with vendors just as you would internally.

• Use role-based access and data encryption wherever possible.

5. Train Your Staff

• Staff should know how to spot a suspicious vendor request or data access pattern.

• Ensure everyone understands the importance of vendor security awareness.

Closing Thought

You may trust your vendors — but that won’t protect you if something goes wrong.

In 2025, federal agencies are making it crystal clear: outsourced does not mean off the hook. The healthcare organizations that stay ahead are the ones who treat vendor risk with the same urgency as HIPAA compliance or audit readiness.

At ClearPath Compliance, we help clinics like yours identify hidden risks, tighten policies, and build a defensible posture against government scrutiny. Don’t let a trusted partner become your weakest link.

📚 Sources:

1. HHS Statement on Change Healthcare Cyberattack

2. OCR Director Remarks on Business Associate Oversight

3. FTC Health Breach Notification Rule Update

© ClearPath Compliance 2025
Need help reviewing your vendor risk? Call us at 1-888-996-8376 or Contact Us for a free consultation.