State-by-State Patient Consent Requirements
A comprehensive guide for clinicians using AI scribes like Doctora. Understand HIPAA compliance and state recording laws to protect your practice and build patient trust.
Quick State Reference
Click any state to see specific consent requirements and legal citations
Interactive Consent Map
Hover or tap a state to preview the strictest consent rule.
Tap any state to open detailed workflow recommendations and legal citations.
Legend & Quick Guidance
Colors show the strictest consent requirement for in-practice recording or live AI scribing.
All-Party Consent (10)
Get explicit patient consent before any recording or transmission.
Mixed Rules (3)
Rules change based on in-person vs. telehealth conversations.
One-Party Consent (38)
Provider consent is sufficient, but clear patient notice builds trust.
Use all-party workflows everywhere when possible.
The modal templates include scripting for verbal consent, chart documentation, and signage so teams can standardize quickly.
All-Party Consent Required (10 states)
Must obtain explicit patient consent before any audio capture or transmission.
Mixed Rules (3 states)
Requirements vary for in-person encounters versus telephone or telehealth.
One-Party Consent (38 states)
Physician consent alone satisfies the statutes, but we still recommend announcing and documenting consent everywhere.
HIPAA Fundamentals
Good News: No Patient Authorization Required Under HIPAA
If Doctora is a Business Associate (BA) under a BAA and only uses PHI to create documentation for the clinician (i.e., TPO — treatment, payment, health care operations), patient authorization is not required under HIPAA for that disclosure.
Translation: Your HIPAA posture (BAA at sign-up; no model training on PHI; HIPAA-compliant processing) is the correct federal setup. You do not need a HIPAA authorization form from each patient just to use Doctora as an AI scribe.
What Matters: State Audio Recording Laws
State "wiretap" and eavesdropping laws determine whether you must tell the patient and obtain their consent before you capture audio of the clinical encounter, or before a remote service "listens in" (intercepts) even if you don't keep the audio file.
Key Nuance
Even if you don't save audio, streaming exam-room audio to a remote scribe/AI can still count as an "interception" in all-party states — so obtain patient consent there.
Recommended Baseline Workflow
Follow this workflow everywhere, and you'll be compliant in all 50 states + DC:
One-Time Written Consent at Intake
Plain-English disclosure that your clinician may use secure audio capture and an AI scribe (Doctora) to help document visits. Include that it's HIPAA-compliant, used only for clinical notes, no model training on PHI, and patients can opt out anytime.
Note: A "posted sign only" is not enough in all-party states.
Verbal Consent at Start of Each Visit
Ask: "To help me document accurately, I use a secure AI scribe that records our conversation and turns it into my clinical note. It's HIPAA-compliant and used only for your chart. Is it okay to proceed?"
Document in chart: "AI scribe used (Doctora). Patient gave verbal consent to audio capture at [time]."
Clear Signage
Post at check-in and in exam rooms: "We use secure audio transcription to help document your visit. Tell us any time if you prefer no recording."
Telehealth/Phone Visits
Always open with the verbal consent and record the "yes."
In Connecticut and Nevada, make sure the consent is on the recording at the start of the call (or use an audible beep where allowed).
Why this works: This workflow meets the strictest state requirements (all-party consent) while building patient trust and demonstrating transparency everywhere.
Ready-to-Use Templates
Copy and paste these templates into your practice workflows
Intake Form Language
One-time written consent for new patients
How to use: Add this to your new patient intake forms (paper or digital)
Verbal Consent Script
Say this at the start of each visit
How to use: Verbal consent before starting any audio recording. Document the consent in your chart.
Chart Documentation Macro
Document consent in the patient chart
How to use: Add this note to each patient encounter where AI scribe was used
Office Signage
Post in waiting room and exam rooms
How to use: Print and display at check-in desk and in examination rooms
Telehealth Phone Script
For Connecticut & Nevada telehealth calls
How to use: Use at the start of every phone/telehealth visit in CT and NV (and recommended for all states)
Special Considerations
Cross-Border Telehealth
If participants are in different states, follow the stricter of the two states' rules. For example, California's all-party rule applies to calls with any participant in California, regardless of where the other party is located.
Substance Use Disorder (42 CFR Part 2) Programs
After the 2024 final rule, a single patient consent for TPO is permitted and Business Associates can receive Part 2 records under that consent. However, you still need the Part 2–compliant consent if you're a Part 2 program. Build this into intake for those clinics.
Minors & Sensitive Services
For reproductive health, mental health, and minor patients, follow your state's existing minor-consent/guardian rules for consent to recording. Keep the opt-out process frictionless and ensure confidentiality.
Common Pitfalls to Avoid
❌ Relying only on signage in all-party states
Signs alone are not sufficient. You must obtain actual verbal consent.
❌ Starting the recording before obtaining consent
Always get verbal "yes" before pressing record.
❌ Forgetting telehealth/phone rules
Connecticut, Nevada, and California have special telephone consent requirements.
❌ Assuming "no recording saved" means no consent needed
Live transmission/streaming can still be an "interception" requiring consent.
Frequently Asked Questions
Is a line on the intake form enough?
Not by itself in any all-party state. You need actual patient consent before recording each visit (verbal is okay if documented). Intake language is still useful to set expectations.
Can we rely on posted signs?
No as the only measure in all-party states. Use signs to supplement (awareness), not to replace getting consent.
Is verbal consent okay, or do we need signatures?
Verbal consent is legally sufficient in most states if you document it. Some telephone statutes (e.g., Connecticut) specify exactly how to give notice. For simple operations, do verbal at the start of every visit + one-time written intake everywhere.
What about cross-state telehealth?
Apply the stricter law if participants are in different states. For example, California's all-party rule applies to calls with a California patient, regardless of where you are.
Do we need consent if we're not saving the audio?
Yes. Even live streaming audio to an AI service can count as "interception" under state wiretap laws. Obtain consent before any transmission.
Additional Resources
HHS Business Associate Guidance
Official HIPAA guidance on Business Associate Agreements
RCFP Reporter's Recording Guide
Comprehensive state-by-state recording law reference
Sample Business Associate Agreement
HHS model BAA contract provisions
MGMA Practice Resources
Medical Group Management Association templates and guides
Questions About Compliance?
Our team is here to help you navigate the compliance landscape and implement Doctora in a way that works for your practice and meets all legal requirements.
Disclaimer: This guide provides general information and should not be considered legal advice. Consult with your own legal counsel for specific compliance questions.