Your AI Scribe Is a Recording Device: Consent, Retention, and the Lawsuit Every Practice Should Read
A proposed class action against Sharp HealthCare alleges patients were recorded by an ambient AI scribe without consent — and the health system, not the vendor, is the defendant. Here is what recording-consent law actually requires, what your scribe really keeps after the note is written, and the consent workflow that protects your practice.
In December 2025, a San Diego man named Jose Saucedo filed a proposed class action against Sharp HealthCare. The claim was not that his care was bad, or that his data was breached, or that an AI got something wrong. It was simpler than that: he says nobody told him the room was being recorded.
That lawsuit should change how every practice thinks about ambient AI scribes. Not because scribes are dangerous — they are, on balance, the most useful AI most clinicians will touch this decade — but because the industry spent three years selling them as a documentation product when they are, legally, a recording product. Those are governed by very different rules.
The lawsuit, and why the health system is the defendant
The complaint, filed in San Diego Superior Court, centers on a routine physical at a Sharp Rees-Stealy clinic. According to press coverage of the filing, Saucedo alleges his visit was captured by a microphone-enabled device and streamed to a third-party vendor's cloud to draft his note, without anyone asking him first. The tool was Abridge. The suit estimates more than 100,000 Sharp patient encounters may have been recorded since the rollout began in April 2025.
Two claims anchor it: California's wiretapping statute (CIPA), which requires all-party consent to record a confidential conversation, and the Confidentiality of Medical Information Act. CIPA is the one that concentrates the mind — it carries statutory damages of up to $5,000 per violation. Multiply that across a six-figure class and you understand why health-system general counsel started returning calls about this in January.
The allegations are unproven, and Sharp has said it cannot comment on pending litigation. But notice who got sued. Not the vendor. The health system. Abridge built the microphone; Sharp is the one alleged to have pointed it at a patient without asking. Whatever the outcome, that is the structural lesson for anyone shopping this category: your vendor's compliance posture does not transfer the consent obligation to your vendor. You are the covered entity. It is your exam room. The duty to ask is yours.
There is one more allegation in the complaint that deserves its own paragraph, because it is the part most likely to be quietly true somewhere in your own charts. Saucedo alleges Sharp's records contained boilerplate language stating that patients "were advised" of the recording and "consented" to it — when, he says, no such conversation ever happened. If your scribe's note template auto-inserts a consent attestation, you are not documenting consent. You are generating an unverified claim that consent occurred, signing it, and filing it in a legal record. Go check your template today.
This is a different question from "did you disclose the AI"
We wrote recently about the wave of state AI disclosure laws — California's AB 3030, Texas's TRAIGA, Utah, Illinois. Those laws ask: did you tell the patient an AI was involved in their care?
Recording-consent law asks a completely different question: did you get permission to capture the audio in the first place? It predates AI by decades, it lives in state wiretapping and eavesdropping statutes, and it does not care that your purpose was benign. A scribe running in the background of a visit is a recording device in a confidential conversation, and that is exactly the fact pattern those statutes were written for.
You can satisfy the AI-disclosure law and still violate the wiretap statute. Most practices I see are thinking about the first and have never thought about the second.
Where all-party consent actually applies
Most states are one-party consent: the clinician is a party to the conversation, so the clinician's own consent to record is enough. In those states, recording-consent law is not your primary exposure.
But roughly a dozen states require all-party consent. The commonly cited list is California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington — though be careful with it. The lists published by different firms disagree at the margins (Nevada in particular is contested), several states treat in-person conversations differently from phone calls, and penalties range from civil damages to felony charges. Florida's statute, for example, makes unlawful interception a third-degree felony.
Two practical implications:
- Telehealth crosses state lines, and the strict rule usually wins. If your patient is in an all-party state and you are not, the safe assumption is that the all-party rule governs. California courts have reached across state borders on exactly this point.
- "My EHR vendor says we're fine" is not a legal opinion. Whether an exam-room conversation is a "confidential communication" under your state's statute is a question for a lawyer licensed in your state, not for a sales engineer.
If you practice in a one-party state, you still want a consent process. Not because the wiretap statute compels it, but because of what the research below says about what happens when patients find out later.
The uncomfortable research finding
Here is the study every practice deploying a scribe should read, and almost nobody has.
In July 2025, researchers at NYU Grossman School of Medicine published a quality-improvement study in JAMA Network Open on informed consent for ambient AI documentation. They looked at 18 clinicians and 103 patients in an academic ambulatory setting. The headline number is not the 74.8% of patients who said they were comfortable with ambient documentation. It is this:
81.6% of patients consented when given basic information. Only 55.3% consented when told the specifics — what the AI actually does, how the data is stored, and which company is involved.
Full disclosure cost roughly a quarter of the consenting population. That is the number that explains why so many rollouts lean on a poster in the waiting room and a fast verbal aside.
The rest of the findings sharpen the point. 96.1% of patients rated details about how audio is used and stored as important or very important. 59.2% did not want their data shared with vendors. And patients told researchers they would self-censor: 51.5% said they would hold back when discussing illicit activity, 40.8% on sexual health. A scribe that quietly degrades candor in exactly the conversations where candor is clinical gold is not a neutral tool.
One more, and it lands squarely on the clinician: 64.1% of patients said the physician is accountable for a medical error linked to the tool. Not the vendor. You.
The researchers' recommendation is a two-step consent process — information provided before the visit (portal, intake, front desk), confirmed briefly in the room — rather than a rushed verbal ask while the patient is half-undressed and the clock is running. That is a workflow problem, and it is solvable. It just has to be designed on purpose.
What your scribe actually keeps
"The audio is deleted" is a sentence four vendors will say to you and mean four different things. The encounter generates at least three artifacts — raw audio, a transcript, and a draft note — and vendors treat them very differently. What each vendor publishes as of mid-2026:
- Heidi Health states plainly that no audio recordings are ever saved — "as soon as Heidi transcribes, the audio disappears" — and that it stores transcripts and notes only, deletable at any time. It also says it does not use your data to train its AI.
- Freed says audio is automatically deleted on successful note generation, typically within about 60 seconds of the encounter ending, and offers an optional 30-day retention policy for notes. It says it trains only on de-identified notes, not PHI.
- Nabla says it does not store audio by default — it processes audio in chunks and discards them — and retains transcripts and notes for a configurable period, 14 days by default.
- Abridge is an enterprise product, so retention is largely configured by the deploying health system. Published patient-facing pages from its customers are the clearest guide: UC Davis Health tells patients "all recordings are deleted after 30 days," and other deployments document 30-day deletion of both audio and transcripts.
Notice the pattern: audio deletion is not transcript deletion. The transcript is the thing that contains every word the patient said, including the parts that never belonged in the chart, and it is often the artifact with the longest and most configurable life. Ask about the transcript, not the audio.
Then ask the question almost nobody asks: what is our retention set to, and who set it? A default of "keep forever" is a defensible product decision by a vendor and an indefensible compliance decision by you.
Retention is a discovery problem, not just a privacy problem
Every artifact you keep is an artifact that can be subpoenaed.
If a malpractice claim is filed three years from now, the signed note is what you defended. But a retained transcript is a verbatim, timestamped account of the encounter that opposing counsel can lay next to your note and read for discrepancies — omissions, hedges, the symptom the patient mentioned that never made it into the assessment. Health-law commentators have been blunt about this all year: each additional layer a vendor retains creates more material to be requested in discovery and compared against the chart.
That is not an argument for sloppy documentation, and it is emphatically not an argument for destroying records. It is an argument for retaining deliberately — knowing what exists, for how long, and why, rather than discovering during litigation that your vendor has kept 400 hours of your patients' voices because nobody changed a default.
The same artifacts widen your breach surface, and they raise a live question about the designated record set and patient access that neither HHS nor the courts have fully answered. If you want the foundation here, our guide to what HIPAA compliance actually means for AI tools covers BAAs and the vendor questions that precede all of this.
And you still own the note
The consent problem sits on top of an accuracy problem that has not gone away. Peer-reviewed work puts scribe hallucination rates in the low single digits — real, if uncommon — and we went through the failure modes in what the research says about AI scribe accuracy.
Malpractice carriers have converged on unambiguous guidance. The Texas Medical Liability Trust tells physicians to set aside dedicated time each day to review AI documentation before sign-off, to add AI-scribe language to patient consent forms, and warns that automatic signatures on AI-generated content are discouraged. Their bottom line: the physician remains fully responsible for the content of all medical documentation, regardless of how it was generated.
The regulators are moving the same direction. In September 2025, the Joint Commission and the Coalition for Health AI issued their first joint guidance on responsible AI use, and it says patients should be notified when AI directly affects their care and, where appropriate, given the chance to consent. It is voluntary today. Guidance like that has a way of becoming an accreditation expectation.
What to do in the next week
None of this means don't use a scribe. It means close the gap between how you deployed it and how the law sees it.
- Find out if you are in an all-party consent state, and if you deliver telehealth, whether your patients are. Ask a healthcare attorney in your state — this is a cheap question with an expensive wrong answer.
- Open your note template and look for auto-inserted consent language. If a phrase like "patient consented to AI documentation" appears without a human typing it, disable it now. Attesting to a conversation that may not have happened is the single worst fact in the Sharp complaint.
- Build a two-step consent flow. Disclose in intake paperwork and the Notice of Privacy Practices; confirm verbally in the room. Twelve seconds: "I use an AI assistant that records our conversation so I can focus on you instead of the screen. It's deleted after the note is written. Is that okay? I'm glad to turn it off."
- Make the opt-out real. UC Davis tells patients plainly that they can decline and their care will not be affected. Copy that sentence. A consent nobody can refuse is not consent.
- Look up your actual retention settings for audio, transcripts, and draft notes — and change the defaults if you never chose them.
- Ask your vendor five questions in writing: Do you store audio, and for how long? How long do you keep transcripts, and can I set that? Do you train models on our data, and can I opt out? Who at your company can access an encounter? Can I get verified deletion on request?
- Give sensitive encounters an exception. Behavioral health, sexual health, immigration, substance use — the study says patients censor themselves in exactly these visits. If you run a therapy practice, consent should be per-encounter, not one-time. Our comparison of AI therapy note tools for solo practices flags which ones are built for that setting.
- Never sign a note you have not read. The carriers have made it clear where the liability lands.
The bottom line
The ambient scribe is the rare healthcare technology that delivers on its promise — hours back, less burnout, better eye contact. The category earned its adoption. But it got deployed at enterprise speed with consumer-app consent hygiene, and the bill for that gap is now arriving in the form of a proposed class action with six figures of potential class members.
The fix is not expensive. It is a paragraph in your intake form, one sentence spoken in the room, a retention setting somebody actually chose, and the discipline to read what you sign. Practices that do those four things get all the upside of ambient AI and none of the headline.
If you are still choosing a tool, start with our guide to choosing an AI medical scribe and the scribe comparison for family medicine — and this time, make retention and consent a column in the spreadsheet, not a footnote.
This article is informational only and is not legal or medical advice. The Saucedo v. Sharp HealthCare allegations described here are unproven claims in pending litigation. Recording-consent law varies significantly by state and changes frequently — consult a healthcare attorney licensed in your jurisdiction. Vendor retention and privacy practices are as published by those vendors as of July 2026 and can change; verify current terms directly with the vendor and in your BAA before relying on them.