Telehealth transcription HIPAA 2026: multi-state visits, BAA chain, and the cross-border compliance map

May 8, 2026 · 7 min read

Telehealth is now embedded in primary care. About 22% of all US ambulatory encounters happen by video or audio in 2026, and a meaningful share of those cross state lines — the patient is in one state, the clinician is licensed in another. Add AI transcription on top, and you've stacked three compliance regimes: federal HIPAA, state consent laws, and state telehealth licensure rules.

Most clinics implementing AI scribes for telehealth handle the HIPAA piece and miss the state pieces. Audit findings in 2025 produced six-figure settlements for two practices that recorded patient sessions without two-party consent in California and Massachusetts. Here's the 2026 map for staying clean.

The three compliance layers

Two-party consent map (the part most scribes get wrong)

If the patient is physically located in one of these states during the visit, you need explicit consent from both parties before recording — including AI transcription. The state of the recording is determined by the patient's location, not the clinician's:

• California — Penal Code §632, all-party consent
• Florida — §934.03, two-party
• Illinois — 720 ILCS 5/14-2, two-party (eavesdropping statute)
• Maryland — §10-402, two-party
• Massachusetts — M.G.L. ch. 272 §99, all-party
• Montana — §45-8-213, all-party
• New Hampshire — RSA 570-A, two-party
• Pennsylvania — 18 Pa. C.S. §5704, two-party (with telehealth carve-out under 2024 amendment)
• Washington — RCW 9.73, two-party
• Connecticut, Delaware, Hawaii, Vermont — mixed; check current state of statute

Best practice: treat all 50 states as two-party. Build the consent dialog into the visit start. The cost is 30 seconds per visit; the upside is no §632 lawsuit.

The HIPAA BAA chain for telehealth + AI transcription

Every entity that touches PHI between the patient's mouth and the EHR field needs a Business Associate Agreement. For telehealth + AI transcription, the typical chain is:

1. Telehealth platform — Doxy, Zoom for Healthcare, Updox, etc. (BAA required)
2. Recording capture — usually the same platform's recording feature (covered under the same BAA) or a third-party recorder (separate BAA)
3. Storage — AWS S3, GCP, or vendor cloud (BAA via cloud provider's healthcare offering)
4. Transcription engine — OpenAI Whisper API, Anthropic Claude, AssemblyAI, Deepgram, or self-hosted (BAA needed unless self-hosted)
5. EHR integration — Athena, Epic, eClinicalWorks (BAA already in place)

The chain breaks at step 4 if you use consumer OpenAI or Anthropic without their enterprise/BAA tier. Both offer healthcare-tier accounts in 2026; both require sign-off and stricter retention controls.

The four compliant telehealth transcription stacks

Multi-state licensure: where AI doesn't help

The Interstate Medical Licensure Compact (IMLC) covers 41 states for MDs/DOs as of 2026. PA and NP compacts are growing but still patchy. For LCSWs, the Counseling Compact and Social Work Compact each cover 25+ states.

None of this is solved by AI scribes — the clinician has to be licensed where the patient is sitting. What an AI scribe can do is geotag the visit (with consent) and flag mismatches before billing: patient ZIP + clinician state license → cross-reference table → warning if licensure gap.

Retention and audit

HIPAA requires 6-year retention of audit logs and access records. State medical board rules add their own retention (commonly 7–10 years for adult patients, longer for minors). Recordings used for medico-legal defense can be relevant 20+ years out.

What to retain:

• Patient consent timestamp + recording
• Original audio file (or hash if you delete original)
• Verbatim transcript
• Final note as filed in EHR (for diff with transcript)
• Access log: who opened the audio/transcript and when

What to delete on a schedule:

• Working LLM intermediate outputs (suggested codes that were rejected)
• Cached transcripts in vendor cloud (set TTL)
• Mobile device local copies (auto-purge after upload)

The patient consent script that survives a state audit

"Before we start: I'm using an AI tool to transcribe today's visit so I can focus on you
instead of taking notes. The audio and transcript are stored securely under HIPAA, and only
your care team has access. We can delete it after the note is finalized if you prefer.
Do I have your consent to record this visit and use AI transcription? Please say yes or no."

[Wait for explicit verbal yes — do not start recording before. Document patient response in
the audit log: patient name + timestamp + response.]

The 30 seconds spent on this script protects against every two-party consent claim.

Common 2026 pitfalls

• Recording the waiting-room small talk. Some platforms start recording at appointment scheduled time. Stop the recording until consent is captured.
• Family members on the call. If a spouse or adult child is present, two-party consent extends to them. Get verbal yes from each adult voice.
• Pediatrics. Parental consent — document who has legal authority. Custody documentation matters in split-custody cases.
• Mental health under 42 CFR Part 2. Substance use treatment records have stricter rules than HIPAA. Consent is per-recipient, not blanket.
• Embedded interpreter on call. Interpreter is also a covered entity in most cases — their consent is required and they're bound by HIPAA.

When to operationalize

If you do more than 5 telehealth visits per week and any of them cross state lines, set up the BAA chain and consent script before your next visit. The vendor sign-up takes a few hours; the consent dialog is a script change. The downside is real — one §632 lawsuit settles north of $50k for a small practice — and the upside (5–15 minutes saved per visit, fewer documentation gaps) compounds for years.