Ambient Clinical Documentation: The AI Scribe

This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

If you run or build a telehealth product, the ambient scribe is the AI feature your clinical users will ask for first, because documentation is the single biggest source of clinician burnout and the easiest place for AI to pay for itself. But it is also the feature most likely to put patient data somewhere it should not be: the audio of an entire consult is among the most sensitive data a health system holds, and the scribe by definition sends it to a model to be processed. A founder or product lead needs to understand three things before committing budget — how the technology actually works, exactly where the patient-data path leaves the protected boundary, and what the human-review step has to look like so the feature helps clinicians instead of exposing them to liability. Get those right and the scribe is the highest-leverage thing you can ship; get them wrong and it is the fastest way to a breach or a malpractice headache.

What an ambient scribe actually is

Start with the everyday picture. In a traditional in-person visit a busy clinic might hire a person — a medical scribe — to sit quietly in the corner and write up the visit while the doctor focuses on the patient. An ambient AI scribe is the software version of that person: it sits invisibly inside the video call, listens to the whole conversation, and produces a first draft of the clinical note by the time the call ends. "Ambient" means it works in the background from the natural conversation, without the clinician dictating to it or stopping to type.

The clinical note it drafts is a specific, structured document. Most visits are written up in a format clinicians call a SOAP note — four sections covering what the patient reports (Subjective), what the clinician observes or measures (Objective), what the clinician concludes (Assessment), and what happens next (Plan). The scribe's job is to listen to a free-flowing conversation and reorganize it into those sections, pulling out the symptoms, the history, the medications, and the follow-up plan, and leaving out the small talk.

One distinction matters before we go further, because it sets up everything about compliance. A scribe is a documentation tool: it records and organizes what was said. It is not a decision tool: it does not tell the clinician what is wrong with the patient or what to prescribe. That line — documentation versus decision — is the same line that decides whether the feature is an ordinary product or a regulated medical device, and we will return to it. For now, hold the simple version: the scribe writes down the visit; the clinician still makes every clinical call.

How it works: the three-step pipeline

Under the friendly description is a chain of three machine-learning steps. Each one is a place where audio or text is handed to a model, and — keep this in mind — each one is a place where patient data moves.

Figure 1. The ambient-scribe pipeline. Audio enters on the left and a draft note leaves on the right; every stage sits inside the compliance boundary and every model vendor needs a BAA.

Step 1 — Speech recognition (turning audio into words). The first model is an automatic speech recognition system, usually shortened to ASR. It takes the audio of the consult and produces a running transcript of words. Clinical ASR is harder than the dictation on your phone, because it has to cope with drug names, anatomy, accents, cross-talk, and the background noise of a patient sitting in a kitchen. General speech models get the everyday words right and stumble on the medical vocabulary, which is why clinical scribes either use medically tuned models or add a medical-terminology correction layer. The internals of streaming speech recognition — which models, how they run live — are covered in the AI engineering section's streaming ASR article; this article stays on the clinical and compliance side.

Step 2 — Speaker separation (working out who said what). A raw transcript is just words; a clinical note needs to know that "I've had the cough for three days" came from the patient and "let's start you on an inhaler" came from the clinician. The step that attributes each sentence to a speaker is called diarization. In a telemedicine call this is easier than in a crowded exam room, because each participant often arrives on a separate audio channel — the patient's microphone and the clinician's microphone are already distinct streams — which the system can use to label speakers reliably. Getting this wrong is not cosmetic: a note that attributes the patient's symptom to the doctor, or puts the doctor's instruction in the patient's mouth, is a clinical error.

Step 3 — Clinical summarization (shaping the note). The third model is a large language model — the kind of general text model behind modern chat assistants — given the speaker-labeled transcript and asked to produce the structured note. This is where the conversation becomes a SOAP note: symptoms sorted into the Subjective section, the plan into the Plan section, the chit-chat dropped. This step is also where the technology is most powerful and most dangerous, because a language model can write fluent text that was never said. We treat that risk in its own section below.

Three steps, three models, one through-line: audio in, structured note out. Everything else — the user interface, the EHR connection, the review screen — wraps around this core.

Why this is the highest-ROI AI feature in telehealth

Clinicians do not burn out on medicine; they burn out on paperwork. Surveys of physicians have for years put documentation at the top of the burnout list, and the phrase clinicians use for the documentation they finish at home after the kids are in bed — "pajama time" — tells you how the burden feels. The promise of the ambient scribe is simple: give that time back.

Walk the arithmetic out loud, because it is the whole business case. Suppose a clinician does 16 telehealth visits in a day and spends, on average, 6 minutes documenting each one by hand:

Manual documentation:
   16 visits × 6 minutes  = 96 minutes/day of typing notes

With an ambient scribe (draft written automatically, clinician reviews):
   16 visits × 2 minutes  = 32 minutes/day reviewing and signing

Time returned to the clinician:
   96 − 32 = 64 minutes/day  ≈ more than an hour a day

The numbers in the field vary — studies report clinicians spending five to ten minutes reviewing an AI note against thirty to forty-five minutes writing one from scratch — but the shape is always the same: the scribe does not just save minutes, it removes the after-hours tail of documentation. That is why, of the six AI features in the map of where AI fits in a telemedicine product, the ambient scribe is the one that consistently shows a return, and why most clinical-AI budgets start here.

The return is not only clinician time. A more complete, more consistent note also improves the record for the next clinician who sees the patient, and it captures the detail that billing depends on. But the time saving is the headline, and it is the number that justifies the project.

The compliance picture: where the patient data goes

Now the hard part, and the reason this is a Block 2-adjacent article wearing a Block 5 hat. The audio of a medical visit is Protected Health Information — PHI for short, meaning any health data that can be tied to an identifiable person. A recording of a patient describing their symptoms is about as identifiable and as sensitive as health data gets. And the scribe, by its nature, sends that audio to a model to be processed. So the central compliance question from the AI map applies in full force: does PHI leave your protected boundary, and if so, who is on the receiving end and what have they signed?

Figure 2. The scribe's data path. The consult audio is PHI; it may go to a model only if that vendor is under a BAA and barred from training on it. The public-AI path is never allowed.

The contract gate: a signed BAA, plus the no-train clause

Under the US health-privacy law known as HIPAA (the Health Insurance Portability and Accountability Act), any outside company that handles PHI on your behalf is a business associate, and you must have a signed Business Associate Agreement — a BAA — with them before they touch a single record. The BAA is the signed promise a contractor makes before they get a key to the building. The rule is explicit: a business associate is anyone who "creates, receives, maintains, or transmits" PHI for you (45 CFR §160.103), and the agreement is required (45 CFR §164.502(e), §164.504(e)).

For an ambient scribe this gate is non-negotiable, because the scribe vendor receives the most sensitive stream you have. The good news is that the serious clinical-scribe vendors offer a BAA as standard — it is table stakes in this market. The trap is the same one that catches every AI feature: a vendor offering a BAA and your use being covered by that BAA are two different facts. The free or consumer tier of a general AI tool has no BAA; pasting a transcript into it is a violation no matter how good the output.

One clause is specific to AI and easy to miss. A standard BAA stops the vendor from misusing your data, but it may not stop the vendor from using your patients' conversations to train its general model. For an AI vendor you usually have to add that prohibition in writing. A vendor can be fully HIPAA-covered and still, by default, learn from your patients unless your contract says no. Insist on the no-train clause, and read the full BAA article before you sign.

The minimum-necessary and consent gates

Two more rules shape the scribe specifically. First, HIPAA's minimum necessary standard (45 CFR §164.502(b)) says you should send only the data the task requires — a reason to question whether you need to retain the raw audio after the note is drafted, or whether the transcript can be discarded once the clinician signs. Second, recording a visit at all is governed by consent and retention rules that differ by state and by whether you keep the audio; the patient should know the visit is being captured for documentation, and you need a defensible answer to how long the recording lives and who can reach it. The mechanics of consent, recording, and retention have their own article: patient consent, recording, and data retention.

If you do keep audio or transcripts, they are PHI at rest and inherit every storage rule — encryption, access control, and the audit log that records who opened what (45 CFR §164.312(b) requires that logging). The cheapest scribe architecture, from a compliance standpoint, is often the one that keeps the least: draft the note, let the clinician sign, and delete the raw audio.

The FDA line: a scribe is documentation, not a device — until it isn't

The second line that decides whether an AI feature is safe to ship is the regulatory one. The US Food and Drug Administration (FDA) regulates software that diagnoses, treats, or drives clinical decisions — a category called Software as a Medical Device, or SaMD. It does not regulate software that merely records and organizes information.

A pure ambient scribe sits comfortably on the safe side of that line. It documents what happened; it does not decide anything. The FDA's Clinical Decision Support Software guidance, updated to a new final version in January 2026 (docket FDA-2017-D-6569), draws the boundary, and documentation assistance falls outside it. The January 2026 update generally loosened the agency's posture toward lower-risk software, which is good news for scribe builders — but it kept the hard cases hard.

The catch is that scribes do not stay pure. The moment a scribe starts suggesting — proposing billing codes, flagging a care gap ("this patient is due for a screening"), or recommending a diagnosis from the conversation — it edges from documentation toward decision support, and the FDA line comes back into view. The rule of thumb that keeps a feature safe is the one from the CDS guidance: it must offer a recommendation to a clinician who can independently review the basis for it, not push a conclusion the clinician has to trust blindly or that goes straight to the patient. A scribe that drafts a note for a clinician to sign is documentation. A scribe that auto-codes a claim with no human able to check the reasoning is something the FDA — and your billing-compliance team — will want to look at. Design the suggestion features so a human can always see and override the reasoning, and you keep the scribe on the non-device side. The broader treatment of this line lives in the compliance and safety layer for clinical AI.

Accuracy, hallucination, and who is liable

A language model's gift and its curse are the same thing: it writes fluent, confident prose. In a clinical note, confident prose that was never said is a patient-safety risk. Three failure modes matter, and a product has to be designed against all three.

The first is hallucination — the model inventing something. The dangerous version in a scribe is a fabricated finding: a note that records a physical-exam step that never happened, or a symptom the patient never mentioned, simply because such things commonly appear in notes like this one. The second is omission — the model leaving out something that was said and mattered, like an allergy or a dose change. The third is the speaker mix-up from a diarization error, putting one person's words in another's mouth. Studies of clinical AI notes put raw hallucination rates in the low single digits — roughly one to three percent of notes — which sounds small until you multiply it by the millions of visits a health system runs, and remember that a single fabricated allergy can harm a patient.

This is why the human-review step is not a nicety; it is the core of the design. No scribe output becomes part of the medical record until a qualified clinician has read it, corrected it, and signed it. The clinician is legally responsible for the note they sign, AI-drafted or not, so the product's job is to make review genuinely possible: surface the draft quickly, make edits easy, and never auto-file.

Figure 3. The review gate. The scribe produces a draft only; a clinician must review, edit, and sign before the note enters the record. No path skips the human.

Two design details have emerged from early deployments and malpractice discussion in 2025–2026, and both belong in a product spec. One is the idea of a reasonable review window: if the workflow leaves a clinician only a few seconds before the next patient, "review" becomes a rubber stamp, and a note signed without real review is hard to defend. Build the schedule and the interface so review has time to be real. The other is the discipline of keeping a draft state that is visibly unsigned and excluded from the legal record until the clinician acts — so an unreviewed draft can never be mistaken for a finished note. How the signed note then becomes a permanent, structured record is the EHR-integration question we turn to next.

EHR write-back: getting the note into the chart

A note that lives only in the scribe tool is half a feature. The value lands when the signed note flows into the patient's chart in the electronic health record (EHR) — the system of record clinics actually work in. This is the write-back step.

In 2026 the cleanest path uses the healthcare data standard called FHIR (Fast Healthcare Interoperability Resources), which models a clinical note as a DocumentReference resource that can be posted into the chart through the EHR's API. The important design rule mirrors the review gate: the integration writes the note in a draft status and the clinician's signature in the EHR is what finalizes it, so the human action — not the AI — is the thing that commits the record. The full mechanics of FHIR, HL7, and the realities of connecting to a specific EHR are covered in HL7, FHIR, and the EHR integration reality.

There is a strategic wrinkle worth flagging for product planners. In February 2026 Epic — the EHR most large US health systems run on — began rolling out its own native AI charting, and Epic has been adding ambient-scribe vendors into its in-EHR toolbox. For a telehealth product that means the write-back target is a moving one: build the integration so the note lands correctly whether the clinician finishes it in your app or in Epic, and assume the EHR vendors themselves are now competitors and partners at the same time.

Build vs buy: the vendor landscape and the build path

Almost every team faces the same fork: integrate an existing scribe vendor, or build the pipeline in-house. The honest answer for most telehealth products in 2026 is buy the model, own the workflow — use a mature scribe or ASR vendor under a BAA for the hard machine-learning, and build the parts that are specific to your product (the review screen, the EHR write-back, the consent flow). The table below lays out the buy options; every row includes the column that matters most in healthcare.

Figure 4. Four ways to add an ambient scribe, compared. The BAA column is the one that decides whether an option is even on the table for PHI.

Approach	What it is	EHR integration	Medical accuracy	BAA available?
Enterprise (Microsoft/Nuance DAX, Dragon Copilot)	Incumbent, deep EHR ties	Deepest native Epic / Oracle Health	High, clinically tuned	Yes
Specialist startups (Abridge, Suki, Nabla, Ambience, DeepScribe)	Purpose-built scribes	Strong Epic partnerships, varies	High, clinically tuned	Yes — confirm tier
EHR-native (Epic AI Charting)	Scribe built into the EHR	Native by definition	Improving fast	Via the EHR's BAA
Self-build (ASR API + LLM)	You assemble the pipeline	You build it	Depends on your tuning	Yes — from each vendor

Read the table by its last column first. Every serious option can be put under a BAA — but for the startups you must confirm the BAA covers the tier you are on, and for a self-build you need a BAA from each vendor in your chain (the ASR provider and the language-model provider both receive PHI). The self-build path is viable and gives you the most control: a clinical-grade speech API for steps 1 and 2, a language model on a BAA-covered tier for step 3, and your own review-and-write-back layer around them. It costs more engineering and more compliance work; you take it when the scribe is core to your product rather than a feature bolted on. The model-engineering details of that build live in the AI section's telemedicine AI-scribe engineering playbook and the intake-and-scribe system design; this article covers the clinical wiring and compliance around them.

A common, expensive mistake

The most frequent failure is not technical. It is a clinician, or a developer testing the feature, pasting a real consult transcript into a free, public AI chatbot to "clean up the note." That single paste sends PHI to a vendor with no BAA, and on a consumer tier the data may feed model training. It is a HIPAA violation whether or not anything bad ever happens, because the patient data crossed to an uncontracted vendor.

The fix is boring and absolute. Every tool that can touch a transcript is on an approved list, runs under a BAA on the exact covered tier, and the public consumer tiers are blocked at the network. Make the compliant path the easy path inside your product — a one-click "draft my note" that routes to the approved model — or the convenient shortcut wins and someone reaches for the public chatbot. The second-most-common mistake is the inverse of the review gate: letting a draft note auto-file or letting the clinician sign a stack of them without real review. Both are design failures, and both are preventable in the product.

Where Fora Soft fits in

We build the telemedicine and real-time-video platforms that an ambient scribe attaches to, and we build them compliance-first: the patient-data path before the feature. When a client wants an ambient scribe, our work is to route the consult audio so the model vendor sits under a BAA with a no-train clause or never receives identifiable data, to keep the feature on the documentation side of the FDA line, to build the review-edit-sign gate into the product rather than bolt it on, and to wire the signed note into the EHR as a draft the clinician finalizes. The machine learning is increasingly a commodity you can buy; placing it correctly relative to the PHI boundary, the device line, and the clinician's signature is the engineering that keeps a launch — and the clinicians using it — out of trouble.

What to read next

• Real-time transcription and captioning for consults
• Visit summarization and patient-facing after-visit notes
• The compliance and safety layer for clinical AI

Download the AI scribe build & compliance checklist (PDF)

Call to action

• Talk to a telemedicine engineer — book a 30-minute scoping call to talk through your ai medical scribe plan.
• See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
• Download the AI Scribe Build & Compliance Checklist — One page: run an ambient clinical-documentation feature through the four gates — a BAA with a no-train clause, the PHI boundary, the FDA documentation-versus-decision line, and the clinician review-and-sign step — before you build.

References

1. HHS, HIPAA Privacy Rule — business-associate definition and contract requirement, 45 CFR §160.103, §164.502(e), §164.504(e). Why any AI scribe vendor that receives consult audio or transcripts needs a signed BAA. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html — tier 1.
2. HHS, HIPAA Privacy Rule — minimum necessary standard, 45 CFR §164.502(b) and §164.514(d). The basis for limiting retained audio/transcripts to what the documentation task requires. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html — tier 1.
3. HHS, HIPAA Security Rule — audit controls, 45 CFR §164.312(b), and technical safeguards, §164.312(a)(1),(e)(1). Logging and access control for stored PHI (audio, transcripts, notes). https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html — tier 1.
4. FDA, Clinical Decision Support Software — Guidance for Industry and FDA Staff (Final, January 2026; docket FDA-2017-D-6569). The documentation-versus-decision line; documentation assistance falls outside device regulation. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software — tier 1.
5. 21st Century Cures Act §3060(a) (2016), amending §520 of the Federal Food, Drug, and Cosmetic Act to exclude certain decision-support software from the device definition. The statutory basis the FDA CDS guidance interprets. tier 1.
6. HHS, Guidance Regarding Methods for De-identification of PHI under 45 CFR §164.514(b) — Safe Harbor and Expert Determination. Relevant if transcripts are reused for analytics or model evaluation. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html — tier 1.
7. HHS, HIPAA Security Rule NPRM (RIN 0945-AA22; Federal Register, Jan 6, 2025) — proposed strengthening of technical safeguards (MFA, encryption). Proposed, not final as of 2026-06-14; cited as proposed. tier 1.
8. HL7 FHIR R4 (2019) — DocumentReference resource and SMART on FHIR app-launch; the standard mechanism for writing a signed note back into an EHR. https://hl7.org/fhir/R4/documentreference.html — tier 1.
9. Beyond human ears: navigating the uncharted risks of AI scribes in clinical practice, npj Digital Medicine (2025). Peer-reviewed account of hallucination, omission, and speaker-attribution failure modes in clinical scribes. https://www.nature.com/articles/s41746-025-01895-6 — tier 5.
10. Transforming clinical documentation with ambient AI scribes: a narrative review of technology, impact, and implementation, PMC (2025–2026). The ASR + diarization + summarization pipeline and reported time-savings. https://pmc.ncbi.nlm.nih.gov/articles/PMC12973079/ — tier 5.
11. Texas Medical Liability Trust, Using AI Medical Scribes: Risk Management Considerations (2026). Practitioner guidance on the clinician's review-and-attestation duty and the reasonable-review-window idea. https://www.tmlt.org/resource/using-ai-medical-scribes-risk-management-considerations — tier 5.
12. Fierce Healthcare, How Epic's latest EHR features could shift the AI scribe market (2026). Market orientation on Epic AI Charting (Feb 2026) and the Epic ambient-vendor toolbox. https://www.fiercehealthcare.com/ai-and-machine-learning/how-epics-ai-moves-could-shake-health-tech-market — tier 6, orientation only.

Where sources disagreed, the article follows the controlling rule. Vendor and market pieces (refs 11–12) describe practice; the BAA requirement, the minimum-necessary standard, the audit-control obligation, and the documentation-versus-device line are stated from HHS and FDA primary sources (refs 1–7), which override any looser vendor framing. The FDA CDS guidance is cited at its January 2026 final version. Hallucination-rate figures (refs 9–10) are peer-reviewed observations, not regulatory thresholds, and are presented as ranges.