AI scribes gain traction in healthcare as lawyers flag risks

Consent, data governance, and vendor contracts raise liability questions for clinical adopters
AI scribes gain traction in healthcare as lawyers flag risks

Artificial intelligence-powered medical scribes are becoming increasingly common in Canadian healthcare settings as physicians seek relief from growing administrative workloads. While the technology is widely viewed as a productivity tool, legal experts say its adoption should be considered in light of concerns about privacy, consent, data governance, and liability. 

At their core, AI scribes are designed to convert spoken clinical interactions into written documentation. However, lawyers emphasize that modern systems go far beyond traditional dictation tools. 

More than a digital dictation tool 

Teresa Reguly, co-leader of the intellectual property and food and drug regulatory practices at Torys LLP in Toronto, explains that the key difference lies in how the information is processed and structured. “It’s not just a dictation, [i.e.] a literal transcript,” she says. “It’s taking in the information at the meeting or at the session, and then distilling it into a summary, and often including action items.” 

That structured output has made AI scribes particularly attractive in clinical environments where physicians face significant documentation pressures alongside limited appointment times. Reguly says the appeal is straightforward in practice. “A tool like this, where they don’t have to dictate [or] take notes, this allows physicians to spend less time on administrative tasks and focus on more clinical tasks,” she says. 

The efficiency gains, she adds, can have system-wide implications. “Anything where they can save time and effort and use that same time for actual healthcare is a huge advantage to the system,” Reguly says. 

However, she cautions that efficiency does not eliminate professional responsibility. Physicians remain obligated to review and validate AI-generated outputs before relying on them in clinical decision-making. “I don’t think they can just use the scribe and then not be proofing it or reviewing it,” she says. “If the scribe was making some recommendation, do they actually agree with that recommendation?” 

Patient consent and the governance gap 

These concerns become more pronounced as AI tools move beyond transcription and begin generating suggested actions. “It’s one thing to take in the information,” Reguly notes. “It’s another thing to take that information, and then there’s an action that comes from it.” 

Privacy and consent also remain central considerations. Reguly stresses that consent must extend beyond the act of recording. “It’s not just consent for collecting and using information,” she says. “It’s also consent for who else is going to have access to this information [and] how it’s going to be used.” 

She adds that as functionality expands, regulatory classification may also shift. “A software developer or manufacturer may want to promote a product that could replace decision-making – that would be a medical device that requires Health Canada approval before it could be sold,” she says. Health Canada's pre-market guidance for machine learning-enabled medical devices, published in February 2025, sets out the requirements of the approval pathway – including transparency obligations, algorithm change controls, and cybersecurity measures. 

From a regulatory perspective, Dana Siddle, partner with the technology law group at McCarthy Tétrault LLP in Vancouver and co-leader of its health industry group, says AI scribes should be understood as tools that extend well beyond basic transcription. 

“They are an artificial intelligence-enabled transcription tool,” she says, noting that they generate transcripts, summaries, and action items from clinical encounters. 

Siddle identifies efficiency as the primary driver of adoption. “The main argument in favour of doctors using an AI scribe is that they can help the doctor save time on administrative tasks like note-taking, which allows them to spend more time on patient care,” she says. 

Beyond documentation, she notes that some systems also support the automation of administrative workflows and could play a role in broader interoperability goals for healthcare data exchange. 

However, she emphasizes that regulatory frameworks specifically around AI are a work in progress. Canada does not currently have a comprehensive federal AI law. A proposed regime, the artificial intelligence and data act (AIDA), was introduced in 2022 but did not become law after it died on the order paper in 2025. Instead, Siddle points to an apparent shift in current strategy toward more targeted regulation. 

“The federal government’s AI strategy and newly proposed digital safety and privacy law regimes seem to suggest an intention to address certain types of AI risks, rather than reintroduce a comprehensive federal AI law at this time,” she says. 

In the absence of comprehensive legislation, provincial privacy commissioners and medical regulators have issued guidance focused on implementation safeguards. In Ontario, the Information and Privacy Commissioner released guidance on AI scribes in the health sector in January 2026, covering vendor assessment, contractual safeguards, and compliance with Ontario's health privacy law. These frameworks typically emphasize privacy impact assessments, human oversight, and risk evaluation before deployment. 

Siddle also highlights real-world risks, illustrated by a 2024 incident at an Ontario hospital involving an unauthorized AI transcription tool that joined and recorded a virtual clinical meeting. The resulting transcript contained sensitive patient information, exposing vulnerabilities related to system configuration and access controls. 

“Privacy of patient information is one of several relevant considerations when assessing AI scribes,” she says, also pointing to the potential for algorithmic bias, hallucinations, inaccurate outputs, and cybersecurity risks.  

Liability exposure and vendor contract risk 

Daniel Michaluk, national co-leader, privacy & cybersecurity at Borden Ladner Gervais LLP in Toronto, says the appeal of AI scribes lies in their ability to reduce documentation burdens. Still, he emphasizes that their legal and operational implications are significant. 

“At their core, they’re not different from your note taker… they turn speech into text,” he says. However, he explains that healthcare-specific systems go further by producing structured clinical documentation. “The text output will be structured… you’ll get an actual clinical note as an output with appropriate terminology and diagnostic billing codes,” he says. 

That structure, he notes, is designed for integration into electronic medical records systems and reflects training on clinical datasets and medical templates. 

Michaluk identifies efficiency as the primary benefit. “It’s about time saving,” he says, noting that physicians often spend substantial time on administrative work outside patient-facing care. 

However, he cautions against overreliance on AI outputs. “I think you’ve got to take that with a grain of salt,” he says. “You must very carefully review the output and determine that it’s accurate.” 

From a liability standpoint, he says the risk is heightened because AI-generated documentation becomes part of the official medical record. “Charting errors are a very significant patient safety issue,” he says. 

Privacy risks also arise from the creation of temporary transcripts or audio-derived records, which may contain more sensitive information than the final chart. Michaluk notes that these must be carefully managed throughout their lifecycle, particularly regarding access controls and disposal. “Any transitory transcripts… should be disposed of fairly early,” he says. 

Vendor contracts are another key area of risk. Michaluk warns that secondary use provisions in agreements can create significant exposure if not tightly controlled. “That’s too general a language… it opens up the potential for AI training,” he says, referring to clauses permitting use of aggregated data.  

Despite these concerns, lawyers suggest that existing legal frameworks are generally sufficient when properly applied. Regulators have largely adopted a process-based approach focused on consent, oversight, and governance rather than prohibiting the technology outright. 

“Medical scribes, as a use case, aren’t driving that need,” Michaluk says, referring to broader calls for standalone AI legislation. 

As adoption continues to accelerate, the challenge for healthcare providers, vendors, and regulators will be ensuring that efficiency gains do not outpace the legal safeguards needed to protect patient privacy, maintain clinical accountability, and preserve public trust.