Doctors are using AI scribes more than ever – but is your health data safe?

A growing number of doctors are turning to AI scribes to take notes during appointments. These tools listen to consultations and automatically generate clinical summaries, saving doctors hours of administrative work. But an official warning from the Australian government suggests that the privacy risks may outweigh the convenience for many patients.

The warning, reported by The Guardian, cites a rapid rise in the use of AI scribes by healthcare providers. While the technology is often marketed as a way to let doctors focus on patients rather than screens, the government’s Office of the Australian Information Commissioner (OAIC) has flagged that many implementations may breach the Privacy Act.

What happened

AI scribes work by recording or transcribing the conversation between a patient and a doctor. The audio or text is sent to cloud-based AI services – often run by companies like OpenAI, Microsoft, or specialised health-AI startups – which then produce structured notes. The doctor approves or edits the notes before they go into the medical record.

The OAIC’s concern is that patient health data is being handed to third-party companies without adequate consent, clear disclosure, or safeguards. According to The Guardian’s reporting, the government warned that such practices “may be unlawful” if the data is used for purposes beyond the immediate consultation, such as training AI models, or if it is stored overseas without proper protections.

Why it matters for patients

Your health information is among the most sensitive personal data you have. A diagnosis, a mental health conversation, a family history – once that data leaves the doctor’s office and enters a cloud service, you lose a degree of control over who can access it and how it may be used.

Data breaches in healthcare are not hypothetical. Medical records are highly valuable on the black market. Even if a scribe provider has strong security, the mere fact that your data is stored by a third party increases the attack surface. And because AI scribes are new, many doctors may not fully understand the data flow themselves.

There’s also the question of consent. Many patients are not told that an AI is listening and processing their words. The Australian warning makes clear that consent must be “voluntary, informed, and specific” – not something buried in a wall of clinic paperwork.

What readers can do

If you’re a patient, you have more agency than you might think.

  • Ask your doctor directly. Before or at the start of an appointment, ask: “Are you using any AI tool to take notes? If so, which one, and where is my data stored?” A straightforward question often reveals whether the practice has thought about privacy.
  • Request an opt-out. If you’re uncomfortable, ask if you can decline the AI scribe entirely. Some clinics may still offer manual note-taking or a paper alternative. If not, you can decide to take your care elsewhere.
  • Check your consent forms. If you signed a general consent form when registering with a clinic, it may not mention AI tools. You can ask for an addendum or clarification.

If you’re a healthcare professional considering AI scribes, here are practical steps:

  • Prioritise tools that process data locally (on-device rather than in the cloud). A growing number of companies offer local processing, which avoids sending audio to external servers.
  • Read the vendor’s data handling policy in detail. Look for commitments not to train models on your data, to make no secondary use of it, and to store it within your jurisdiction.
  • Get written legal advice on whether the tool complies with your local privacy laws, especially if you’re in Australia, the EU, or a state with strong health-privacy rules like California.
  • Inform patients explicitly. Place a notice in the waiting room and verbally confirm consent at the start of each visit.

Looking ahead

The Australian government’s warning is a sign that regulators are paying attention. Similar concerns have been raised by privacy advocates in the US, UK, and Canada. What happens next likely depends on how quickly the industry responds. If more doctors choose transparent, privacy-first tools and patients start asking questions, the market can shift. If not, we can expect stricter rules.

For now, the safest approach is the same as with any new technology in healthcare: assume your data is being shared unless proven otherwise, and don’t be shy about asking.