Your BAA Is Not a Consent Strategy: What the Sutter Health AI Scribe Lawsuit Means for Healthtech
Here is the detail most coverage of the Sutter Health lawsuit is burying: the complaint does not allege a HIPAA violation. Not one count.
In April, patients filed a proposed class action in the Northern District of California against Sutter Health and MemorialCare over their use of Abridge, an ambient AI scribe that records clinical visits, transmits the audio to external systems for processing, and generates draft notes that flow into the EHR. The plaintiffs say nobody clearly told them any of that was happening.
Abridge signs business associate agreements with its covered entity clients. Under HIPAA, recording and processing a visit to support documentation falls under healthcare operations, which generally does not require patient authorization when a compliant BAA is in place. By the standard most healthtech companies use to define compliant, this deployment likely checked every box.
The lawsuit goes around HIPAA entirely. The claims run through the California Invasion of Privacy Act, the Confidentiality of Medical Information Act, California's Unfair Competition Law, the federal Wiretap Act, and common law invasion of privacy. The theory is that the violation happens at the moment of interception — when a live conversation is recorded and sent out of the room — regardless of how carefully the data is handled afterward.
If that playbook sounds familiar, it should. These are the same statutes plaintiffs used to turn hospital website tracking pixels into a multi-year litigation wave. Per-encounter statutory damages, multiplied across every recorded visit at two large health systems, is the same math that drove pixel cases to settlement. Plaintiffs' firms found a formula that works, and ambient AI is the next application of it.
A BAA answers one question: is the vendor contractually obligated to safeguard PHI under HIPAA? It says nothing about whether the patient consented to the recording itself. State wiretap and medical confidentiality laws impose separate obligations that HIPAA does not preempt. California requires all-party consent to record a conversation, and roughly a dozen other states have similar statutes. A perfectly executed BAA does not create consent under CIPA any more than a privacy policy created consent in the pixel cases.
The consent gap here is specific. Language that covers we maintain your medical record is not the same disclosure as your voice will be recorded during this visit, transmitted to a third-party AI platform, processed by a model, and potentially retained. Those are different facts, and patients are entitled to the second set before the microphone turns on.
The earlier case against Sharp HealthCare, filed in late 2025 over the same technology, added an aggravating detail. According to that complaint, EHR notes contained boilerplate attestations stating patients had been advised of and consented to AI recording when no such conversation occurred. Auto-inserted consent language is not consent. It is evidence.
For years, healthtech companies could treat HIPAA as the ceiling. Sign the BAA, encrypt the data, pass the security review, done. This lawsuit is part of a broader shift where HIPAA is the floor and the real exposure lives in state privacy statutes that plaintiffs' attorneys have already learned to weaponize. The organizations that will come through this well are the ones whose consent architecture was designed against the actual legal landscape rather than against a HIPAA checklist.
Stag Compliance provides expert HIPAA and privacy validation for healthtech companies, pressure-testing consent frameworks, disclosures, and compliance documentation before a plaintiff's attorney does it for you.