The “Click-to-Sign BAA” Trap in Free AI Scribes
I frequently hear from physicians who are frustrated that their institution has blocked their favorite AI tool, often with no explanation. When that free tool includes ambient scribe services, there is one big trap you need to watch out for.
Hopefully, this first post in the Ashoo Review helps clarify the issue.
~Sam
There’s a quiet pattern emerging with many of the new AI ambient scribe tools. It usually starts the same way: a clean interface, fast onboarding, assurance of HIPAA compliance, and a reassuring button that says something like “Sign BAA (Business Associate Agreement).”
That moment feels like compliance has been handled. It hasn’t.
Let’s walk through why this matters, especially for employed physicians.
1. Who actually holds the responsibility?
Under HIPAA, the covered entity is the organization responsible for protecting patient data. In most cases, that’s your hospital or health system.
As an employed physician, you are operating under that entity. You are not acting independently when you see patients, document care, or use clinical tools within that environment.
So when you personally sign a BAA with a vendor, you’re not stepping into the hospital’s legal role. You’re acting outside of it.
2. Why an individual BAA doesn’t solve the problem
A BAA is not just a statement of good intentions. It defines:
Who is allowed to share protected health information
Under what circumstances that sharing happens
What safeguards are required across systems
Who is accountable if something goes wrong
When a hospital signs a BAA, it is aligning the vendor with its entire compliance framework, including IT policies, audit controls, and data governance.
An individual clinician signing a BAA does none of that.
It does not:
Integrate with hospital security controls
Align with institutional policies
Cover other users or workflows
Protect the hospital from liability
From the hospital’s perspective, it’s essentially invisible.
3. The real risk you’re taking
If you use one of these tools inside the hospital environment without an institutional BAA, a few things are happening:
You may be transmitting protected health information to a vendor that your hospital has not approved
That vendor is not formally accountable to your organization
Your hospital cannot verify how data is handled, stored, or reused
You may be violating internal policy, even if the tool itself claims compliance
This is where the risk shifts from abstract to personal.
It can affect:
Internal disciplinary action
Credentialing concerns
Legal exposure if a breach occurs
Your reputation within the organization
None of that is mitigated by clicking a button on a website.
4. Why “free + BAA included” should raise questions
If a company is offering:
A free product
Instant BAA execution
No enterprise review
No contract negotiation
Then you should pause.
Hospitals typically go through months of review before approving a vendor that touches patient data. That process includes legal, compliance, security, and IT.
A one-click BAA bypasses all of that.
That doesn’t mean the company is acting in bad faith. It means the agreement you’re signing is not designed for the environment you’re working in.
5. The private practice exception
This changes if you are in private practice.
In that setting, you or your practice is the covered entity. You can sign a BAA directly with a vendor and use the tool within your own workflows.
The key difference is control. You own the systems, the policies, and the data governance.
Once you step into a hospital, that control shifts.
6. A simple way to explain it to colleagues
You can frame it like this:
The hospital is responsible for the entire system
A BAA connects a vendor to that system
An individual agreement sits outside that system
So even if the tool feels safe, it is not approved for use inside the hospital until the hospital itself signs.
7. What to do instead
Before using any AI scribe that touches patient data:
Ask if your hospital has an enterprise agreement in place
Route the vendor through your compliance or IT team
Avoid entering identifiable patient information until that is confirmed. That includes audio recordings of your patients: voice data is itself identifiable and cannot be treated as de-identified.
It may feel slow. It protects you and your patients.
8. When you step outside your role as an agent
There’s another layer that often gets overlooked. As an employed physician, you are acting as an agent of the hospital when you deliver care within its systems and workflows.
When you independently sign a BAA and use a tool that your hospital has not approved, you may be stepping outside that agency relationship.
That has consequences.
From a HIPAA standpoint, responsibility can shift in uncomfortable ways:
You may be viewed as acting outside the scope of your employment
Institutional protections may not fully apply to your actions
Liability can become more personal rather than organizational
From a practical standpoint, this can lead to:
Internal investigations or disciplinary action
Mandatory reporting of a privacy incident
Exposure to civil penalties tied to improper disclosure of PHI
Scrutiny from licensing boards, depending on the severity
Hospitals carry insurance, legal infrastructure, and compliance programs designed to manage risk at scale. Those protections are built around approved workflows and authorized vendors.
When you go outside that structure, you are operating without that safety net.
There’s a strong pull toward tools that save time and reduce documentation burden. That need is real. The way we adopt these tools still matters.
A signed checkbox is not the same thing as institutional approval.