The Sharp HealthCare Complaint
Filed November 26, 2025, in San Diego Superior Court, Saucedo v. Sharp HealthCare centers on plaintiff Jose Saucedo, who discovered his July 2025 medical appointment had been recorded without consent only after reading AI-generated notes in his medical records. When he contacted the clinic, Sharp allegedly apologized, acknowledged the recording, but informed him that audio files would remain on vendor servers for approximately 30 days before deletion—and could not be immediately removed upon request.
The lawsuit names Abridge, a Pittsburgh-based generative AI company valued at $5.3 billion after raising $300 million in June 2024, as the ambient documentation provider. Sharp deployed Abridge across its clinical locations in April 2025 to serve over 1 million patients annually through its four acute-care hospitals, three specialty hospitals, and three affiliated medical groups including Sharp Rees-Stealy.
Fabricated Consent Documentation
The complaint raises particularly troubling allegations about fabricated consent documentation. According to the filing, Abridge's system allegedly auto-inserted false statements into patient medical charts claiming patients "were advised" of recording and "consented" to AI documentation—when patients had received no such notification. This amounts to falsification of medical records at scale, a claim that, if proven, could expose both Sharp and Abridge to significant liability beyond privacy violations.
Medical Record Falsification Risk
Auto-inserting consent statements into medical records when no consent was obtained constitutes falsification of medical records—a serious compliance violation independent of privacy law. Organizations using ambient AI tools must verify that consent documentation accurately reflects what actually occurred during patient encounters.
Legal Theories and Exposure
The legal theories target California's strictest privacy protections:
- California Penal Code § 631 (wiretapping) — prohibits electronic interception of communications without consent
- California Penal Code § 632 (eavesdropping) — prohibits recording confidential communications without all-party consent
- California Confidentiality of Medical Information Act (CMIA, Civil Code § 56) — requires written patient authorization before disclosing identifiable medical information to third parties
CIPA damages can reach $5,000 per violation per recording, creating potential exposure in the hundreds of millions for a class exceeding 100,000 patients.
A Wave of AI Recording Litigation
Sharp's lawsuit does not arise in a legal vacuum. Courts throughout 2024-2025 have been actively shaping how century-old wiretapping statutes apply to AI-powered recording and analysis, establishing precedents that will likely influence healthcare litigation.
The Capability Test: Ambriz v. Google LLC
The most consequential development came in Ambriz v. Google LLC (N.D. Cal., February 2025), where Judge Rita Lin denied Google's motion to dismiss claims that its Cloud Contact Center AI violated CIPA by intercepting customer service calls for clients like Verizon, Home Depot, and GoDaddy.
The court adopted the "capability test"—holding that an AI vendor need only possess the technical capability to use intercepted data for its own purposes (such as model training) to be considered a third-party eavesdropper, regardless of whether it actually exercised that capability. This plaintiff-friendly standard dramatically expands exposure for AI vendors whose terms of service permit using customer data to improve their products.
Key AI Recording Precedents (2024-2025)
| Case | Date | Key Holding |
|---|---|---|
| Ambriz v. Google LLC | Feb 2025 | Established "capability test" — vendor liable if it could use data for training, regardless of actual use |
| Taylor v. ConverseNow | Aug 2025 | Rejected argument that pizza orders lack privacy expectations; AI order-taking liable under CIPA |
| Brewer v. Otter.ai | Aug 2025 | AI meeting transcription liable when recording without all-party consent (25M users affected) |
| Apple Siri Settlement | Sep 2025 | $95M settlement for Siri activating without consent and sharing recordings with contractors |
| Kaiser Pixel Settlement | Dec 2025 | $46-47.5M for Meta Pixel disclosure of 13.4M members' health information |
Voice Assistant Settlements
Consumer voice assistant litigation has already produced major settlements establishing that passive AI listening creates substantial liability:
- Apple paid $95 million (final approval September 2025) to resolve claims that Siri activated without user consent and shared recorded conversations with human contractors and allegedly advertisers
- Amazon faces a certified nationwide class action over Alexa privacy violations after already paying a $25 million FTC penalty for COPPA violations involving children's voice recordings
Healthcare Tracking Technology Settlements
Healthcare organizations have faced massive privacy settlements even before ambient AI litigation emerged:
- Kaiser Permanente: $46-47.5 million (preliminary approval December 2025) to resolve claims that Meta Pixel tracking technology disclosed 13.4 million members' health information to third parties
- Mount Sinai: $5.26 million over MyChart portal data sharing with Facebook
- Nuance Communications: $8.5 million to settle MOVEit hack claims affecting 1.23 million patients across 14 healthcare clients
California’s Privacy Framework
California's Invasion of Privacy Act provides uniquely powerful tools for challenging AI recording because it requires all-party consent—stricter than the federal Wiretap Act's one-party standard. This means every participant in a conversation must agree to recording, not just the party initiating it. For healthcare, this means both physicians and patients must consent before ambient AI documentation begins.
Extension Test vs. Capability Test
The statute has evolved through recent judicial interpretation in ways that expand AI vendor liability. The critical distinction lies between two competing analytical frameworks courts have adopted:
Extension Test (Defense-Favorable)
Third-party software functions as a mere "extension" of the website operator—like a tape recorder—if it doesn't independently use captured data. Plaintiffs must prove the AI vendor actually used intercepted data for its own purposes.
Capability Test (Plaintiff-Favorable)
Vendor liable if it merely possesses the ability to use data for independent purposes—regardless of actual use. Because most AI vendors' terms reserve training rights, this standard dramatically expands potential liability.
Ninth Circuit Uncertainty
The Ninth Circuit remains divided on foundational questions. In a July 2025 concurrence in Gutierrez v. Converse Inc., Judge Bybee argued that CIPA Section 631(a)'s first clause "does not apply to internet communications" because the 1967 statute targeted telegraph and telephone wires—not internet traffic. If this interpretation gains traction, it could limit CIPA's application to cloud-based AI processing while preserving liability for traditional phone-based interception.
For healthcare ambient AI, the wiretapping analysis intersects with confidential communication protections under Section 632. Doctor-patient conversations represent the archetypal "confidential communication"—precisely the category California law most strongly protects.
CMIA: Healthcare-Specific Liability
The Confidentiality of Medical Information Act predates HIPAA and in many respects provides stronger patient protections. Under Civil Code § 56.10(a), healthcare providers cannot disclose medical information without first obtaining written authorization meeting specific statutory requirements—including clear statements of authorized uses, recipient identification, and expiration dates.
AI Vendor Disclosure Issues
For ambient AI documentation, CMIA liability focuses on whether transmitting recorded conversations to vendor cloud infrastructure constitutes unauthorized "disclosure" of medical information. The Sharp complaint alleges that symptoms, diagnoses, medications, treatment plans, and personal identifiers were transmitted to Abridge's servers where vendor personnel could access them—without patient authorization meeting § 56.11's rigorous requirements.
California AG Advisory on AI in Healthcare (January 2025)
The California Attorney General explicitly warned that AI systems handling patient data must adhere to CMIA, that using patient data to train AI models without proper authorization could constitute violations, and that entities cannot use "dark patterns" or manipulative interfaces to obtain consent. The advisory specifically flagged that California is a two-party consent state requiring all-party consent before audio recording begins in clinical settings.
Class Certification Challenges
CMIA presents unique challenges for class certification. In Vigil v. Muir Medical Group (2022), California's Court of Appeal held that CMIA requires proof that confidential information was "actually viewed" by unauthorized persons—an individualized inquiry that cannot be established class-wide. This requirement, established in Sutter Health v. Superior Court (2014), creates substantial barriers for CMIA class certification.
However, the Sharp complaint's allegations about systematic false consent documentation could potentially satisfy common questions requirements by establishing uniform practices across the class. If plaintiffs can prove that Abridge's system automatically inserted false consent statements for all recorded encounters, this pattern evidence might overcome individualized viewing requirements.
Retention and Deletion Obligations
Healthcare data retention requirements create particular complications for AI ambient documentation. California mandates that licensed healthcare facilities retain medical records for minimum 7 years after the last patient encounter. HIPAA requires documentation of policies, procedures, risk analyses, and authorizations for at least 6 years.
Audio as Transitory Data
The Sharp complaint highlights that Abridge allegedly retained audio recordings for approximately 30 days and could not immediately delete them upon patient request. This raises questions about whether audio recordings constitute part of the "medical record" (subject to retention requirements) or transitory processing data (subject to minimization principles).
Best practices from legal experts recommend treating AI-processed audio as transitory—to be deleted same-day or within one week maximum after generating the clinical note. Physicians must review and edit AI-generated documentation before finalization, and only the physician-approved note should become part of the permanent medical record.
AI Training Data Complications
For AI training data, organizations face tension between model improvement needs and privacy obligations:
- The "minimum necessary" standard under HIPAA requires AI tools to access only PHI strictly necessary for their intended purpose
- De-identification through Safe Harbor (removing 18 identifiers) or Expert Determination methods can enable training while reducing privacy exposure
- Re-identification risks remain when de-identified data can be triangulated with other datasets
- The capability test means simply having terms that permit training data use creates liability exposure
Evolving Regulatory Frameworks
Federal regulators are actively developing AI-specific guidance while using existing authorities to enforce against healthcare AI violations.
Federal Developments
Key Federal AI Regulations (2024-2025)
| Regulation | Agency | Key Requirements |
|---|---|---|
| HIPAA Security Rule Update | HHS/OCR (Jan 2025) | AI tools included in risk analysis; vulnerability scanning every 6 months; annual penetration testing |
| Section 1557 AI Provisions | HHS (May 2025) | Prohibits AI discrimination; requires identification of AI tools using protected characteristics |
| ONC HTI-1 Final Rule | ONC (Dec 2024) | First federal AI transparency "nutrition label" requirements for certified health IT |
| FDA AI/ML Guidance | FDA (Jan 2025) | Draft guidance on AI device lifecycle; most ambient scribes currently not regulated as devices |
State Enforcement
State attorneys general have begun enforcement. Texas reached the first-of-its-kind healthcare AI settlement in September 2024 against Pieces Technologies, imposing five-year obligations including disclosure of:
- Training data types
- Calculation methodologies for accuracy claims
- Known limitations and risks
- Potential harmful misuses
The settlement signals that AI accuracy claims will face scrutiny under deceptive trade practices laws.
Regulatory Classification Gap
Notably, most ambient AI clinical documentation tools are not currently classified as FDA-regulated medical devices because they don't provide diagnoses or treatment recommendations—they passively capture conversations and produce draft notes. This creates a regulatory gap where sophisticated AI systems processing sensitive health information fall outside traditional medical device oversight.
Meaningful Consent Practices
The ambient clinical documentation market's trajectory reveals fundamental tensions between AI efficiency gains and privacy obligations. With approximately 60 vendors currently competing and projections of consolidation to 6-7 dominant players expected by 2026, the industry's growing concentration means that compliance practices established now will shape how AI documentation functions industry-wide.
The Consent Gap
Research findings on consent practices are particularly troubling. A JAMA Network Open study found that when patients received basic information about ambient AI:
This gap between simple notification and truly informed consent exposes the inadequacy of current disclosure practices. When provided details about AI features, data storage locations, and corporate involvement, consent dropped nearly 30 percentage points.
Low Refusal Rates: Informed or Uninformed?
Kaiser Permanente's implementation achieved less than 0.5% patient refusal rates using standardized notification procedures including signage and verbal explanation—but this success rate may reflect patients' lack of understanding rather than genuine informed consent. The research suggests that meaningful consent requires going "beyond generic disclosure to ensure patients understand what ambient recording entails, how their data will be used, and their right to opt out."
Best Practice Consent Elements
Expert recommendations converge on several practices:
Consent Implementation Checklist
- Encounter-specific verbal consent: Not just general signage; explicit confirmation before each recording
- Pre-visit written notices: Advance notification allowing patients to consider before appointment
- Active recording indicators: On-screen or auditory signals when recording is active
- Clear opt-out options: Refusal must not affect care quality; this must be explicitly stated
- Data transparency: Storage location, access controls, corporate involvement, retention periods
- Deletion rights: Clear process for patients to request audio deletion
The Path Forward
The Sharp HealthCare lawsuit represents an inflection point for healthcare AI adoption. The case will test whether ambient documentation tools—deployed by over 150 health systems using Abridge alone—can survive scrutiny under California's strict privacy framework. The outcome will influence deployment decisions nationwide and potentially establish consent requirements that become de facto industry standards.
Immediate Actions for Healthcare Organizations
- Audit current AI recording deployments — verify consent documentation accurately reflects patient interactions
- Review vendor contracts — ensure prohibition of data use for training without explicit patient authorization
- Implement encounter-specific consent protocols — go beyond signage alone
- Establish audio retention policies — minimize exposure through rapid deletion after note generation
- Document consent refusals — track opt-out rates as indicator of consent quality
Immediate Actions for AI Vendors
- Evaluate terms of service — determine if training data clauses create "capability test" liability
- Implement contractual restrictions — explicit prohibitions on using customer data for model training
- Ensure transparency — clear documentation of data flows and processing locations
- Verify consent accuracy — eliminate any auto-insertion of consent statements that may not reflect reality
The Benefits Case Remains Strong
The technology's promise remains substantial: 70% of clinicians using ambient scribes report improved patient interactions, 62% report being more likely to extend their clinical careers, and same-day documentation closure rates improve significantly. But realizing these benefits requires building consent infrastructure that respects patients' fundamental privacy interests—not retrofitting compliance after deployment.
Cross-Industry Implications
The broader lesson extends beyond healthcare. $5,000 per-violation statutory damages under CIPA, applied across thousands of daily customer interactions or clinical encounters, creates enterprise-threatening exposure. As one Fisher Phillips analysis noted, the Sharp lawsuit "will ripple well beyond healthcare"—every industry deploying AI recording, transcription, or ambient listening technology faces analogous risks.
Frequently Asked Questions
Do I need patient consent to use an ambient AI scribe?
Yes. In California and other two-party consent states, all parties to a conversation must consent before recording begins. Doctor-patient conversations are confidential communications entitled to the strongest privacy protections. Failure to obtain consent can result in CIPA violations with damages up to $5,000 per recording. Even in one-party consent states, HIPAA and state medical privacy laws may require disclosure.
Is posting signage sufficient for consent?
No. Signage alone is likely insufficient for meaningful consent in clinical settings. Best practices require encounter-specific verbal consent, pre-visit written notices, clear opt-out options that don't affect care quality, and transparency about data storage and corporate involvement. The significant drop in consent rates when patients receive detailed disclosures suggests that simple signage does not produce informed consent.
How long should audio recordings be retained?
Best practices recommend treating AI-processed audio as transitory—deleted same-day or within one week maximum after generating the clinical note. Only the physician-approved note should become part of the permanent medical record. Longer retention increases breach exposure, discovery liability, and deletion request complications. The Sharp complaint's allegation of 30-day retention periods highlights this as a risk factor.
What is the “capability test” and why does it matter?
The capability test, established in Ambriz v. Google LLC (2025), holds that an AI vendor can be liable as a third-party eavesdropper if it merely possesses the technical capability to use intercepted data for its own purposes (like model training)—regardless of whether it actually exercises that capability. Since most AI vendor terms of service reserve rights to use customer data for product improvement, this standard creates broad exposure for healthcare organizations and their AI vendors.
Are ambient AI scribes regulated by the FDA?
Most ambient AI clinical documentation tools are not currently classified as FDA-regulated medical devices because they don't provide diagnoses or treatment recommendations—they passively capture conversations and produce draft notes. This creates a regulatory gap where sophisticated AI systems processing sensitive health information fall outside traditional medical device oversight, though this may change as regulations evolve.
What states have two-party consent requirements?
California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont, and Washington all have two-party (or all-party) consent requirements for recording conversations. Healthcare organizations operating in these states face the strictest exposure. Even one-party consent states may have healthcare-specific requirements under state medical privacy laws.
Key Takeaways
- Consent before recording — all-party consent required in California and 14 other states; signage alone is insufficient
- Verify consent accuracy — auto-inserted consent statements without actual consent constitutes medical record falsification
- Capability creates liability — vendor terms permitting training data use create exposure even without actual use
- Minimize retention — delete audio same-day or within one week; only retain physician-approved notes
- $5,000 per violation — CIPA damages multiply across patient populations, creating massive aggregate exposure
- Build consent infrastructure now — the Sharp lawsuit will shape industry standards going forward
For more on healthcare AI compliance and evidence infrastructure, explore our other resources: