Abridge AI Records Your Doctor. The Consent Gap That Should Keep Swiss BIM Teams Awake.
Class action against Sutter Health over AI recordings without consent—what nDSG, GDPR, and EU AI Act mean for DACH practices.
The Microphone in the Examination Room
A federal court in San Francisco cleared a class action this week against Sutter Health and MemorialCare. The core allegation: the AI transcription system Abridge AI recorded doctor-patient conversations, transmitted them to third parties, and processed them outside the clinical environment—without the subjects giving clear consent. The plaintiffs call this a violation of federal law and the California Invasion of Privacy Act (CIPA), which requires the consent of all parties involved in recordings. Abridge AI—valued at $5.3 billion as of June 2025—has not responded.
←TODAY: Abridge is already running at Kaiser Permanente, Mayo Clinic, and Duke Health; Sutter Health has been a partner for two years.
→3012: In Zurich-3012, consent layers in AI systems are architecturally coded—sound, light, display—before the microphone opens.
Fulcrum: Consent is not a form. It’s an interface-design problem.
Abridge does exactly what the market has demanded since 2022: it records the conversation, transcribes it, summarizes it, and generates clinical notes. The doctor saves time; the hospital saves costs. The business model is sound; so is the consent problem. As Ars Technica reports, the reporting journalist himself gave consent at Kaiser facilities, which shows that consent processes exist somewhere in the system. The question is whether they were deficiently implemented at Sutter and MemorialCare or simply designed differently. That difference is the core of the case.
The control-mechanism problem doesn’t lie in the algorithm; it lies in the default setting. When recording is the standard state and refusal requires an active step the patient doesn’t know about in a vulnerable situation, that’s not an oversight—that’s system design. Sutter spokesperson Liz Madison stressed that the technology is deployed “in accordance with applicable law.” That phrasing leaves open whether the applicable standard is sufficient or merely sufficiently documented.
What this means for DACH architecture practices
PAZ readers who don’t design clinics might be tempted to dismiss this case as a US legal problem. Wrong. The structural mechanism (an AI recording tool runs in the practice, data leaves the controlled environment, consent is unclear) is identical to what is happening right now in every other architecture studio.
Otter.ai, Microsoft Copilot, Zoom AI Companion, Firefly: these tools transcribe client meetings, competition briefings, site-management calls. Project names, cost structures, client data: all of it lands on third-party servers. This isn’t a worst-case scenario; it’s the default mode of operation. The revised nDSG (Switzerland, in force since September 2023) and the GDPR classify conversations involving identifiable persons as personal data. Anyone serving public clients (cantons, municipalities) owes them transparency about which AI systems process their communications. That’s not opinion; that’s contract risk.
The EU AI Act, whose high-risk requirements fully take effect in 2026, classifies AI systems that process sensitive personal data in high-stakes decision contexts as high-risk, with mandatory conformity assessment and transparency documentation. The clinics in this lawsuit would barely have met these requirements in a European context.
Atelier: Before your practice deploys an AI transcription tool for project meetings, clarify three things in writing: Where is the data processed (server location and subprocessor chain)? What’s the default setting—recording on or off? And which party in the service contract carries nDSG responsibility if client communication is sent to third-party servers? Without this clarity, you are Sutter Health.
Get the privacy policy and data processing agreement (DPA) of the tool your team uses, right now. Read the section on subprocessors. If you can’t find it or don’t understand it, that’s your answer.
Source: Ars Technica