Q: Who is legally responsible if an AI-generated recommendation harms a patient? A: States and medical boards increasingly expect clinicians to approve or reject AI outputs, so the provider who accepts an AI recommendation typically faces malpractice exposure. This allocation of responsibility is a central feature of AI liability for physicians, while the FDA only regulates AI indirectly when it is part of a medical device and vendor fault depends on contract terms and defects such as biased training data. Q: Should physicians document their use of AI in the medical record? A: Yes. Physicians should document if AI was used, whether they followed the recommendation and why, and if they deviated from or rejected a suggestion they should note their clinical reasoning in the chart, with some states offering explicit guidance such as North Carolina. Q: What should be included in vendor contracts to reduce AI-related legal risk? A: Contracts should include robust representations and warranties that the vendor is HIPAA compliant, written privacy and security policies, security risk assessments, and assurances about ongoing validation and bias testing. They should also grant audit and reporting rights, prohibit re-identification and off-target training on your PHI, and allocate indemnities and remediation timelines for vendor defects. Q: What are the risks of ambient scribing and how should clinicians mitigate them? A: Ambient scribing can produce incorrect transcriptions or fabricated details that misstate the encounter and expose the clinician. Clinicians must review and verify every AI-generated note, amend errors promptly and log changes, and comply with any state statutes that require verification of AI-recorded visits. Q: How should practices manage coding, prior authorization, and billing when using AI tools? A: Responsibility for billing accuracy remains with the provider, so practices must audit AI-influenced claims and ensure codes match the services documented. Regular monitoring, staff education, and retention of supporting documentation are necessary because an AI recommendation does not eliminate liability. Q: What privacy safeguards should practices require before vendors train models on patient data? A: Under one interpretation of HIPAA, vendors may only train on PHI if the training benefits the contracting provider, so practices should favor de-identified data and explicit contractual limits on data use. Business associate agreements should prohibit re-identification and vendors should provide written security risk assessments and breach history before contracting. Q: What governance, training, and auditing steps reduce malpractice exposure when adopting AI? A: Establish an AI review committee with clinical, compliance, privacy, and IT representation to define approved use cases, guardrails, and decommission steps, and require a clinician review and sign-off for AI outputs. Provide short repeatable training on verification steps, audit a sample of AI-influenced notes and claims monthly, and track incidents in a risk register to feed back into policies, which helps limit AI liability for physicians. Q: What immediate checklist items should my practice implement to limit AI malpractice risk? A: Map where AI touches your workflows, add verification steps and clinician sign-offs, update charting to capture when and how AI influenced care, and run monthly audits of AI-influenced notes and claims. Also harden vendor contracts (data use, bias testing, indemnities), refresh BAAs to ban re-identification, and plan patient disclosures for recordings; these steps will help reduce AI liability for physicians.