Professional Responsibility, Accuracy, and Disclosure When AI Summarizes Medical Records
AI tools now draft medical chronologies, summaries, and timelines that lawyers sign and file.
The work product reaches insurers, mediators, and courts.
The ethical responsibility for that work product still belongs to the attorney.
Most PI firms have figured out that AI saves time. Fewer have worked out what their professional responsibility obligations look like when a model writes the first draft.
The questions are not theoretical. State bars have started issuing formal opinions. Sanctions have been imposed for AI-generated legal filings that contained fabricated citations. Clients are asking whether their records were processed by a tool — and whether they consented to it.
This guide walks through the ethical framework lawyers need before letting AI touch a medical record. It covers competence, confidentiality, supervision, accuracy verification, disclosure, and the practical workflows that turn rules into routine.
Why Attorney Ethics Apply to AI Medical Record Tools
Professional responsibility does not transfer to vendors
When a PI firm uses an AI platform to summarize hospital records, the platform is doing legal-adjacent work. The lawyer who relies on the output is the one who owes a duty to the client.
Vendor disclaimers do not shift that duty.
A platform may include language saying outputs are “informational only,” but the attorney who quotes a chronology in a demand letter is the one signing it.
The American Bar Association has been explicit on this point. ABA Formal Opinion 512 — the first formal guidance on generative AI — states that the existing Model Rules already apply.
There is no separate “AI exception” to professional responsibility.
Medical records concentrate every ethics issue at once
A medical record summary touches several rules simultaneously.
It involves confidential client data.
It produces factual claims that a lawyer must verify.
It supports work product that affects case outcomes and client recoveries.
If the summary is wrong, the lawyer’s filings can be wrong. If the data leaks, the duty of confidentiality has been breached. If the workflow lacks oversight, supervision rules are implicated.
Few legal tasks compress this many obligations into a single tool’s output. That is why medical summarization sits at the center of every state-bar AI advisory issued so far.
The duty exists whether you build or buy.
Lawyers sometimes assume that buying a SaaS tool insulates them more than running an in-house workflow. The opposite is closer to the truth.
Outsourcing PHI to a third party adds a business associate relationship under HIPAA on top of the underlying ethics obligations.
The lawyer remains responsible for vetting the vendor, reviewing output, and confirming that the workflow protects client information.
Competence Under Model Rule 1.1
The technology competence amendment
ABA Model Rule 1.1 was updated in 2012 to add a comment requiring lawyers to keep abreast of the benefits and risks of relevant technology.
Forty states have since adopted some version of that competence standard. The duty is no longer aspirational — it is part of basic competent representation.
Using AI without understanding how it works is not a defense.
What “understanding” means in practice
Lawyers do not need to write code. They do need to understand at a working level:
- What kind of model the tool uses
- Whether the model has been fine-tuned on medical content
- How the tool handles uploaded documents and outputs
- Where the data goes when the lawyer presses upload
- What the tool’s known failure modes are
Vendors that cannot answer these questions clearly are a competence risk.
A useful baseline: read the vendor’s documentation, request a security questionnaire, and confirm answers with someone technical at the firm.
Hallucinations and why they matter for medical records.
Large language models can produce confident, fluent text that is factually wrong. This is the hallucination problem — and it is the single biggest accuracy risk in medical summarization.
A hallucinated treatment date, a fabricated dosage, or a misattributed diagnosis can change settlement values and undermine credibility at deposition.
Tools that surface source citations linked back to specific record pages make verification feasible. Tools that do not are functionally unusable for legal work.
Confidentiality Under Model Rule 1.6
PHI is confidential client information by default
Medical records held by a lawyer for a client are confidential under Rule 1.6, regardless of how the lawyer obtained them.
The duty extends to subordinates, vendors, and any third party that handles the records on the lawyer’s behalf.
When a firm uploads records to an AI platform, the data has left the firm’s perimeter. The duty has not.
Reasonable safeguards in the AI era
Rule 1.6(c) requires lawyers to make reasonable efforts to prevent unauthorized disclosure. What counts as “reasonable” shifts as technology evolves.
Today, “reasonable” generally requires:
- Encryption in transit and at rest
- A HIPAA Business Associate Agreement with the vendor
- SOC 2 Type II attestation or equivalent
- Clear data retention and deletion terms
- No model-training rights over uploaded records
Vendors that train their general models on client uploads are presumptively unsafe. The training set effectively becomes a permanent disclosure.
Multi-tenant LLMs and cross-client exposure.
Most consumer AI tools share infrastructure across all users. That sharing is invisible at the user interface level but real at the model level.
If a vendor cannot demonstrate logical isolation of client data, the firm is using a system that could expose one client’s records to another client’s queries. Why general AI tools fall short of medical record review walks through this risk in more detail.
Purpose-built legal platforms typically isolate workspaces, encrypt per-tenant, and prohibit cross-tenant retrieval.
Supervision Duties Under Rules 5.1 and 5.3
AI as nonlawyer assistance
Model Rule 5.3 governs supervisory responsibilities for nonlawyer assistants.
State bar opinions have begun applying this rule to AI tools by analogy. The tool is not literally a person, but the lawyer’s duty to supervise the work product is identical.
A partner who hands off a chronology task to an associate must review the result. A partner who hands the same task to a model must review the result.
Workflow controls that satisfy the supervision duty
Effective supervision is not a single review at the end. It is a workflow.
A defensible supervision workflow includes:
- Assigning each AI-produced summary to a named reviewer
- Documenting the reviewer’s verification steps
- Flagging discrepancies between the AI output and the source records
- Retaining a copy of the original record set alongside the AI output
| Supervision element | Manual review | AI-assisted review | InQuery workflow |
|---|---|---|---|
| Source-linked citations | N/A | Optional | Built-in, page-level |
| Named reviewer per file | Manual log | Manual log | Audit-tracked |
| Discrepancy flagging | Reviewer notes | Reviewer notes | Human QA layer |
| Final attorney sign-off | Required | Required | Required |
Training the team.
Lawyers who supervise AI workflows need their teams trained on what to verify and how.
Paralegals checking AI summaries should know what a fabricated citation looks like, what unit conversions to double-check, and where to pull the original source page.
A short internal SOP — even a one-pager — usually satisfies both the supervision rule and the firm’s malpractice carrier.
Accuracy Verification in Practice
What needs verifying
Not every AI output needs the same scrutiny. A document index does not carry the same risk as a damages calculation.
The verification burden scales with downstream use.
| AI output type | Verification standard | Reviewer time per file |
|---|---|---|
| Document index | Spot-check a sample | 5-10 minutes |
| Medical chronology | Verify all dated entries used in filings | 30-60 minutes |
| Damage specials | Verify every line item against source bills | 20-40 minutes |
| Demand letter quotes | Verify each quote against the original record | 10-20 minutes |
Source linking is the workflow accelerator
The single biggest determinant of verification efficiency is whether the AI output links each claim to its source page.
When a chronology entry reads “10/14/2024 — MRI of lumbar spine revealed L4-L5 disc herniation (Source: p. 187),” the reviewer can confirm the claim in seconds.
When the same entry reads “10/14/2024 — MRI showed disc herniation,” the reviewer has to search the entire record.
The verification cost effectively destroys the time savings the AI was supposed to provide.
Tools that omit source linking are usually disqualified at this stage. DigitalOwl and Supio both offer source-linked outputs; smaller platforms vary.
The cost of skipping verification.
The Mata v. Avianca sanctions in 2023 — where lawyers filed an AI-generated brief containing fabricated case citations — were not an isolated event.
State bars have since disciplined attorneys in multiple jurisdictions including New York, California, and Texas for similar lapses.
Medical record summaries carry parallel risk.
A demand letter built on a hallucinated diagnosis can support a Rule 11 sanction or a fraud claim — even if the underlying records existed.
Disclosure and Discoverability of AI Outputs
Whether AI use must be disclosed
Disclosure obligations vary by jurisdiction and forum.
Several federal judges have entered standing orders requiring disclosure of AI use in filings.
Some state bars have issued advisories suggesting disclosure when AI substantially affects the work product.
The conservative posture: assume AI-assisted work product may need to be disclosed and design the workflow so that disclosure is easy.
Are AI outputs discoverable?
The question of whether AI drafts and chats are discoverable in litigation is unsettled.
Some courts have treated them as work product.
Others have treated them as ordinary business records.
Until the law clarifies, the safer assumption is that prompts, intermediate outputs, and final summaries may all be requested in discovery — and the firm should retain them in a way that does not create privilege complications.
Document retention for AI workflows.
A defensible retention policy includes:
- The original source documents
- The final AI-generated summary or chronology
- A log of which user uploaded the records and when
- The reviewer’s verification notes
- The final attorney-signed work product
Keep these for the matter retention period.
Avoid retaining intermediate AI drafts unless the firm has a specific reason to.
Client Communication and Informed Consent
Engagement letter language
Many firms now include a short paragraph in engagement letters explaining that AI tools may be used to assist with document review and summarization.
The language does not need to be lengthy.
It needs to be clear that the firm uses secure, attorney-reviewed AI workflows and that the client’s data is handled under HIPAA.
Responding to client questions
Clients increasingly ask whether AI is used on their case.
Firms should have a one-paragraph answer ready.
A typical version: “We use a secure AI platform to help our team summarize medical records. Every output is reviewed by an attorney or paralegal before it is used. Your records are stored under HIPAA-compliant safeguards and are never used to train any AI model.”
When consent matters more.
Some matters warrant a more cautious approach — minors, mental health records, sexual assault cases, or high-profile representations.
In those matters, firms increasingly opt for explicit consent to AI processing, documented in writing.
Risk Management Framework
Pre-engagement vendor review
Before adopting an AI medical record tool, complete a documented vendor review.
| Diligence area | What to confirm | Documentation to keep |
|---|---|---|
| Security posture | SOC 2 Type II, encryption standards | Audit report, security questionnaire |
| HIPAA compliance | Signed BAA, breach notification terms | Executed BAA |
| Data handling | Retention, residency, deletion | Data processing addendum |
| Model training | No training on uploaded records | Written confirmation |
| Audit capability | Source linking, per-matter logs | Sample export |
Vendor due diligence for AI medical record tools walks through this in detail.
Ongoing workflow audits.
Run quarterly audits on a sample of AI-produced summaries.
Check that source citations resolve correctly.
Check that reviewer sign-offs are recorded.
Check that no PHI leaked into unsecured channels.
A 30-minute audit per quarter is sufficient for most firms.
Insurance and malpractice coverage.
Many malpractice carriers have started asking about AI use on annual renewals.
Firms should confirm their policy covers AI-assisted work product. If the policy is silent or contains an AI exclusion, raise it with the carrier before adopting a tool.
How purpose-built platforms reduce the ethics surface
Platforms designed specifically for legal medical summarization usually solve several ethics problems at once.
InQuery ships with a HIPAA-compliant infrastructure, source-linked chronologies, a human QA layer that reviews every output, and a per-matter audit trail. The platform is purpose-built for PI firms — defensible, audit-ready, and attorney-reviewed by design.
That combination removes most of the rule-by-rule friction described above. Lawyers still own the final work product. The platform reduces the verification cost to a level where supervision is realistic on every file.
If you want to see the workflow before adopting, get started here or run the numbers on time savings.
Frequently Asked Questions
Do attorneys have to disclose that they used AI on medical records?
It depends on the jurisdiction and the forum. Some federal judges require disclosure in standing orders, and some state bars recommend it when AI substantially affects work product. Design the workflow so disclosure is easy, and retain a record of which tools were used on each matter.
Can a lawyer rely on an AI medical chronology without independently reviewing the source records?
No. Every state bar that has issued guidance to date requires the attorney to verify AI output before relying on it. Source-linked chronologies make this verification fast, but the duty to verify is not waivable.
Are AI prompts and drafts discoverable in litigation?
The law is unsettled. Treat prompts and intermediate outputs as potentially discoverable until courts clarify. Retain only what the firm needs and avoid creating drafts in personal accounts or unsanctioned tools.
How does InQuery support attorney ethics obligations?
InQuery provides source-linked summaries, a human QA layer that reviews every output, HIPAA-compliant infrastructure with BAAs, and an audit trail per matter. Combined with attorney sign-off, the workflow satisfies competence, confidentiality, and supervision requirements out of the box. See how it works.
What state bar opinions cover AI use in medical record review?
ABA Formal Opinion 512 is the most influential national guidance, and California, Florida, New York, and several other states have issued formal or informal opinions applying existing rules to AI tools. Check your jurisdiction for specifics.
What is the biggest ethics mistake firms make when adopting AI for medical records?
Skipping vendor diligence and using consumer-grade AI tools that lack BAAs, source linking, or data isolation. Why general AI falls short walks through the specific failure modes.
Erick Enriquez
CEO & Co-Founder at InQuery