January 15, 2026

If AI Reads Your Notes, Who Owns Patient Consent: The Hospital or the Clinician?

Today, artificial intelligence (AI) is increasingly used in healthcare across Ireland.

From summarising clinician’s notes to supporting clinical decision-making, AI tools are quietly becoming part of everyday medical practice.

But as soon as AI starts reading patient notes, an important legal and ethical question arises:

Who is responsible for the patient consent, the hospital or the clinician?

The answer is not always straightforward. It depends on a lot of factors such as how AI is used, who controls it, and how patient data is processed under Irish and EU data protection laws.

Consent was designed for humans, but patient data now feeds the machines.

All of this creates a tension modern healthcare hasn’t fully resolved yet.

Why This Question Is Hard to Answer

Traditionally consent lived inside the clinician–patient relationship.

A patient told their story.

A doctor recorded it.

That information stayed within the bounds of direct care.

AI disrupts that simplicity.

Once AI touches clinical notes, it can:

Surface sensitive details beyond the immediate consultation
Link records across teams or systems
Generate insights patients never expected
Enable secondary uses like training, audit, research, or billing

From a patient’s perspective, there is no clear distinction between “my doctor” and “the hospital system”.

They only know their story is being read.

Where AI Touches Notes In Practice

Here are some examples of how AI touches clinical notes:

Coding: Suggests clinical codes from GP written notes to help GP and hospital records align.
Discharge letters: Drafts clearer summaries and follow-up instructions after hospital care.
Referral letters: Organises history, medicines, and questions for faster specialist review.
Triage flags: Highlights urgent symptoms so patients are prioritised safely.
Risk scores: Calculates recognised scales to guide, not replace clinician judgement.
Templated documentation: Formats text into agreed hospital templates to save typing time.
Analytics: Reviews groups of notes to identify trends and service needs across Ireland.

These examples show that AI mainly organises, drafts, and calculates where it benefits the patient, while the clinician remains the final decision-maker.

The Legal Backbone in Ireland: GDPR Still Rules

In Ireland, consent and responsibility around AI use in healthcare sits firmly with GDPR.

Under GDPR:

Data concerning health is special category data
There must be clear lawful basis for processing
Roles must be defined, data controller vs data processor
Patients must be informed, not surprised

Who Is a Data Controller in Practice?

In most Irish settings (both public and private care) the organisation usually controls the system, making the hospital the primary owner of consent obligations.

That includes:

Public hospitals and services under Health Service Executive (HSE)
Private hospitals
GP practices as legal entities

They decide:

Which AI tools are deployed
What data those tools access
How long data is stored

From a regulatory point of view, this makes the hospital or practice the primary owner of consent obligations.

They must:

Set policies
Update privacy notices
Ensure lawful and secure processing

Where the Clinician Still Carries the Weight

Even though clinicians are not usually the formal data controllers, their role does not disappear.

Clinicians introduce AI into the consultation, they carry the patient’s trust and remain professionally accountable.

If a clinician uses AI outside approved systems or relies on AI without oversight, then responsibility can quickly become personal rather than institutional.

Where Things Commonly Go Wrong

The risk isn’t just legal, it’s relational.

Problems usually arise when AI is added quietly in the “background”, patients are not clearly informed, and clinicians cannot confidently explain how the system works and why it is being used.

A Better Way Forward: Shared Consent as Clinical Practice

The real opportunity is to stop treating consent as a legal checkbox and start treating it as a shared clinical workflow.

That means:

Plain-language disclosure at the point of care
Genuine opt-out routes
Clear audit trails clinicians can explain
AI use limited to direct patient benefit

When hospitals and clinicians move together, consent becomes clearer, not heavier.

Two Accountabilities at Once

Consent for AI in healthcare has to live in two places at the same time:

The hospital or practice that governs the technology
The clinician who speaks directly to the patient

Each has a different responsibility, and both need to be visible if we want consent to be genuine.

Hospital / Practice Responsibilities

The organisation acts as the data controller and carries responsibility for:

Controller governance and policies: Setting rules on which AI systems are approved, how long the data is kept, and who can access it.
Procurement and procurement assurance: Choosing vendors that meet Irish and EU GDPR standards and completing due diligence before contracts are signed.
Data Protection Impact Assessments (DPIAs): Formally assessing risk to patient rights before any deployment
Transparency materials: Creating leaflets, posters, and scripts that help explain AI to patients

Clinician Responsibilities

The clinician is accountable for:

Being the trusted explainer: Talking directly to the patient about why AI is relevant to their case.
Appropriate use: Staying within approved pathways and documenting clinical justification.
Avoiding unapproved tools: Not using personal apps or external AI platforms that the hospital has not assessed, even if they appear convenient.

Visibility Mechanisms for “Two Accountabilities at Once”

EHR banner showing when AI is active, for example: AI-assisted summary enabled for documentation.
Patient leaflet and QR code at registration with plain-language information about the tool.
Consent or objection captured in the patient portal to create a clear audit trail.
One-sentence script for clinicians so they can explain AI use during consultation.
Public register webpage listing approved AI tools and their purpose.