
Is Your AI Scribe HIPAA Compliant? A Practical Guide for Clinicians

HIPAA compliance is more than a vendor checkbox. Here are the specific questions to ask, the documents to require, and the audit signals that distinguish actual compliance from marketing claims.

Author
Healthcare AI Hub Editorial Team
Published
May 19, 2026
Reading time
4 minutes

Why this matters more than vendor marketing suggests

Every AI scribe vendor claims HIPAA compliance. Most have it. Some don't actually understand the requirements. A few use the claim as marketing while lacking the technical and contractual controls behind it. The penalty for picking wrong is not just a fine: it's a Federal Register breach notice with your practice name on it.

This article walks through the practical compliance checklist clinicians should run before deploying any AI scribe in clinical practice.

This is general guidance for clinicians, not legal advice. For specific compliance questions, consult your compliance officer or healthcare attorney.

1. Signed Business Associate Agreement (BAA)

HIPAA requires a signed BAA between the covered entity (your practice) and any business associate that handles Protected Health Information (PHI). Every AI scribe handles PHI. No BAA = no clinical use, full stop.

What to ask the vendor:

  • Do you provide a signed BAA at no additional cost?

  • Can I see the BAA template before I sign up for a trial?

  • Does the BAA cover all features I'm using, including any AI training on de-identified data?

Tools that delay the BAA conversation past the trial signup are a compliance risk signal. Freed AI, Heidi Health, Abridge, and DAX Copilot all publish BAA templates accessible during evaluation.

2. SOC 2 Type II report (current within 12 months)

HIPAA is a regulation, not a security standard. SOC 2 Type II is the practical audit framework that proves a vendor actually operates the controls. Type II (not Type I) requires audited evidence that the controls worked over a 6-12 month period, whereas Type I only attests that they were designed at a single point in time.

What to ask:

  • Can I see your most recent SOC 2 Type II report?

  • What date was it issued? (must be within 12 months)

  • Were there any qualified exceptions in the report?

3. Encryption (at rest and in transit)

Industry standard: AES-256 at rest, TLS 1.2+ in transit. Vendors should explicitly state both. If the answer is hand-wavy ("we encrypt everything!"), push for specifics.

4. Audio recording retention policy

AI scribes capture audio. The question is what happens to that audio after the note is generated. Reputable vendors delete audio within 24-72 hours. Some retain de-identified versions for model training and offer opt-out.

Red flags:

  • Recordings retained indefinitely "for quality assurance"

  • No clear opt-out from model training

  • Recordings stored in jurisdictions that lack HIPAA-equivalent protections

5. Audit logs and access controls

You must be able to see who accessed what and when. Specifically:

  • Per-user audit logs for note access + edits

  • MFA enforcement on admin accounts

  • Role-based access controls (the front-desk staff should not see clinical notes)

  • Quarterly access review reports
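As an added illustration, not code from the article or from any scribe vendor, here is what "who accessed what and when" looks like once a vendor hands you an audit export. The script parses a constructed JSON Lines audit log (field names, roles and the role-to-resource policy table are assumptions, not any real vendor's format), flags role-based access violations such as front-desk staff reading clinical notes, lists admin accounts acting without MFA, and produces the per-user tally that a quarterly access review starts from.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical role-to-resource policy. "front_desk" deliberately has no
# clinical_note access, which is the least-privilege point made above.
ROLE_POLICY = {
    "clinician": {"clinical_note", "schedule"},
    "front_desk": {"schedule", "demographics"},
    "admin": {"schedule", "demographics", "user_admin"},
}

# Constructed sample audit export in JSON Lines form (assumed field names).
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-04-02T09:12:03Z","user":"dr.alvarez","role":"clinician","action":"read","resource":"clinical_note","id":"n-1021","mfa":true}
{"ts":"2026-04-02T09:14:40Z","user":"dr.alvarez","role":"clinician","action":"edit","resource":"clinical_note","id":"n-1021","mfa":true}
{"ts":"2026-04-02T10:01:11Z","user":"frontdesk.kim","role":"front_desk","action":"read","resource":"schedule","id":"s-2026-04-02","mfa":false}
{"ts":"2026-04-03T11:30:52Z","user":"frontdesk.kim","role":"front_desk","action":"read","resource":"clinical_note","id":"n-1021","mfa":false}
{"ts":"2026-04-05T08:00:00Z","user":"it.admin","role":"admin","action":"login","resource":"user_admin","id":"-","mfa":false}
{"ts":"2026-04-05T08:05:00Z","user":"it.admin","role":"admin","action":"read","resource":"user_admin","id":"u-44","mfa":false}
{"ts":"2026-04-06T14:22:09Z","user":"dr.patel","role":"clinician","action":"read","resource":"clinical_note","id":"n-1188","mfa":true}
"""

# Review window for the constructed data: calendar Q2 2026, half-open [start, end).
Q2_2026_START = datetime(2026, 4, 1, tzinfo=timezone.utc)
Q3_2026_START = datetime(2026, 7, 1, tzinfo=timezone.utc)


def parse_audit_log(text):
    """Parse JSON Lines audit events, skipping blank lines; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_rbac_violations(events, policy=ROLE_POLICY):
    """Events whose resource type is outside what the actor's role is permitted to touch."""
    return [ev for ev in events if ev["resource"] not in policy.get(ev["role"], set())]


def admins_without_mfa(events):
    """Admin accounts observed acting without MFA (checklist item: MFA on admin accounts)."""
    return sorted({ev["user"] for ev in events if ev["role"] == "admin" and not ev["mfa"]})


def quarterly_access_review(events, start, end):
    """Per-user count of actions per resource type inside the review window."""
    review = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if start <= ev["ts"] < end:
            review[ev["user"]][ev["resource"]] += 1
    return {user: dict(counts) for user, counts in review.items()}


def who_touched(events, record_id):
    """Distinct users who accessed one record: the 'who accessed what and when' question."""
    return sorted({ev["user"] for ev in events if ev["id"] == record_id})


def run_checks(text, start, end):
    """Run every check over an audit export and return a plain report dict."""
    events = parse_audit_log(text)
    return {
        "rbac_violations": [
            (ev["user"], ev["role"], ev["resource"], ev["ts"].isoformat())
            for ev in find_rbac_violations(events)
        ],
        "admins_without_mfa": admins_without_mfa(events),
        "access_review": quarterly_access_review(events, start, end),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_AUDIT_LOG, Q2_2026_START, Q3_2026_START), indent=2))
```

On the constructed log the script reports one role violation (frontdesk.kim reading note n-1021), one admin account without MFA, and a per-user tally for the quarter. If a vendor's export cannot be reduced to this shape (actor, role, action, record, timestamp, authentication strength), the "per-user audit logs" box on the checklist is not really ticked.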

6. Breach notification SLA

HIPAA requires notification of breaches affecting PHI within 60 days of discovery. The vendor's BAA should specify the SLA for notifying you. Industry-leading vendors commit to 24-72 hours for high-severity breaches affecting your data.

7. State-level requirements (often missed)

HIPAA is federal. State laws layer on top. California's CCPA + CMIA add patient-rights requirements. New York's SHIELD Act extends data breach notification. Texas has the Medical Records Privacy Act. For practices serving multiple states, vendors must comply with the strictest of the applicable state laws.

8. The free-LLM trap

ChatGPT (consumer), Claude (consumer), Gemini, Perplexity: none are HIPAA-compliant. Using them for patient-identified content (including in dictation tools or note-taking) creates HIPAA exposure. OpenAI's Enterprise tier and Anthropic's Enterprise contracts can be HIPAA-compliant but require explicit BAA and specific account setup.

If you're using a free LLM for any clinical task: stop immediately. Use a HIPAA-attested scribe instead.

Vendors we've verified for HIPAA + BAA + SOC 2

These vendors publicly document HIPAA compliance and provide BAAs on request:

The compliance checklist (one-page)

Before deploying any AI scribe in clinical use, verify in writing:

  1. Signed BAA in place

  2. SOC 2 Type II report from within the last 12 months

  3. AES-256 at rest + TLS 1.2+ in transit explicitly stated

  4. Audio retention policy ≤ 72 hours OR clear opt-out from training data

  5. Per-user audit logs available

  6. MFA on admin accounts

  7. Breach notification SLA within 72 hours

  8. Applicable state-law compliance documented

  9. Vendor compliance contact listed and responsive

Read our editorial methodology for the full source-weighting we use when evaluating compliance claims.