HIPAA guide for AI medical scribes (plain-English, 2026)
A plain-English guide to HIPAA compliance for AI scribes used by small clinics: BAA, encryption, retention, audit logging, breach obligations.
- Updated
- 2026-07-15
- Read time
- 4 min
- Words
- 705
- Editor
- Editorial board
Key takeaways
- A signed BAA is non-negotiable — no BAA, no PHI.
- Encryption in transit and at rest is table-stakes; ask about audit logging and retention next.
- SOC 2 Type II is a useful attestation, not a baseline requirement; HITRUST is a stronger signal for health-system-affiliated clinics.
- Third-party LLM providers must be covered by a BAA downstream, and their terms must forbid PHI training.
- 'HIPAA-compliant software' is a marketing phrase — compliance lives in the relationship, not the product.
Executive summary
- A signed BAA is non-negotiable — no BAA, no PHI.
- Encryption in transit and at rest is table-stakes; every scribe in our ranking meets it.
- Retention defaults vary widely. Ask, in writing, how long audio and transcripts are kept and whether that is configurable.
- SOC 2 Type II is a useful attestation, not a baseline requirement; HITRUST is a stronger signal for health-system-affiliated clinics.
What HIPAA requires from an AI scribe vendor
HIPAA applies to the clinic (a covered entity). The AI scribe vendor is a business associate. That relationship must be documented in a Business Associate Agreement (BAA) before any real PHI is sent to the vendor. Without a BAA, running one real patient encounter through the scribe is a HIPAA violation, even if the vendor is otherwise secure.
The BAA binds the vendor to HIPAA's Security Rule: administrative, physical, and technical safeguards. That's audit logging, workforce training, access controls, encryption in transit and at rest, and breach notification.
Questions to ask every vendor
Common myths
'HIPAA-compliant software' is not a thing. HIPAA compliance is a property of a relationship (covered entity plus business associate under a BAA), not a checkbox on a product page.
Encryption alone is not enough. Encryption in transit and at rest is required but not sufficient. Audit logging, retention controls, and breach procedures matter as much.
The model provider matters. If the scribe sends audio or transcripts to a third-party LLM, that provider must also be a covered business associate in the chain, and its data-use terms must not train on PHI.
Frequently asked questions
Is an AI scribe HIPAA-compliant?
HIPAA compliance is a property of a relationship, not a product. An AI scribe is HIPAA-usable when the vendor signs a Business Associate Agreement with the clinic and demonstrates the Security Rule safeguards: access controls, audit logging, encryption in transit and at rest, workforce training, and breach procedures.
What is a BAA and why does my clinic need one before using an AI scribe?
A Business Associate Agreement is the HIPAA contract that binds the vendor (the business associate) to protect PHI on behalf of the clinic (the covered entity). Without a BAA, sending real patient audio or a transcript to the vendor is a HIPAA violation — even if the vendor is otherwise secure.
How long do AI scribe vendors keep audio and transcripts?
Defaults vary widely: some scribes delete audio within minutes of note generation; others retain it for 30–90 days. Always confirm the default in writing and ask whether retention is configurable per practice.
Do AI scribes need SOC 2 and HITRUST?
No. A signed BAA and documented Security Rule safeguards are the practical baseline for any scribe touching PHI. SOC 2 Type II is a useful attestation of controls, and HITRUST is a stronger signal often required by health-system-affiliated clinics. Neither certification is a substitute for a BAA.
Are third-party LLMs (OpenAI, Anthropic, Google) covered by the BAA?
They must be. If the scribe routes audio or transcripts to a third-party model provider, that provider must be a downstream business associate with a BAA in the data chain, and its terms must forbid training on PHI.
Sources
- HHS — HIPAA for Professionals
- HHS — Security Rule Summary
- NIST SP 800-66 — Implementing the HIPAA Security Rule
- HITRUST — CSF framework overview
Full scoring rubric and independence disclosures are on the Methodology and Independence pages.
Related buyer guides
- Best AI scribe for small clinics (2026 ranking)
A vendor-neutral ranking of the top AI medical scribes for independent clinics with 1–50 clinicians. Scored on HIPAA, note quality, EHR fit, workflow, pricing, and support.
- AI scribe EHR integration guide (Epic, Athena, eClinicalWorks, and more)
How AI medical scribes actually integrate with the EHRs small clinics use — native write-back, SMART on FHIR, browser extensions, and copy-paste.
- AI scribe implementation checklist: a 14-day rollout for small clinics
A 14-day rollout plan for AI-scribe deployment in an independent practice: procurement, BAA, pilot, EHR integration, template tuning, and clinician training.