Dictum Team

Are AI medical scribes HIPAA compliant?


Not automatically. An AI medical scribe is only as HIPAA compliant as the vendor behind it. Some products meet the standard. Others cut corners on encryption, data retention, or Business Associate Agreements. Before you trust any vendor with patient audio and clinical notes, you need to verify their security practices yourself. There is no industry-wide certification that guarantees compliance — it comes down to vendor policies, technical safeguards, and your own due diligence.

Here's what to check and why it matters.

What HIPAA compliance actually requires

HIPAA doesn't specifically mention AI scribes. It sets rules for how protected health information (PHI) must be handled by covered entities (your practice) and their business associates (vendors who touch PHI).

The relevant requirements fall into three categories:

Administrative safeguards — policies governing who can access PHI, workforce training, and incident response procedures.

Physical safeguards — controls over physical access to systems that store PHI, including servers, devices, and workstations.

Technical safeguards — encryption, access controls, audit logs, and transmission security for electronic PHI (ePHI).

An AI medical scribe touches all three. It captures audio (often containing PHI), processes it through speech recognition and language models, generates clinical notes, and may store data temporarily or permanently. Every step in that pipeline must be secured.

What the vendor is responsible for

When you use an AI scribe, the vendor becomes a business associate under HIPAA. Their responsibilities include:

  • Encrypting data in transit and at rest — AES-256 for storage, TLS 1.2+ for transmission
  • Maintaining access controls — restricting who within the company can view patient data
  • Providing audit logs — documenting who accessed what, when
  • Defining data retention and deletion policies — specifying how long recordings and notes are kept, and when they're purged
  • Reporting breaches — notifying you within the timeframe specified in your BAA
  • Not using PHI for unauthorized purposes — including model training, unless explicitly covered

Some vendors meet all of these. Others are vague about data retention, silent on model training, or don't offer audit logs. The absence of information is itself a red flag.

What your practice is responsible for

HIPAA compliance isn't only on the vendor. Your practice carries obligations too:

  • Signing a BAA before using the product with patient data
  • Training staff on how the AI scribe handles PHI
  • Configuring the product correctly — enabling auto-delete, setting retention windows, managing access permissions
  • Reviewing AI-generated notes before they enter the medical record
  • Maintaining documentation of your risk assessment and vendor evaluation
  • Following state-specific recording consent laws that may go beyond HIPAA

Even a perfectly compliant vendor can't protect you if your internal processes are weak.

Business Associate Agreements: the non-negotiable

A BAA is a legal contract that defines how a vendor will protect PHI. Under HIPAA, you cannot share patient data with a third party without one. Period.

Before signing, check that the BAA covers:

  • What PHI the vendor will access and process
  • How they will secure it
  • What happens in the event of a breach
  • Data retention and deletion obligations
  • Whether sub-processors (the vendor's own third-party services) are also covered
  • Restrictions on using PHI for model training or product improvement

If a vendor won't sign a BAA, stop the evaluation there. If the BAA is vague about data use or model training, get clarification in writing before proceeding.

Data retention and model training

These two issues deserve special attention because they're where vendors diverge most.

Data retention. Some vendors store recordings and transcripts indefinitely. Others auto-delete after a configurable period. From a risk standpoint, shorter retention windows reduce exposure — data that doesn't exist can't be breached.

Ask specifically:

  • How long are audio recordings stored?
  • How long are transcripts and generated notes stored?
  • Can you configure auto-deletion?
  • Is data fully purged, or just soft-deleted?
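The retention questions above, modelled as an added example that is not Dictum's code: a small Python enforcer that hard-purges recordings, transcripts and notes once they pass a per-kind retention window, writes an audit entry for each purge, and flags records that were only soft-deleted (flag set, bytes still stored). The artifact kinds, retention windows and sample records are constructed assumptions, not anything from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Artifact:
    artifact_id: str
    kind: str                    # "audio", "transcript" or "note"
    created: datetime
    payload: Optional[bytes]     # None once hard-purged
    deleted_flag: bool = False   # soft-delete marker only

# Hypothetical per-kind retention windows; shorter windows mean less exposure.
DEFAULT_WINDOWS = {"audio": timedelta(hours=24),
                   "transcript": timedelta(days=7),
                   "note": timedelta(days=30)}

def status(a):
    """retained, soft-deleted (flag set, bytes still stored) or purged."""
    if a.payload is None:
        return "purged"
    return "soft-deleted" if a.deleted_flag else "retained"

def residual_soft_deletes(artifacts):
    """IDs marked deleted whose payload still exists: the 'soft-delete only' case."""
    return [a.artifact_id for a in artifacts if status(a) == "soft-deleted"]

def enforce_retention(artifacts, now, windows=DEFAULT_WINDOWS):
    """Hard-purge artifacts older than their window; return audit entries."""
    audit = []
    for a in artifacts:
        window = windows.get(a.kind)
        if window is None or now - a.created < window:
            continue
        a.payload = None          # drop the bytes, not just flip a flag
        a.deleted_flag = True
        audit.append({"ts": now.isoformat(), "action": "purge",
                      "artifact": a.artifact_id, "kind": a.kind})
    return audit

def sample_run():
    """Constructed data only (no real PHI)."""
    now = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
    arts = [Artifact("aud-1", "audio", now - timedelta(days=2), b"pcm"),
            Artifact("tx-1", "transcript", now - timedelta(days=3), b"txt"),
            Artifact("note-1", "note", now - timedelta(days=3), b"soap"),
            Artifact("tx-old", "transcript", now - timedelta(days=30), b"txt", True)]
    before = residual_soft_deletes(arts)
    audit = enforce_retention(arts, now)
    return before, {a.artifact_id: status(a) for a in arts}, audit
```

Running `sample_run()` shows the two-day-old audio and the month-old transcript purged with audit entries, while the recent transcript and note stay within their windows.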

Model training. This is the question clinicians increasingly care about: does the vendor use your patient encounters to improve their AI? Some do. Some claim they don't but reserve the right in their terms of service.

Read more about this in our guide on whether AI medical scribes train on patient data.

Vendor evaluation checklist

Use this checklist when evaluating any AI medical scribe for HIPAA readiness. A "no" or "unclear" answer on any item warrants further investigation.

| # | Question | What to look for |
|---|----------|------------------|
| 1 | Does the vendor sign a BAA? | Should be standard, not an add-on or enterprise-only feature |
| 2 | Is data encrypted at rest and in transit? | AES-256 at rest, TLS 1.2+ in transit |
| 3 | Does the vendor hold SOC 2 Type II certification? | Independent audit of security controls |
| 4 | What is the data retention policy? | Configurable auto-delete is preferred |
| 5 | Does the vendor use patient data for model training? | Get this in writing, not just a FAQ answer |
| 6 | Where is data processed — cloud, on-device, or hybrid? | On-device processing reduces third-party exposure |
| 7 | Who within the vendor organization can access PHI? | Strict role-based access controls |
| 8 | Are audit logs available to your practice? | You should be able to see access history |
| 9 | What sub-processors does the vendor use? | Cloud providers, ASR services, LLM APIs — all must be covered |
| 10 | What is the breach notification timeline? | Should be specified in the BAA |
| 11 | Can data be exported or deleted on request? | You maintain control over your PHI |
| 12 | Does the product support on-device/offline processing? | Minimizes data leaving the device |

For a downloadable version of this checklist plus additional practice-side questions, see our HIPAA checklist for AI medical scribes.

How Dictum approaches security

Dictum was built with HIPAA-focused workflows from the start, not bolted on after launch. Here's how it addresses the checklist above:

  • BAA available — Dictum signs Business Associate Agreements with all clinical users
  • End-to-end encryption — AES-256 at rest, TLS 1.2+ in transit
  • Configurable auto-delete — set retention windows and data is purged automatically
  • No model training on patient data — your encounters are not used to train or fine-tune Dictum's models
  • On-device processing available — offline mode processes audio locally, so PHI never leaves the device
  • Minimal data exposure — audio is processed and discarded; only the structured note remains for your review

Learn more about Dictum's full security posture on our HIPAA compliance page and security overview.

Clinicians should review AI-generated documentation before adding it to the medical record and should use Dictum in accordance with their organization's policies and applicable laws.

Privacy risks beyond HIPAA

HIPAA sets a floor, not a ceiling. There are privacy risks in AI clinical documentation that go beyond what HIPAA covers — including how vendors handle de-identification, human review processes, and cross-border data storage. Understanding these risks helps you make a more informed decision.

The bottom line

An AI medical scribe can be used in a HIPAA-compliant way, but compliance depends entirely on the vendor's practices and your own safeguards. Don't take marketing claims at face value. Ask the hard questions, read the BAA carefully, and verify that the vendor's technical controls match their promises.

If you're evaluating AI scribes for your practice, start with our HIPAA-compliant AI medical scribe comparison or explore how Dictum's EHR export fits into a secure documentation workflow.