HIPAA-Compliant AI Medical Scribes: What Clinicians Should Look For

AI documentation tools handle sensitive patient information every time they process an encounter. Before adopting any AI medical scribe, clinicians and practice administrators should evaluate the vendor's security posture, data handling policies, and compliance safeguards — not just the quality of the generated notes.


Clinicians should review AI-generated documentation before adding it to the medical record and should use Dictum in accordance with their organization's policies and applicable laws.

What HIPAA compliance means for AI medical scribing

HIPAA compliance is not a single checkbox or a certification badge a vendor can display. It is a set of administrative, physical, and technical safeguards that both the healthcare organization and the vendor must implement and maintain when protected health information (PHI) is involved.

For AI medical scribes, compliance involves several overlapping areas: whether the vendor has signed a Business Associate Agreement (BAA), how clinical audio and text are processed and stored, who can access transcripts and generated notes, whether data is used for model training, how long encounter data is retained, and what happens to PHI when a clinician cancels their account.

No AI documentation tool is inherently “HIPAA compliant.” Compliance depends on how the tool is configured, how the practice uses it, and what safeguards are in place at both the vendor and the organization level. When a vendor claims HIPAA compliance, the practical question is always: what specific policies, controls, and contractual obligations back up that claim?

Questions to ask any AI scribe vendor

HIPAA security checklist

  • BAA available
  • Zero audio retention
  • No model training on patient data
  • End-to-end encryption
  • Clinician review before EHR
  • SOC 2 certified
  • Access audit logs
  • Data deletion on cancel

Before signing a BAA or starting a trial, clinicians and practice administrators should get clear answers to the following questions. Vague responses or redirections to marketing language are a signal to dig deeper.

Vendor evaluation checklist

  • Is a Business Associate Agreement (BAA) available?
  • Is clinical audio or text used to train AI models?
  • How long is encounter data retained after processing?
  • Who can access transcripts and generated notes?
  • Is data encrypted in transit and at rest?
  • Can clinicians review notes before they reach the EHR?
  • Where are servers located?
  • What happens to data if I cancel my account?
  • Is there an audit log of data access?
  • What third-party processors handle PHI?

Any vendor that processes clinical encounters should be able to answer these questions clearly and in writing. If the information is not available in their security documentation, request it directly before committing to a contract.

Data retention and model training

Data retention and model training are two separate concerns that practices often conflate. Retention refers to how long the vendor keeps clinical data after it has been processed. Model training refers to whether that data is used to improve the vendor’s AI systems.

Some AI scribe vendors use de-identified or anonymized clinical data to train and improve their models. Others commit to never using patient data for training purposes. Both approaches can be legitimate, but practices should understand which model their vendor follows and what safeguards are in place.

For audio specifically, the key question is what happens to recordings after transcription is complete. Some vendors retain audio for quality assurance or model improvement. Others process audio in real time and delete it immediately after generating the transcript. Practices with strict data minimization policies should prioritize vendors that offer zero audio retention.

Clinicians should also understand whether generated notes — the SOAP notes, summaries, and letters the AI produces — are stored on the vendor’s servers, and if so, for how long and under what access controls.

BAAs and vendor responsibilities

A Business Associate Agreement establishes the vendor’s legal obligations when handling PHI on behalf of a covered entity. Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI must enter into a BAA with the healthcare organization.

A BAA does not guarantee security. It establishes accountability — if the vendor fails to protect PHI as required, they are legally liable under HIPAA. The BAA should specify how the vendor will safeguard data, what they will do in the event of a breach, how they will support the practice’s compliance obligations, and what happens to data when the relationship ends.

Practices should request and review the BAA before sharing any patient data with an AI scribe vendor. If a vendor does not offer a BAA or claims one is not necessary, that is a significant red flag regardless of other security claims they make.

Clinician review and EHR workflow

HIPAA compliance extends beyond how data is stored and transmitted — it also involves how clinical documentation reaches the medical record. AI-generated notes should be reviewed by the clinician before they are added to the patient’s chart, both for clinical accuracy and for compliance with documentation standards.

Clinicians should review AI-generated documentation before adding it to the medical record and should use any AI scribe tool in accordance with their organization’s policies and applicable laws.

The workflow matters here. Tools that automatically push notes into an EHR without a review step create risk — the clinician may not catch errors, omissions, or hallucinated content before it becomes part of the legal medical record. A responsible workflow includes a clear review step where the clinician verifies the note, makes corrections, and explicitly approves it before export.
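The review step described above can be enforced in software rather than left to habit. The following Python sketch is an added illustration, not Dictum's code or any vendor's: it models notes as drafts that only the owning clinician can approve, binds the approval to a hash of the exact text that was signed off, and refuses EHR export for anything still in draft or changed after approval, writing an audit entry for every action. The class and function names (ReviewGate, Note, export_to_ehr) are hypothetical, and the note text is a constructed sample.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, List, Optional


class NoteState(Enum):
    DRAFT = "draft"          # produced by the model, not yet reviewed
    APPROVED = "approved"    # clinician reviewed, corrected and signed off
    EXPORTED = "exported"    # written to the EHR; further edits belong there


@dataclass
class Note:
    note_id: str
    clinician: str                              # clinician who owns the encounter
    text: str
    state: NoteState = NoteState.DRAFT
    approved_by: Optional[str] = None
    approved_text_hash: Optional[str] = None    # binds the approval to exact text


@dataclass
class AuditEntry:
    at: str
    actor: str
    action: str
    note_id: str
    detail: str = ""


class ExportRefused(Exception):
    """Raised when a note heads towards the EHR without a completed review."""


def text_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ReviewGate:
    """Sits between note generation and EHR export; every action is audited."""

    def __init__(self, export_to_ehr: Callable[[Note], None]) -> None:
        self._export_to_ehr = export_to_ehr   # integration callback (assumed interface)
        self.audit: List[AuditEntry] = []

    def _log(self, actor: str, action: str, note: Note, detail: str = "") -> None:
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor, action, note.note_id, detail))

    def edit(self, note: Note, actor: str, new_text: str) -> None:
        # Any edit invalidates an earlier approval: the signed-off text no longer exists.
        if actor != note.clinician:
            self._log(actor, "edit_denied", note)
            raise PermissionError("only the owning clinician may edit this note")
        if note.state is NoteState.EXPORTED:
            raise ValueError("note already exported; amend it in the EHR instead")
        note.text = new_text
        note.state = NoteState.DRAFT
        note.approved_by = None
        note.approved_text_hash = None
        self._log(actor, "edit", note)

    def approve(self, note: Note, actor: str) -> None:
        if actor != note.clinician:
            self._log(actor, "approve_denied", note)
            raise PermissionError("only the owning clinician may approve this note")
        note.state = NoteState.APPROVED
        note.approved_by = actor
        note.approved_text_hash = text_hash(note.text)
        self._log(actor, "approve", note, detail=note.approved_text_hash[:12])

    def export(self, note: Note, actor: str) -> None:
        if note.state is not NoteState.APPROVED:
            self._log(actor, "export_refused", note, detail=f"state={note.state.value}")
            raise ExportRefused("note has not been approved by the clinician")
        if text_hash(note.text) != note.approved_text_hash:
            # Text changed after sign-off (e.g. a direct write); require re-review.
            self._log(actor, "export_refused", note, detail="text differs from approved text")
            raise ExportRefused("note text changed after approval; re-review required")
        self._export_to_ehr(note)
        note.state = NoteState.EXPORTED
        self._log(actor, "export", note)


def demo() -> dict:
    """Constructed walk-through: a raw draft is refused, then edited, approved and exported."""
    ehr: List[str] = []
    gate = ReviewGate(lambda n: ehr.append(n.note_id))
    note = Note("note-001", "dr.example", "SOAP draft text (constructed sample)")
    refused = False
    try:
        gate.export(note, "ehr-sync")          # automatic push of an unreviewed draft
    except ExportRefused:
        refused = True
    gate.edit(note, "dr.example", "SOAP draft text, corrected by the clinician")
    gate.approve(note, "dr.example")
    gate.export(note, "ehr-sync")
    return {"draft_refused": refused, "exported": ehr,
            "actions": [e.action for e in gate.audit]}
```

The hash check is what makes the approval meaningful: a note that is altered between sign-off and export, whether by a bug or by a later edit that skipped the gate, is treated as unreviewed, and the refusal shows up in the same audit trail a practice would consult when asking who touched a note and when.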

For details on how Dictum handles the export step, see EHR export and integration.

Vendor comparison checklist

The following table compares publicly available information about security and compliance across several AI medical scribe vendors. Where specific policies could not be independently verified, the table notes “Check vendor” — practices should confirm these details directly.

Criteria | Dictum | Freed | Heidi | Suki | Abridge | DeepScribe | Nabla
--- | --- | --- | --- | --- | --- | --- | ---
BAA available | Yes | Yes | Check vendor | Yes | Yes | Yes | Check vendor
Audio retention | Zero retention after processing | Check vendor | Check vendor | Check vendor | Check vendor | Check vendor | Check vendor
Data used for training | No | Check vendor | Check vendor | Check vendor | Check vendor | Check vendor | Check vendor
End-to-end encryption | Yes | Check vendor | Check vendor | Check vendor | Check vendor | Check vendor | Check vendor
Clinician review before EHR | Yes | Yes | Yes | Yes | Yes | Yes | Yes
SOC 2 certification | Yes | Check vendor | Check vendor | Yes | Yes | Check vendor | Check vendor

This table reflects publicly available information as of May 2026. Verify directly with each vendor for current policies.

How Dictum approaches security

Dictum is built around HIPAA-focused workflows designed to minimize risk at every step of the documentation process. Rather than claiming blanket compliance, Dictum implements specific safeguards that clinicians and administrators can verify.

  • Zero audio retention. Clinical audio is processed in real time and is not stored on Dictum’s servers after transcription is complete.
  • No model training on patient data. Transcripts, generated notes, and clinical audio are never used to train or fine-tune AI models.
  • BAA available. Dictum provides a Business Associate Agreement for all practices that process PHI through the platform.
  • Clinician review required before EHR. Notes are generated as drafts that the clinician reviews and edits before exporting to their medical record system.
  • Encryption in transit and at rest. Data is encrypted in transit and at rest using industry-standard protocols.

For a detailed overview of Dictum’s security practices and compliance posture, visit the HIPAA compliance page. For details on how notes move from Dictum to your EHR, see EHR export and integration.

Methodology and disclaimer: This page is intended as an educational resource for clinicians evaluating AI documentation tools. Competitor information is based on publicly available documentation, vendor websites, and published security pages as of May 2026. Dictum does not claim to have independently audited any competitor’s security practices. Practices should conduct their own due diligence, request BAAs directly from vendors, and consult with their compliance officers before adopting any AI tool that handles protected health information.

Last updated: May 2026

Frequently asked questions

No. HIPAA compliance is not a product certification — it depends on how the vendor handles protected health information, whether a Business Associate Agreement is in place, and how the practice uses the tool. Some vendors have stronger security postures than others, and compliance is a shared responsibility between the vendor and the healthcare organization.

A Business Associate Agreement (BAA) is a legal contract between a healthcare provider and a vendor that handles protected health information. Under HIPAA, any vendor that processes, stores, or transmits PHI on behalf of a covered entity must sign a BAA. If you are using an AI scribe that processes patient encounters, you need a BAA with that vendor.

No. Dictum does not use clinical audio, transcripts, or generated notes to train or fine-tune AI models. Patient data is processed to generate documentation for the clinician and is not repurposed for any other use.

Recording requirements vary by jurisdiction and clinical setting. Many states require two-party consent for audio recording, and healthcare organizations typically have their own policies about recording patient encounters. Clinicians are responsible for obtaining appropriate consent before recording with any AI scribe tool, regardless of what the vendor requires.

This varies by vendor. Some retain data for a defined period after account closure, while others delete it promptly. Before signing up with any AI scribe, ask the vendor what their data retention and deletion policies are upon cancellation. With Dictum, audio is not retained after processing, and clinicians can export or delete their notes at any time.

Not necessarily. Security depends on the implementation, not just the architecture. Cloud-based systems can be highly secure with documented encryption practices, strict access controls, and zero-retention policies. On-device processing avoids transmitting data but introduces risks around device security and local storage. Both models can meet HIPAA requirements when properly implemented.

Security-first AI documentation

Dictum processes clinical encounters with zero audio retention and clinician-controlled export. Try it free.
