How Dictum Supports Secure, HIPAA-Focused AI Medical Documentation

Last updated May 22, 2026

Security at a glance

  • Clinical documentation workflows designed with privacy in mind
  • Clinician review before documentation enters the EHR
  • Secure handling of encounter data with zero-retention audio processing
  • Clear policies for data retention and model training
  • Support contact for privacy and compliance questions

Our Commitment

Dictum is committed to protecting the privacy and security of Protected Health Information (PHI) in support of HIPAA-compliant clinical documentation workflows. We maintain SOC 2 Type I & Type II certification and implement safeguards designed to protect the confidentiality, integrity, and availability of health information processed through our platform.

Administrative Safeguards

  • Designated privacy and security officers responsible for HIPAA compliance
  • Regular workforce training on privacy and security policies
  • Documented policies and procedures for handling PHI
  • Regular risk assessments and audits to identify and mitigate vulnerabilities
  • Workforce clearance procedures and access management controls
  • Sanctions policy for non-compliance with privacy and security policies

Physical Safeguards

  • All infrastructure hosted in SOC 2 certified, HIPAA-compliant data centers
  • Strict facility access controls and visitor logs
  • Workstation security policies for all team members
  • Proper disposal procedures for hardware and media containing PHI

Technical Safeguards

  • Encryption for data at rest and TLS 1.3 for data in transit
  • Unique user identification and multi-factor authentication
  • Automatic session timeout and emergency access procedures
  • Comprehensive audit controls logging all access to PHI
  • Integrity controls to ensure PHI is not improperly altered or destroyed

Data Processing

Dictum processes audio data in real time and does not retain patient audio recordings on our servers. Our architecture is designed with privacy by default:

  • Audio is processed in real time and purged immediately after transcription
  • No patient audio is stored on Dictum servers
  • Transcriptions are encrypted and stored only in the user's account
  • Data minimization principles are applied — we only process information necessary for the service

Business Associate Agreements

Dictum executes Business Associate Agreements (BAAs) with all covered entities that use our platform. We also maintain BAAs with all subcontractors who may have access to PHI. Our BAA outlines:

  • Permitted uses and disclosures of PHI
  • Safeguards required to prevent unauthorized use or disclosure
  • Breach notification requirements and timelines
  • Obligations upon termination of the agreement

Incident Response

We maintain a comprehensive incident response plan that includes:

  • Immediate identification and containment of security incidents
  • Risk assessment and determination of breach notification requirements
  • Notification to affected individuals and HHS within required timeframes (60 days for breaches affecting 500+ individuals)
  • Thorough documentation and post-incident analysis
  • Remediation measures to prevent recurrence

Data and AI Model Training

Dictum does not use patient encounter data, transcripts, or generated clinical notes to train AI models. Audio is processed in real time for transcription and note generation only, and is purged immediately after processing. Generated documentation is stored encrypted in the clinician's account and is not used for any purpose beyond providing the service to that clinician.

Patient Consent for AI-Assisted Documentation

Clinicians and practices should follow applicable laws, policies, and institutional requirements when using AI-assisted documentation tools. Dictum helps clinicians document more efficiently, but each practice is responsible for using the product in accordance with its own consent and compliance obligations.

Contact

For questions about our HIPAA compliance program, to request a BAA, or to report a security concern, please contact our Privacy Officer:

Tapnetic LLC — Privacy Office
Email: mail@tapnetic.ai