Dictum Team

HIPAA checklist for evaluating AI medical scribes

Tags: checklist, hipaa, security

This checklist covers what to verify before bringing an AI medical scribe into your practice. It's organized into five categories: vendor security, data handling, internal practice safeguards, consent and documentation, and ongoing security review. Use it during vendor evaluation, annual reviews, or when onboarding a new AI documentation tool.

Copy the checklist below, adapt it to your organization's requirements, and track your evaluation.

Complete HIPAA evaluation checklist

Vendor security and compliance

  • BAA signed before any patient data is processed — Non-negotiable, and that includes pilots and free trials. No BAA, no deal.
  • BAA explicitly covers AI processing of PHI — Generic BAAs may not address audio recording, transcription, or AI-generated notes. Verify scope.
  • SOC 2 Type II report is current — SOC 2 is an audit report, not a certification. A Type II report covers an audit period, so check both the report date and the period covered, and read the noted exceptions, not just the auditor's opinion.
  • Encryption at rest uses AES-256 or equivalent — This covers stored audio, transcripts, and notes. Ask how the encryption keys are managed and who can access them.
  • Encryption in transit uses TLS 1.2 or higher — Audio and data sent to the vendor's servers must be encrypted during transmission, and older protocol versions should be disabled on the vendor's endpoints, not merely deprioritized.
  • Vendor provides a list of sub-processors — Cloud providers, ASR services, LLM APIs. Each one handles your data.
  • Sub-processors are bound by BAAs or equivalent agreements — HIPAA requires a business associate to bind its own subcontractors that handle PHI to the same obligations, so the chain of agreements should reach every sub-processor rather than stopping at the vendor.
  • Breach notification timeline is specified in the BAA — HIPAA sets an outer limit of 60 days after discovery for a business associate to notify you; most practices negotiate a much shorter window. You need to know when and how the vendor will notify you of an incident.
  • Vendor maintains role-based access controls — Not every vendor employee should be able to reach patient data. Ask how access is restricted and whether support staff can read transcripts or play audio.
  • Audit logs are maintained and available to your practice — You should be able to see who accessed which record and when, in a form you can export and review yourself rather than only on request.

Data handling and model training

  • Data retention policy is clearly documented — You should know exactly how long audio, transcripts, and notes are kept.
  • Auto-deletion is configurable — You set the retention window, and data is purged when it expires.
  • Deletion covers all copies, backups, and replicas — A deletion that leaves backup copies isn't really a deletion. Ask how long backups persist after the primary copy is purged.
  • Vendor explicitly states its model training policy — Do they train on patient data? Is it opt-in or opt-out? Get this in writing.
  • If training occurs, de-identification methodology is documented — Safe Harbor or Expert Determination. "We de-identify" without methodology isn't sufficient.
  • On-device or offline processing is available — Reduces data exposure by keeping audio on the clinician's device. Confirm what, if anything, still leaves the device in that mode, such as transcripts sent for note generation.
  • Data storage locations are disclosed — Know where servers are physically located. Cross-border storage may trigger additional requirements.

Internal practice safeguards

  • Staff training completed before go-live — Everyone who uses or manages the AI scribe should understand data handling procedures.
  • Risk assessment documented — The HIPAA Security Rule requires a documented risk analysis. Adding an AI tool to your workflow introduces new data flows and should trigger an update.
  • Access permissions configured per role — Only clinicians who need the tool should have access. Admin, clinical, and support roles should have different permission levels.
  • Review workflow established — AI-generated notes must be reviewed by the clinician before entering the medical record. Define when and how review happens.
  • Incident response plan updated — Your breach response plan should account for AI scribe-related incidents.

Consent and documentation

  • State recording consent laws reviewed — One-party vs. two-party consent. Ambient recording may trigger different requirements than post-visit dictation.
  • Patient disclosure or consent process implemented — Intake form language, signage, or verbal disclosure — whatever your jurisdiction and organization require.
  • Consent refusal workflow defined — Patients who decline should receive the same quality of care. Have a plan for manual documentation.
  • Consent documentation retained — Whether written or verbal, keep a record that consent was addressed.

Ongoing security review

  • Annual vendor re-evaluation scheduled — Security practices, certifications, and terms of service change. Review at least yearly.
  • Vendor update notifications monitored — Subscribe to the vendor's security bulletins, changelog, and terms updates.
  • Staff re-training on schedule — Annual HIPAA training should include AI documentation tool procedures.
  • Audit log review performed periodically — Don't just have audit logs; actually review them. Decide in advance what you are looking for: after-hours access, one user touching an unusual number of records, exports, and access by roles that have no clinical need.
  • Risk assessment updated when vendor or workflow changes — New features, new integrations, or vendor policy changes should trigger a reassessment.
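The two audit-log items above (logs available to your practice, and periodic review of them) are easier to act on with a concrete review script. The following is an added example, not Dictum's code and not any vendor's export format: it assumes a JSON-lines export with ts, user, role, action and patient_id fields, a constructed sample log, and an assumed permission model that mirrors the admin, clinical and support split described in the practice safeguards section. Adapt the field names and thresholds to what your vendor actually provides.

```python
"""Review an AI-scribe audit-log export for access patterns worth a second look.

Added example, not vendor code. The log format, role model and thresholds
below are assumptions; adapt them to your vendor's export and your policy.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real patient data): one JSON object per line.
# Timestamps carry the practice's local UTC offset so business hours are local.
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:05:00-05:00", "user": "dr.lee", "role": "clinical", "action": "view_note", "patient_id": "P001"}
{"ts": "2024-05-06T09:20:00-05:00", "user": "dr.lee", "role": "clinical", "action": "view_note", "patient_id": "P002"}
{"ts": "2024-05-06T23:12:00-05:00", "user": "dr.lee", "role": "clinical", "action": "play_audio", "patient_id": "P003"}
{"ts": "2024-05-06T10:00:00-05:00", "user": "help.desk", "role": "support", "action": "view_transcript", "patient_id": "P001"}
{"ts": "2024-05-06T10:30:00-05:00", "user": "admin1", "role": "admin", "action": "export_notes", "patient_id": "P002"}
{"ts": "2024-05-06T11:00:00-05:00", "user": "ma.ruiz", "role": "clinical", "action": "view_note", "patient_id": "P010"}
{"ts": "2024-05-06T11:01:00-05:00", "user": "ma.ruiz", "role": "clinical", "action": "view_note", "patient_id": "P011"}
{"ts": "2024-05-06T11:02:00-05:00", "user": "ma.ruiz", "role": "clinical", "action": "view_note", "patient_id": "P012"}
{"ts": "2024-05-06T11:03:00-05:00", "user": "ma.ruiz", "role": "clinical", "action": "view_note", "patient_id": "P013"}
{"ts": "2024-05-06T11:04:00-05:00", "user": "ma.ruiz", "role": "clinical", "action": "view_note", "patient_id": "P014"}
{"ts": "2024-05-06T11:05:00-05:00", "user": "ma.ruiz", "role": "clinical", "action": "view_note", "patient_id": "P015"}
"""

# Assumed permission model: which actions each role is entitled to perform.
ROLE_ALLOWED = {
    "clinical": {"view_note", "view_transcript", "play_audio"},
    "admin": {"manage_users", "export_notes"},
    "support": {"manage_users"},
}
# Actions that expose PHI and therefore count toward after-hours and bulk checks.
PHI_ACTIONS = {"view_note", "view_transcript", "play_audio", "export_notes"}
BUSINESS_HOURS = (7, 19)   # local clock hours: start inclusive, end exclusive
BULK_THRESHOLD = 5         # distinct patients per user per day before flagging


def parse_log(text):
    """Parse a JSON-lines export into dicts, converting 'ts' to an aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def review(records):
    """Return findings as (rule, user, detail) tuples.

    Per-record rules (role_violation, after_hours, export) are emitted in log
    order; bulk_access findings are appended after all records are counted.
    """
    findings = []
    per_user_day = defaultdict(set)   # (user, date) -> distinct patient ids
    for r in records:
        # A role performing an action it is not entitled to is always a finding.
        if r["action"] not in ROLE_ALLOWED.get(r["role"], set()):
            findings.append(("role_violation", r["user"],
                             f"{r['role']} performed {r['action']} on {r['patient_id']}"))
        if r["action"] in PHI_ACTIONS:
            hour = r["ts"].hour
            if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
                findings.append(("after_hours", r["user"],
                                 f"{r['action']} on {r['patient_id']} at {r['ts'].isoformat()}"))
            per_user_day[(r["user"], r["ts"].date())].add(r["patient_id"])
        # Exports are reported even when permitted; they deserve a human look.
        if r["action"] == "export_notes":
            findings.append(("export", r["user"], f"exported {r['patient_id']}"))
    for (user, day), patients in per_user_day.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append(("bulk_access", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:15s} {user:10s} {detail}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents. On the constructed data it reports one after-hours audio playback, one support-role transcript view, one export, and one user who touched six patients in a day. The point of the script is not the specific rules but that each review has a written, repeatable definition of what counts as suspicious, so the periodic review is the same exercise each time and its results can be kept as evidence.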

Vendor questions to ask during evaluation

Beyond the checklist items above, these open-ended questions help reveal how a vendor thinks about privacy:

  1. "Walk me through what happens to a patient's audio from the moment I hit record to the moment it's deleted."
  2. "What would happen to my data if your company were acquired?"
  3. "Have you had a security incident in the past 24 months? If so, what was the outcome?"
  4. "Can I see a copy of your most recent SOC 2 report?"
  5. "What happens to data if I cancel my account?"
  6. "How do you handle subpoenas or law enforcement requests for patient data?"

The answers won't always be what you hope for — but a vendor who answers transparently is a better partner than one who deflects.

How to use this checklist

During vendor evaluation: Score each item as Met, Partially met, Not met, or Not applicable. Items in the first two sections (vendor security and data handling) are largely non-negotiable. Items in the practice and consent sections should be adapted to your organization.

During annual review: Re-evaluate the vendor sections. Check if certifications are still current, if terms of service have changed, and if new sub-processors have been added.

When onboarding a new tool: Use the full checklist as a project plan. Assign owners to each item and track completion.

How Dictum measures up

Dictum was designed around the requirements in this checklist:

  • BAA available for all clinical users, with scope covering AI-processed PHI
  • Encryption at rest and in transit — AES-256 at rest, TLS 1.2+ in transit
  • Configurable auto-delete — you set the retention window
  • No model training on patient data — encounters are processed and not retained for AI development
  • On-device processing — offline mode keeps audio on the device
  • SOC 2 compliance — independently audited security controls

For full details, visit Dictum's security overview and HIPAA compliance page.

Clinicians should review AI-generated documentation before adding it to the medical record and should use Dictum in accordance with their organization's policies and applicable laws.
