Security and privacy for AI medical scribing
Dictum supports HIPAA-compliant clinical documentation workflows for clinicians using AI-assisted scribing. This page explains how we approach data handling, security review, and responsible use so practices can evaluate Dictum against their own policies and legal obligations.
How Dictum handles clinical documentation workflows
Dictum captures encounter audio through ambient recording or post-visit dictation, processes it to produce a structured note draft, and keeps clinician review at the center of the workflow. The generated documentation is intended to be reviewed and edited by the clinician before it is copied, exported, or added to the medical record.
Learn more about the capture workflows on the ambient AI scribe and AI SOAP notes pages.
Data privacy considerations for AI medical scribes
Practices should understand what data is collected, how it is transmitted, where it is processed, how long it is retained, who can access it, and whether encounter data is used for model training. Dictum documents its privacy commitments in its Privacy Policy and supports HIPAA-regulated workflows for covered entities that complete the required vendor review.
Clinician review remains required
AI-generated documentation can contain omissions or inaccuracies. Clinicians should review every generated note, confirm the clinical content, and use Dictum in accordance with their organization's policies and applicable laws.
Questions practices should ask before using an AI scribe
- Will the vendor sign a Business Associate Agreement when required?
- What audio, transcript, and note data is retained after processing?
- Is patient encounter data used to train AI models?
- Which subprocessors may handle protected health information?
- How are access controls, audit logs, and incident response handled?
- How should clinicians notify patients or obtain consent?
HIPAA-focused workflows
Dictum is built for HIPAA-compliant clinical documentation workflows, including clinician-controlled note review and documented privacy and security practices. Covered entities should confirm their internal requirements and execute a BAA where required. See the HIPAA compliance page for more detail.
FAQ
Does Dictum replace clinician review?
No. Dictum generates documentation drafts for clinician review. Clinicians should verify, edit, and approve AI-generated notes before adding them to the medical record.
Can practices request a Business Associate Agreement?
Covered entities and business associates should execute a Business Associate Agreement where required. Contact Dictum to review BAA availability and the terms that apply to your organization.
What should practices verify before using an AI scribe?
Practices should review vendor policies for data handling, retention, security controls, model training, subprocessors, access controls, incident response, and compliance obligations.