Back to blog

AI Scribes and HIPAA, What Every Practice Should Verify

2026-07-05 · 3 min read
hipaa privacy compliance ai scribe

An AI scribe touches your most sensitive data. Vetting one is a governance exercise, and these are the controls a practice should confirm before signing.


An AI scribe is a business associate. It records the most sensitive conversation in your practice and turns it into structured data, which puts it squarely inside the scope of HIPAA and inside your risk. Anyone who has run security for a health system will tell you that vetting a vendor like this comes down to asking clear questions and verifying the answers. Trust, but verify. Here is the short list of controls worth confirming before you sign anything.

Start with the Business Associate Agreement

Any vendor that creates, receives, or stores protected health information on your behalf is a business associate, and HIPAA requires that relationship to be governed by a signed Business Associate Agreement. This is the foundation, not the fine print. A serious vendor offers one without hesitation and can explain, in plain language, how they meet the Security Rule. If a BAA is hard to get, you already have your answer.

Follow the data

Good security starts with a simple discipline. Follow the data. Ask where the audio goes the moment it is captured, where the transcript lives, which service providers touch it, and how long every copy is kept. A recording you have already deleted cannot leak. Retention is where practices get quietly exposed, because audio tends to pile up on a server long after anyone needs it. Scribe360 keeps the recording only long enough to be certain the note is right, so a failed transcription can be run again, then deletes it within a week. Transcription and note generation are handled by outside providers, which is normal for a system like this, and the question worth pressing on any vendor is whether every provider in that path is under a Business Associate Agreement and holds the data no longer than it must.

Enforce least privilege and log everything

HIPAA calls it minimum necessary. Security professionals call it least privilege. They mean the same thing. A person should see only the information their job requires, and nothing beyond it. Confirm that access is controlled by role, so a scheduler cannot open a clinical note, and confirm that every access to a record is written to an audit log that no one can quietly alter. When someone asks who viewed a patient record and when, the answer has to come from the log, not from memory. Scribe360 enforces role-based access and writes an immutable audit trail of PHI access, with patient-level disclosure tracking built in.

Keep PHI out of the plumbing

Here is a failure I have seen more than once. The clinical system is locked down, and then protected health information leaks out through the side channels, the application logs, the error reports, the analytics, the crash traces. Those systems are rarely held to the same standard as the database, and they should be. Ask the vendor how they keep PHI out of logs and telemetry by design. A control that depends on someone remembering to redact is not a control.

Security is a program, not a checkbox

No single feature makes a system safe. Real protection comes from defense in depth, from people and process and technology working together, and from a vendor who treats security as an ongoing program rather than a certificate on a wall. The questions above will not hand you certainty, because certainty is not on offer. They will tell you whether the vendor thinks about risk the way you have to. Get straight answers, write them into the contract, and revisit them on a schedule. That is how you let an AI listen to every visit and still sleep at night.

This is general guidance, not legal advice. For your practice's specific obligations, work with your privacy officer or counsel.