HIPAA Compliance
How Scribe360 meets healthcare data protection requirements
About HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect individuals' medical records and personal health information. Scribe360 is designed with HIPAA compliance as a foundational requirement — not an afterthought.
HIPAA Safeguards
Administrative
- Role-based access — physicians, practice admins, and clinical assistants have distinct permission sets
- Physician acknowledgment — physicians must acknowledge AI disclaimer before accessing clinical features
- Owner hierarchy — structured user management with clear accountability
- Workforce training — acknowledgment flow educates users on AI limitations
Physical
- Encrypted storage — VirtualBox encrypted VDI (full-disk encryption at rest)
- Access-controlled infrastructure — server access limited to authorized administrators
- No public cloud PHI storage — PHI at rest resides only on controlled, encrypted infrastructure; the transient processing of transcripts and audio by third parties is covered by the Business Associate Agreements listed below
Technical
- TLS encryption — all data encrypted in transit
- Session security — 30-minute timeout, HttpOnly/Secure/SameSite cookies
- Audit logging — immutable logs of all PHI access (3-year retention)
- PHI-safe logging — PhiLogTarget strips patient data from application logs
- Anti-enumeration — login and account-recovery responses use the same generic error message whether or not an account exists, so they cannot be used to discover valid accounts
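The PHI-safe logging item above describes a log target that strips patient data before it reaches application logs. The following is an added illustration of that technique in Python; it is not Scribe360's PhiLogTarget or any other code from the project. The field names (`patient_name`, `dob`, `mrn`, `transcript`), the redaction patterns and the sample log messages are all constructed for this example.

```python
import logging
import re

# Record attributes that carry PHI when passed as logger.info(..., extra={...}).
# Hypothetical field names chosen for this example.
PHI_FIELDS = {"patient_name", "dob", "mrn", "transcript"}

# Backstop patterns for PHI that leaks into free-text messages.
# Constructed for this example; a deployment would tune these to its own data.
PHI_PATTERNS = [
    (re.compile(r"\bMRN\s*[:#]?\s*\d{4,}\b", re.IGNORECASE), "MRN:[REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REDACTED]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE REDACTED]"),
]


def redact(text: str) -> str:
    """Apply every backstop pattern to a free-text string."""
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class PhiRedactingFilter(logging.Filter):
    """Scrubs PHI from a LogRecord before any handler formats or writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style arguments first so PHI passed as an argument is
        # covered too, then store the redacted text as a literal message.
        record.msg = redact(record.getMessage())
        record.args = ()
        # Structured PHI fields are blanked wholesale: they never reach a sink.
        for field in PHI_FIELDS:
            if hasattr(record, field):
                setattr(record, field, "[REDACTED]")
        return True  # keep the record, just sanitised


def sanitize(message: str, *args, **extra) -> logging.LogRecord:
    """Build a record as the logging module would and run it through the filter."""
    record = logging.LogRecord("scribe360.example", logging.INFO, __file__, 0,
                               message, args, None)
    for key, value in extra.items():
        setattr(record, key, value)
    PhiRedactingFilter().filter(record)
    return record


def emit_line(message: str, *args, **phi_extra) -> str:
    """Log one message through a filtered handler and return the line a sink receives."""
    import io
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(PhiRedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("scribe360.example")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.info(message, *args, extra=phi_extra)
    return stream.getvalue().rstrip("\n")


if __name__ == "__main__":
    # Constructed sample: the MRN and DOB in free text are caught, the
    # structured fields are blanked, but the name in free text survives.
    rec = sanitize("Transcribed encounter %s for %s, MRN 123456, DOB 1980-04-12",
                   "enc-42", "J. Smith", patient_name="J. Smith", mrn="123456")
    print(rec.getMessage())
    print(rec.patient_name, rec.mrn)
    print(emit_line("Login failed for MRN #9988", dob="1970-01-01"))
```

The design point is the split between the two mechanisms. Blanking named fields is reliable because the developer declares which attributes hold PHI; pattern matching on free text is only a backstop, and the sample shows its limit: the patient name written into the message string is not caught. PHI should therefore travel in structured fields the filter can blank, never be interpolated into message text, and tracebacks (which can carry local variables) need the same treatment before they are written.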
Patient Data Lifecycle
| Stage | Data | Protection | Retention |
|---|---|---|---|
| Recording | Audio stream | TLS in transit, encrypted at rest | Until physician approval |
| Transcription | Text transcript | BAA with ASR provider, encrypted processing | Stored with encounter |
| SOAP Generation | Transcript sent to LLM | BAA with LLM provider, encrypted in transit | Not retained by provider |
| Review & Approval | SOAP notes, codes | Role-based access, physician-only editing | Stored with encounter |
| Post-Approval | Audio deleted | Automated cleanup cron job | Audio removed permanently |
| Transfer | SOAP copied to EHR | Copy-to-clipboard, no network transfer | Encounter marked as transferred |
Business Associate Agreements
Scribe360 maintains Business Associate Agreements (BAAs) with all third-party providers that process PHI:
| Provider | Service | PHI Exposure | BAA Status |
|---|---|---|---|
| LLM Provider | SOAP note generation | Encounter transcript | Required |
| ASR Provider | Speech-to-text | Encounter audio | Required |
Patient Consent
Guardian consent is required before any encounter recording begins. Key consent safeguards:
- Consent must be captured in the application before the record button becomes available
- If consent is revoked mid-encounter, recording stops immediately
- Audio captured before revocation is deleted
- Consent status is recorded in the encounter audit trail
Questions About HIPAA Compliance?
We're happy to discuss our compliance measures in detail.
Contact us, or email support@scribe360.app