HIPAA Compliance
How Scribe360 meets healthcare data protection requirements
About HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect individuals' medical records and personal health information. Scribe360 is designed with HIPAA compliance as a foundational requirement — not an afterthought.
HIPAA Safeguards
Administrative
- Role-based access — physicians, practice admins, and clinical assistants have distinct permission sets
- Physician acknowledgment — physicians must acknowledge AI disclaimer before accessing clinical features
- Owner hierarchy — structured user management with clear accountability
- Workforce training — acknowledgment flow educates users on AI limitations
Physical
- Encrypted storage — VirtualBox encrypted VDI (full-disk encryption at rest)
- Access-controlled infrastructure — server access limited to authorized administrators
- No public cloud PHI storage — data resides on controlled, encrypted infrastructure
Technical
- TLS encryption — all data encrypted in transit
- Session security — 30-minute timeout, HttpOnly/Secure/SameSite cookies
- Audit logging — immutable logs of all PHI access (3-year retention)
- PHI-safe logging — PhiLogTarget strips patient data from application logs
- Anti-enumeration — generic error messages prevent account discovery
Patient Data Lifecycle
| Stage | Data | Protection | Retention |
|---|---|---|---|
| Recording | Audio captured locally in browser | No network dependency during recording. Encrypted at rest if saved to server. | Until physician approval |
| Transcription | Audio sent to ASR provider (dual-provider failover) | BAA with ASR providers. Primary: browser-direct. Fallback: server proxy with TLS, audio deleted after transcription. | Transcript stored with encounter. Audio not retained by ASR providers. |
| SOAP Generation | Transcript sent to LLM | BAA with LLM provider, encrypted in transit | Not retained by provider |
| Review & Approval | SOAP notes, codes | Role-based access, physician-only editing | Stored with encounter |
| Post-Approval | Audio deleted | Automated cleanup cron job | Audio removed permanently |
| Transfer | SOAP copied to EHR | Copy-to-clipboard, no network transfer | Encounter marked as transferred |
Business Associate Agreements
Scribe360 maintains Business Associate Agreements (BAAs) with all third-party providers that process PHI:
| Provider | Service | PHI Exposure | BAA Status |
|---|---|---|---|
| LLM Provider (primary) | SOAP note generation | Encounter transcript | Required |
| LLM Provider (fallback) | SOAP note generation (failover) | Encounter transcript | Required |
| ASR Provider (primary) | Speech-to-text transcription | Encounter audio | Required |
| ASR Provider (fallback) | Speech-to-text transcription (failover) | Encounter audio | Required |
Patient Consent
Guardian consent is required before any encounter recording begins. Key consent safeguards:
- Consent must be captured in the application before the record button becomes available
- Audio is automatically deleted after the physician approves the encounter
- Consent status is recorded in the encounter audit trail
- Post-encounter data deletion requests handled via support (HIPAA individual rights)
Questions About HIPAA Compliance?
We're happy to discuss our compliance measures in detail.
Contact UsOr email support@scribe360.app