AI Meets Regulated Data
When an AI medical scribe listens to a patient encounter, it processes some of the most sensitive data in existence: a patient describing their symptoms, a physician discussing diagnoses, medication names, family histories, mental health concerns, and substance use. All of this is protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
This is not a technicality. HIPAA violations carry penalties of up to $2.1 million per violation category per year, and the Office for Civil Rights (OCR) has increased enforcement actions by 34% since 2022. For healthcare organizations evaluating AI scribing tools, HIPAA compliance is not a feature to check off — it is a prerequisite that should eliminate any vendor that cannot meet it.
The Business Associate Agreement
Under HIPAA, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a "business associate" and must sign a Business Associate Agreement (BAA). An AI medical scribe vendor is unambiguously a business associate — it receives audio containing PHI, processes it, and returns clinical documentation.
A BAA is a legally binding contract that requires the business associate to implement specific safeguards, report breaches, and limit how PHI is used. If your AI scribe vendor has not signed a BAA with your organization, you are in violation of HIPAA, full stop. This is not an edge case — it is a bright-line rule.
What to ask: Does the vendor sign a BAA? Not "will they discuss one" — have they executed BAAs with healthcare organizations, and can they provide a template for your legal team to review?
Data in Transit and at Rest
HIPAA's Security Rule requires covered entities and business associates to implement technical safeguards to protect electronic PHI (ePHI). For AI scribes, this means two critical areas: data in transit (audio and text traveling between the point of care and the AI system) and data at rest (PHI stored on the vendor's infrastructure).
For data in transit, the standard is TLS 1.2 or higher. TLS 1.3 is preferred and is what WhisperFlow uses for all data transmission. Audio from the encounter should be encrypted before it leaves the provider's device and remain encrypted until it reaches the processing environment.
For data at rest, ePHI should be encrypted using AES-256 or equivalent. But encryption alone is not sufficient — access controls, audit logging, and data retention policies are equally important. Ask your vendor: Who has access to stored PHI? How long is it retained? Can it be deleted on request?
The AI Training Question
This is where many providers express the most concern, and rightfully so. When an AI system processes patient encounter audio, is that data used to train or improve the AI model? If so, patient PHI could effectively become embedded in the model's weights — a situation that is extremely difficult to reverse and may constitute a use of PHI not authorized by the patient.
WhisperFlow's position is unambiguous: we do not use customer PHI to train models. Encounter audio is processed, the note is generated, and the audio is deleted within 24 hours. The generated note is stored only in the provider's EHR, not on our infrastructure. This is not just a policy — it is an architectural decision enforced by our data pipeline.
Ask your vendor directly: Is patient data used for model training? If the answer is anything other than a clear "no," your compliance team should investigate further.
Minimum Necessary Standard
HIPAA's minimum necessary standard requires that access to PHI be limited to the minimum amount necessary to accomplish the intended purpose. For AI scribes, this means the system should only access and retain the data needed to generate the clinical note — nothing more.
Questions to consider: Does the AI scribe store the full encounter audio after the note is generated? Does it retain patient identifiers beyond what is needed for the documentation task? Does it aggregate data across patients or providers in a way that creates additional PHI exposure?
A well-designed AI scribe should be ephemeral by default: audio in, note out, data deleted.
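As an added illustration (not WhisperFlow's code or pipeline), the following Python sketches the "audio in, note out, data deleted" behaviour described above and in the training section: audio is removed the moment the note exists, a sweep enforces the 24-hour retention limit on anything left behind, and every access or deletion lands in an audit log. The store, event names, actors and timestamps are all assumptions constructed for the example.

```python
# Added example (not WhisperFlow's code): minimal "audio in, note out, data deleted" store.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(hours=24)  # retention limit stated in the text

@dataclass
class EphemeralStore:
    records: dict = field(default_factory=dict)    # encounter_id -> (received_at, audio bytes)
    audit_log: list = field(default_factory=list)  # one entry per PHI access or deletion

    def _audit(self, event: str, encounter_id: str, actor: str, now: datetime) -> None:
        self.audit_log.append({"ts": now.isoformat(), "event": event,
                               "encounter": encounter_id, "actor": actor})

    def ingest(self, encounter_id: str, audio: bytes, now: datetime) -> None:
        self.records[encounter_id] = (now, audio)  # real system: AES-256 ciphertext, not plaintext
        self._audit("audio_ingested", encounter_id, "scribe-pipeline", now)

    def generate_note(self, encounter_id: str, actor: str, now: datetime) -> str:
        _received_at, audio = self.records.pop(encounter_id)  # pop: audio is gone once the note exists
        self._audit("note_generated", encounter_id, actor, now)
        self._audit("audio_deleted", encounter_id, "scribe-pipeline", now)
        return f"Clinical note for {encounter_id} ({len(audio)} audio bytes processed)"

    def retention_violations(self, now: datetime) -> list:
        # Auditor's check: any audio still held past RETENTION is a policy violation.
        return sorted(eid for eid, (received_at, _) in self.records.items()
                      if now - received_at > RETENTION)

    def sweep(self, now: datetime) -> list:
        # Enforce the limit: delete expired audio, e.g. an encounter whose note was never generated.
        expired = self.retention_violations(now)
        for eid in expired:
            del self.records[eid]
            self._audit("audio_expired", eid, "retention-sweep", now)
        return expired

def run_scenario() -> dict:
    # Constructed walk-through: two encounters; one gets a note, the other is forgotten.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = EphemeralStore()
    store.ingest("enc-001", b"\x00" * 1024, t0)  # constructed placeholder audio
    store.ingest("enc-002", b"\x00" * 2048, t0)
    note = store.generate_note("enc-001", "dr-smith", t0 + timedelta(minutes=5))
    later = t0 + timedelta(hours=25)
    violations_before, expired = store.retention_violations(later), store.sweep(later)
    return {"note": note, "violations_before": violations_before, "expired": expired,
            "violations_after": store.retention_violations(later), "events": [e["event"] for e in store.audit_log]}
```

The `retention_violations` check is the kind of evidence an auditor can ask a vendor to produce: if it ever returns a non-empty list, the "deleted within 24 hours" claim is not being enforced.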
Breach Notification
Under the HITECH Act, business associates are required to notify covered entities of any breach of unsecured PHI within 60 days. Your BAA should specify the notification timeline, the process for investigation, and the vendor's obligations regarding breach remediation.
Ask: What is the vendor's incident response plan? Have they experienced any breaches? Do they carry cyber liability insurance? How quickly will they notify you if a breach occurs?
A Practical Checklist
Before deploying any AI medical scribe, ensure the vendor can confirm the following:
- A signed BAA is in place.
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- PHI is not used for model training.
- Access controls and audit logs are implemented.
- Data retention policies are defined and enforced.
- Breach notification procedures are documented.
- The vendor has completed a SOC 2 Type II audit or equivalent third-party security assessment.
If a vendor cannot check every box on this list, they are not ready for clinical deployment — regardless of how impressive their AI capabilities may be.
The Stakes Are Real
AI medical scribes have the potential to transform clinical documentation and give physicians back hours of their day. But that potential is meaningless if the tool exposes patients to privacy risks or exposes your organization to regulatory liability. Compliance is not a barrier to innovation — it is the foundation that makes innovation trustworthy.
At WhisperFlow, we built compliance into the architecture from day one because we believe healthcare AI must earn the trust of both providers and patients before it earns their business.