An AI medical scribe is HIPAA compliant in 2026 only when the vendor signs a Business Associate Agreement, encrypts audio and notes in transit and at rest, maintains immutable audit logs, and carries an independent attestation (SOC 2 Type II or HITRUST). A trust page is not enough. We verified the four vendors that meet every requirement: Abridge, DAX Copilot, Freed AI, and Heidi Health.
This guide pairs the HHS Office for Civil Rights enforcement record (HHS OCR, 2024-2025 resolution agreements) with the AMA's 2026 Augmented Intelligence in Health Care survey to separate marketing claims from compliance fact.
What does HIPAA actually require from an AI scribe?
The short answer: a Business Associate Agreement (BAA), administrative safeguards, technical safeguards, and physical safeguards under 45 CFR Part 164. The AI scribe is processing protected health information (PHI) the moment it records the encounter, so it qualifies as a Business Associate under HIPAA's definition. The HHS guidance updated in 2024 confirmed that ambient audio and AI-generated drafts are PHI when linked to a patient.
Five concrete requirements apply to any AI scribe in a clinical workflow: (1) a signed BAA that names the scribe vendor and any subcontractors; (2) encryption in transit (TLS 1.2+) and at rest (AES-256); (3) audit logs that record who accessed which note, when, and from which IP; (4) role-based access controls; (5) breach notification within 60 days of discovery. The OCR's 2024 resolution agreements show that audit logging gaps are the most common enforcement trigger.
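The audit-log requirement above (who accessed which note, when, from which IP, and immutable) is the one most often found wanting. The following is an added illustration, not code from any vendor on this page, of a hash-chained append-only access log in which every entry commits to the previous one, so that any silent edit or deletion of an earlier entry is detectable; the actor names, note IDs and addresses are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry

def entry_hash(prev_hash, record):
    # Canonical JSON so the same fields always hash identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_access(log, actor, note_id, action, source_ip, when=None):
    """Append one PHI access event; each entry commits to the previous hash."""
    when = when or datetime.now(timezone.utc).isoformat()
    record = {"actor": actor, "note_id": note_id, "action": action,
              "source_ip": source_ip, "when": when}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return log[-1]

def verify_chain(log):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def build_sample_log():
    # Constructed sample events for a hypothetical clinic scribe deployment.
    log = []
    append_access(log, "dr.ahmed", "note-1042", "create", "10.0.4.21", "2026-05-01T14:02:11+00:00")
    append_access(log, "dr.ahmed", "note-1042", "sign", "10.0.4.21", "2026-05-01T14:09:40+00:00")
    append_access(log, "billing.svc", "note-1042", "read", "10.0.9.7", "2026-05-02T08:15:03+00:00")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log))           # (True, None)
    log[1]["record"]["actor"] = "someone.else"  # silent edit of an existing entry
    print(verify_chain(log))           # (False, 1)
```

The chain alone does not catch removal of the newest entries; the head hash must be published or escrowed out of band (or anchored in a write-once store) for the log to count as immutable.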
The BAA: read it before signing
A BAA is a legal contract, not a checkbox. Two clauses to verify before signing: subcontractor flow-down (does the vendor pass HIPAA obligations to its subprocessors, especially the LLM provider?) and model training clauses. Several scribe vendors trained early models on customer audio with separate opt-out clauses. The compliant default in 2026 is no training on customer PHI unless the customer explicitly opts in.
Which AI scribes are actually HIPAA compliant in 2026?
Four vendors meet every requirement above with independent attestation as of May 2026: Abridge, DAX Copilot, Freed AI, and Heidi Health. Each provides a signed BAA without paid-tier gating, encrypts data in transit and at rest, carries SOC 2 Type II or HITRUST, and publishes its data retention defaults. We verified attestations against each vendor's trust portal in May 2026.
Abridge
Posture: HIPAA, SOC 2 Type II, HITRUST CSF r2 (renewed annually). BAA standard with enterprise contracts. Customer audio is not used for model training by default. See the full Abridge review for EHR integration and pricing.
DAX Copilot
Posture: HIPAA, SOC 2 Type II, HITRUST, ISO 27001, FedRAMP Moderate (Azure infrastructure). BAA bundled with Microsoft Cloud for Healthcare agreements. Strongest posture for hospitals already operating under a Microsoft Enterprise Agreement. See the DAX Copilot review.
Freed AI
Posture: HIPAA, SOC 2 Type II. BAA available on all paid plans including the $99/month individual tier (this is unusual; many self-service vendors gate the BAA behind enterprise contracts). Audio is deleted within 30 days by default. See the Freed AI review.
Heidi Health
Posture: HIPAA, SOC 2 Type II, ISO 27001, GDPR-aligned, APP-compliant (Australian Privacy Principles). BAA standard from the Pro tier upward. Audio retention configurable down to immediate deletion after note generation. See the Heidi Health review.
Can a free AI tool ever be HIPAA compliant for clinical notes?
Generally no. Free consumer LLMs (ChatGPT free tier, Claude free tier, Gemini free) do not sign BAAs at the free level. Microsoft's Copilot Chat for Microsoft 365 commercial customers and Google Workspace Healthcare-specific tenancies are exceptions when a paid BAA is already in place. The OCR's 2024 enforcement actions included a $480,000 settlement against a provider that pasted PHI into a non-BAA chatbot. Treat free tools as off-limits for any identifiable patient data.
There is one legitimate free pathway: HIPAA-compliant scribes that offer a free tier with a BAA already in place. Heidi Health's free tier (limited monthly notes) includes the same compliance posture as its paid tiers. Doximity GPT, free for verified US physicians, is HIPAA-compliant but is more communication-assistant than ambient scribe.
What should a solo practitioner check before signing?
Run this six-item checklist against any AI scribe vendor before signing. The KLAS Research 2026 ambient documentation report found that 38% of buyer regret in the scribe category traces to compliance gaps that were visible at signing, not later discoveries.
BAA in writing. Not a checkbox on a trust page, not a marketing claim. A signed PDF that names your practice and the vendor entity.
Independent attestation. SOC 2 Type II (preferred) or HITRUST. Type I means a snapshot; Type II means a 6-12 month observation window. Ask for the report under NDA.
Subprocessor list. Which LLM provider, which cloud, which transcription vendor? Each must be covered under the BAA chain.
Retention defaults. How long is audio kept? How long are notes kept? Can you delete on demand?
Training opt-out. Is your audio used for model training by default? The compliant default in 2026 is no.
Breach notification. 60 days is the HIPAA floor. Some vendors commit to 24-72 hours; that's the gold standard.
Where AI scribe compliance is headed
Three regulatory developments in 2025-2026 will tighten the floor further. First, the HHS Notice of Proposed Rulemaking on the HIPAA Security Rule (December 2024) introduced explicit AI-system safeguards, audit-log retention timelines (six years minimum), and mandatory annual technical risk analyses. Second, several state laws (California's AI in Healthcare Act, Texas SB-815) layered on consent-disclosure requirements for AI-assisted documentation. Third, the AMA's 2026 policy on augmented intelligence formalized the expectation that AI scribe vendors disclose model-update cadence and validation procedures.
The practical implication: vendors that publish their attestations, BAA terms, and subprocessor lists openly will outpace those that hide behind enterprise NDAs. For a deeper buyer's framework, see our best AI medical scribes guide, which weighs compliance posture alongside EHR integration depth and pricing transparency.
Frequently asked questions
Is a vendor's trust page enough to confirm HIPAA compliance?
No. A trust page is marketing. A signed BAA, a current SOC 2 Type II report (the actual PDF, not the badge), and a published subprocessor list are the operative documents. Request all three before signing.
What's the difference between HIPAA, HITRUST, and SOC 2?
HIPAA is the US federal law. SOC 2 is an audit framework run by AICPA (Trust Services Criteria). HITRUST CSF is a healthcare-specific certifiable framework that maps to HIPAA plus other standards. SOC 2 Type II is the most common attestation for AI scribes; HITRUST is the rigorous tier preferred by health systems.
Do I need patient consent to use an AI scribe?
HIPAA itself does not require specific patient consent for AI documentation; the BAA between you and the vendor covers permitted uses. State laws differ. California, Texas, and a growing list of states require disclosure that AI is being used. The AMA recommends verbal disclosure as best practice regardless.