What the New HIPAA Guidance on AI Scribes Actually Means for Your Practice

Macy Ober
Marketing, MyMediScribe
Ambient AI scribes are now in the room with patients at thousands of U.S. practices. The federal government has noticed — and the rules are getting sharper.
- Jan. 6, 2025: OCR proposed the biggest HIPAA Security Rule rewrite in 20 years — encryption, MFA and risk analyses become mandatory, not optional.
- OCR is auditing now. Phase 3 audits are live, with “shadow AI” tools (scribes, RCM bots) as the top exposure for practices.
- No signed BAA = no AI scribe. A vendor breach without one becomes your reportable breach.
- Ask six questions before you sign: BAA, encryption, retention, state consent, third-party attestation, breach-notification timeline.
- MyMediScribe meets all six — built for where HIPAA is heading, not where it sat in 2013.
Over the past year, HHS has clarified how HIPAA applies to AI tools that listen to clinical encounters and draft notes. For physicians and practice managers weighing a purchase, the cost of choosing the wrong vendor is rising fast.
The biggest HIPAA update in two decades
On Jan. 6, 2025, the HHS Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking that would overhaul the HIPAA Security Rule for the first time since 2013. The proposal would require:
🛡️ What the proposed rule would require:
- Mandatory encryption of all ePHI — at rest (AES-256) and in transit (TLS 1.2+). No longer a “best practice” — it’s a requirement.
- Multi-factor authentication (MFA) on every system that touches patient data. Single-password access will be a compliance violation.
- Annual technical risk analyses — mandatory, not optional. Practices must document risks and remediation plans every year.
- Written technology asset inventory — every device, application, and AI tool that processes PHI must be cataloged and tracked.
- Patch management and vulnerability remediation — systems must be kept current, with documented timelines for critical patches.
- Network segmentation — PHI systems must be logically separated from general IT infrastructure.
- Incident response and contingency planning — written plans, with a tested ability to restore from backup within 72 hours of a critical failure.
OCR has confirmed the rule is on track for finalization despite industry pushback. Attorneys are calling it the most significant rewrite of HIPAA's technical safeguards in 20 years.
Key takeaway: Your vendor's encryption, MFA and audit logging are about to be regulated, not optional.
Enforcement has shifted to AI
OCR isn't waiting for finalization. The third phase of HIPAA compliance audits is already underway, with risk analysis as the central focus (HIPAA Journal). Privacy attorneys flag “shadow AI” — ambient scribes and revenue-cycle tools ingesting PHI without a properly scoped Business Associate Agreement — as the top exposure for established practices (Docuhealth, 2026).
The rule is simple: if an AI tool processes PHI on your patients' behalf, the vendor is your business associate. Full stop. A signed BAA determines whether a vendor breach becomes your reportable breach.
Key takeaway: No BAA = no AI scribe. Walk away.
Six questions to ask before you buy
1. Get a signed BAA before any audio is recorded.
Not a click-through. A countersigned agreement defining permitted uses of PHI and breach notification timelines.
2. Confirm encryption at rest and in transit.
AES-256 at rest, TLS 1.2 or higher in transit. Ask where the keys live and who can access them.
3. Verify the data-retention policy in writing.
Some vendors retain audio indefinitely to train models; others delete in hours. Know which applies — and whether you can opt out of model training.
4. Confirm patient consent procedures for your state.
Federal HIPAA covers treatment, payment and operations. State recording laws are stricter. Eleven states require all-party consent. Your vendor should supply template language and a capture workflow.
5. Demand a third-party security attestation.
SOC 2 Type II is table stakes. HITRUST is stronger. There is no federal HIPAA certification — be skeptical of “HIPAA-compliant” badges.
6. Walk through the breach notification chain.
HIPAA gives 60 days from discovery to notify patients. A vendor that takes 45 days to tell you has consumed three-quarters of your clock.
Key takeaway: If a vendor deflects on any of these six, the answer is no.
How MyMediScribe handles each one
- BAA signed before first encounter. Every customer. No exceptions.
- Encryption everywhere. TLS 1.3 in transit, AES-256 at rest, keys in AWS KMS.
- MFA available on every account via Amazon Cognito.
- HIPAA-eligible AWS infrastructure under a signed AWS BAA (confirmed via AWS Artifact).
- Configurable audio retention. Recordings are not used to train third-party models without explicit written consent.
- State consent templates included in onboarding for all-party-consent states.
- Breach notification commitments written into the BAA — not assumed.
Key takeaway: MyMediScribe is built to where the regulations are heading, not where they sat in 2013.
The bottom line
The AI scribe market is crowded, and the marketing copy looks identical from booth to booth.
The 2025 Security Rule proposal, active OCR audits and the “shadow AI” enforcement wave all push the same direction: the gap between vendors who treat compliance as a feature and vendors who treat it as a checkbox is about to become a financial one.
Ask the six questions before you sign. The right vendor will welcome them. The wrong one will deflect.
That is the standard MyMediScribe was built to meet — and the standard every practice should hold its tools to before the next OCR audit letter arrives.

Macy Ober
Marketing, MyMediScribe
Macy leads marketing and communications at MyMediScribe, translating complex healthcare compliance topics into actionable guidance for physicians and practice leaders.
References
- HHS Office for Civil Rights. HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. NPRM, Federal Register, Jan. 6, 2025.
- HHS. HIPAA Security Rule NPRM.
- Alston & Bird. HIPAA Security Rule: Still on Track for Finalization. November 2025.
- HIPAA Journal. OCR Gives Update on Proposed HIPAA Security Rule. 2025.
- Docuhealth. HIPAA Exposure in AI-Integrated Workflows. 2026.
- ITECS. HIPAA Compliance and AI: Healthcare Risk Guide 2026.
