HIPAA-Compliant AI Note Taking: What to Verify Before Trusting an AI Scribe With Patient Conversations
A practical compliance checklist for independent and group practices evaluating AI scribes without a dedicated compliance officer.
Written by the Commure Scribe Team
Published: April 10, 2026 • 10 min read
What You Need to Know
- Not all HIPAA-compliant AI note-taking tools are equal in practice. HIPAA requires a Business Associate Agreement where applicable and reasonable technical, administrative, and physical safeguards. A vendor homepage that says "HIPAA compliant" does not satisfy those requirements on its own.
- Many AI scribe vendors do not answer the most important compliance questions on their pricing page. Verify the BAA, audio-retention policy, and encryption standard before choosing any tool.
- Before using any AI tool for patient documentation, confirm the vendor's data practices in writing, not just on a marketing page.
Most clinicians evaluating AI note-taking tools run into the same wall. The product looks good. The demo is fast. Then comes the question that stops everything: "Is this actually HIPAA compliant, or is that just marketing language?"
It is a good question, and the answer depends on what you verify. HIPAA-compliant AI note taking requires the vendor to meet specific contractual and technical requirements that it either satisfies or does not. This article explains what those requirements are, how to evaluate them, and what a compliant workflow looks like for independent and group practices without a compliance officer on staff.
Why does documentation still take this long, even for experienced clinicians?
The documentation problem is not a skill problem. A clinician who has been practicing for fifteen years knows how to write a note. The problem is structural: the note happens after the visit, on a keyboard, with the patient already gone and the next one waiting. A NEJM Catalyst analysis for The Permanente Medical Group found ambient AI scribes reduced documentation time by the equivalent of 1,794 eight-hour workdays in one year.¹ That study was conducted at a large integrated health system. The efficiency gains at a smaller practice will look different. But the structural cause is the same: documentation runs as a second job after the clinical one ends. The clinician finishing notes at 9pm is not working slowly. She is working after hours because the visit workflow does not leave room for the note to close before the next patient walks in. That is the specific problem AI-assisted note-taking is designed to address.
Why can't independent and group practices just use a general AI tool or a dictation app?
General-purpose AI tools like ChatGPT, as consumers use them, are not built for PHI. Their consumer terms do not include a Business Associate Agreement, do not define a retention policy for patient conversation data, and do not account for the data lifecycle HIPAA requires.² Pasting a patient conversation into a consumer AI tool to draft a clinical note creates a compliance exposure that no disclaimer resolves. Traditional dictation apps focus on voice-to-text and typically require the clinician to supply structure and codes explicitly. The output is a transcript; writing the note still falls to the clinician. AI scribing is a different category. The tool listens to the encounter and produces a structured clinical document, organized by section, with suggested diagnostic and procedure codes where applicable. In many AI scribe workflows the clinician does not need to narrate structure. The clinician reviews and approves the draft before anything enters the chart.
What does a genuinely HIPAA-compliant AI note-taking workflow look like in practice?
A compliant AI note-taking workflow has three phases, and compliance obligations run through all three: recording the visit, reviewing and editing the draft, and finalizing before the note enters any record. At the recording stage, the tool captures and transcribes the conversation. What happens to the audio after processing is the most important compliance question many vendors do not answer clearly on their pricing page. At the review and finalize stages, the clinician approves the draft before anything goes to the chart. The AI produces the note. The clinician decides whether it is accurate and complete. This review step should never be skipped. Recent work shows LLM scribes can reach high medical transcription and note quality while introducing different risks, including hallucinations and critical omissions, that make a final human check essential.⁴ The practical benefit is that the clinician can stay present during the visit rather than splitting attention between the patient and a keyboard. The note gets written. The clinician was in the room when it did.
What should you verify before choosing a HIPAA-compliant AI note-taking tool?
Start with the BAA. A Business Associate Agreement is a legal contract under HIPAA that makes the vendor responsible for how they handle your patients' PHI. If a vendor will not sign one, stop the evaluation there. The questions to ask any vendor before signing:
- Does audio get stored, and for how long? HIPAA requires covered entities to retain the documentation the Privacy and Security Rules call for (policies, procedures, risk analyses, and agreements such as the BAA) for six years from its creation or the date it was last in effect, whichever is later. Retention of the clinical record itself is set by state law, which is often longer. Audio recordings made during clinical encounters may fall under either obligation depending on how your practice classifies them. Ask the vendor for their written retention policy: how long audio is held, whether it is archived or actively accessible, who can access it, and under what circumstances. A vendor without a published retention policy is a compliance gap, not just a privacy concern.
- Where is data hosted? US-only data centers reduce regulatory complexity. Offshore storage introduces jurisdictional questions HIPAA does not automatically resolve.
- Does the vendor use patient data to improve their models? Ask for a written statement on how de-identification is handled and whether any patient conversation data feeds model training.
- What encryption standard applies in transit and at rest? Strong encryption in transit and at rest is a best-practice baseline for any vendor handling PHI, even though the Security Rule treats encryption as an addressable specification rather than prescribing specific protocols. Ask for specifics rather than accepting "bank-grade": which TLS versions the service accepts, what cipher protects stored audio and transcripts, and whether the vendor or the cloud provider holds the keys.
- Is there an audit log? HIPAA's audit-controls standard requires covered entities to be able to record and examine who accessed PHI and when. The tool should support that, not obstruct it. Ask whether the log captures the actor, the record touched, the action, and a timestamp; whether it includes vendor-side access (support staff, service accounts) and not just your own users; and whether you can export it for review.
- What certifications does the vendor hold? A SOC 2 Type II report means an independent auditor has tested that security controls operated effectively over a period of months, not just that they existed on one day. It is not a HIPAA requirement, but it signals a maturity of practice that a self-attestation does not. Ask for the report itself (vendors normally share it under NDA) rather than relying on the badge.
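One way to test the audit-log answer rather than take it on faith is to request a sample export and check it for the who, what and when a review would need. The script below is an added example for this checklist, not Commure's code and not any vendor's real export format: the field names (`timestamp`, `actor`, `action`, `resource`), the `practice_users` roster, and the JSON Lines records are constructed assumptions to be mapped onto whatever your vendor actually exports. It flags records that cannot answer the basic questions (no actor, no record reference, a timestamp with no timezone), tallies actions per actor, and separates out access by anyone who is not one of your own users, which is the "who can access archived audio" question from the retention item above.

```python
"""Sanity-check an exported AI-scribe audit log for the who / what / when
that a HIPAA audit-controls review needs.

Added example for this checklist. Not Commure's code and not any vendor's
real export format: the field names and the sample records are constructed
assumptions. Map them to the fields your vendor actually exports.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Every record must carry these to answer "who did what to which PHI, when".
REQUIRED_FIELDS = ("timestamp", "actor", "action", "resource")

# Constructed sample export (JSON Lines). Three records are deliberately
# defective: line 4 has no actor, line 5 no resource, line 6 a naive timestamp.
SAMPLE_EXPORT = """\
{"timestamp": "2026-04-10T14:02:11Z", "actor": "dr.lee@example-practice.test", "action": "note.view", "resource": "encounter/8a1f"}
{"timestamp": "2026-04-10T14:05:40Z", "actor": "dr.lee@example-practice.test", "action": "note.approve", "resource": "encounter/8a1f"}
{"timestamp": "2026-04-10T14:09:03Z", "actor": "support-agent-17", "action": "audio.download", "resource": "encounter/8a1f"}
{"timestamp": "2026-04-10T15:00:00Z", "action": "audio.download", "resource": "encounter/9c22"}
{"timestamp": "2026-04-10T15:30:00Z", "actor": "dr.patel@example-practice.test", "action": "note.view"}
{"timestamp": "2026-04-10 16:00:00", "actor": "dr.patel@example-practice.test", "action": "note.view", "resource": "encounter/9c22"}
"""


def parse_timestamp(value):
    """Return an aware datetime, or None if the value is missing, naive or unparseable.

    A timestamp without a timezone cannot be placed on a timeline reliably,
    so it is treated as a defect rather than silently assumed to be UTC.
    """
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def audit_log_report(export_text, practice_users=None):
    """Parse a JSON Lines audit export and report gaps and per-actor activity.

    practice_users: optional set of your own user identifiers. When given,
    any well-formed record whose actor is not in the set is listed under
    "vendor_side" so you can see support staff or service-account access.
    """
    defects = []                      # (line_no, reason) for records a review cannot use
    by_actor = defaultdict(Counter)   # actor -> Counter of actions
    vendor_side = []                  # (timestamp, actor, action, resource) by non-practice actors
    for line_no, raw in enumerate(export_text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            defects.append((line_no, "unparseable JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            defects.append((line_no, "missing " + ", ".join(missing)))
            continue
        if parse_timestamp(rec["timestamp"]) is None:
            defects.append((line_no, "timestamp is not ISO 8601 with a timezone"))
            continue
        by_actor[rec["actor"]][rec["action"]] += 1
        if practice_users is not None and rec["actor"] not in practice_users:
            vendor_side.append((rec["timestamp"], rec["actor"], rec["action"], rec["resource"]))
    return {
        "defects": defects,
        "by_actor": {actor: dict(counts) for actor, counts in by_actor.items()},
        "vendor_side": vendor_side,
    }


if __name__ == "__main__":
    roster = {"dr.lee@example-practice.test", "dr.patel@example-practice.test"}
    report = audit_log_report(SAMPLE_EXPORT, practice_users=roster)
    for line_no, reason in report["defects"]:
        print(f"line {line_no}: {reason}")
    for actor, actions in report["by_actor"].items():
        print(f"{actor}: {actions}")
    for entry in report["vendor_side"]:
        print("vendor-side access:", entry)
```

If the vendor's export comes back with any of the three defect classes on real data, that is the answer to the audit-log question regardless of what the sales deck says; if vendor-side access never appears at all, ask whether support access is logged in a system you are not being shown.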
Patient consent is a separate requirement. HIPAA governs data handling by covered entities and their business associates. State law and professional ethics boards govern recording consent. In all-party-consent states (often called two-party-consent states), you need explicit patient agreement before recording a clinical encounter. Verbal disclosure at the start of the visit is common practice. Two lawsuits filed in 2025, one against a dental group and one against a health system, allege that patients were not adequately informed of AI recording and that erroneous AI-generated entries appeared in medical records.³ The cases have not been adjudicated, but they show that consent is being treated as a clinical and legal requirement, not a courtesy.
How does Commure Scribe handle HIPAA-compliant AI note taking for independent and group practices?
Commure Scribe is HIPAA compliant, has completed a SOC 2 audit, and stores all data onshore. A BAA is available on all paid plans. All patient data, including audio recordings, is encrypted in transit and at rest using industry-standard protocols.
Workflow
The workflow follows the standard AI scribe model: record, review, finalize. The clinician records the visit, in-person or telehealth, for up to two hours per session. When the session ends, a structured SOAP note appears within seconds, with ICD-10 and CPT codes suggested in a separate tab. The clinician reviews, edits if needed, and approves; the note is not sent anywhere until the clinician approves it.
Accuracy and Languages
Commure Scribe reaches 99.4% transcription accuracy across 90 languages with automatic detection. No manual language selection is required. Notes are produced in English regardless of the language of the visit.
EHR Compatibility
Commure Scribe can one-click sync with 60+ EHRs, including athenahealth, eClinicalWorks, Elation, Practice Fusion, SimplePractice, Tebra, AdvancedMD, WebPT, Cerbo, and Kipu, among others. Confirm your specific EHR directly before purchasing.
Data and Compliance
Audio recordings are stored and encrypted. They are not used for AI training, product improvement, or any purpose other than generating the clinical note. Default retention is one year active, after which recordings are archived. The minimum archive period is six years, consistent with HIPAA's compliance documentation requirement. Longer retention applies where state law requires it. An expedited archive option is available with a 14-day minimum. Archived audio is not freely accessible. Access is limited to HIPAA-trained employees and is available only upon customer request for legal or compliance purposes. Transcripts and notes can be permanently deleted by the user at any time. No patient data is shared with third parties.
Specialties
Commure Scribe supports documentation across multiple specialties, including Family Medicine, Internal Medicine, Psychiatry, Pediatrics, Behavioral Health, Dentistry, and Physical Therapy. Specialty-specific templates and a custom template builder are available.
What steps should your practice take in the first 30 days after adopting an AI scribe?
Many practices that stall on AI scribe adoption do so at the rollout stage, not the evaluation stage. The tool is approved, the subscription is purchased, and then nothing changes because no one ran the first session. A first-30-days checklist for independent and group practices:
- Week 1: Verify compliance before first use. Confirm the BAA is signed. Confirm your consent disclosure language covers AI-assisted documentation. Start with routine follow-up visits before moving to complex or sensitive visit types.
- Week 1: Run a session the same day you set up. The note quality is what converts skeptics. Read the first draft before deciding anything about the tool.
- Weeks 1–2: Review every draft before finalizing. Note what the AI captures well and what needs correction consistently. That pattern informs template customization.
- Week 2: Customize templates. Adjust for your note style, specialty phrasing, and documentation requirements.
- Weeks 3–4: Evaluate note quality against your standard. Compare AI-assisted notes to your manual notes from the same visit type. Check clinical completeness, plan detail, and ICD-10 accuracy.
- Week 4: Decision checkpoint. If chart close time has moved and note quality is holding, you have your answer. If not, identify the specific failure point before canceling. Most issues at this stage are template or workflow, not tool.
Common Questions About AI Medical Scribes
Can I use ChatGPT or another general AI tool to write clinical notes?
Consumer general-purpose AI tools like ChatGPT are not designed for PHI. They lack BAAs, defined PHI data-retention policies, and the audit infrastructure HIPAA requires. An AI scribe built for clinical use has contractual and technical controls in place, including BAAs, encrypted storage, and stated audio-handling policies, that consumer AI tools do not.
Is AI note taking HIPAA compliant?
It depends on the vendor. HIPAA-compliant AI note taking requires a Business Associate Agreement where applicable and reasonable technical, administrative, and physical safeguards. A vendor homepage that says "HIPAA compliant" without providing a BAA and documented security practices does not satisfy those obligations. Verify each element independently before using any AI tool for patient documentation.
What should the BAA with an AI scribe vendor cover?
Confirm the BAA covers the vendor's handling of PHI in its AI processing pipeline, not just data storage. Verify the agreement specifies what happens to your data if you stop using the service. Have your attorney or compliance advisor review it before signing.
What happens to the audio recording after the note is generated?
This varies by vendor and is one of the most important questions to ask. Always request the vendor's written audio-retention policy before signing. Confirm how long recordings are held, whether archived audio is accessible and by whom, and what happens to your data if you end the contract.
Do I need patient consent to use an AI scribe?
HIPAA permits use of PHI for treatment-related documentation without a separate patient authorization. However, state recording laws vary. Some states require all-party consent before recording a conversation, and professional ethics boards may have additional requirements. A verbal disclosure at the start of the visit is common practice. Have your legal advisor review the specific language for your state and profession.
1. The Permanente Medical Group / NEJM Catalyst, 2025. https://permanente.org/analysis-ai-scribes-save-physicians-time-improve-patient-interactions-and-work-satisfaction/
2. Foley & Lardner, HIPAA Compliance Risks with AI Scribes in Health Care, 2025. https://www.foley.com/p/102kdn0/hipaa-compliance-risks-with-ai-scribes-in-health-care-what-digital-health-leader/
3. Reuters Legal, Health Care Ambient Scribes: Legal Frontiers, January 2026. https://www.reuters.com/legal/litigation/health-care-ambient-scribes-offer-promise-create-new-legal-frontiers--pracin-2026-01-23/
4. Topaz, M., Peltonen, L.M. & Zhang, Z. Beyond human ears: navigating the uncharted risks of AI scribes in clinical practice. npj Digit. Med. 8, 569 (2025). https://doi.org/10.1038/s41746-025-01895-6