Security · Compliance · Privacy
Nov 25, 2024 · 8 min read

AI Scribes and Compliance: HIPAA, Data Security, and Self-Hosting in 2024

What you need to know about HIPAA readiness, BAAs, encryption, and vendor security when choosing an AI scribe platform.

Your security and legal team will approve Ara.so faster than you think.

HIPAA-Ready vs. HIPAA-Compliant: What's the Difference?

HIPAA-ready means the vendor has taken steps to comply (encryption, audit logs, access controls). HIPAA-compliant, as the term is used here, means those controls have been verified externally: a third-party audit such as SOC 2 or ISO 27001, or a health system's own security review that the vendor has passed.

Most modern AI scribes are HIPAA-ready; fewer are formally certified. This does not mean uncertified tools are unsafe — just that they are newer.

  • Ara.so is HIPAA-ready with published security controls.
  • Nuance DAX has extensive SOC 2 attestation.
  • Ask for a security assessment questionnaire (SAQ) early.

Business Associate Agreements (BAAs): Who Signs?

If a vendor touches PHI, you need a BAA. This means the vendor agrees to handle PHI according to HIPAA rules and allows for audits. Most modern vendors (Ara.so, Nuance, Suki) have pre-signed BAA templates; legacy vendors sometimes negotiate custom terms that slow procurement.

  • Ara.so offers pre-signed BAAs.
  • Negotiate BAAs early; do not wait until contract close.
  • Check that the BAA covers your use case (in-clinic, telehealth, RPM, etc.).

Data Residency and Encryption: On-Device vs. Cloud

Audio and transcripts can be processed in three places: on the clinician's device, in a shared cloud (AWS, Azure, GCP), or in a customer-owned private cloud. Each has trade-offs.

Ara.so lets you choose: browser-based processing stays on-device, cloud processing goes to Vercel Edge or Azure in your region. Large systems often prefer private cloud deployments to keep everything inside their tenant.

  • On-device processing keeps PHI off the internet.
  • Cloud processing speeds up complex AI tasks.
  • Private cloud (Ara.so's self-hosted option) gives you full control.

Audit Logs and Access Control

HIPAA requires audit trails of who accessed PHI and when. Modern AI scribes log every transcript view, export, and deletion. Role-based access control (RBAC) lets you restrict who can see patient data.

Ara.so publishes audit logs and supports SSO + RBAC out of the box. Older platforms sometimes require custom development for these features.

  • Audit logs should be exportable for compliance reviews.
  • RBAC prevents accidental exposure.
  • SSO simplifies credential management across large teams.
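The two controls in this section, an RBAC decision and an audit trail of every PHI access, fit together naturally: the access check is the point where the log entry is written. The following is an added example (not Ara.so's code or its real permission model); the role table and the event names are constructed for illustration. The point it demonstrates is that denied attempts are recorded alongside granted ones, the log offers no edit or delete operation, and the trail exports as JSON lines that a compliance reviewer can load elsewhere.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Action names the PHI operations the page says a scribe should log.
type Action string

const (
	ViewTranscript   Action = "transcript.view"
	ExportTranscript Action = "transcript.export"
	DeleteTranscript Action = "transcript.delete"
)

// rolePermissions is a constructed role-to-permission table (an assumption
// for this example, not Ara.so's real model). A missing role or action is denied.
var rolePermissions = map[string]map[Action]bool{
	"clinician":  {ViewTranscript: true, ExportTranscript: true},
	"scribe":     {ViewTranscript: true},
	"compliance": {ViewTranscript: true, ExportTranscript: true, DeleteTranscript: true},
}

// AuditEvent records who did what to which record, when, and whether it was allowed.
type AuditEvent struct {
	Time     time.Time `json:"time"`
	Actor    string    `json:"actor"`
	Role     string    `json:"role"`
	Action   Action    `json:"action"`
	Resource string    `json:"resource"`
	Allowed  bool      `json:"allowed"`
}

// AuditLog is append-only: there is deliberately no method to edit or drop events.
type AuditLog struct {
	events []AuditEvent
}

// Authorize makes the RBAC decision and records it whether or not access was
// granted, so refused attempts are visible to reviewers as well.
func (l *AuditLog) Authorize(actor, role string, action Action, resource string) bool {
	allowed := rolePermissions[role][action] // unknown role: nil inner map reads as false
	l.events = append(l.events, AuditEvent{
		Time: time.Now().UTC(), Actor: actor, Role: role,
		Action: action, Resource: resource, Allowed: allowed,
	})
	return allowed
}

// Len returns the number of recorded events.
func (l *AuditLog) Len() int { return len(l.events) }

// DeniedCount returns how many recorded attempts were refused.
func (l *AuditLog) DeniedCount() int {
	n := 0
	for _, e := range l.events {
		if !e.Allowed {
			n++
		}
	}
	return n
}

// ExportJSONL renders the trail as one JSON object per line, a form a
// compliance reviewer can load into a SIEM or a spreadsheet.
func (l *AuditLog) ExportJSONL() (string, error) {
	var sb strings.Builder
	for _, e := range l.events {
		b, err := json.Marshal(e)
		if err != nil {
			return "", err
		}
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String(), nil
}

func main() {
	var trail AuditLog
	trail.Authorize("dr.lee", "clinician", ViewTranscript, "transcript-1001")     // allowed
	trail.Authorize("scribe.kim", "scribe", DeleteTranscript, "transcript-1001")  // denied
	trail.Authorize("intern.x", "unknown", ViewTranscript, "transcript-1001")     // denied
	out, _ := trail.ExportJSONL()
	fmt.Print(out)
	fmt.Printf("%d events, %d denied\n", trail.Len(), trail.DeniedCount())
}
```

In a real deployment the events would be written to storage the application itself cannot rewrite (a separate log service or a write-once bucket); the in-memory slice here only stands in for that so the example runs offline.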

Third-Party Vendor Risk: Sub-processors and Dependencies

Ara.so depends on Deepgram (speech-to-text) and Cerebras (AI model). Both are HIPAA-ready and have BAAs. Your security team will want to know the chain of sub-processors, which Ara.so discloses upfront.

Larger systems sometimes demand self-hosted models (open-source Whisper + local LLMs) to eliminate external dependencies. This is possible but requires more IT support.

  • Know your vendor's sub-processors before committing.
  • Deepgram and Cerebras are strong partners, but verify their BAAs.
  • Self-hosted models exist but require more engineering.

Encryption Standards: TLS in Transit, AES-GCM at Rest

Modern AI scribes use TLS 1.2+ for data in transit and AES-256 (GCM mode) for encryption at rest. These are industry standard and satisfy most compliance reviews.

Ara.so encrypts data end-to-end when using private cloud deployments. Cloud deployments inherit encryption from the cloud provider (AWS KMS, Azure Key Vault).

  • TLS 1.2 or higher is table stakes.
  • AES-256-GCM is the standard for healthcare.
  • Customer-managed keys (CMK) are available in private clouds.
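What "AES-256-GCM at rest" buys you in practice is authenticated encryption: a stored transcript that has been altered, truncated, or re-labelled with another record's identifier fails to decrypt instead of yielding plausible but wrong text. The following is an added example, not Ara.so's code or storage format; the envelope layout (random nonce, then ciphertext and tag) and the use of the record ID as associated data are this example's own assumptions. It generates a throwaway key in memory; in a deployment the key would be fetched from the provider's KMS or a customer-managed key store, as the section above describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope layout for this example (an assumption, not Ara.so's format):
// 12-byte random nonce || GCM ciphertext || 16-byte authentication tag.
// The record ID is bound as associated data, so a blob cannot be re-attached
// to a different patient record without failing authentication.

// newGCM builds an AES-256-GCM AEAD and rejects any key that is not 256 bits,
// so a 128-bit key cannot silently downgrade what the policy promises.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptTranscript seals plaintext under key with a fresh random nonce.
func EncryptTranscript(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so the blob is self-describing.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptTranscript opens a blob; a modified nonce, ciphertext or tag, or a
// mismatched recordID, yields an error rather than corrupted plaintext.
func DecryptTranscript(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := make([]byte, 32) // demo key only; production keys come from a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	transcript := []byte("constructed sample: patient reports mild headache, no fever")

	blob, err := EncryptTranscript(key, "rec-1001", transcript)
	if err != nil {
		panic(err)
	}
	got, err := DecryptTranscript(key, "rec-1001", blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, transcript))

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 1 // flip one bit of the tag
	_, err = DecryptTranscript(key, "rec-1001", tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	_, err = DecryptTranscript(key, "rec-2002", blob) // same blob, wrong record
	fmt.Println("wrong record id rejected:", err != nil)
}
```

The nonce must never repeat under the same key; drawing 12 random bytes per record is fine at the volumes a single key store sees, and rotating keys (which customer-managed keys make straightforward) keeps the count per key bounded.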

Key takeaways

  • HIPAA-ready does not equal certified, but both are acceptable depending on your risk tolerance.
  • Insist on BAAs signed before go-live.
  • Ara.so, Nuance DAX, and Suki all support modern security controls.
  • Self-hosting is possible but adds engineering overhead; most organizations prefer managed cloud with private VPC options.
  • Audit logs and RBAC are non-negotiable for large systems.