A hospital compliance officer evaluating an AI scribe vendor sends back a 14-page security questionnaire before the legal department even reads the contract. A solo psychiatric NP evaluating the same vendor signs the order form on the demo call.

The product they're both buying is identical. The asymmetry is in what the buyer asks before signing.

This issue is about closing that gap — not by hiring a compliance officer (you don't have one, and you're not going to) but by running, in thirty minutes, the five-question vetting protocol that bridges institutional rigor and solo-practice reality.

Audio is Protected Health Information.

This isn't a debatable point. When you record yourself asking a patient about suicidal ideation, the audio is PHI under HIPAA's definition. The transcription is PHI. The summary the AI generates is PHI. The metadata — when the conversation happened, with whom, for how long — is PHI.

Once that audio leaves your laptop or your office network, it is in the hands of a vendor. Under HIPAA, that vendor must be either (a) a Business Associate of your practice, with a signed Business Associate Agreement, or (b) handling the data in a way that doesn't constitute a use or disclosure of PHI under the regulation. There is no third category. "HIPAA-aligned best practices" is marketing language, not a regulatory definition.

Documented incidents are accumulating. In a 2024 case reviewed by Ontario's privacy commissioner,[1] Otter.ai — an AI transcription tool with capabilities similar to medical scribes — inadvertently captured the personal health information of seven hospital patients during a virtual meeting it had not been authorized to record. The vendor wasn't acting maliciously. The tool was doing exactly what it was configured to do. The exposure happened because the data flow wasn't fully understood by the people authorizing it. The hospital subsequently banned AI scribe tools from the network entirely.

The backdoor risk no one is talking about.

When solo and small-group practitioners hear all of this, the question that comes back is almost always the same: is OCR really going to come after a practice my size? What are the odds?

This is the wrong question. The federal regulator is rarely the one who triggers an investigation against a solo practice directly. The pattern works in reverse.

The AI scribe vendors you're evaluating are running thousands of customer accounts on the same infrastructure. Each one of them is a far more attractive target than your individual practice will ever be. They have larger data stores, more developers, more integrations, more endpoints, and more sophisticated adversaries probing them. Their attack surface is orders of magnitude wider than yours. When one of them is breached — and the pattern across healthcare-adjacent SaaS suggests it's a question of when, not if — the regulatory investigation doesn't stop at the vendor. OCR's first move is to obtain the vendor's customer list to scope the incident. Every covered entity on that list now has a separate set of questions to answer.

The first question is the same for every downstream practice: did you have a Business Associate Agreement in place? If yes, the inquiry largely concludes for that practice. If no, the inquiry shifts from the vendor's negligence to your impermissible disclosure. The vendor's breach becomes your enforcement action.

This is exactly what happened to the Center for Children's Digestive Health.[2] OCR opened the investigation against a file storage vendor called FileFax. The vendor produced its customer list. CCDH was on it. The investigation expanded to CCDH. Neither party could produce a signed BAA. The result was a $31,000 settlement and a corrective action plan — for a vendor incident the practice had no role in causing.

The chance OCR randomly audits a solo practice this year is genuinely low. The chance OCR investigates a solo practice as part of a downstream review of a major vendor breach is much higher — and that risk scales directly with the size of the vendor pool you've joined.

This is not theoretical. In March 2020, OCR settled with a solo gastroenterology practitioner in Utah for $100,000[3] after a breach investigation revealed a missing BAA with the practice's EHR vendor — another downstream case. The penalty floor on a small-practice BAA gap is in the tens of thousands. The ceiling, when the gap involves more records or longer durations,[4] climbs into the six and seven figures.

How AI scribes actually work — six steps.

Strip the marketing language and an AI scribe is doing six things in roughly this order:

It captures audio — either through a smartphone or laptop microphone in the room, or through an integration with your telehealth platform that routes the audio stream from the call into the scribe vendor's pipeline.

It uploads that audio to the vendor's cloud. Encryption in transit is standard at this step; the better vendors use TLS 1.3 with mutual authentication.

It transcribes the audio — typically with a third-party speech-to-text model (Whisper-class, AWS Transcribe, Google Speech-to-Text, or a vendor-trained variant). At this point the audio has been processed by at least two parties: your scribe vendor and whichever speech model they license from. Each one is a potential data flow you need to track.

It generates a structured note from the transcript using a large language model — typically GPT-class, Claude, or a vendor-trained variant. This is the step where the audio becomes a clinical document.

It stores both the audio and the transcript on the vendor's servers — often hosted on AWS or Azure, often with retention defaults measured in months or years rather than days.

It may train future models on your conversations. This is the question most often dodged in the demo and most rarely answered cleanly in the BAA. "We do not use customer data for training" sounds clean in the marketing copy. The contract language often says "we may use de-identified data to improve our services," which is materially different.

That six-step pipeline is the operational reality. Each step is a place a hospital compliance officer would ask a question. The five questions below are the most important ones, in priority order.

Five questions to ask before you sign.

1. Will you sign a Business Associate Agreement before any patient audio is captured?

This is the threshold question. There is no second question if the answer is no.

If the response is "our paid tier includes a BAA," "we follow HIPAA best practices," or "let me check with our legal team" — put your pen down. A vendor that markets to clinicians without a BAA queued up before the demo isn't ready to handle PHI.

The follow-up that breaks the script: When can you send the BAA — today, this week, or after I sign? The answer tells you whether HIPAA is part of their go-to-market or an afterthought.

2. Is patient audio used to train your models?

The standard hedge is: "We may use de-identified data to improve our services." It sounds clean. It rarely is.

HIPAA's de-identification standard requires removing eighteen specific kinds of information — including dates, geography, and anything else that could re-identify the patient. Most vendor "de-identification" is closer to scrubbing the obvious fields and calling it a day.

Ask for the contract language. If they can't point to a clear no, assume yes.

3. Where does the data live, and for how long?

By default, AI scribe vendors store audio for months or years. That default is set by the vendor's product team — not by your privacy preferences.

The question isn't "is the data secure?" The question is: can I configure this to delete after thirty days, and is that configuration written into the BAA? If the answer is "the BAA is generic and we don't customize retention per customer," you've accepted their defaults — designed for the vendor's training pipeline, not your patients.

I have seen vendor BAAs that specify retention "as long as legally required." That language isn't retention. It's the absence of retention policy.

4. What happens to my data if I cancel?

Demos cover onboarding. Almost none cover offboarding. Read the BAA's exit clause before you sign the order form.

A clean answer: data is deleted within thirty days, a certificate of destruction is available on request, the deletion covers audio, transcripts, metadata, and any derived training artifacts.

A vague answer: "we retain data for legal and business purposes."

Translation: indefinitely.

This matters more than it seems. Cancelling the service does not foreclose your liability. If a vendor retains your patients' audio indefinitely and gets breached three years after you've moved on — your practice is still on the customer list when OCR pulls it. If the BAA was missing or weak, the dragnet still catches you. Years later. From a vendor whose name your front desk doesn't remember anymore.

The risk doesn't sunset when the contract does. It sunsets when the data deletes.

5. Have you had a security incident — and how did you handle it?

The point isn't to disqualify vendors that have had incidents. Most mature vendors have. The point is to see how they talk about it.

A mature answer: yes, in [year], we had a [type] incident, notified affected customers within [timeframe], documented it in our SOC 2 report. Calibrated. Specific. Owned.

An immature answer: "we don't comment on security publicly," or "we have no reportable incidents." Both can be true. Both can also mean the vendor hasn't been around long enough to be tested.

I've asked this question of three AI scribe vendors in the last six months. Two answered specifically. One redirected to a marketing brochure.

The follow-up worth asking: What's the BAA's notification window for a confirmed breach — 24 hours, 72 hours, or longer?

The takeaway is not that AI scribes are bad.

They're operationally good. They cut documentation burden by a meaningful margin. The clinical evidence on burnout reduction is real and accumulating. Nothing in this piece says don't use them.

The takeaway is that the questions a hospital compliance officer asks before signing — will you sign a BAA, what do you do with my audio, where does it live, what happens when I leave, and what happens when you're breached — are questions a solo practice can ask too. The protocol is portable. It requires thirty minutes and a willingness to break the demo's script.

If your practice already has a BAA in place and the answers above are documented, you're done. If not, the Vault includes a BAA review checklist and pre-drafted BAA language — the documents I use myself when running this conversation in an Operational Advisory Session.

Next issue: the morning your billing service tells you they were hacked. The contract you signed during onboarding is what stands between you and the federal investigation that follows.

With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder

Footnotes

  1. Office of the Information and Privacy Commissioner of Ontario, File HR24-00691 (December 2024). Reported via incidentdatabase.ai.
  2. HHS OCR Resolution Agreement with Center for Children's Digestive Health, S.C., April 2017.
  3. HHS OCR Resolution Agreement with Steven A. Porter, M.D., March 2020. Reported via abyde.com.
  4. HHS OCR Resolution Agreement with Raleigh Orthopaedic Clinic, P.A. ($750,000), May 2016.