HIPAA Compliance Checklist for AI Documentation Tools
Why HIPAA Compliance Matters for AI Tools
When AI tools process protected health information (PHI)—such as therapy session recordings and clinical notes—they must meet the same rigorous HIPAA standards as any other system handling patient data. Not all AI documentation tools are created equal. Use this checklist to evaluate any tool you are considering, and verify that it meets the security and privacy requirements your patients deserve.
The 10-Point HIPAA Compliance Checklist
1. Business Associate Agreement (BAA)
The vendor must be willing to sign a Business Associate Agreement, which legally obligates them to protect PHI in accordance with HIPAA. Disclosing PHI to a vendor without a BAA in place is an impermissible disclosure, so using an AI tool on patient data without one is a HIPAA violation. Verify that the BAA covers the full data lifecycle, including processing, storage, and deletion, and ask which subcontractors touch PHI: the hosting provider and any third-party speech-to-text or language-model APIs the tool calls must themselves be bound by BAAs, since HIPAA requires business associates to obtain BAAs from their subcontractors.
MH Scribe: Our BAA is embedded directly in our Terms of Service — accepting the ToS at signup automatically accepts the BAA. No separate paperwork required.
2. Data Encryption (In Transit and At Rest)
All patient data must be encrypted when transmitted between devices and servers (in transit) and when stored on servers (at rest). For transit, look for TLS 1.2 or later (ideally TLS 1.3) with SSLv3, TLS 1.0 and 1.1, and weak cipher suites disabled; for rest, AES-256 or another NIST-approved cipher. Ask how keys are managed and who can use them: encryption at rest protects against stolen disks and misconfigured storage, not against an attacker who holds a valid application credential, so it must be paired with the access controls and logging in the next two items. Weak or outdated encryption protocols are a red flag.
MH Scribe: TLS 1.3 encryption in transit, AES-256 encryption at rest, with AWS KMS key management.
3. Access Controls
The system must restrict PHI to authorized users. Look for role-based access controls (RBAC), multi-factor authentication (MFA), unique user IDs (a required HIPAA implementation specification; shared logins make audit trails meaningless), automatic session timeouts, and the principle of least privilege: a billing or account-administration role should not be able to read session transcripts. Organization-level data isolation is also essential. A user in one practice must never be able to reach another practice's records, even by guessing or altering a record identifier, so authorization has to be checked against the record's owning organization rather than only against the user's role.
MH Scribe: MFA support, RBAC, organization isolation, and automatic session management via Clerk.
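What least privilege and organization-level isolation look like in code, as an added illustration that is not MH Scribe's implementation (the role names, permission strings, and 15-minute idle limit are assumptions chosen for the example). The insecure function shows the common failure: the role is checked but the record's owning organization is not, so a clinician from another practice who guesses a note ID gets through. The hardened function checks MFA, session idleness, role permission, and tenant, and denies by default:

```python
"""Least-privilege authorization with tenant (organization) isolation.
Added example, not MH Scribe code; roles, permissions and the idle limit
are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Role -> permissions. Administrative roles get no PHI read permission by default.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"note:read", "note:write", "session:record"}),
    "supervisor": frozenset({"note:read"}),
    "org_admin": frozenset({"user:manage", "audit:read"}),
}
SESSION_IDLE_LIMIT = 15 * 60  # seconds of inactivity before automatic logoff (assumed)


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str
    role: str
    mfa_verified: bool
    last_activity: int  # epoch seconds


@dataclass(frozen=True)
class Note:
    note_id: str
    org_id: str  # the organization that owns the record


def authorize_insecure(p: Principal, note: Note, perm: str) -> bool:
    """Anti-pattern: the role check alone. Any clinician, in any organization,
    who can guess or enumerate a note_id is allowed through."""
    return perm in PERMISSIONS.get(p.role, frozenset())


def authorize(p: Principal, note: Note, perm: str, now: int) -> Optional[str]:
    """Deny-by-default check. Returns None when allowed, else the reason denied."""
    if not p.mfa_verified:
        return "mfa_required"
    if now - p.last_activity > SESSION_IDLE_LIMIT:
        return "session_expired"
    if perm not in PERMISSIONS.get(p.role, frozenset()):
        return "insufficient_role"
    if note.org_id != p.org_id:
        # Tenant isolation is evaluated against the record's owner, not the
        # request, so a valid role in org-a never reaches org-b's data.
        return "cross_org"
    return None


def demo() -> dict:
    """Constructed scenario: two practices, one note belonging to org-a."""
    now = 1_700_000_000
    note = Note(note_id="note-42", org_id="org-a")
    own = Principal("u1", "org-a", "clinician", True, now - 60)
    other_org = Principal("u2", "org-b", "clinician", True, now - 60)
    admin = Principal("u3", "org-a", "org_admin", True, now - 60)
    no_mfa = Principal("u4", "org-a", "clinician", False, now - 60)
    idle = Principal("u5", "org-a", "clinician", True, now - 3600)
    return {
        "own_clinician": authorize(own, note, "note:read", now),
        "other_org_insecure": authorize_insecure(other_org, note, "note:read"),
        "other_org_hardened": authorize(other_org, note, "note:read", now),
        "org_admin_reads_phi": authorize(admin, note, "note:read", now),
        "no_mfa": authorize(no_mfa, note, "note:read", now),
        "idle_session": authorize(idle, note, "note:read", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "allowed" if result is None else result)
```

The point of the comparison is the `other_org_*` pair: the role-only check returns True for a clinician in a different practice, while the hardened check refuses with `cross_org`. When evaluating a vendor, ask them to describe where in their request path the record's organization is compared to the caller's, and whether that check can be bypassed by any API (exports, search, bulk endpoints) that does not go through it.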
4. Audit Logging
HIPAA's audit-controls standard requires mechanisms that record and examine activity in systems containing electronic PHI. The system should log who accessed which record, when, from where, and what action was taken, covering reads as well as edits and deletions. Logs should be tamper-evident, kept in append-only or integrity-protected storage so that any alteration or deletion is detectable, and retained for at least six years, matching HIPAA's retention period for compliance documentation. This is critical for compliance audits and breach investigations: without reliable logs you cannot establish what was accessed, and HIPAA presumes an impermissible disclosure is a reportable breach unless you can demonstrate a low probability of compromise.
MH Scribe: Comprehensive audit logging with tamper-proof storage and six-year retention.
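A minimal tamper-evident audit log, as an added example rather than MH Scribe's code, using only the Python standard library: each entry carries the hash of the previous one, and the chain head is sealed with an HMAC under a key the application tier should not be able to reach (the key and events here are constructed for the example). Verification then detects an edited entry, an edited-and-rehashed entry, and a silently dropped entry:

```python
"""Hash-chained, HMAC-sealed audit log. Added example, not MH Scribe code;
the seal key and the events are constructed for illustration."""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj: dict) -> bytes:
    # Stable serialization so writer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    # Hash every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    def __init__(self, seal_key: bytes):
        self._entries: List[dict] = []
        self._seal_key = seal_key  # assumption: held in a KMS, not by app admins

    def append(self, actor: str, org_id: str, action: str, resource: str, ts: str) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "actor": actor, "org_id": org_id,
                 "action": action, "resource": resource, "ts": ts, "prev_hash": prev}
        entry["hash"] = entry_hash(entry)
        self._entries.append(entry)
        return dict(entry)

    def seal(self) -> str:
        # HMAC over the chain head: rewriting or truncating the chain also
        # requires forging this value, which needs the seal key.
        head = self._entries[-1]["hash"] if self._entries else GENESIS
        return hmac.new(self._seal_key, head.encode(), hashlib.sha256).hexdigest()

    def entries(self) -> List[dict]:
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[dict], seal: str, seal_key: bytes) -> Optional[int]:
    """None if intact; the index of the first broken entry; or -1 if the
    chain is internally consistent but does not match the seal (truncation)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            return i
        if entry_hash(e) != e.get("hash"):
            return i
        prev = e["hash"]
    expected = hmac.new(seal_key, prev.encode(), hashlib.sha256).hexdigest()
    return None if hmac.compare_digest(expected, seal) else -1


def demo() -> dict:
    """Constructed scenario: three legitimate events, then three tampering attempts."""
    key = b"constructed-seal-key"
    log = AuditLog(key)
    log.append("dr.smith", "org-a", "VIEW_NOTE", "note/42", "2024-05-01T10:00:00Z")
    log.append("dr.smith", "org-a", "EXPORT_TRANSCRIPT", "session/7", "2024-05-01T10:05:00Z")
    log.append("admin", "org-a", "DELETE_AUDIO", "session/7", "2024-05-01T10:06:00Z")
    seal = log.seal()

    edited = log.entries()
    edited[1]["action"] = "VIEW_NOTE"  # rewrite history, hash left stale

    rehashed = log.entries()
    rehashed[1]["action"] = "VIEW_NOTE"
    rehashed[1]["hash"] = entry_hash(rehashed[1])  # recomputed, but entry 2's prev_hash now mismatches

    truncated = log.entries()[:-1]  # drop the most recent event

    return {
        "intact": verify_chain(log.entries(), seal, key),
        "edited": verify_chain(edited, seal, key),
        "rehashed": verify_chain(rehashed, seal, key),
        "truncated": verify_chain(truncated, seal, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "ok" if result is None else f"broken at {result}")
```

In a real deployment the entries go to append-only storage (write-once object storage or a separate logging service that the application's own service account cannot delete from), the seal is recomputed and published at intervals so a rewritten chain can be compared against earlier seals, and the seal key lives in a KMS with no access path for application administrators. The six-year retention then applies to the entries and their seals together.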
5. Data Retention and Deletion
The vendor should have clear policies on how long data is retained and how it is securely deleted. Audio recordings, transcripts, and notes should have configurable retention periods; raw audio in particular should not outlive the transcription it exists to produce. When data is deleted, it must be rendered permanently unrecoverable across all systems, including backups. Ask specifically how deletion reaches backups: most systems cannot scrub individual records from backup sets on demand, so expect either a stated backup expiry window or key destruction (crypto-shredding), where each record or tenant is encrypted under its own key and deleting the key makes any backed-up copy unreadable.
MH Scribe: Configurable audio retention with automatic deletion after transcription. Secure data deletion procedures.
6. No Model Training on PHI
This is one of the most critical requirements for AI tools. Your patients' session data must never be used to train, fine-tune, or improve AI models. Many general-purpose AI platforms do use customer data for training. A HIPAA-compliant AI scribe must contractually guarantee that PHI is never used for model improvement, and the guarantee must extend to any upstream model provider the scribe sends transcripts to: ask whether those API calls run under a no-training arrangement with zero or short, stated prompt retention, and under a BAA of their own.
MH Scribe: Patient data is never used to train AI models. This is contractually guaranteed in our Terms of Service (which includes the BAA).
7. Breach Notification Procedures
HIPAA requires that covered entities and business associates have documented breach notification procedures. A business associate must notify you of a breach without unreasonable delay and no later than 60 days after discovery; negotiate a much shorter window in the BAA (days, not weeks), because you need time to investigate and to meet your own deadlines for notifying affected patients and HHS. The vendor must also commit to providing the details those notifications require: which individuals were affected, what PHI was involved, and what happened.
MH Scribe: Documented breach notification procedures with prompt notification and full investigation support.
8. Staff Training
The vendor's employees who may have access to systems containing PHI should receive HIPAA training. Ask about their training program, frequency, and whether they conduct phishing simulations and security awareness exercises.
MH Scribe: All employees receive HIPAA training at hire and annually, with regular security awareness exercises.
9. Infrastructure Certifications (SOC 2, etc.)
The vendor should hold independent security attestations. SOC 2 Type II is the common benchmark: an independent auditor's report that the vendor's controls not only existed but operated effectively over a review period, typically six to twelve months, as opposed to a Type I snapshot. Two caveats: SOC 2 is an attestation report, not a certification, so ask to read the report and its exceptions under NDA rather than accept a badge; and a hosting provider's own reports (e.g., AWS SOC 2, ISO 27001) cover only the provider's infrastructure. Under the shared-responsibility model the vendor's application code, identity and access management, logging, and key handling are the vendor's to secure and to evidence, so ask whether the vendor itself has been audited.
MH Scribe: Hosted on AWS SOC 2 Type II certified infrastructure with US-only data residency.
10. Patient Consent
While not strictly a HIPAA technical requirement, obtaining informed patient consent for AI-assisted documentation is an ethical best practice and may be required by state laws or licensing boards. The tool should support or facilitate the consent process.
MH Scribe: We provide a customizable patient consent form template and guidance for introducing AI documentation to patients.
MH Scribe Meets All 10 Requirements
MH Scribe was built from the ground up for HIPAA compliance in mental health settings. Every aspect of our platform—from encryption and access controls to our commitment to never training on patient data—is designed to protect your patients' most sensitive information.
For a deeper dive into our security practices, visit our Security page.