Verified July 202610 min read

HIPAA and AI scribes: what psychiatrists must verify

Before using any AI scribe with real patients, a psychiatrist must verify a signed Business Associate Agreement, encryption in transit and at rest, audio-retention policy, subprocessor list, and breach notification terms. All ten scribes we track satisfy these federal requirements as of July 2026; the differences that matter are audio retention defaults, subprocessor transparency, and readiness for state-level psychiatric-record protections.

The five HIPAA verifications every psychiatrist should run

1. Signed BAA on every tier you use

The BAA must cover every product tier, not just enterprise. If a free tier does not carry a BAA, do not use it on patient audio — even to test the UI.

2. Encryption in transit and at rest

TLS 1.2 or higher in transit; AES-256 at rest. Ask for the security whitepaper and confirm both.

3. Audio-retention policy

Audio should be discarded after note generation unless you explicitly opt in. Some vendors retain audio by default for model training — a compliance and clinical liability.

4. Subprocessor list

LLM providers (OpenAI, Anthropic, Google) and cloud infrastructure (AWS, GCP, Azure) should be disclosed and covered by downstream BAAs.

5. Breach notification within 60 days

Confirm the BAA obligates the vendor to notify you within 60 days of a discovered breach, per HIPAA.

Psychiatry-specific compliance concerns

Psychiatric records receive additional protection under many state laws — New York Mental Hygiene Law, California LPS Act, and equivalents elsewhere. Confirm the vendor is aware of and contractually accepts state-level constraints, not just federal HIPAA. Ask specifically whether their BAA disclaims state-law liability.

42 CFR Part 2 and substance-use records

If you treat substance use disorders and share those records with third parties, 42 CFR Part 2 applies on top of HIPAA. Verify with each vendor whether their platform supports the additional restrictions before enabling for SUD visits.

Vendor compliance quick scorecard

  • Twofold, Freed, Heidi, Nabla, Abridge, Suki, DeepScribe, JotPsych, Commure, Augmedix — all federal-HIPAA compliant.
  • Audio-retention defaults vary — always confirm.
  • Subprocessor transparency varies — Nabla and Twofold publish full lists; others require asking.
  • 42 CFR Part 2 readiness: confirm case-by-case.

Frequently asked

Are AI scribes covered under 42 CFR Part 2?
Only if you treat substance-use disorders and share those records. Verify with each vendor before enabling for SUD visits.
Can I use an AI scribe for a minor?
Yes, with the same BAA and consent conventions your practice already applies to minors' records. State law may impose additional consent requirements.
Do I need patient consent to record?
Consent requirements vary by state (one-party vs two-party consent). Most psychiatric practices already handle this via intake paperwork; confirm your language covers AI-assisted documentation.

Scribes referenced in this guide

Related guides