HIPAA and AI scribes: what psychiatrists must verify
Before using any AI scribe with real patients, a psychiatrist must verify a signed Business Associate Agreement, encryption in transit and at rest, audio-retention policy, subprocessor list, and breach notification terms. All ten scribes we track satisfy these federal requirements as of July 2026; the differences that matter are audio retention defaults, subprocessor transparency, and readiness for state-level psychiatric-record protections.
The five HIPAA verifications every psychiatrist should run
1. Signed BAA on every tier you use
The BAA must cover every product tier, not just enterprise. If a free tier does not carry a BAA, do not use it on patient audio — even to test the UI.
2. Encryption in transit and at rest
TLS 1.2 or higher in transit; AES-256 at rest. Ask for the security whitepaper and confirm both.
3. Audio-retention policy
Audio should be discarded after note generation unless you explicitly opt in. Some vendors retain audio by default for model training — a compliance and clinical liability.
4. Subprocessor list
LLM providers (OpenAI, Anthropic, Google) and cloud infrastructure (AWS, GCP, Azure) should be disclosed and covered by downstream BAAs.
5. Breach notification within 60 days
Confirm the BAA obligates the vendor to notify you within 60 days of a discovered breach, per HIPAA.
Psychiatry-specific compliance concerns
Psychiatric records receive additional protection under many state laws — New York Mental Hygiene Law, California LPS Act, and equivalents elsewhere. Confirm the vendor is aware of and contractually accepts state-level constraints, not just federal HIPAA. Ask specifically whether their BAA disclaims state-law liability.
42 CFR Part 2 and substance-use records
If you treat substance use disorders and share those records with third parties, 42 CFR Part 2 applies on top of HIPAA. Verify with each vendor whether their platform supports the additional restrictions before enabling for SUD visits.
Vendor compliance quick scorecard
- Twofold, Freed, Heidi, Nabla, Abridge, Suki, DeepScribe, JotPsych, Commure, Augmedix — all federal-HIPAA compliant.
- Audio-retention defaults vary — always confirm.
- Subprocessor transparency varies — Nabla and Twofold publish full lists; others require asking.
- 42 CFR Part 2 readiness: confirm case-by-case.
Frequently asked
- Are AI scribes covered under 42 CFR Part 2?
- Only if you treat substance-use disorders and share those records. Verify with each vendor before enabling for SUD visits.
- Can I use an AI scribe for a minor?
- Yes, with the same BAA and consent conventions your practice already applies to minors' records. State law may impose additional consent requirements.
- Do I need patient consent to record?
- Consent requirements vary by state (one-party vs two-party consent). Most psychiatric practices already handle this via intake paperwork; confirm your language covers AI-assisted documentation.
Scribes referenced in this guide
Related guides
- The best AI scribes for psychiatrists in 2026
Vendor-neutral 2026 ranking of AI scribes for psychiatry, scored on MSE structure, medication management, risk assessment, HIPAA, EHR fit, and pricing.
- Best AI scribe for private-practice psychiatry
Which AI scribes fit private-practice and mid-size psychiatry groups, which are built for hospital systems, and how to evaluate cost, BAA, and template fit.