Security & HIPAA at ezScribe

Patient privacy isn't a feature — it's the foundation. Here's exactly how we protect the clinical content you trust us with.

Last updated April 19, 2026

Our role: Business Associate

Under HIPAA, the provider who records a visit is the Covered Entity. ezScribe operates as a Business Associate processing Protected Health Information ("PHI") on the provider's behalf. We sign a Business Associate Agreement ("BAA") with every paid practice that needs one — at no additional charge — before we process any PHI.

Our safeguards

Administrative

  • Designated Security Officer & Privacy Officer
  • HIPAA training for all workforce members before PHI access
  • Role-based access control with documented access-review cycles
  • Documented incident-response and breach-notification program
  • Annual HIPAA risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A)

Physical

  • Production infrastructure hosted in SOC 2 / HIPAA-audited data centers
  • No PHI on employee laptops; remote-only access via VPN + MFA
  • Physical media disposed of per NIST SP 800-88 guidelines

Technical

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest for databases and object storage
  • Tenant isolation at the application and database layer
  • Full audit logging on every PHI access — stored immutably
  • Automatic 30-day deletion of Clinical Content and rolling backup purge
  • MFA required on all administrative and billing accounts

What we do — and don't do — with your Clinical Content

We DO

  • ✓ Encrypt all audio and text in transit (TLS 1.2+)
  • ✓ Encrypt storage at rest (AES-256)
  • ✓ Log every PHI access for audit
  • ✓ Auto-delete Clinical Content after 30 days
  • ✓ Use HIPAA-covered subprocessors under BAA
  • ✓ Notify you immediately of any breach

We do NOT

  • ✗ Sell, rent, or share PHI with anyone
  • ✗ Use PHI to train third-party AI models
  • ✗ Run advertising, profiling, or marketing on PHI
  • ✗ Retain data after you request deletion
  • ✗ Transmit PHI to any non-U.S. subprocessor without your consent
  • ✗ Grant vendor employees routine access to your data

Our subprocessors

We rely on a small number of industry-leading infrastructure partners. Each receives only the minimum data necessary and is under contract to match or exceed our security and HIPAA obligations.

Partner                    | Purpose                            | Handles PHI?
---------------------------|------------------------------------|------------------------------------------
OpenAI (Whisper, GPT API)  | Transcription & clinical summaries | Yes — under BAA & zero-retention policy
Cloud hosting provider     | App & database hosting             | Yes — under BAA
Stripe                     | Subscription billing               | No (billing info only)
PostHog                    | Product analytics                  | No (no PHI sent)

Breach notification

In the unlikely event of a breach of unsecured PHI, ezScribe will notify the affected Covered Entity without unreasonable delay and no later than 60 days after discovery, consistent with 45 C.F.R. § 164.410. The notice will include the nature of the breach, the PHI involved, the dates, and the steps we are taking to mitigate and prevent recurrence.

Reporting a security issue

If you believe you've found a security vulnerability, please email security@ezscribe.net. We triage every report within 1 business day and will credit good-faith researchers in our security-advisory log.

Ready to get your BAA signed?

Send a one-line email to our security team. Most BAAs are executed the same day.