
HIPAA-Compliant Transcription: What It Actually Requires (2026)
Summarize this article with:
If a transcription vendor won't sign a Business Associate Agreement (BAA), nothing else about them matters for protected health information. HIPAA compliance is a legal and contractual relationship, not a feature badge or an infrastructure claim. This guide covers the BAA requirement, what to verify in any vendor evaluation, which clinical tools sign BAAs as of 2026, and which content types don't require a HIPAA workflow at all. This is general information, not legal advice.
If a transcription vendor will not sign a Business Associate Agreement, they cannot legally handle your patients' protected health information, regardless of how their infrastructure is described. The BAA is the gate. Everything else in HIPAA compliance follows from it.
This is not a nuance or a technicality. It is the structure of the regulation. And it is the most commonly missed step by healthcare professionals adopting AI transcription tools.
Not legal advice. Consult qualified healthcare counsel for your organization's specific compliance program.
Why the BAA Is the Only Starting Question
When a covered entity (a healthcare provider, health plan, or clearinghouse) uses a vendor to create, receive, maintain, or transmit protected health information, that vendor is a Business Associate under HIPAA. The law requires a written agreement establishing the vendor's obligations before any PHI changes hands.
A vendor that handles PHI without a signed BAA is out of compliance, full stop. No amount of encryption, SOC 2 certification, or "HIPAA-friendly" marketing language substitutes for the contract. The Department of Health and Human Services has levied fines for exactly this gap: PHI flowing to a vendor that never signed a BAA.
So the only first question when evaluating any transcription tool for clinical use is: "Do you sign Business Associate Agreements?" If the answer is no, or is unclear, stop there. No further evaluation is needed.
What a BAA Must Cover
A valid BAA establishes the ground rules for every PHI interaction. The core elements required under the HIPAA Privacy and Security Rules:
Permitted uses and disclosures. The vendor may only use PHI to perform the contracted service. Secondary use for marketing, model training, or analytics requires explicit authorization, and 2026 BAA guidance from OCR specifically calls out AI training data policies as a required item.
Safeguards commitment. The vendor agrees to implement administrative, physical, and technical safeguards meeting the HIPAA Security Rule. This is where encryption, access controls, and audit logging become binding obligations rather than optional features.
Subcontractor chain. If the vendor uses subcontractors who touch PHI (for example, a cloud hosting provider, an AI model API, or a human review service), each subcontractor needs its own BAA. A broken subcontractor chain is a compliance gap even when the primary vendor has a signed BAA with you.
Breach notification. The vendor must notify you of any unauthorized PHI access within the time window your BAA specifies. Your own organization's 60-day breach notification clock to HHS depends on this upstream notification.
PHI at termination. The BAA must specify what happens to PHI when the relationship ends: return to you, secure destruction with written confirmation, or retention with continuing protections.
Audit rights. You should retain the right to verify the vendor's compliance practices. Some BAAs bury this in boilerplate that effectively grants no real audit capability; read it carefully.
The Full HIPAA Vendor Checklist
Beyond the BAA, the HIPAA Security Rule specifies what a compliant business associate must actually have in place. Use this checklist when evaluating transcription vendors for PHI:
- BAA offered and signed before PHI is transmitted
- Encryption in transit: TLS 1.2 or higher for all data in motion
- Encryption at rest: AES-256 or equivalent for stored PHI
- Unique user identification: no shared login credentials with access to PHI
- Role-based access controls: PHI accessible only to personnel with a documented business need
- Audit logs: records of who accessed which PHI, when, and from where
- Incident response: documented breach detection and notification procedures
- Workforce training: staff handling PHI trained on HIPAA requirements
- Subcontractor BAA chain: verified for every downstream vendor touching PHI
- Data residency: US-based storage for institutions requiring domestic data
- Deletion or return protocol: written policy for PHI at contract end
- AI training data policy: explicit statement on whether PHI is used to train models (OCR's 2026 guidance calls this out)
A vendor that cannot answer each of these in writing is not ready for PHI processing.
Why "Encrypted" Is Not Enough
The most common misunderstanding in healthcare AI adoption is treating technical security as a proxy for compliance. A tool can have excellent encryption, a clean SOC 2 Type II report, and modern infrastructure, and still be completely unusable for PHI because it does not sign BAAs.
Encryption protects data in transmission and storage. SOC 2 demonstrates operational security controls. Neither creates the contractual obligations that HIPAA requires. Without the BAA, the covered entity has no enforceable agreement governing what the vendor does with PHI, no guaranteed breach notification, and no audit rights. The legal relationship does not exist.
The same logic applies to consumer AI tools used for clinical dictation. A physician using a general-purpose AI transcription app to dictate a patient note is transmitting PHI to a system that almost certainly does not sign BAAs. That is a HIPAA violation regardless of whether the audio is ever actually mishandled.
Vendors That Sign BAAs for Transcription (2026)
The vendors below are established in BAA-backed clinical transcription or ambient AI documentation as of July 2026, per their own published documentation and marketing materials. Compliance is a property of your specific deployment and agreements with each vendor, not a blanket badge. Verify current BAA terms directly before any PHI processing.
| Vendor | BAA Available | Notable Certification | Type |
|---|---|---|---|
| Dragon Medical One (Microsoft/Nuance) | Yes (in EULA/enterprise agreement) | HITRUST CSF, Azure infrastructure | Clinical dictation, front-end EHR |
| Nuance DAX Copilot | Yes (enterprise contract) | Same Nuance/Microsoft infrastructure | Ambient AI, encounter documentation |
| Sonix (healthcare tier) | Yes (per vendor documentation) | SOC 2 Type II | AI transcription with medical vocabulary |
| Rev.ai (HIPAA tier) | Yes (requires MSA + BAA before PHI processing) | Enterprise security controls | AI speech recognition API |
| Suki AI | Yes (per vendor documentation) | SOC 2 Type 2 | Ambient AI, EHR integration |
| Abridge | Yes (enterprise) | Best in KLAS Ambient AI 2025-2026 | Ambient AI, encounter documentation |
| Heidi Health | Yes (US practices, per vendor) | SOC 2 | Ambient AI, clinical notes |
| DeepScribe | Yes (per vendor documentation) | KLAS-rated | Ambient AI, clinical documentation |
| Augmedix | Yes (standard) | HIPAA-compliant infrastructure | Hybrid AI and human scribing |
Dragon Medical One pricing runs roughly $79 to $99 per provider per month depending on contract length, plus a mandatory one-time implementation fee (approximately $525 per user, per vendor reseller data as of 2026). DAX Copilot does not publish public pricing; one Microsoft marketplace listing showed $369 per provider per month, but enterprise contracts are custom-quoted by sales teams. Per third-party review aggregators, Abridge is cited around $208/provider/month and Heidi Health's paid plan at $150/user/month billed annually; these figures come from comparison sites, not vendor-published pricing, so confirm directly.
For traditional human-reviewed or AI-assisted transcription billed per line, rates from established medical transcription services run roughly $0.07 to $0.16 per line (a standard 65-character line), per current vendor pricing pages.
Note: this table reflects vendor claims and publicly available documentation. No entry constitutes a compliance certification for your organization's specific use case.
The De-identification Question
Some practices assume they can strip identifying information from audio before using a non-HIPAA tool, avoiding the BAA requirement entirely. This is sometimes valid, but the bar for audio is very high.
HIPAA's Safe Harbor de-identification method requires removing 18 specific categories of identifiers. Voice characteristics appear explicitly on that list as biometric identifiers. Audio of a patient encounter is therefore extremely difficult to de-identify in a way that meets Safe Harbor, because the voice itself is potentially identifying even after names and dates are removed.
The Expert Determination method allows a qualified expert to certify de-identification based on a documented statistical analysis. This is a real path, but it requires documented methodology and a qualified assessor.
Practically: if you have any doubt about whether audio meets de-identification requirements, treat it as PHI and route it through a BAA-backed workflow. The audit exposure from misclassifying PHI as de-identified is substantial.
Beyond HIPAA: Other Protections That Stack
HIPAA sets a federal floor. Several other legal frameworks add requirements that transcription workflows must account for:
42 CFR Part 2. Substance use disorder treatment records carry federal protections that are stricter than HIPAA. As of February 16, 2026 (the compliance deadline for the 2024 final rule), Part 2 records require specific patient consent for most disclosures, even within a healthcare organization. Any transcription of SUD-related encounters must address Part 2, not just HIPAA.
State health privacy laws. California's CMIA, Texas Health and Safety Code chapter 181, and similar state laws add requirements beyond the federal baseline. State law may restrict certain disclosures or impose stricter security requirements even for covered entities otherwise HIPAA-compliant.
GDPR. For EU resident patients or international research, health data is special-category data under GDPR with its own processing requirements, DPA agreements, and data residency considerations that interact with HIPAA obligations. See the guidance at data residency for transcription.
Attorney-client privilege. Medical content in legal contexts (expert witness testimony, medical-legal evaluations) may carry additional confidentiality protections. See transcription and attorney-client privilege.
What Non-PHI Medical Content Looks Like
Not all healthcare audio contains PHI. A few categories where a BAA is not required because the content does not involve identified patients:
Continuing medical education (CME) recordings. Grand rounds, conference presentations, and lectures that discuss conditions or procedures without identifying specific patients.
Medical podcasts and educational content. Physician-facing or patient-facing educational material where no individual is identified.
Teaching materials with anonymized cases. "Patient A, a 64-year-old male" with no additional identifiers, where the treating team is not identifiable from context.
De-identified research audio. Audio that has been properly de-identified using Safe Harbor or Expert Determination (see above).
Administrative department meetings. Scheduling, operations, or policy meetings that do not involve patient discussion.
For this type of content, general AI transcription tools without HIPAA infrastructure are appropriate. If you need audio transcription for CME recordings, podcast episodes, or de-identified research interviews, ConvertAudioToText's audio-to-text tool handles these use cases. It does not offer BAAs and is not appropriate for PHI.

My take: the hardest thing to explain to busy clinicians is that "HIPAA compliant" is not a feature a vendor has or doesn't have in isolation. It is a legal relationship your organization enters into with that vendor. The BAA is what creates that relationship. A vendor with stellar security but no BAA is unusable for PHI. A vendor with a well-drafted BAA and average encryption is at least legally compliant. Start with the contract, not the feature sheet.
A Practical Vendor Review Process
If your practice or health system has not formally audited its transcription tools for HIPAA compliance, that audit is the right starting point. The review should cover:
- List every transcription tool in use, including individual physicians' personal AI tools
- For each tool: does it sign BAAs? If no, is it used for any PHI?
- For BAA tools: has the BAA been signed, and is it current?
- For subcontractors: is the BAA chain verified?
- For AI tools specifically: what is the policy on using PHI for model training?
Most practices find gaps at step 2. A physician using a general consumer AI app for dictation is a common and easily corrected issue. The fix is not punitive; it is routing that physician to an appropriate HIPAA-compliant tool.
For context on what to ask about AI training and data handling, see opt out of AI training with your audio and is AI transcription private. For a broader look at when not to use AI transcription at all, see when not to use AI transcription.
FAQ
What is the single most important thing to check in a HIPAA-compliant transcription vendor?
Whether they will sign a Business Associate Agreement (BAA). Without a signed BAA in place before any PHI is transmitted, the vendor is not a legally valid business associate under HIPAA, regardless of their technical security posture or marketing claims. Everything else, encryption, SOC 2, HITRUST, audit logs, follows from the BAA.
Can I de-identify patient audio before using a general AI transcription tool?
Sometimes, but the bar for audio is high. HIPAA's Safe Harbor method requires removing 18 categories of identifiers, and voice itself is listed as a biometric identifier. Audio of patient encounters is very difficult to de-identify cleanly because the speaker's voice characteristics may remain identifying even after names and dates are removed. If you have any doubt, treat the audio as PHI and use a BAA-backed tool.
Does "encrypted" or "SOC 2 certified" mean a vendor is HIPAA compliant?
No. Encryption and SOC 2 certification demonstrate good security practices, but they do not create the contractual obligations that HIPAA requires. A vendor without a BAA has not agreed to HIPAA's permitted uses and disclosures, breach notification timeline, audit rights, or subcontractor restrictions. The legal relationship that defines HIPAA compliance is created by the contract, not the technology.
What content types can I transcribe without a HIPAA-compliant tool?
Medical content that does not involve identified patients: CME recordings, medical podcasts, educational lectures using anonymized case examples, administrative department meetings without patient discussion, and audio that has been properly de-identified under HIPAA's Safe Harbor or Expert Determination standards. When in doubt, consult your compliance officer rather than self-classifying content.
Are there protections stronger than HIPAA for certain healthcare recordings?
Yes. Substance use disorder (SUD) treatment records are protected under 42 CFR Part 2, a federal law with stricter disclosure restrictions than HIPAA. The 2024 final rule's compliance deadline passed in February 2026. Some state health privacy laws (California, Texas) also impose requirements beyond the federal floor. And GDPR applies to health data of EU residents with its own set of obligations. A HIPAA BAA is necessary but may not be sufficient depending on the content and jurisdiction.
Sources
- HHS.gov: Business Associates guidance and BAA requirements: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
- Rev.ai HIPAA compliance documentation: https://docs.rev.ai/api/hipaa
- Sonix medical transcription and HIPAA page: https://sonix.ai/medical-transcription
- Dragon Medical One compliance overview via Microsoft Service Trust Portal: https://servicetrust.microsoft.com/ViewPage/HIPAA
- Dragon Medical One pricing data via VoiceAutomated: https://voiceautomated.com/blog/dragon-medical-one-cost/
- Nuance DAX Copilot pricing overview via PatientNotes.ai: https://patientnotes.ai/compare/nuance-dax
- Suki AI security and compliance: https://developer.suki.ai/documentation/faqs/security
- Abridge AI review and compliance data via DeepCura: https://www.deepcura.com/resources/abridge-ai-review
- Heidi Health HIPAA information via DeepCura: https://www.deepcura.com/resources/heidi-health-review
- HIPAA BAA requirements 2026 via HIPAA Journal: https://www.hipaajournal.com/hipaa-business-associate-agreement/
- HIPAA de-identification Safe Harbor method via HHS: https://www.hipaajournal.com/de-identification-protected-health-information/
- 42 CFR Part 2 compliance deadline and update via HIPAA Journal: https://www.hipaajournal.com/february-16-2026-compliance-deadline-part-2-final-rule/
- Medical transcription per-line rates via Ditto Transcripts: https://www.dittotranscripts.com/medical-transcription-pricing/
Try transcription free
Convert any audio or video to clean, unwatermarked text — speaker labels, timestamps, and AI summaries included. First 30 minutes free, no account.
Related Articles

Accessibility Captions and ADA Compliance: A 2026 Guide
How to caption video for ADA compliance: the real WCAG levels, the DOJ Title II deadlines after the 2026 extension, Section 508, the EU Accessibility Act, and the AI-plus-human workflow that actually

Accessibility Laws by Country: A 2026 International Reference
Verified breakdown of web accessibility laws across the US, EU, UK, Canada, and Australia in 2026. Laws, technical standards, deadlines, and what they mean for audio/video content.