← Blog

AI Medical Scribes and HIPAA: The PHI Leaves With the Prompt

An AI medical scribe listens to a patient encounter and drafts the clinical note, which means protected health information flows into an LLM on every visit. HIPAA compliance for that workflow turns on three things a policy gateway can enforce on the AI request path: a Business Associate Agreement covering the model endpoint, minimum-necessary control over what PHI is sent, and an audit record of every call.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Industry Verticalshealthcare-aihipaaphiai-audit-trailai-egress

An AI medical scribe works by sending protected health information to a language model. It listens to the encounter, transcribes the conversation, and asks a model to draft the SOAP note. On every visit, the patient's spoken history, symptoms, and the clinician's assessment travel from the exam room to an LLM endpoint. That is the workflow, and it is also the compliance surface. HIPAA does not care that the tool is convenient; it cares which entity received the PHI, whether a Business Associate Agreement covers that entity, whether only the minimum necessary information was disclosed, and whether there is a record. Those questions get answered, or not, on the AI request path. For the foundational framework, see AI and HIPAA compliance.

The disclosure happens at the API call

A HIPAA disclosure is a moment: PHI moves from the covered entity to another party. For an AI scribe, that moment is the API call to the model. Everything upstream, the microphone and the transcription, stays inside the practice. The disclosure is the request that carries the encounter content to the model endpoint. This matters because it locates the control. You govern an AI scribe's HIPAA posture by governing that request, not by writing a policy document about it. Cloud Radix reported that 57% of healthcare professionals use unauthorized AI to process PHI such as SOAP notes and diagnostic plans without a Business Associate Agreement in place, which means the disclosure is already happening at many organizations with no coverage and no record.

Business Associate Agreement scope

A model provider that processes PHI on your behalf is a business associate, and the endpoint your scribe calls must be covered by a signed BAA. The failure mode is subtle: a practice signs a BAA with one vendor, then a clinician routes encounters through a different consumer AI tool that has no agreement. The PHI has now been disclosed to an uncovered party. Enforcing BAA scope means enforcing which model endpoints are allowed to receive PHI, which is a policy decision on the destination of each AI call. A control on the request path can permit calls to the covered endpoint and block calls to uncovered ones.

Minimum necessary

HIPAA's minimum-necessary standard says you disclose only the PHI required for the purpose. A scribe drafting a note for a knee injury does not need the patient's unrelated psychiatric history read aloud earlier in the visit. Applying minimum necessary to an AI scribe means controlling what content reaches the model: redacting identifiers that the drafting task does not require, and holding back categories of PHI that are not relevant to the note. That control lives on the request, where the content is visible before it leaves for the model. Redaction and field-level policy on the prompt is the mechanism. For the redaction pattern specifically, see HIPAA PHI redaction in AI prompts.

The audit obligation

HIPAA requires that covered entities be able to account for disclosures of PHI. If a patient or a regulator asks what happened to a patient's information, "we use an AI scribe" is not an answer. The answer is a record: which encounter, which identity, which model endpoint, what was disclosed, and when. That record has to be written at the moment of the call, because it cannot be reconstructed afterward from a transcription tool that never logged the identity and policy context. A per-decision audit trail at the AI request boundary is what turns an AI scribe from an unaccountable disclosure into a documented one.

Autonomous scribes raise the identity question

Newer scribes act more like agents, pulling prior notes and populating the EHR without a clinician approving each step. That raises the attribution problem covered in healthcare AI agents and HIPAA: when the scribe acts on its own, the record has to name which identity authorized each disclosure and each write. Minimum necessary and accounting of disclosures both depend on per-action identity, which is a property you get by binding every model call to a verified identity on the request path.

DeepInspect

This is exactly what DeepInspect does. DeepInspect sits inline between your AI scribe and the model endpoints it calls. For every request it checks the destination endpoint against your BAA-covered allowlist, applies redaction and minimum-necessary policy to the PHI in the prompt, and makes a pass or block decision before the content reaches the model. Calls to uncovered endpoints get blocked; calls to the covered model carry only the information the drafting task requires.

The same decision point writes the disclosure record. Every call becomes a logged event naming the identity, the endpoint, the policy applied, and the outcome, which is the accounting of disclosures HIPAA expects. The gateway does not replace your BAA or your EHR access controls. It enforces PHI policy and produces the record on the one path where the disclosure actually happens.

Book a demo today.

Frequently asked questions

Is an AI medical scribe HIPAA compliant?

It can be, if the model endpoint is covered by a Business Associate Agreement, the PHI sent is limited to the minimum necessary for the note, and every disclosure is recorded. Those controls apply to the API call that carries the encounter content to the model. A scribe that routes PHI to an uncovered consumer AI tool with no record is not compliant, regardless of how the note reads.

Where does the PHI actually go?

To the model endpoint the scribe calls. The transcription may happen locally, but the drafting step sends the encounter content to an LLM. That API call is the HIPAA disclosure, which is why the controls that matter, BAA scope, minimum necessary, and audit, all apply to the request rather than to the recording device.

How do you apply minimum necessary to an AI scribe?

By controlling the content of the prompt before it leaves for the model. Redact identifiers the drafting task does not need, and hold back PHI categories unrelated to the note. This is a policy decision on the request, where the content is still visible. It limits the disclosure to what the note actually requires.

What record does HIPAA expect for AI scribe use?

An accounting of disclosures: which encounter, which identity, which endpoint, what was sent, and when. That record must be written at the moment of the call. A transcription tool that never captured the identity and policy context cannot produce it later, which is why the audit belongs at the AI request boundary where the disclosure occurs.