Healthcare Compliance

HIPAA Compliance

Scrivano is built for healthcare environments. Here is how we protect your patients' data and support your compliance obligations.

Effective April 1, 2024. Last updated April 14, 2026.
  • AES-256: encryption at rest
  • TLS 1.3: encryption in transit
  • BAA: executed between Scrivano and OpenAI; not currently offered to individual customers (see "Our BAA with OpenAI" below)
  • Zero: data sold to third parties

Important: Scrivano provides technical tools designed to support HIPAA compliance. However, achieving and maintaining HIPAA compliance is a shared responsibility. As a Covered Entity or Business Associate, your organization remains independently responsible for its own compliance obligations, staff training, and internal policies.

Our Commitment to HIPAA

Scrivano is designed with healthcare professionals in mind. We understand that medical practitioners — physicians, nurses, therapists, and other clinicians — may use our Service to document patient encounters. We are committed to implementing the technical and administrative safeguards required to support HIPAA compliance for our users who handle Protected Health Information (PHI). Users in covered entity roles are responsible for ensuring their use of Scrivano complies with all applicable HIPAA requirements.

What Constitutes PHI

Protected Health Information (PHI) under HIPAA includes any individually identifiable health information transmitted or maintained in any form. This may include:

  • Patient names, dates of birth, addresses, or other demographic identifiers.
  • Descriptions of medical conditions, diagnoses, medications, or treatments.
  • Audio recordings of patient-provider conversations.
  • Notes, summaries, or documents that identify an individual and relate to their health.
  • Any combination of identifiers that could reasonably identify a specific individual.

Users are advised to avoid including unnecessary PHI in recordings and to review all generated notes before storing or transmitting them.

Technical Safeguards

Scrivano implements technical controls to protect sensitive health information:

  • AES-256 encryption for all data stored at rest — including transcripts, notes, and API keys.
  • TLS 1.3 encryption for all data in transit between your device and our servers.
  • Per-user encryption keys, so that one account's stored data cannot be decrypted with another account's key.
  • Access controls and authentication requirements for all data access.
  • Secure, isolated processing of audio — recordings are not permanently retained beyond what the user explicitly saves.
  • Regular security assessments and vulnerability monitoring.
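The per-user-key, AES-256-at-rest pattern named above, shown as an added illustration written for this page; it is not Scrivano's code and says nothing about how Scrivano actually stores keys. The Vault type, the in-memory map, and the "dek:" and "note:" labels are assumptions for the demo. Each user gets a random data-encryption key (DEK) that is stored only wrapped under a master key-encryption key (KEK); notes are sealed with AES-256-GCM under the owner's DEK, with the owner and record ID bound in as associated data, so a ciphertext read with another account's key, relabelled to another record, or modified in storage fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

const keySize = 32 // 32-byte keys select AES-256

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag; aad is authenticated but not stored.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM fails if the key, the aad or any ciphertext byte differs from what was sealed.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Vault is a hypothetical key store: one random DEK per user, held only wrapped under the KEK.
// In production the KEK lives in an HSM or KMS and the wrapped DEKs in a database.
type Vault struct {
	kek         []byte
	wrappedDEKs map[string][]byte // user ID -> DEK wrapped under the KEK
}

func NewVault() (*Vault, error) {
	kek, err := randomBytes(keySize)
	return &Vault{kek: kek, wrappedDEKs: map[string][]byte{}}, err
}

// ProvisionUser wraps a fresh DEK with the user ID as AAD, so it cannot be re-labelled for another account.
func (v *Vault) ProvisionUser(userID string) error {
	dek, err := randomBytes(keySize)
	if err != nil {
		return err
	}
	v.wrappedDEKs[userID], err = sealGCM(v.kek, dek, []byte("dek:"+userID))
	return err
}

func (v *Vault) userDEK(userID string) ([]byte, error) {
	wrapped, ok := v.wrappedDEKs[userID]
	if !ok {
		return nil, fmt.Errorf("no key provisioned for user %q", userID)
	}
	return openGCM(v.kek, wrapped, []byte("dek:"+userID))
}

// StoreNote seals a note under its owner's DEK; the AAD binds it to owner and record ID.
func (v *Vault) StoreNote(userID, noteID string, note []byte) ([]byte, error) {
	dek, err := v.userDEK(userID)
	if err != nil {
		return nil, err
	}
	return sealGCM(dek, note, []byte("note:"+userID+":"+noteID))
}

// ReadNote opens a note with the requesting user's DEK; any other account's key fails the tag check.
func (v *Vault) ReadNote(userID, noteID string, sealed []byte) ([]byte, error) {
	dek, err := v.userDEK(userID)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, sealed, []byte("note:"+userID+":"+noteID))
}

func main() {
	v, _ := NewVault()
	_ = v.ProvisionUser("alice")
	_ = v.ProvisionUser("bob")
	// Constructed sample text, not real patient data.
	sealed, _ := v.StoreNote("alice", "note-1", []byte("Follow-up visit: sleep improved, continue current plan."))
	_, err := v.ReadNote("bob", "note-1", sealed)
	fmt.Println("bob reading alice's note:", err) // non-nil error: the GCM tag check fails
}
```

The point the technical safeguards list makes implicitly is that "per-user keys" only isolate accounts if the ciphertext is also bound to its owner; without the AAD, an attacker who can swap rows in the database could move a record into an account whose key they control. The demo's StoreNote/ReadNote pair shows both halves of that check.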

Administrative Safeguards

Beyond technical controls, we maintain administrative practices to support HIPAA compliance:

  • Designated privacy and security oversight for the Scrivano platform.
  • Staff training on handling sensitive health data.
  • Vendor and sub-processor agreements covering data confidentiality.
  • Procedures for responding to data access requests and complaints.
  • Documentation of security policies and regular review of safeguard effectiveness.

Our BAA with OpenAI

Scrivano has executed a Business Associate Agreement (BAA) with OpenAI covering the processing of audio and text data through OpenAI's Whisper and GPT services. This means that Scrivano's own data processing pipeline, from audio upload through transcription and note generation, operates under a formally executed HIPAA-compliant agreement with its AI service provider.

Scrivano does not currently offer individual BAAs to covered entities or their users. The agreement with OpenAI covers only the relationship between Scrivano and OpenAI; it is not an agreement between Scrivano and your organization. Under the HIPAA Privacy Rule, a covered entity is generally required to have a BAA in place with any vendor that creates, receives, maintains, or transmits PHI on its behalf, and whether your use of the Service meets that requirement is a determination your organization must make. Healthcare professionals and organizations using Scrivano to process Protected Health Information remain independently responsible for their own HIPAA compliance obligations, including determining whether their specific use of the Service satisfies their internal policies and regulatory requirements. If you have compliance questions specific to your organization, we recommend consulting your HIPAA compliance officer or legal counsel.

Your Responsibilities as a Covered Entity

While Scrivano provides tools designed to support HIPAA-compliant workflows, users who qualify as Covered Entities bear independent compliance obligations:

  • Obtain patient authorization for recording and transcription where required.
  • Review and verify all AI-generated notes before including them in the official medical record.
  • Ensure your organization's HIPAA training and policies cover the use of AI transcription tools.
  • Notify Scrivano promptly if you suspect a breach involving PHI.
  • Configure your account to avoid storing PHI beyond your organization's retention policies.

Breach Notification

In the event of a security incident that affects your data, Scrivano will notify affected users in accordance with applicable breach notification requirements. We maintain an incident response plan that includes detection, containment, assessment, and notification procedures. If you become aware of any potential security issue involving your Scrivano account or PHI, please contact us immediately at support@scrivano.net.

Contact Our Privacy Team

For HIPAA-related questions or to report a privacy concern:

  • Email: support@scrivano.net
  • Include "HIPAA" in your subject line for expedited handling.
  • We respond to all compliance-related inquiries within 3–5 business days.
