Guides
HIPAA, SOC 2 and GDPR for AI Scribes: A Buyer's Compliance Checklist
An AI scribe records and processes protected health information. Before it touches a single patient encounter, its compliance posture matters more than its feature list. This guide explains what the common claims mean and gives you a checklist to take into a vendor conversation. Every tool's stated compliance is listed, with a source and a last-verified date, on its review page; this is how to interpret it.
What each claim actually means
HIPAA "compliant" + a BAA (US)
HIPAA compliance is not a certificate; it is an obligation, and there is no official HIPAA certification a vendor can hold. The document that actually protects you is a signed Business Associate Agreement (BAA). A vendor "being HIPAA compliant" without a BAA in your contract does nothing for your liability. Always ask: "Will you sign a BAA, and can I see it before purchase?"
SOC 2 Type II
SOC 2 Type II is an independent audit of how a vendor's security controls operated over a period of time (a Type I report only assesses control design at a single point in time). It's the strongest routine signal that a vendor's security program is real. Ask for the report under NDA, and check the report date and the end of its observation window: an old report is a yellow flag. Read the auditor's opinion and any listed exceptions, not just the cover page.
GDPR & EU data residency
If you practise in the EU/EEA/UK, GDPR (and the UK GDPR) is law, not a badge. What matters: where data is processed and stored, the legal basis for processing, the sub-processor list, and a signed data processing agreement (the GDPR counterpart of a BAA, required by Article 28 whenever a processor handles personal data on your behalf). EU-built tools such as Stenoly, Nabla, Tandem Health and Corti tend to lead here, several with EU-only processing and EU MDR medical-device status. US-only tools may not be a fit regardless of features; see the best scribes by country pages.
ISO 27001 / EU MDR / HITRUST
These are additional, harder-to-fake signals: ISO 27001 (information-security management), HITRUST (healthcare-specific control framework), and EU MDR (the scribe is regulated as a medical device). They cost real money and audit effort, so their presence is meaningful, but confirm scope and certificate validity, not just a logo. An ISO 27001 certificate names the organisational scope it covers and carries an expiry date; check that the scope includes the product you are buying and that the certificate is still current.
The question that's bigger than any badge: do they train on your data?
The single most consequential question is often the least advertised: does the vendor use your patients' data to train its AI models? Some vendors explicitly state they do not (for example Nabla, Tali AI, Lyrebird Health and Mentalyc publicly state this). Many simply don't say. On this site, a vendor that doesn't publicly disclose this is shown as "not disclosed", never as a "no". Get the answer in writing, and make sure it covers the vendor's sub-processors (for instance the LLM provider that receives the transcript), not only the vendor's own models.
Read claims, don't trust logos
A wall of compliance logos on a marketing page is not evidence. For every claim that matters to you, ask for:
- the certificate or audit report (under NDA if needed) and its date;
- the scope: which product and which environment it covers;
- the sub-processor list and where data is processed;
- the data-retention and training terms, in the contract.
This is also why our scoring separates sourced compliance facts from hands-on tested note quality; see the methodology. We record what a vendor publicly states, with a source and date, and explicitly mark anything undisclosed rather than assume.
Your pre-signature checklist
- Signed BAA available before purchase (US)? Get a copy.
- SOC 2 Type II report: request it, check the date, the observation period and the scope.
- Data residency: where are audio, transcripts and notes stored and processed, and in which region?
- Training on your data: an explicit written "no", or a documented opt-out, covering sub-processors as well.
- Audio retention: is raw audio deleted after transcription, and how soon?
- Sub-processors: who else touches the data (LLM provider, cloud host, transcription service)?
- EU/UK? GDPR legal basis, a signed data processing agreement, and EU MDR status if marketed as a device.
- Incident terms: breach-notification timelines in the contract (under HIPAA a business associate must notify the covered entity no later than 60 days after discovery; under GDPR a processor must notify the controller without undue delay). Shorter contractual deadlines are better.
Bottom line
Compliance is the first filter, not the last. Shortlist on the badges that legally matter for your jurisdiction, then verify each one with a document, not a logo. Start from the source-cited compliance data on the rankings and each tool's review page, then take this checklist into the sales call.