Compliance & security
HIPAA
US federal law protecting health information; the minimum compliance bar for US deployments.
HIPAA (the Health Insurance Portability and Accountability Act) sets the US baseline for protected-health-information handling. "HIPAA compliant" by itself is not a certificate; what protects you is the signed *Business Associate Agreement* (BAA) between you and the vendor.
Every credible US-facing scribe states HIPAA compliance and will sign a BAA. The right question isn't whether they say "HIPAA compliant" on a marketing page; it's whether the BAA in your contract covers the use you're making.
See also
- BAA (Business Associate Agreement): contract that makes a vendor legally responsible for HIPAA-protected data they touch.
- PHI / ePHI (Protected (electronic) Health Information): the data HIPAA covers.
- SOC 2 Type II: independent audit of a vendor's security controls over a period of time.