This page explains how ScribeZero's on-device architecture is designed to support the technical safeguards described in the HIPAA Security Rule. It is a technical disclosure to help you assess the App for your own compliance program.
HIPAA does not "certify" apps, and ScribeZero makes no claim of certification or government endorsement. Whether your specific use complies with HIPAA depends on your practices as a covered entity or business associate. Use this page as input to your own risk assessment, not as legal assurance.
A Business Associate Agreement (BAA) is required when a vendor creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity. ScribeZero does none of these. All recording, transcription, and AI analysis happen entirely on your device, and we operate no servers that receive your content. Because ScribeZero (the developer) never accesses, receives, or stores your PHI, there is no PHI for a BAA to govern.

| HIPAA Security Rule safeguard | How ScribeZero supports it |
|---|---|
| Access control (§164.312(a)) | Data is stored only on your device and protected by your device passcode / Face ID / Touch ID. The encryption key is bound to the unlocked device. |
| Encryption at rest (§164.312(a)(2)(iv)) | All audio, transcripts, and notes are encrypted with AES-256. Keys are held in the iOS Keychain, device-bound and non-migratable. |
| Transmission security (§164.312(e)) | PHI is not transmitted: there is no cloud upload of content and no third-party AI service in the path. Optional backup uses your own encrypted, private iCloud container. |
| Integrity (§164.312(c)) | Content is stored locally in an encrypted database under your sole control; you review and correct AI output before relying on it. |
| Person / entity authentication (§164.312(d)) | Access is gated by iOS device authentication. |

For transparency, ScribeZero performs all intelligence locally using the following on-device models. No audio, transcript, or generated text is sent to any server during these steps:
These models execute on your device's CPU, GPU, and Neural Engine. They do not call any external API and require no internet connection to function.
Recordings, transcripts, speaker labels, and AI-generated notes are never uploaded. The only data processed off-device is limited, non-content operational data — anonymous diagnostics, crash reports, and subscription validation — none of which is designed to contain PHI. See our Privacy Policy for the full list of service providers.
ScribeZero is a documentation tool, not a substitute for professional judgment or your compliance program. You remain responsible for:
Because no central server stores your content, there is no cloud database of patient information for ScribeZero to lose. The primary risk surface is the device itself — which is why device-level encryption, key protection, and your device passcode matter. If your device is lost or stolen, standard iOS protections (remote wipe, passcode, encryption) apply.
For compliance or security questions, contact privacy@scribezero.app.