Important: ScribeZero is not a HIPAA-certified product and does not enter into Business Associate Agreements (BAAs). "HIPAA-aligned" means the application's technical architecture is designed to avoid the transmission or external storage of Protected Health Information (PHI), consistent with HIPAA's Technical Safeguard requirements (45 CFR § 164.312). Compliance with HIPAA is ultimately the responsibility of the Covered Entity or healthcare professional using this application. Consult your organization's Privacy Officer before using ScribeZero in a clinical setting.
ScribeZero processes all audio, transcription, and AI analysis entirely on-device. No PHI is ever transmitted to a server, stored in the cloud, or accessible to ScribeZero or any third party.
Under HIPAA (45 CFR § 160.103), Protected Health Information includes any individually identifiable health information created, received, maintained, or transmitted in connection with health care services. ScribeZero processes the following categories of potential PHI — all of which remain exclusively on the clinician's device:
HIPAA's Security Rule (45 CFR § 164.312) specifies Technical Safeguards that covered entities and business associates must implement to protect ePHI. The following table maps each standard to ScribeZero's implementation.
| HIPAA Standard | Requirement | ScribeZero Implementation | Status |
|---|---|---|---|
| § 164.312(a)(1) Access Control | Unique user identification; emergency access; automatic log-off; encryption/decryption | App is secured by iOS device passcode and biometrics (Face ID / Touch ID). Database is AES-256 encrypted via SQLCipher. No shared accounts. | Aligned |
| § 164.312(b) Audit Controls | Hardware, software, and/or procedural mechanisms to record and examine activity in systems containing ePHI | All data access is limited to the device owner. No remote audit log exists because no data leaves the device. iOS system logs apply at the OS level. | Aligned |
| § 164.312(c)(1) Integrity | Protection of ePHI from improper alteration or destruction | Data is stored in an encrypted SQLite database (SQLCipher). Writes are transactional; no partial writes on crash. iCloud backup (opt-in) copies the encrypted file only — never decrypted content. | Aligned |
| § 164.312(d) Person Authentication | Verify that a person seeking access is who they claim to be | Authentication is delegated to iOS device authentication (passcode, Face ID, Touch ID) — the industry standard for mobile PHI access control. | Aligned |
| § 164.312(e)(1) Transmission Security | Guard against unauthorized access to ePHI transmitted over electronic communications | ScribeZero does not transmit audio, transcripts, or summaries over any network. There is no server endpoint that receives session data. This safeguard is satisfied by architectural design. | Aligned — No Transmission |
The most significant HIPAA breach vector is data in transit — audio uploads, API calls to cloud transcription services, and storage in third-party databases. ScribeZero eliminates this vector entirely by design.
Audio is transcribed by a quantized Whisper model selected automatically based on device RAM (Large-v3-Turbo Q5_0 on ≥6 GB devices, Small on lower-RAM devices), running entirely on the device's Neural Engine and CPU. No audio bytes are sent to any server.
Session summaries and SOAP notes are generated by a quantized open-weight LLM selected automatically based on device RAM (Llama 3.2 3B on ≥6 GB devices, Qwen 2.5 1.5B on lower-RAM devices), running entirely on-device. The transcript never leaves the device for analysis.
Speaker identification is performed locally using an ONNX Runtime speaker embedding model. No audio is shared externally for diarization.
All transcripts, summaries, and session metadata are stored in an AES-256-GCM encrypted SQLite database. Encryption keys are held in the iOS Keychain.
When enabled, only the encrypted database binary is synced to the user's private iCloud container. ScribeZero cannot access this file; it is decrypted only on the user's own device.
Firebase Crashlytics receives anonymous crash signals only. No session content, transcript text, audio, or user identifiers are included in crash reports.
Clinicians and healthcare organizations should be aware of the following limitations:
| Limitation | Details |
|---|---|
| Not a BAA Partner | ScribeZero does not sign Business Associate Agreements. As a software tool that does not access, store, or transmit PHI on its own infrastructure, it operates outside the BAA requirement under 45 CFR § 164.308(b). |
| Not a Medical Device | ScribeZero is a documentation tool. It does not diagnose, treat, or make clinical recommendations. Output must be reviewed and verified by a licensed clinician before being used in patient care decisions. |
| Device Security Is Your Responsibility | HIPAA compliance on mobile devices requires that the device itself be protected with a strong passcode, full-device encryption (enabled by default on modern iOS), and remote wipe capability. These are iOS device settings, not ScribeZero features. |
| Data Deletion | Clinicians are responsible for deleting session data in accordance with their organization's retention policies. Sessions can be permanently deleted from within the app. Deleting the app removes all local data. |
| Incidental Disclosure | If a clinician shares their device with another person or loses their device without a passcode, session data may be exposed. This is an organizational safeguard responsibility, not a technical one ScribeZero can enforce. |
For privacy-related inquiries, data handling questions, or to report a potential security issue, contact us at:
Email: privacy@scribezero.app
This document was last updated: March 25, 2026