HIPAA Compliance
February 12, 2026

BAA Requirements When Using an AI Medical Scribe

Everything healthcare providers need to know about Business Associate Agreements for AI medical scribe tools, including what to include and common pitfalls.

By Transcribe Health Team

What a BAA is and why you need one before day one

A Business Associate Agreement is a legal contract between a covered entity (your practice) and any vendor that handles Protected Health Information on your behalf. Under HIPAA, this isn't optional. It's the law.

The moment an AI medical scribe processes a patient encounter, it becomes a Business Associate. It receives, creates, and transmits PHI. Without a signed BAA in place before that first transcription, both you and the vendor are in violation of HIPAA - even if nothing goes wrong.

The OCR has settled cases for millions of dollars where the only violation was a missing BAA. No breach occurred. No data was exposed. The agreement simply didn't exist.

What your BAA must include

HIPAA specifies required elements for every Business Associate Agreement. A BAA for an AI medical scribe should cover all of them plus some AI-specific provisions:

Required by HIPAA (45 CFR 164.504(e)):

  • Permitted and required uses of PHI by the Business Associate
  • Agreement not to use or disclose PHI beyond what the contract allows
  • Requirement to implement appropriate safeguards
  • Obligation to report breaches and security incidents
  • Agreement to make PHI available to patients who request it
  • Requirement to return or destroy PHI when the contract ends
  • Agreement that subcontractors must follow the same rules

AI-specific provisions you should add:

  • Model training restrictions: Explicit prohibition on using patient data to train, fine-tune, or improve AI models
  • Data processing locations: Where audio and text data is processed and stored, including specific cloud regions
  • Third-party AI services: Disclosure of any sub-processors (cloud AI APIs, speech-to-text services) that touch PHI
  • Automated decision-making: Clarity on whether the AI makes clinical decisions or only generates documentation
  • Data minimization: Commitment to process only the minimum necessary PHI

The subcontractor problem with AI vendors

This is where many AI scribe BAAs fall short. Your vendor might have airtight security. But if they send patient audio to a third-party speech recognition API, that third party is a subcontractor - and they need their own BAA with your vendor.

Here's the chain of responsibility:

Entity                     Role                 BAA Required With
Your practice              Covered Entity       AI scribe vendor
AI scribe vendor           Business Associate   Your practice + all subcontractors
Cloud provider (AWS, GCP)  Subcontractor        AI scribe vendor
Third-party AI API         Subcontractor        AI scribe vendor

Ask your vendor directly: "Do you use any third-party services to process patient audio or generate transcriptions?" If yes, verify they have BAAs in place with every one of those services. Major cloud providers like AWS, Google Cloud, and Microsoft Azure all offer HIPAA BAAs - but the vendor must have activated them.

Some consumer AI APIs explicitly refuse to sign BAAs. If your vendor relies on one of those, your patient data is flowing through non-compliant infrastructure.

Common BAA mistakes that expose your practice

Mistake 1: Using a template BAA without customization. Generic templates miss AI-specific concerns like model training, data processing pipelines, and automated decision-making. Work with a healthcare attorney to add these provisions.

Mistake 2: Not verifying subcontractor BAAs. Your BAA with the vendor is worthless if they're sending PHI to a subcontractor without their own agreement. You need written confirmation that the entire chain is covered.

Mistake 3: Forgetting to update the BAA. AI products evolve fast. If your vendor adds a new AI model, switches cloud providers, or starts processing data in a different region, your BAA should be updated to reflect those changes.

Mistake 4: No termination clause for data destruction. What happens to your patient data when you cancel the service? The BAA should specify timelines for data destruction and provide certification that it's been completed.

Mistake 5: Accepting a BAA that allows de-identification for analytics. Some vendors include language allowing them to de-identify patient data and use it for their own analytics or research. Even if the de-identification meets HIPAA standards, this may not align with your patients' expectations or your state's privacy laws.

How to evaluate a vendor's BAA before signing

Before you sign, run through this checklist:

  • Does the BAA explicitly name the AI scribe service and describe how PHI will be used?
  • Is there a prohibition on using PHI for model training or product improvement?
  • Are all subcontractors identified with their own BAA status confirmed?
  • Does it specify breach notification timelines (72 hours or less)?
  • Are data retention and destruction policies clearly defined?
  • Does it address data residency - where PHI is stored and processed?
  • Is there a right-to-audit clause allowing you to verify compliance?
  • Does the termination section require certification of data destruction?

If any of these are missing, push back before signing. A vendor that's serious about compliance will welcome the scrutiny.


Transcribe Health provides a BAA covering HIPAA requirements and AI-specific provisions - including explicit prohibitions on using patient data for model training. Request yours today.


This article is for informational purposes only and does not constitute legal or compliance advice. BAA requirements may vary based on your specific circumstances and applicable state laws. Consult with a qualified healthcare attorney for guidance on your Business Associate Agreements.
