The AI Scribe Security Checklist Every Buyer Should Run

By Patient Square Team · May 5, 2026 · 8 min read

Vet an AI scribe's security the same way you'd vet anything that holds your patients' words: by what it does with the audio, what it encrypts, who can see the notes, and what it will put in writing. Run the ten checks below in order. The first one that gets a vague answer tells you most of what you need to know.

That's the whole method. The rest of this page is the checklist itself, what a good answer sounds like, and where the honest weak spots are, including ours. We sell a scribe, so read this with appropriate suspicion and test every claim during a trial.

Key takeaways

The audio question decides more than any other. A scribe that keeps no recording has nothing to breach or subpoena.

Encryption is non-negotiable: TLS 1.2 or newer in transit, AES-256 at rest. Demand both in plain words.

"SOC 2 certified" is not a real claim. SOC 2 produces a CPA report, not a certificate.

In the US the BAA is the legal floor. In India, DPDP's consent-first, purpose-limited frame is.

Of the ten checks, three are about audio, encryption, and access. Those three filter out most weak vendors.

10checks

In this buyer-run security checklist, ordered by how fast each one disqualifies a vendor

0archive

The target audio policy: processed in memory, discarded at note draft, nothing retained

May 2027

When DPDP general security and breach obligations phase in for India (Rules 2025)

The 10-point AI scribe security checklist

Run these in order, with the vendor on the call. Write down the answers. The point isn't to collect a perfect score, it's to catch the one bad answer that ends the evaluation.

#	Check	A good answer	A weak answer
1	What happens to the visit audio, and when is it deleted?	Processed in memory, discarded at note draft. No archive.	"We retain it for model improvement" with no deletion timeline.
2	Is traffic encrypted in transit?	TLS 1.2 or newer, every connection.	"Bank-grade security," no version named.
3	Are notes encrypted at rest?	AES-256 on notes and account data.	Hand-waving, or "in our cloud provider."
4	Is access role-scoped and logged?	Yes, every access logged, logs reviewable.	"Our team accesses data as needed."
5	Will you sign a BAA (US) for a practice my size?	Yes, every customer, before any real visit.	Tier-gated, or "enterprise only."
6	How do you map to DPDP (India)?	Consent-first, purpose-limited, deletable on request.	"We're fully compliant," no specifics.
7	What's your SOC 2 status, honestly?	Type II underway / report on request, stated plainly.	"SOC 2 certified" (no such thing).
8	Is my audio or note text used to train models?	A written answer, separate for audio and text.	"We follow applicable law."
9	Can I export and delete any visit myself?	Yes, anytime, and you can test it in a trial.	Export by support request, delete unclear.
10	What happens to my data if I cancel?	Return or destruction, with a timeline, in the contract.	Buried in a ToS, or silence.

Notice what's missing: accuracy percentages, "military-grade" anything, per-specialty templates, certification logos. Those decorate a slide and decide nothing about whether your patients' data is safe. Checks 1 through 4 do most of the filtering.

Why the audio question comes first

A visit recording is the most revealing artifact an AI scribe ever touches. It holds the digressions, the names, the thing the patient immediately walked back, everything that never made it into the structured note you signed. The note is the curated record. The audio is everything else.

So the retention answer is the whole ballgame. If a vendor stores audio, that recording is protected health information, and PHI is reachable in litigation and exposed in a breach. A vendor that processes audio in memory and discards it the moment the note is drafted has nothing to hand over and nothing to lose. There's no clever encryption story that beats simply not keeping the file.

Our position, stated as ours: visit audio is processed in memory and discarded once the note is drafted. There is no audio archive, not for us, not for the practice, not for anyone. If you want the cross-vendor version of this question, what happens to your visit audio across major scribes walks through how different products answer it. Ask every vendor for a one-sentence answer with a timeline, and book a demo where the audio question goes first.

What encryption and access logging should actually look like

Checks 2 through 4 are where "trust us" meets the facts. Three things, none of them optional.

In transit. Every connection between the capture device, the service, and your browser should run TLS 1.2 or newer. This is table stakes in 2026, and a vendor that won't name the version is hiding something or doesn't know.

At rest. Notes and account data stored on disk should be encrypted with a strong, current standard. AES-256 is the common one. Ours uses AES-256 at rest; for low-connectivity clinics, offline capture is encrypted on the device with AES-256-GCM before anything syncs.

Access, scoped and logged. Encryption stops outsiders. Access controls stop the wrong insiders. Every read of a note should be role-scoped, every access logged, and the logs should be reviewable. "Our team has access as needed" is the answer you don't want.

Illustrative pattern from running the checklist, not a measured survey: the audio-retention and access-logging questions catch more weak vendors than the encryption questions, because most products encrypt but fewer can give a clean retention and access answer. Use it as a reminder of where to push, not as a statistic.

The full version of our answer, what's encrypted, who can access what, what's logged, lives on the security page, written to be read with this checklist in hand.

How to read a vendor's compliance claims without getting played

Check 7 is where marketing language gets loosest, so be precise.

SOC 2 is a report, not a certificate. SOC 2 is a voluntary framework from the American Institute of CPAs. The output is a report from an independent CPA firm, not a badge. A Type II report covers how controls operated over a period, typically 3 to 12 months. So "SOC 2 certified" is a phrase the framework doesn't support. The honest claims are "Type II underway" (the audit is in progress) or "Type II report available on request" (it's done). Ours is underway with an independent assessor; we'll say that plainly and not a word more.

HIPAA isn't a certification either. No software is "HIPAA certified," because no such certificate exists. What's real: the vendor maps its safeguards to the HIPAA Security Rule, signs a BAA, encrypts PHI, and limits access. We map our safeguards to the Security Rule and offer a BAA to every US customer. US buyers who want the BAA and consent mechanics in depth can read our HIPAA and AI scribes guide on the US site.

DPDP, in India, is a posture not a stamp. The DPDP Act 2023 sets a consent-first, purpose-limited frame, and the DPDP Rules 2025 (notified 13 November 2025) phase in general security and breach obligations by 13 May 2027. "ABDM integration" is a separate thing, and a vendor that conflates "DPDP-aligned" with "ABDM-compliant" is muddying two different claims. Ours is handled to DPDP standards; ABDM integration is on our roadmap, not live. India buyers who want the where-does-data-live version of this question can read our data-residency guide for India on the India site.

A vendor that says "we're fully compliant" and stops there has told you nothing. The vendors worth trusting name the standard, name the status, and put it in writing.

Who owns the data, and can you actually leave?

The last three checks are about exit, and they matter more than buyers expect. A scribe holds your clinical record. If leaving is hard, the security story is incomplete, because lock-in is its own risk.

Three plain questions. Can you export any visit yourself, anytime? Can you delete any visit yourself, anytime? And on cancellation, does the contract spell out return or destruction with a timeline? "Your notes belong to your practice" should be a sentence the vendor will sign, not a vibe. We hold that notes belong to the practice, exportable and deletable any time, and we never sell or share clinical data. The full version of the exit question, with the lock-in red flags to watch, is in who owns your AI scribe notes.

The checklist splits roughly into three concerns: what happens to your data while the vendor holds it, what they'll commit to legally, and whether you can leave cleanly. Weight your evaluation toward the first and last; the middle is the part most vendors get right.

Where we'd tell you to look elsewhere

Honesty cuts both ways, so here's the part of the security story we don't cover. If your security model depends on the scribe writing directly into your EHR through a certified integration, on a vendor-managed audit trail living inside that EHR, or on enterprise features like SSO and SCIM provisioning across a large health system, a deeply EHR-embedded enterprise platform will fit that requirement better than we will. We don't integrate with EHRs, and we don't manage identity at health-system scale. That's a real gap for some buyers, and you should weigh it against the audio-retention advantage rather than pretend it away.

For a solo clinician or a small-to-mid practice, the calculus is simpler: the controls that actually protect your patients are the ones on this list, and the audio policy at the top of it is the one most vendors get wrong.

How to run the checklist in practice

It's an afternoon of work and it's worth doing precisely.

Send the ten questions before the demo. A vendor who answers in writing, in advance, is a vendor with answers. One who needs a call to "walk you through it" is buying time.
Make the audio answer a single sentence with a timeline. Everything else is secondary to this one.
Get the encryption versions in writing, TLS 1.2 or newer, AES-256 at rest, not a slogan.
Pin the training-data policy separately for audio and note text. Two different questions, two different answers.
Test export and delete yourself during the trial. A function you can't exercise in a week is a function to doubt.

Our canonical line, so you know exactly what you're vetting: AI Scribe by Patient Square is an ambient AI medical scribe that listens during the visit and hands back a structured SOAP note, ICD-10 suggestions, and a prescription draft, ready to review and sign about two minutes after the visit. The security posture behind that is on the security page, and the cleanest way to test all ten checks is a quiet week of real visits. Book a demo, put the audio question first, then run the 7-day trial and exercise every claim on this list yourself.

FAQ

Common questions

What is the single most important security question for an AI scribe?

What happens to the visit audio, and when is it deleted. The recording is more sensitive than the note, because it holds everything the patient said before you filtered it into documentation. A vendor that processes audio in memory and discards it at note draft keeps no archive to breach or subpoena. A vendor that retains it for days or weeks keeps that surface open.

Should an AI scribe be encrypted in transit and at rest?

Yes, both, with no exceptions. In transit means TLS 1.2 or newer on every connection. At rest means strong encryption on stored notes and account data, AES-256 being the common standard. A scribe that cannot state both plainly is not ready to hold patient data. Ask for the specifics in writing, not a "bank-grade security" slogan.

Is "SOC 2 certified" a real thing to look for?

No. There is no SOC 2 "certificate." SOC 2 is a voluntary AICPA framework, and the output is a report from an independent CPA firm, not a certification badge. A Type II report covers how controls operated over a period, usually 3 to 12 months. Any vendor claiming to be "SOC 2 certified" is using language the framework does not support.

Does an AI scribe need a BAA in the US?

Yes. In the US a Business Associate Agreement is the legal floor for any vendor that touches protected health information, and an AI scribe always does. The BAA should be available to every customer, not gated behind an enterprise tier, and signed before you feed it a single real visit. No BAA, no deal.

How does AI scribe security work under India's DPDP Act?

The DPDP Act 2023 frames it as consent-first and purpose-limited: you collect data for a stated purpose, use it only for that, and erase it when the purpose ends or consent is withdrawn. The DPDP Rules 2025 phase in general security and breach obligations by 13 May 2027. A scribe handled to those standards keeps audio out of storage and lets you delete any visit.

Can I verify a scribe's security claims, or do I just trust the sales deck?

You can verify most of it. Ask for the encryption specifics, the audio retention policy with a deletion timeline, the BAA, the access-logging answer, and the SOC 2 status in writing. Then test the export and delete functions yourself during a trial. A claim you cannot test on a real clinic day is a claim to discount.