When we started building Patien, we made a decision early on: security and compliance wouldn't be features we'd add later. They'd be the foundation everything else is built on.
This might seem obvious for a product that handles medical audio. But in practice, a lot of healthcare software treats compliance as a checkbox — something to pass an audit rather than something that shapes architectural decisions. We wanted to do it differently.
Here's how we actually think about it.
HIPAA is a floor, not a ceiling
The Health Insurance Portability and Accountability Act sets minimum standards for handling Protected Health Information (PHI). Meeting those standards is non-negotiable for any product operating in US healthcare. But we don't think of HIPAA as the target — we think of it as the minimum.
For example, HIPAA doesn't require deleting audio files within any specific timeframe. We delete them within 24 hours of note generation anyway, because storing medical audio longer than necessary creates risk with no benefit. The question we ask is always: what's the right thing to do for the patient? HIPAA compliance usually follows from that.
The architecture of trust
When a clinician records a visit with Patien, the audio travels from their device to our servers over TLS 1.3 — the same encryption standard used by banks. Once on our servers, it's encrypted at rest with AES-256.
The audio is processed by our transcription pipeline, which converts speech to text. The transcript is then passed to our note generation model. At no point does raw audio touch a third-party consumer AI service. We don't send it to OpenAI, Google, or any other provider.
After the note is generated, the audio file is permanently deleted. Not archived, not moved to cold storage — deleted.
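The pipeline above is easy to state and easy to get wrong at the storage layer, so here is an added example (not Patien's code, and not a description of its actual implementation) showing how the at-rest and deletion guarantees can be enforced in one place. It models a recording store that encrypts each audio file under its own AES-256-GCM data key, starts the 24-hour clock when a note is generated, deletes eligible audio on the next sweep, and separately reports anything still present past its deadline so a violation is detected rather than silently tolerated. Wiping the data key at deletion (crypto-shredding) is an assumption of this example, chosen so that a stray copy of the ciphertext is also unreadable; all type, function and record names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AudioRetention is the deadline stated in the text: audio is gone within
// 24 hours of note generation. Sweep deletes as soon as a note exists; the
// deadline is what Overdue alerts on.
const AudioRetention = 24 * time.Hour

// VisitAudio is one recording at rest (hypothetical structure).
type VisitAudio struct {
	ID            string
	ciphertext    []byte
	nonce         []byte
	key           []byte    // per-recording 256-bit data key
	NoteGenerated time.Time // zero value until a note exists
}

// AudioStore is an in-memory stand-in for encrypted object storage.
type AudioStore struct{ records map[string]*VisitAudio }

func NewAudioStore() *AudioStore {
	return &AudioStore{records: make(map[string]*VisitAudio)}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts audio under a fresh random key and nonce. The record ID is
// bound as additional authenticated data so a ciphertext cannot be relabelled
// as another patient's recording without failing authentication.
func (s *AudioStore) Store(id string, audio []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[id] = &VisitAudio{ID: id, nonce: nonce, key: key,
		ciphertext: gcm.Seal(nil, nonce, audio, []byte(id))}
	return nil
}

// Read decrypts a recording for the transcription step.
func (s *AudioStore) Read(id string) ([]byte, error) {
	r, ok := s.records[id]
	if !ok {
		return nil, errors.New("recording not found or already deleted")
	}
	gcm, err := newGCM(r.key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.nonce, r.ciphertext, []byte(id))
}

// MarkNoteGenerated starts the retention clock for a recording.
func (s *AudioStore) MarkNoteGenerated(id string, at time.Time) error {
	r, ok := s.records[id]
	if !ok {
		return errors.New("recording not found")
	}
	r.NoteGenerated = at
	return nil
}

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Sweep deletes every recording whose note already exists: the data key and
// ciphertext are zeroed before the record is dropped (crypto-shredding, an
// assumption of this example). Returns the IDs deleted.
func (s *AudioStore) Sweep() []string {
	var deleted []string
	for id, r := range s.records {
		if r.NoteGenerated.IsZero() {
			continue // no note yet; the audio is still needed
		}
		wipe(r.key)
		wipe(r.ciphertext)
		delete(s.records, id)
		deleted = append(deleted, id)
	}
	return deleted
}

// Overdue lists recordings still present at or past their 24-hour deadline.
// A non-empty result is a retention violation that should page someone.
func (s *AudioStore) Overdue(now time.Time) []string {
	var late []string
	for id, r := range s.records {
		if !r.NoteGenerated.IsZero() && !now.Before(r.NoteGenerated.Add(AudioRetention)) {
			late = append(late, id)
		}
	}
	return late
}

func main() {
	store := NewAudioStore()
	_ = store.Store("visit-001", []byte("constructed sample audio bytes"))
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	_ = store.MarkNoteGenerated("visit-001", t0)
	fmt.Println("overdue 25h later, before sweep:", store.Overdue(t0.Add(25*time.Hour)))
	fmt.Println("deleted:", store.Sweep())
	_, err := store.Read("visit-001")
	fmt.Println("read after delete:", err)
}
```

Two design points carry the weight here. Binding the record ID as associated data means an attacker who can rearrange objects in storage cannot make one patient's audio decrypt under another record, and the Overdue check is deliberately separate from Sweep: enforcement code can fail or stall, and a compliance promise such as "deleted within 24 hours" needs an independent detector that reports when it has not held.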
Business Associate Agreements
Under HIPAA, any vendor that handles PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). This is a legally binding contract that specifies how we can use the data, what safeguards we maintain, and what we do in the event of a breach.
We sign BAAs with all Patien customers who qualify as covered entities. If you're a clinician in the US, you should have a BAA in place with any vendor that touches patient information — including AI scribes. We make this easy: contact us and we'll have a signed BAA back to you within two business days.
Patient consent
This is the piece that trips up a lot of clinicians. Recording a patient visit without consent is not just an ethical issue — it's a legal one that varies significantly by jurisdiction.
In the US, most states operate under "one-party consent" rules, meaning you can record a conversation you're a participant in without telling the other party. But many states — California, Florida, Illinois, and others — require all parties to consent. Outside the US, the rules are often stricter.
We provide sample consent language that clinicians can adapt and use. We also provide an in-app consent flow that lets clinicians document patient consent before starting a recording. But ultimately, you know your jurisdiction and your patient relationship — we give you the tools, and you make the call.
We don't train on your data
One of the most common questions we get is: does Patien use my patient recordings to train its AI?
The answer is no. We do not use visit audio, transcripts, or generated notes to train or fine-tune our models without explicit written consent from the customer. Your patient interactions are yours. We process them to deliver the service, and then we delete them.
This is not just a policy — it's written into our Business Associate Agreement and our Terms of Service.
What happens if there's a breach?
We hope it never happens. We invest heavily in preventing it — access to production data requires MFA, is logged, and is restricted to a small number of authorized engineers. We run regular penetration tests and security audits.
But we've also planned for the possibility. If a breach involving PHI occurs, we follow HIPAA's Breach Notification Rule: affected covered entities are notified within 60 days of discovery, with a full account of what happened, what data was involved, and what we've done to remediate it.
Full details are in our HIPAA Notice.
The bigger picture
Healthcare AI is moving fast. The tools being built today will shape how clinicians work for the next decade. We think it's important to prove that useful and safe aren't in tension — that you can build AI that genuinely helps clinicians while treating patient data with the seriousness it deserves.
Questions about our security practices? Reach us at privacy@usepatien.com.