When you're evaluating AI scribes for your practice, security and compliance are some of the most important questions you can ask. Patient data protection is nonnegotiable.

This FAQ covers everything you need to know about HIPAA compliance, data security, patient privacy, and the technical details that matter most to healthcare organizations.

What does HIPAA compliance mean in the context of AI scribing?

HIPAA compliance for AI scribes means the technology meets all standards set by the Health Insurance Portability and Accountability Act for protecting patient health information (PHI). This includes:

• Encrypting data both at rest and in transit
• Restricting access to authorized users only
• Maintaining audit trail
• Signing Business Associate Agreements, 
• Ensuring that PHI  is never used for purposes outside of healthcare delivery and documentation.

For an AI scribe like Freed, HIPAA compliance also means the AI models don't train on identifiable patient data, recordings are handled securely and deleted after note generation, and every system component follows strict privacy and security protocols. Security is built into every layer of the technology.

What are the core HIPAA safeguards an AI scribe should have?

At a minimum, an AI scribe should support:

• Encryption of ePHI in transit and at rest
• Strong access controls and role‑based permissions
• Audit logs that track who accessed or changed what
• Data backup, recovery, and breach‑response processes
• Policies for workforce training and vendor oversight

What should providers verify before turning on an AI scribe?

Before using an AI scribe, providers should verify:

• A signed BAA that clearly describes permitted uses of PHI
• Where data is stored (cloud provider, region, backups)
• How long recordings and transcripts are retained
• Whether PHI is used to train models and how it is de‑identified
• Support for SSO, MFA, and role‑based access
• How to export and permanently delete data if they stop using the tool

What is "compliance theater" and how do I avoid it?

Compliance theater refers to organizations that create the appearance of security and compliance without implementing meaningful protections. This includes vendors who:

• Claim HIPAA compliance without meaningful third-party assessments. 
• Don't provide Business Associate Agreements
• Use vague language about "security measures" without specifics
• Can't explain where data is stored or how it's encrypted
• Don't undergo third-party audits
• Can’t explain where data is stored, how it’s protected, or whether it stays within the United States
• Use patient data for model training without explicit de-identification protocols

To avoid compliance theater, verify these specifics:

What to verify:

• Request the SOC 2 Type 2 report (not just Type 1)
• Confirm BAA coverage and review terms
• Ask exactly where data is stored geographically
• Verify encryption standards (should be TLS 1.2+ and AES-256)
• Confirm third-party audit frequency and results
• Ask about employee background checks and training
• Request specific retention and deletion policies
• Verify that AI training doesn't use identifiable patient data

Are AI scribes considered business associates?

Yes. Any AI scribe that records, transcribes, or processes encounters on behalf of a covered entity is acting as a business associate. That triggers the need for a BAA, a security risk analysis, and ongoing oversight of the vendor’s safeguards.

Do AI scribes need FDA approval?

Ambient or AI scribes like Freed that only assist with documentation and do not diagnose, treat, or make clinical decisions have generally not been treated as FDA-regulated medical devices. The clinician remains responsible for reviewing and signing the note, and Freed functions as a documentation support tool rather than a diagnostic system. 

Freed is not FDA-approved, because it isn’t intended to diagnose or treat patients or replace clinical judgment. It supports documentation; it doesn’t make medical decisions. 

How do I disclose AI use to patients?

You can disclose AI use by explaining that Freed is a secure, HIPAA-compliant tool that helps with documentation while you focus on patient care. It's important to be transparent about how technology supports your work.

Here's what patients should know:

• AI is used only to assist with note-taking during the visit
• All data remains confidential and HIPAA-protected
• Every record is still reviewed and finalized by you, the clinician
• The technology allows you to maintain better eye contact and engagement during the visit
• What happens to recordings after notes are generated

Many clinicians find that when they explain AI scribing this way, patients appreciate the increased attention and engagement during appointments.

How do I convince my clinic or employer to allow AI scribes?

To convince your clinic or employer to allow AI scribes, focus on three key areas: time savings, cost reduction, and compliance.

Time savings: AI scribes help providers cut documentation time, reducing burnout and freeing hours for more patients or personal time.

Cost reduction: AI scribes are often more affordable than human scribes, with no hiring, training, or turnover costs.

Compliance: Freed in particular is HIPAA-compliant, HITECH-aligned, and SOC 2 Type 2 certified, with encryption in transit and at rest and no long-term storage of audio recordings. It’s designed to slot into your existing EHR workflow without requiring major changes.

Proven results: Share pilot data or start a free trial to demonstrate real workflow improvements, accuracy, and measurable ROI.

Is Freed HIPAA-compliant?

Yes, Freed is HIPAA-compliant and HITECH-aligned. All data is encrypted both in transit and at rest, and access is strictly controlled to authorized users only. Freed follows HIPAA security and privacy standards to protect patient information and maintains Business Associate Agreements (BAAs) with all enterprise customers. This ensures your clinical data and patient notes are handled with the highest level of confidentiality and compliance.

Freed's systems exceed HIPAA and HITECH requirements and are SOC 2 Type 2 certified. Our cryptographic modules follow FIPS PUB 140-2 standards. In addition, all of Freed’s stored data is stored within the United States.

💡Learn more about how Freed maintains HIPAA compliance and security.

What security certifications does Freed have?

Freed holds several industry-leading security certifications and compliance standards:

• SOC 2 Type 1 and Type 2 certified: Demonstrates rigorous controls for data security and confidentiality through independent third-party audits
• HIPAA and HITECH compliant: Meets or exceeds all requirements for protecting patient health information
• OWASP standards: Enforces Open Worldwide Application Security Project secure coding standards with regular audits
• FIPS PUB 140-2: Cryptographic modules follow Federal Information Processing Standards

Freed’s ongoing commitment to security takes place through regular third-party reviews, vulnerability scanning via Azure Security Center and Drata, and continuous monitoring.

Where does Freed’s patient data live?

All patient data is stored securely in Microsoft Azure's encrypted cloud storage, exclusively within the United States. Freed has a HIPAA-compliant Business Associate Agreement with Microsoft and leverages Azure's high-availability infrastructure to ensure data is always accessible while remaining secure.

Protected Health Information is encrypted at rest using AES-256 encryption and encrypted in transit using TLS 1.2-1.3. This means your data is protected whether it's being stored, processed, or transferred between systems.

What are Freed's built-in privacy controls?

Freed is built on industry best practices with multiple layers of privacy protection:

• End-to-end encryption: Protected Health Information (PHI) is encrypted at rest and in transit using TLS 1.2-1.3
• Access controls: Strict authentication protocols ensure only authorized users can access patient data
• U.S.-based storage: All data is stored securely in United States-based servers
• No AI training on PHI: Our AI never trains on Protected Health Information, ensuring total privacy
• User control: Clinicians have complete control over note and recording deletion
• Automatic deletion: Patient recordings are automatically deleted upon successful note generation
• Optional retention policies: Users can manually delete notes or enable 30-day auto-deletion
• Multi-factor authentication: Optional MFA and Single Sign-On for additional security layers
• Role-based permissions: Customizable access management for organizations

What happens to Freed’s patient recordings?

Patient recordings are temporarily saved in a secure and HIPAA-compliant manner only until note summaries and quality checks are complete. Once the note is successfully generated, the audio recording is automatically deleted. Freed does not retain audio by default.

This approach minimizes PHI retention and exposure while still ensuring high-quality documentation. Clinicians never have to worry about old recordings sitting in the system.

What happens to the data in Freed after the note is generated?

Audio recordings are not stored and are immediately deleted upon successful note generation, which happens within 60 seconds of the encounter ending. Users can manually delete notes at any time or enable a 30-day retention policy to ensure their notes are deleted from Freed's system on a routine basis.

This gives you complete control over how long clinical documentation remains in Freed while maintaining the security and compliance standards your practice requires.

You can find more specifics in Freed’s Security Center.

How does Freed handle data encryption?

Freed uses industry-standard encryption protocols at multiple levels:

• Encryption in transit: All data moving between your device, Freed's servers, and your EHR is protected using TLS 1.2-1.3
• Encryption at rest: All stored data is encrypted using AES-256, the same standard used by banks and government agencies
• Encryption standards: Follows FIPS PUB 140-2 cryptographic module standards
• Secure infrastructure: All hosting services use Microsoft Azure's encrypted cloud storage with multizonal data replication

These multiple layers of encryption ensure that patient data is protected at every stage—from capture through storage to final deletion.

Who owns and controls the data that goes through Freed?

You do. Clinicians retain full ownership of their data. Users can delete or export data at any time—before or after the contract ends.

When it comes to AI training, Freed does not use identifiable data to train its models. We follow strict de-identification and privacy protocols, and we never share your clinic's data externally. Your practice's information stays yours.

Does Freed use patient data to train AI models?

No. Freed does not use Protected Health Information for AI training purposes. Our AI model is designed with HIPAA compliance at its core and is only trained on de-identified notes that have been stripped of all patient identifiers.

This means every conversation you have with patients is private. Our models are only trained on de-identified notes, and we don’t share your clinic’s data with external parties.

Is Freed FDA-approved? If not, why doesn't it need to be?

Freed is not FDA-approved, and it doesn't need to be. The FDA regulates software that functions as a medical device—tools that diagnose, treat, or directly affect patient health decisions.

Freed, on the other hand, is a clinical documentation platform that assists providers by transcribing and structuring notes from medical conversations. It doesn't make diagnostic suggestions, treatment recommendations, or clinical decisions. It falls outside the FDA's regulatory scope because it's a documentation tool, not a medical decision-making device.

How does Freed maintain HIPAA compliance and data security?

Freed maintains HIPAA compliance through comprehensive security measures across multiple domains:

Internal personnel security:

• All employees undergo background checks before being hired
• Complete annual security awareness training on HIPAA, privacy, and information classification
• Mandatory 2FA for all employees with encrypted hard drives
• Annual access reviews to ensure appropriate permissions

Compliance framework:

• Regular risk assessments to ensure policies remain current and relevant
• CTO is responsible for Privacy and Security
• Regular third-party security audits

Secure development:

• All software changes are reviewed for compliance
• Infrastructure-as-code practices with review before deployment
• All engineers complete secure development practices training
• Regular testing and scanning with ongoing security checks

Cloud infrastructure:

• Microsoft Azure secure data centers with HIPAA-compliant BAA
• High-availability infrastructure ensures data is always accessible
• Multizonal data replication for disaster recovery
• Annual disaster recovery tests

Network security:

• Firewall rules reviewed quarterly
• Azure NSGs and Kubernetes policies for packet inspection
• Database segregation through network segmentation

Monitoring and response:

• 24/7 monitoring via Azure Monitor
• Detailed incident response plan
• Vulnerability management via Azure Security Center and Drata
• Prompt patching with structured processes

What legal terms should I know about regarding Freed?

Freed's legal framework is designed to be fair and straightforward:

Mutual indemnification: You're covered if we cause legal issues (e.g., IP infringement); we're covered if Freed is misused or used without consent.

Standard liability cap: Set at 12 months of fees paid, with carveouts for gross negligence or breaches of confidentiality.

Termination and offboarding: We honor 30-day notice terms and support full data export or deletion upon request.

Business Associate Agreement: Our BAA is in use with hundreds of health systems and rarely requires edits. It covers your entire organization, ensuring HIPAA compliance for all users.

These terms protect both parties while ensuring you have the flexibility and control you need over your practice's data.

Does Freed have access controls and user management?

Yes. Freed provides robust access management capabilities:

• Multi-factor authentication (MFA): Available for additional security
• Single Sign-On (SSO): Simplifies login while maintaining security
• Role-based permissions: Customizable access settings for different user types
• User access reviews: Annual reviews ensure appropriate permissions
• Encrypted hard drives: All employee devices use encryption
• Verified access controls: Only authorized users can access accounts

For organizations, admins can centrally manage users, track adoption, and manage group settings such as SSO or MFA through built-in dashboards.

Can I export usage data to our BI tool? How does it work?

Yes, Freed provides detailed reporting for group admins to track usage, including visits, minutes, and provider activity. You can easily export this data for integration with your BI or analytics tools.

Reports can be downloaded in common formats like CSV, allowing you to combine Freed data with other business metrics for deeper insights into platform adoption, productivity, and documentation efficiency across your organization.

This transparency helps you measure ROI, track compliance, and identify opportunities for improving documentation workflows.

How can I track adoption or usage across providers?

Freed offers admin reporting dashboards that make it easy to track adoption and usage across providers. You can monitor key metrics such as total visits, minutes recorded, and active users over time.

Data can be filtered by provider or department to identify engagement trends and partnership opportunities. For deeper analysis, reports can also be exported to CSV or integrated with your organization's BI tools to measure ongoing adoption and impact.

Each organization is also assigned a dedicated group account manager who partners with you to review adoption trends, share insights, and support rollout or engagement efforts.

What vendor management practices does Freed follow?

Freed maintains strict vendor management protocols:

• All vendors who may process patient information are required to be HIPAA compliant
• Every vendor must sign Business Associate Agreements with Freed
• Freed regularly reviews vendor security practices to ensure continued high standards
• All third-party relationships include "no less restrictive" protection clauses
• Vendors are subject to the same security requirements as Freed's internal systems

This ensures that even when working with third-party services, patient data remains protected to the same high standards throughout the entire technology stack.

How does Freed handle security monitoring and incident response?

Freed maintains comprehensive security monitoring and incident response capabilities:

24/7 monitoring:

• Continuous monitoring via Azure Monitor
• Azure Security Center for vulnerability scanning
• Drata for ongoing compliance monitoring

Incident response:

• Detailed incident response plan with defined protocols
• Designated response team with clear roles
• Regular testing and updates to response procedures

Security audits:

• Regular third-party security audits
• Vulnerability assessments and penetration testing
• Prompt patching with structured processes

Proactive security:

• Quarterly firewall rule reviews
• Regular vulnerability scanning
• Continuous security improvements based on audit findings

This multi-layered approach ensures that potential security issues are identified and addressed quickly, minimizing any risk to your practice.

What makes Freed different from competitors on security?

Freed stands out in several ways:

Comprehensive certification: Freed is HIPAA-compliant, HITECH-aligned, and SOC 2 Type 2 certified, with cryptographic modules that follow FIPS PUB 140-2 standards. 

No audio retention by default: Patient recordings are saved only until the note is completed and quality checks are done, then automatically deleted. There’s no long-term audio storage by default. 

No training on PHI: Freed’s AI is only trained on de-identified notes. Protected health information is never used for AI training, helping protect patient privacy. 

Storage in the U.S.: All data is processed and stored in U.S.-based Microsoft Azure data centers under a HIPAA-compliant BAA.

Transparent practices: Freed publishes clear documentation on security, data handling, and legal terms so IT and compliance teams can review details up front.

Proven track record: In use by hundreds of health systems and thousands of clinicians who have thoroughly vetted security practices.

Dedicated support: Each organization gets a dedicated account manager who understands your specific security requirements.

What if I have more security or compliance questions?

We're happy to connect your team with a Freed specialist—whether it's sales, legal, or technical. Security and compliance are too important to leave unanswered.

Contact us:

• Website: https://www.getfreed.ai/contact-us
• Email: sales@getfreed.ai
• Help Center: Full documentation available with detailed security information

For organizations considering Freed, we can arrange calls with our security team, provide detailed documentation for your IT and compliance reviewers, and answer any technical questions your team has.

Your trust is our highest priority, and we're committed to providing complete transparency about how we protect patient data and maintain compliance.

Ready to see for yourself?

You shouldn't have to choose between staying secure and staying above water. With Freed, you get both.

Join the thousands of clinicians who are simplifying charting with Freed.

Start a free trial to learn more about how Freed protects your practice.