HIPAA-Compliant Meeting Notes for Healthcare Teams

Healthcare organisations hold meetings that discuss patients — care coordination, case conferences, treatment team discussions. When those meetings are recorded or transcribed, the resulting files may contain Protected Health Information (PHI) and trigger HIPAA obligations.

When does HIPAA apply to meeting recordings?

HIPAA applies when: the meeting involves a covered entity (hospital, clinic, health plan, healthcare clearinghouse) or their business associates, and the recording or transcript contains PHI — information that identifies a patient in connection with their health, treatment or payment. A purely administrative meeting about billing software does not implicate HIPAA. A care conference discussing a specific patient's diagnosis and treatment plan does.

The business associate issue

If you send meeting audio or transcripts to a third-party service (an AI notetaker, a cloud transcription vendor), that vendor may become a business associate under HIPAA and require a Business Associate Agreement (BAA). Most general-purpose AI notetakers (Otter.ai, Fireflies, etc.) are not healthcare-specific and do not offer BAAs as a standard offering. Some have enterprise tiers with BAAs — check the vendor's current terms.

The local processing advantage

On-device transcription tools that process audio locally — like ParleyNotes — do not transmit audio to a third-party server. Because no data is shared with an external entity, the business-associate question does not arise. The transcript lives on your device and is subject to the same access controls as any other clinical document you create locally. This simplifies the HIPAA analysis significantly.

Storage and access controls

Regardless of how you transcribe, any meeting notes that contain PHI must be stored with appropriate access controls, retained per your organisation's policy, and disposed of securely when no longer needed. This applies to the transcript, the audio file, and any AI-generated summary.

This post describes general HIPAA concepts. Consult your organisation's privacy officer and legal counsel for guidance on your specific workflows.