AI Note-Taking Tools and HIPAA: Are Your Meeting Notes Exposing PHI?
AI note-taking assistants have quietly become one of the most-used tools in healthcare offices. Someone joins a Zoom or Teams call, a bot slides in to “take notes,” and minutes later everyone has a tidy transcript and summary in their inbox. It feels harmless. Yet when the people on that call are discussing patients, a care-coordination huddle, a vendor call about a portal outage, a billing dispute that names a member, those transcripts can contain protected health information (PHI), and that turns a convenience tool into a HIPAA question. This guide explains where AI note-taking creates exposure, what HIPAA requires before you use one of these tools, and the practical steps to keep meeting notes from becoming your next compliance gap.
Why AI note-takers are a HIPAA problem, not just an IT preference
Tools like Otter.ai, Fireflies.ai, Fathom, and the note-taking features built into major meeting platforms work by capturing audio, sending it to a cloud service, transcribing it, and often generating an AI summary. In a healthcare setting, the moment that audio includes a patient name tied to a diagnosis, an appointment, a claim, or any other individually identifiable health detail, the transcript is PHI. Under HIPAA, a vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate, and you cannot lawfully share PHI with a business associate unless a Business Associate Agreement (BAA) is in place first. Most consumer-grade note-taking apps are not designed for that relationship and will not sign a BAA, which means routing patient conversations through them is a disclosure of PHI to an unauthorized recipient.
The risk is easy to underestimate because these tools are adopted from the bottom up. Staff sign up with a free account to make their own lives easier, and the practice never made a decision at all. That is the same “shadow AI” dynamic we cover in our guide to ungoverned AI in healthcare, the exposure comes not from a policy someone approved, but from a tool nobody realized was in use.
Where the exposure hides
Even organizations that think carefully about their EHR and clinical systems often miss note-taking tools because the PHI shows up in unexpected places:
- The transcript and summary themselves. A summary that says “reviewed Jane Doe’s lab results and updated her care plan” is PHI, full stop.
- Automatic distribution. Many tools email the notes to every attendee, and sometimes to everyone on the calendar invite, including people who should never have seen them.
- Vendor training data. Some consumer tools reserve the right to use uploaded content to improve their models unless you are on an enterprise plan that says otherwise.
- Long-term storage. Transcripts sit in the vendor’s cloud indefinitely, expanding the footprint of where your PHI lives and lengthening the list of systems a breach could touch.
- Integrations. Note-takers frequently push summaries into Slack, CRMs, or project tools, quietly copying PHI into yet another unvetted system.
What HIPAA requires before you use an AI note-taker
The HIPAA Security Rule requires covered entities and business associates to protect the confidentiality, integrity, and availability of electronic PHI, and the Privacy Rule limits disclosures to the minimum necessary. Applied to AI note-taking, that translates into a short list of non-negotiables:
- Get a signed BAA first. If any call could involve PHI, the note-taking vendor must sign a BAA before it processes that audio. No BAA means the tool is off-limits for those conversations.
- Turn off model training on your data. Confirm in writing that your content will not be used to train the vendor’s models, and that it is segregated from other customers.
- Control distribution and retention. Restrict who receives notes, disable auto-sharing to full invite lists, and set the shortest retention period the vendor allows.
- Account for it in your risk analysis. The tool is now a system that stores ePHI, so it belongs in your HIPAA Security Risk Analysis, inventoried, risk-rated, and documented like any other.
- Write a policy and train staff. Tell employees which tool is approved, when a bot may join a call, and what to do on calls that will discuss patients.
This is the same discipline we recommend for ambient AI clinical documentation and HIPAA-compliant AI dictation: the underlying technology can be used safely, but only inside a governed, documented process rather than by default.
A practical path to safe adoption
You do not have to ban AI note-taking to stay compliant, you have to make a deliberate choice instead of inheriting one. Start by finding out what is already in use: ask staff, and check which bots have been joining your meetings. Then pick one enterprise-grade tool that will sign a BAA, configure it for minimum-necessary sharing and no model training, and make it the only approved option. Add it to your risk analysis, write a one-page policy, and give staff a simple rule for patient-related calls. Finally, review it on the same cadence as the rest of your compliance program, because vendor terms and default settings change over time. Handled this way, an AI note-taker becomes a governed system you can defend in an audit rather than an invisible liability.
Not sure whether the AI tools already in your practice are creating exposure? Talk to Medcurity about building AI tool governance into your HIPAA Security Risk Analysis, healthcare-native and SRA-first, with pricing that starts at $499/year for small practices and scales with organization size.
Frequently asked questions
Is using Otter.ai or Fireflies in a healthcare meeting a HIPAA violation?
It can be. If the meeting discusses patients and the tool captures that as a transcript without a signed Business Associate Agreement in place, you have disclosed PHI to a vendor that is not authorized to receive it, which is a HIPAA violation. Whether a specific tool can be used compliantly depends on whether the vendor offers a BAA and an enterprise configuration; many consumer plans do not.
Do we need a BAA with an AI note-taking vendor?
Yes, if the tool could process PHI. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate under HIPAA, and a signed BAA is required before you share PHI with them. If a note-taking vendor will not sign a BAA, it should not be used on calls where patients may be discussed.
What if the AI note-taker only stores a summary, not the full recording?
A summary is still PHI if it contains individually identifiable health information, for example, a patient’s name connected to a treatment, diagnosis, or appointment. Reducing a recording to a summary does not de-identify it, so the same BAA, minimum-necessary, retention, and risk-analysis requirements apply.
How do we control AI note-takers that staff added on their own?
Inventory what is in use, standardize on one approved enterprise tool that will sign a BAA, and disable or block the rest. Then document the approved tool in your HIPAA Security Risk Analysis, publish a short acceptable-use policy, and train staff on when a note-taking bot may and may not join a call involving patient information.