May 16, 2026
Is Cloud Dictation HIPAA-Compliant? What Doctors, Therapists, and Lawyers Should Know
You are a doctor dictating patient notes. A therapist recording session summaries. A lawyer drafting privileged documents. You want the speed of dictation, but you also have legal obligations that consumer software was never designed to meet. This post explains what HIPAA compliance actually requires from a dictation tool, what the major services offer, and what your options are.
Disclaimer
I am not a lawyer, and this is not legal advice. HIPAA compliance depends on your specific circumstances, your organization, and your agreements. Consult your compliance officer or healthcare attorney before making decisions about dictation tools in regulated environments.
What HIPAA actually requires (the short version)
HIPAA is not a certification. There is no “HIPAA-approved” badge that a vendor earns. HIPAA is a set of requirements that covered entities (healthcare providers, health plans, and healthcare clearinghouses) must meet. When you use a third-party service that handles protected health information (PHI) on your behalf, that service is a business associate, and you need a Business Associate Agreement (BAA) with them. Since the 2013 Omnibus Rule, business associates are also directly liable under the Security Rule, which is why a vendor that has not built a compliance program generally will not sign one.
For a dictation tool handling PHI, the relevant requirements are:
- Business Associate Agreement (BAA). The vendor must sign a BAA that contractually binds them to HIPAA requirements. A vendor that processes your PHI meets the definition of a business associate whether or not a BAA exists; without one, you are disclosing PHI to a business associate without the required agreement, which is itself a violation on your side. This is the single most common compliance gap.
- Encryption in transit and at rest. The Security Rule lists encryption as an addressable specification and names no algorithms, but HHS guidance points to the NIST standards, and in practice TLS 1.2 or later in transit and AES-256 (or equivalent) at rest is the baseline. Encryption also determines what counts as a breach: PHI encrypted to that standard is not “unsecured”, so its loss is not reportable. A service that does not encrypt your data cannot be part of a HIPAA-compliant workflow.
- Access controls and audit logs. The vendor must maintain controls over who can access PHI and keep logs of access events. You need to know who viewed what and when.
- Data retention and disposal. PHI must be disposed of securely when no longer needed. The vendor must have documented retention policies and secure deletion procedures.
- Breach notification. The vendor must notify you of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovering it; BAAs commonly set a shorter contractual deadline. If they cannot commit to this, they cannot be your business associate.
The BAA problem: what cloud dictation services actually offer
Here is the uncomfortable reality: as of May 2026, the major consumer cloud dictation services do not publicly offer BAAs.
Wispr Flow
Wispr Flow's terms and privacy policy do not mention HIPAA, BAAs, or healthcare compliance. Their infrastructure is standard cloud SaaS: audio is transmitted to and processed on servers that are not part of any documented HIPAA-compliant architecture. They encrypt data in transit (TLS), but there is no public documentation of a HIPAA compliance program, no mention of BAAs, and no healthcare-specific data handling commitments.
This does not mean Wispr Flow is doing anything wrong — they are a consumer product, and HIPAA compliance is expensive to build and maintain. They simply have not built for that market.
Aqua Voice
Aqua Voice is in the same position. Their privacy policy is thorough by consumer standards, but it does not address HIPAA, does not offer a BAA, and does not describe a HIPAA-compliant infrastructure. For the same reasons as Wispr Flow, this is not a criticism — it is a statement of what the product was designed for.
What about enterprise tiers?
Some cloud services offer HIPAA compliance at enterprise pricing tiers not listed on their public websites. If you work for a large healthcare organization, your procurement team can inquire directly. But for independent practitioners — the solo therapist, the small practice doctor, the freelance medical writer — enterprise tiers are typically inaccessible. The sales process alone filters out anyone below a certain contract size.
The on-device alternative: compliance through architecture
On-device dictation tools change the compliance analysis entirely. If your dictation software processes audio locally on your Mac and never transmits it anywhere, the vendor never receives PHI and no business associate relationship arises. The PHI stays on your machine, which you already control under your existing compliance framework. The condition is that the whole pipeline is local: an app that falls back to a cloud model, syncs transcripts, or ships audio with crash reports does not qualify.
Rewisper
Rewisper runs entirely on-device. The Whisper-based model, the formatting pipeline, and all other processing happen on your Mac's CPU and Neural Engine. No audio is transmitted. No text is sent to a server. Because the vendor never receives your PHI (it never leaves your machine), Rewisper is not a business associate under HIPAA, and no BAA is required.
This is a structural guarantee, not a contractual one. It does not depend on a vendor's promises, their infrastructure, or their willingness to sign a BAA. It depends on network behaviour: data that never leaves your device cannot be breached at a server you do not control. Treat it as something to verify rather than assume. Confirm that the app opens no outbound connections while you dictate, and account for anything else that can carry the output off the machine, such as cloud sync of the documents you dictate into.
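One way to check the claim on macOS, as an added example that is not code from this post, from Rewisper, or from MacWhisper: snapshot the dictation app's open sockets with the stock `lsof` and keep only peers outside the machine. It assumes the app runs as a process whose name matches what you pass to `check_app` (the `Rewisper` name below is an assumption; use `ps` to find the real one), and the `lsof` lines it parses are constructed for illustration, not captured from any real app.

```shell
#!/bin/bash
# Added example (not from the post or any vendor): verify the "nothing leaves
# the machine" claim for an on-device dictation app on macOS.
# Assumptions: the app runs as a process whose name you pass to check_app
# (e.g. "Rewisper"), and lsof/pgrep/paste are the stock macOS tools.

# Constructed `lsof -nP -i` output for illustration; not captured from a real app.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Rewisper 4242 alice   12u  IPv4 0xabc      0t0  TCP 127.0.0.1:61000->127.0.0.1:8080 (ESTABLISHED)
Rewisper 4242 alice   13u  IPv6 0xabd      0t0  TCP [::1]:61001->[::1]:8081 (ESTABLISHED)
Rewisper 4242 alice   14u  IPv4 0xabe      0t0  UDP *:5353
Rewisper 4242 alice   15u  IPv4 0xabf      0t0  TCP 192.168.1.20:61002->203.0.113.10:443 (ESTABLISHED)
Rewisper 4242 alice   16u  IPv4 0xac0      0t0  TCP 192.168.1.20:61003->198.51.100.7:443 (SYN_SENT)'

# remote_peers: read `lsof -nP -i` lines on stdin and print only sockets whose
# peer is off-box. Lines without "->" are listening or unbound sockets and are
# skipped; loopback peers (127.0.0.0/8, ::1) never reach the network.
remote_peers() {
  awk '
    NR == 1 { next }                          # column header
    index($0, "->") == 0 { next }             # no peer address at all
    {
      split($0, parts, "->"); peer = parts[2]
      sub(/ .*/, "", peer)                    # strip " (ESTABLISHED)" etc.
      if (peer ~ /^127\./ || peer ~ /^\[::1\]/) next
      print
    }'
}

# check_app: snapshot the live sockets of every process with the given name.
# Returns 0 if no off-box peers are seen, 1 if some are (and prints them),
# 2 if the app is not running.
check_app() {
  local app="$1" pids hits
  pids=$(pgrep -x "$app" | paste -sd, -)
  if [ -z "$pids" ]; then
    echo "no running process named $app" >&2
    return 2
  fi
  # -a ANDs the selections: sockets (-i) belonging to these pids (-p)
  hits=$(lsof -nP -i -a -p "$pids" 2>/dev/null | remote_peers)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  echo "$app (pid $pids): no off-box connections observed"
}

# Dry run against the constructed sample: two of the five sockets talk to
# addresses outside the machine, so an app showing this would fail the check.
printf '%s\n' "$SAMPLE_LSOF" | remote_peers
```

A single snapshot can miss a short-lived upload, so run `check_app Rewisper` in a loop while you actually dictate, or watch the process live with `nettop -p <pid>`. A clean result shows the app itself is quiet; it says nothing about where the transcript goes afterwards, which is the separate concern covered below.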
MacWhisper
MacWhisper also processes audio locally. The same architectural analysis applies: no data leaves your Mac, so the software does not become a business associate. If your primary need is transcribing recorded patient sessions or dictated notes from audio files, MacWhisper is a strong option.
Important nuance
Your compliance obligations do not end with the dictation tool. You still need to secure the device itself (full-disk encryption such as FileVault, screen lock, access controls), manage the resulting text documents according to your policies, and ensure your overall workflow meets HIPAA requirements. The transcript is PHI too: if it lands in a folder that is synced to a cloud drive or included in an unencrypted backup, the third party you removed from the audio path is back in the document path. On-device dictation removes one vector of risk, third-party data handling, but it does not remove your other obligations.
What about non-HIPAA regulated professions?
Lawyers and attorney-client privilege
Attorney-client privilege is not HIPAA. But the analysis is similar: if your dictation audio passes through a third-party server, you have disclosed the communication to that party, and whether the protection survives depends on the confidentiality terms you have with it and on how your jurisdiction treats cloud services. Some state bar associations have issued guidance on cloud services and privilege; check your jurisdiction. On-device dictation avoids the question entirely, because no third party ever possesses the communication.
Therapists and counselors
Mental health professionals face some of the strictest privacy requirements. Session notes, treatment plans, and patient communications are highly sensitive. HIPAA applies if you transmit claims or other standard transactions electronically, which is what makes you a covered entity. Even if you do not, state licensing boards and professional ethics codes typically impose confidentiality obligations that are functionally similar. On-device dictation is the path of least resistance here: it eliminates the need to evaluate a vendor's privacy posture because there is no vendor in the data path.
Journalists and confidential sources
Journalists working with confidential sources or sensitive material face a different kind of risk. Dictating notes through a cloud service means those notes exist, even briefly, on a server somewhere — potentially in a jurisdiction with press-unfriendly laws. Shield laws vary by country and state. On-device dictation keeps the material within the journalist's control and avoids creating server-side records that could be subpoenaed.
Practical recommendations by profession
| Profession | Cloud dictation | On-device dictation | Recommendation |
|---|---|---|---|
| Physician (solo practice) | Avoid | Use | On-device |
| Physician (hospital) | Check IT | Check IT | Ask IT dept |
| Therapist / Counselor | Avoid | Use | On-device |
| Lawyer (solo / small firm) | Avoid | Use | On-device |
| Lawyer (large firm) | Check firm | Check firm | Ask IT / GC |
| Journalist | Depends | Use | On-device for sensitive |
| General consumer | Fine | Fine | Either |
The bottom line
Consumer cloud dictation services, Wispr Flow and Aqua Voice, are excellent products but were not built for regulated environments. They do not publicly offer BAAs, do not document HIPAA-compliant infrastructure, and should not be used for work involving PHI or privileged communications without explicit confirmation from the vendor and your compliance team.
On-device dictation tools — Rewisper, MacWhisper — process everything locally. They eliminate the third-party data handling problem because there is no third party in the data path. For independent practitioners in healthcare, law, and journalism, this is the simplest way to use dictation without creating compliance exposure.
If you are in a regulated profession, check with your compliance officer or attorney. But know that on-device dictation exists, and it changes the analysis. The technology is ready. The question is whether your workflow can adopt it.
Read: Where Does Your Voice Go When You Use Wispr Flow or Aqua Voice? →
Read: What Your Dictation App Knows About You →