Resource
Every vendor in this category now says something about HIPAA, and almost every summary you’ll find flattens the conditions that make the claims true or false. Here is the July 2026 state of play, one vendor at a time, each sourced to that vendor’s own documentation — including ours.
Two rules before the list
Nothing is “HIPAA certified.” HHS certifies no product, ever. “Compliant” means the vendor attests its safeguards meet HIPAA’s requirements when used under a signed BAA — it is a self-attestation plus a contract, not a government stamp.
The plan tier is the whole ballgame. Every cloud vendor below gates its BAA to a top tier. A clinician on a free or Pro plan of any of them is making impermissible disclosures, no matter how good the vendor’s security page looks.
Enterprise plan + signed BAA (announced July 2025)
Cloud — audio processed and stored on Otter's servers
Basic, Pro, and Business tiers cannot obtain a BAA. Compliance is a plan-tier purchase, and the PHI still lives in Otter's cloud under contract. Full analysis →
Enterprise ($39/user/mo annual) + Private Storage + signed BAA — all three at once
Cloud — US AWS/GCP by default; AI via OpenAI and ASR vendors under zero-retention BAAs
Documented unusually precisely by Fireflies itself: if any one condition lapses, compliance is disabled. Free, Pro, and Business are not covered. Full analysis →
Publishes a blanket BAA; pricing lists 'HIPAA BAA' under Enterprise
Cloud — US-only storage, indefinite default retention; AI via Anthropic/OpenAI/Google
The published blanket BAA is unusually accessible. The plan gating is stated ambiguously across Fathom's own pages — confirm in writing which tier your BAA covers before recording PHI. Full analysis →
BAA available per its security page (which references a legacy 'Business tier'; pricing lists BAA under Enterprise)
Hybrid — noise cancellation on-device; AI notes via Azure; transcripts in Krisp Cloud once notes are enabled
The famous on-device processing applies to the audio-cleanup path, not the notes pipeline. On-device transcript storage is an Enterprise feature. Full analysis →
None — Granola states it cannot sign BAAs on any plan
Cloud — transcription via Deepgram/AssemblyAI, notes via OpenAI/Anthropic, storage on US AWS
Granola says it plainly in its own docs: not HIPAA compliant, don't use it for PHI. Respect the candor; ignore third-party posts claiming otherwise. Full analysis →
Open source, free — the vendor never receives the data
On-device — capture, transcription, diarization, and storage all on your own machine
Not 'HIPAA certified' (nothing is). On-device processing means no business associate exists; the compliance surface reduces to your own device controls and consent workflow. Full analysis →
Notice the pattern: for every cloud vendor, HIPAA is a pricing tier. That isn’t cynicism — BAAs carry real legal exposure, and vendors charge for it. But it means the compliance question and the procurement question are the same question, and downgrades, lapsed contracts, or a clinician’s personal account silently break compliance. If you go cloud, put the BAA condition in your renewal checklist.
The alternative is to change the architecture instead of buying the contract: with on-device processing, the vendor never receives PHI, so there is no business associate and nothing to lapse. That’s what Minutesis — open source, free, capture-to-storage on your own machine. The trade-offs are real (no hosted team features, macOS-first) and the remaining duties are yours (encrypted disk, access control, patient consent). But the vendor-risk column of your HIPAA analysis goes to zero, permanently, on every “plan.”
Next step
Informational, not legal advice. Vendor policies and plan gating change — verify against each vendor’s current documentation and your compliance counsel before recording PHI with any tool.