minutes

Resource

HIPAA-compliant AI note takers: the actual state of play

Every vendor in this category now says something about HIPAA, and almost every summary you’ll find flattens the conditions that make the claims true or false. Here is the July 2026 state of play, one vendor at a time, each sourced to that vendor’s own documentation — including ours.

Last reviewed: 2026-07-11Sourced answer

Two rules before the list

Nothing is “HIPAA certified.” HHS certifies no product, ever. “Compliant” means the vendor attests its safeguards meet HIPAA’s requirements when used under a signed BAA — it is a self-attestation plus a contract, not a government stamp.

The plan tier is the whole ballgame. Every cloud vendor below gates its BAA to a top tier. A clinician on a free or Pro plan of any of them is making impermissible disclosures, no matter how good the vendor’s security page looks.

Vendor By Vendor

Otter.ai

Conditional

Enterprise plan + signed BAA (announced July 2025)

Cloud — audio processed and stored on Otter's servers

Basic, Pro, and Business tiers cannot obtain a BAA. Compliance is a plan-tier purchase, and the PHI still lives in Otter's cloud under contract. Full analysis →

Fireflies.ai

Conditional

Enterprise ($39/user/mo annual) + Private Storage + signed BAA — all three at once

Cloud — US AWS/GCP by default; AI via OpenAI and ASR vendors under zero-retention BAAs

Documented unusually precisely by Fireflies itself: if any one condition lapses, compliance is disabled. Free, Pro, and Business are not covered. Full analysis →

Fathom

Conditional

Publishes a blanket BAA; pricing lists 'HIPAA BAA' under Enterprise

Cloud — US-only storage, indefinite default retention; AI via Anthropic/OpenAI/Google

The published blanket BAA is unusually accessible. The plan gating is stated ambiguously across Fathom's own pages — confirm in writing which tier your BAA covers before recording PHI. Full analysis →

Krisp

Conditional

BAA available per its security page (which references a legacy 'Business tier'; pricing lists BAA under Enterprise)

Hybrid — noise cancellation on-device; AI notes via Azure; transcripts in Krisp Cloud once notes are enabled

The famous on-device processing applies to the audio-cleanup path, not the notes pipeline. On-device transcript storage is an Enterprise feature. Full analysis →

Granola

No

None — Granola states it cannot sign BAAs on any plan

Cloud — transcription via Deepgram/AssemblyAI, notes via OpenAI/Anthropic, storage on US AWS

Granola says it plainly in its own docs: not HIPAA compliant, don't use it for PHI. Respect the candor; ignore third-party posts claiming otherwise. Full analysis →

Minutes (ours)

No BAA needed

Open source, free — the vendor never receives the data

On-device — capture, transcription, diarization, and storage all on your own machine

Not 'HIPAA certified' (nothing is). On-device processing means no business associate exists; the compliance surface reduces to your own device controls and consent workflow. Full analysis →

How To Read This As A Buyer

Notice the pattern: for every cloud vendor, HIPAA is a pricing tier. That isn’t cynicism — BAAs carry real legal exposure, and vendors charge for it. But it means the compliance question and the procurement question are the same question, and downgrades, lapsed contracts, or a clinician’s personal account silently break compliance. If you go cloud, put the BAA condition in your renewal checklist.

The alternative is to change the architecture instead of buying the contract: with on-device processing, the vendor never receives PHI, so there is no business associate and nothing to lapse. That’s what Minutesis — open source, free, capture-to-storage on your own machine. The trade-offs are real (no hosted team features, macOS-first) and the remaining duties are yours (encrypted disk, access control, patient consent). But the vendor-risk column of your HIPAA analysis goes to zero, permanently, on every “plan.”

Next step

Sources

Informational, not legal advice. Vendor policies and plan gating change — verify against each vendor’s current documentation and your compliance counsel before recording PHI with any tool.