minutes

Resource

Is Otter.ai HIPAA compliant?

Short answer: yes, since July 2025 — but only on the Enterprise plan, and only with a signed Business Associate Agreement. Most answers you’ll find online are out of date in one direction or the other. Here is the current state, sourced from Otter’s own documentation, and the architectural question worth asking before you buy your way out of the problem.

Last reviewed: 2026-07-11Sourced answer

Quick answer

Otter.ai is HIPAA compliant only for Enterprise customers with a signed BAA. Otter announced HIPAA compliance in July 2025 following an independent assessment. Per its help center, the BAA is available exclusively on the Enterprise plan, arranged through sales.

On Basic, Pro, and Business plans, the answer is no. No BAA is available on those tiers, so recording conversations that contain protected health information on them is an impermissible disclosure to a vendor — regardless of how good Otter’s general security is.

What A BAA Does — And What It Doesn't

A Business Associate Agreement makes it lawful for a vendor to receive and process PHI on your behalf, and binds the vendor to HIPAA’s safeguards. It is a legal instrument, not an architectural one. With a signed BAA, your patient conversations still travel to Otter’s cloud, are still transcribed on Otter’s servers, and still live in Otter’s storage — the disclosure is permitted and governed, not eliminated.

That distinction matters when you think about breach surface. A BAA obligates the vendor to report breaches; it does not make the vendor unbreachable. Every cloud notetaker with a BAA is still a third party holding your patients’ conversations.

The Checklist If You Stay With Otter

Using Otter with PHI in a compliant way requires all of the following:

  • An Enterprise plan — not Basic, Pro, or Business.
  • A BAA actually signed with Otter before any PHI is recorded, not after.
  • Workspace policies that keep PHI recordings inside the covered workspace — a clinician’s personal Pro account doesn’t inherit the organization’s BAA.
  • Your own HIPAA obligations: consent workflows for recording, access controls, and minimum-necessary practices don’t transfer to the vendor.
The Question Under The Question

The reason a BAA is needed at all is that the audio leaves your machine. There is a second way to resolve the HIPAA question: use transcription that runs entirely on your own device, so no vendor ever receives the conversation. No third party, no business associate, no BAA to negotiate — the legal question dissolves because the disclosure never happens.

That’s the architecture Minutesis built on: audio is captured and transcribed on your device with whisper.cpp, and the record is markdown on your own disk with owner-only file permissions. It’s open source, so this claim is verifiable in code rather than asserted on a trust page. To be precise about the framing: no local tool is “HIPAA certified” — HIPAA governs covered entities and their vendors. On-device processing removes the vendor from the equation; securing the device (disk encryption, access control) remains your responsibility, as it already is for your EHR workstation.

If your compliance team’s core question is “where does the audio go?”, the on-device answer is one sentence long.

Which Fits Your Situation
Your situationReasonable path
Large org, already on Otter Enterprise, wants team featuresSign the BAA, lock recording to the covered workspace, audit regularly
Solo practitioner or small practice on a consumer/Pro planStop recording PHI with it today — no BAA is available at your tier. Consider on-device transcription instead
Any practice whose bar is “patient audio never touches a third party”On-device tools are the only architecture that meets it — a BAA governs disclosure, it doesn’t prevent it

Next step

Sources

This page is informational, not legal advice. Verify plan details and BAA terms with Otter and your compliance counsel before recording PHI with any tool.