Security, Compliance, and HIPAA for Voice to Chart Notes

ChiroUp’s Voice to Chart is built with security, privacy, and HIPAA compliance at its core. This guide outlines how recordings, transcripts, and AI-generated summaries are handled to protect patient data and what you need to know when using this feature.


1. Data Security: Encryption & Storage

All audio recordings, transcripts, and AI-generated summaries are processed through encrypted, HIPAA-compliant systems:

  • Data is encrypted in transit and at rest using industry-standard protocols.
  • No offshore processing. All data remains within the U.S.
  • ChiroUp maintains executed Business Associate Agreements (BAAs) with all third-party services involved in transcription and AI processing.
  • AI-generated summaries become part of the permanent medical record only after the provider reviews, saves, and signs the note.
  • Recordings and transcripts are temporary translational tools used solely to create the AI-generated summary.
  • Providers must obtain verbal consent before the first recording. The system logs this in the patient's Chart tab when the provider indicates consent was obtained.
  • Written consent is optional but encouraged. ChiroUp offers a sample informed consent form, which is automatically uploaded to the patient’s chart when delivered via the ChiroUp consents and authorizations process.  
  • Recording preferences are managed through the opt-in/opt-out toggle.

For details, see: Managing Patient Consent to Recording 


3. Access Controls & Audit Trails

  • Access to recordings, transcripts, and AI-generated summaries follows the same permissions as the patient’s Encounter tab and SOAP notes.
  • All access is logged, including who viewed the data and when.
  • Providers can view their own access logs.


4. AI Processing & Provider Responsibility

  • No data is used for AI training or shared beyond processing needs.
  • Providers are responsible for reviewing and editing AI-generated summaries. AI supports documentation but does not replace clinical judgment.
  • Our software configuration uses the voice recording and its associated transcript solely as translational tools to generate a text output for your review. While the output text may be saved within your clinical note, the recording and transcript are deleted upon signature of the note. It is your responsibility to determine whether this configuration satisfies your professional and legal obligations, including compliance with all applicable local, state, and federal regulations.


5. Best Practices for Minimizing PHI Exposure

  • Limit unnecessary PHI in recordings. Avoid using patient names, emails, or other identifiers when not clinically relevant.
  • ChiroUp only processes PHI contained within the voice recording.

 
