← Back ExamScribe

ExamScribe Security & HIPAA Compliance

Last Updated: February 22, 2026

ExamScribe is a HIPAA-compliant AI clinical scribe built for medical professionals across every specialty. Every component — from voice transcription to note generation to data storage — is designed to protect patient data without compromise. This page details exactly how.

AI & Your Data

  • All AI processing uses HIPAA-compliant Azure OpenAI services with a signed Business Associate Agreement (BAA).
  • Your transcripts and clinical notes are never used to train AI models — ever.
  • No patient data is retained by AI services after processing is complete.
  • Proprietary specialty-specific prompts are stored server-side and never exposed to the browser or client.

Encryption & Data Protection

  • All data encrypted at rest using AES-256 and in transit using TLS 1.2+.
  • Voice transcription uses enterprise-grade, end-to-end encrypted Azure Speech Services.
  • Cryptographic modules conform to FIPS PUB 140-2 standards.
  • All processing occurs on US-based Azure data centers — your data never leaves the country.

Cloud Infrastructure & Availability

  • Hosted entirely on Microsoft Azure with a signed HIPAA Business Associate Agreement.
  • Continuous data replication across availability zones for point-in-time recovery.
  • Annual disaster recovery testing through tabletop and technical exercises.
  • Backups are encrypted and stored securely within the US.

Security Certifications & Compliance

  • SOC 2 Type I and Type II compliant.
  • HIPAA compliant with signed BAAs across all vendors who process patient information.
  • Aligns with OWASP secure coding standards.
  • Regular security audits, risk assessments, and third-party vulnerability assessments.

User Access & Management

  • Role-based access control with unique user IDs and strong password requirements (12+ characters, bcrypt hashed).
  • Two-factor authentication required for all internal personnel.
  • Immediate access revocation upon employment termination or policy violation.
  • Annual access reviews to verify proper authorization levels.

Network & Firewall Security

  • All connections terminate at a firewall; rules reviewed and updated quarterly.
  • Stateful packet inspection via Azure Network Security Groups.
  • Network segmentation separates databases from front-end systems.
  • Continuous 24/7 monitoring using Azure Monitor.

Incident Response & Monitoring

  • Documented incident response plan with notification and mitigation procedures.
  • 24/7 continuous monitoring via Azure Monitor.
  • Regular security audits and third-party assessments.
  • Prompt patch management based on vulnerability assessments.

Vendor Management

  • All vendors who process patient information are required to be HIPAA compliant and sign BAAs with ExamScribe.
  • Regular review of vendor security practices to ensure continued high standards.

Questions about our security practices? support@examscribe.ai