HIPAA-Friendly Dictation for Therapists That Doesn't Need a BAA
Sapience Med is offline medical dictation for US mental health clinicians. Speech recognition runs 100% on your laptop — audio, transcripts, and patient content never leave the device. Sapience Systems LLP is not a HIPAA Business Associate because we never receive or process PHI, so no BAA is required.
What is a HIPAA Business Associate Agreement, and why do AI scribes need one?
A Business Associate Agreement (BAA) is a written contract required by the HIPAA Privacy Rule whenever a covered entity — a therapist, psychiatrist, or clinic that handles Protected Health Information (PHI) — shares that PHI with an outside vendor that creates, receives, maintains, or transmits the information on its behalf. The vendor becomes a “Business Associate” under 45 CFR § 160.103, and the BAA is the contract that legally binds them to safeguard the PHI to the same standard as the clinician.
Cloud AI scribes — tools like Heidi, Freed, Abridge, Nabla, Mentalyc, Supanote, and DeepScribe — record sessions, send the audio to remote servers, run speech recognition and large-language-model summarization in the cloud, and return notes to the clinician. Every step of that pipeline involves the vendor creating, receiving, maintaining, or transmitting PHI. That is the textbook definition of a Business Associate. The BAA is mandatory for these vendors, and a clinician who uses one without a signed BAA is in violation of HIPAA.
The BAA itself is fine — it is the standard mechanism by which the healthcare ecosystem extends HIPAA protections to downstream vendors. But it is also evidence that PHI is being handled by a third party. The BAA exists because risk has been delegated to someone else. Sapience Med is designed so that delegation never happens.
Why doesn't Sapience Med require a Business Associate Agreement?
Sapience Med performs 100% of its speech recognition locally, on the clinician’s own Mac or Windows laptop. The audio of your session, the recognized text, and any clinical content you dictate never leave your device. There is no upload, no server-side processing, no audit trail of patient sessions stored anywhere Sapience Systems LLP can see.
Because Sapience Systems LLP does not create, receive, maintain, or transmit PHI on a clinician’s behalf, the conditions that trigger the “Business Associate” relationship under 45 CFR § 160.103 are not met. No relationship, no BAA. This is not a loophole or a workaround — it is a different architectural choice. We chose to build a tool that types your own words into your own EHR rather than a tool that listens, summarizes, and stores.
A clinician who uses Sapience Med remains a covered entity with all the usual HIPAA obligations on their own device and EHR. What changes is that no outside vendor is sitting in the middle of the patient encounter. The PHI never goes anywhere it would not have gone if the clinician had simply typed the note by hand.
The full technical brief, including the six architectural conditions that preserve this posture, is published at sapience.systems/hipaa and is suitable to share with a compliance officer or auditor.
Is Sapience Med actually HIPAA compliant if there's no BAA?
HIPAA compliance is not a checkbox on a vendor brochure — it is a property of how PHI is handled across the workflow. A vendor can be “HIPAA compliant” by signing a BAA and securing PHI on its servers. Alternatively, a vendor can be HIPAA-friendly by ensuring no PHI ever reaches it in the first place. Both postures are valid under the rule; they just place the responsibility in different places.
For the therapist using Sapience Med, the standard HIPAA obligations remain in force: secure their own device, use appropriate access controls, follow their clinic’s incident response policy, and so on. Sapience Med does not relieve a clinician of those duties — it simply does not add a vendor to the chain.
The Sapience Med codebase has been audited internally to confirm there is no network code path by which audio, transcripts, or dictated text can leave the device. This audit is referenced in the formal compliance brief and is available on request for procurement reviews.
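A compliance reviewer need not take a "no network code path" claim on faith: the same property can be checked from the outside while the tool is in use. The helper below is an added example, not Sapience Systems' code; it parses `lsof -i -n -P` output and lists every non-loopback remote endpoint a named process is connected to. The process name `DictateApp` and the sample lsof output are constructed placeholders.

```python
# Added example (not Sapience Systems' code): audit a dictation app's egress claim
# by listing the non-loopback remote endpoints its process is connected to.
import subprocess
from typing import Dict, List

LOOPBACK_PREFIXES = ("127.", "[::1]", "localhost")

# Constructed sample in the layout of `lsof -i -n -P`; DictateApp is a placeholder name.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
DictateApp 4242 alice   12u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:53100->127.0.0.1:53101 (ESTABLISHED)
DictateApp 4242 alice   13u  IPv4 0x1a2c      0t0  TCP 192.168.1.20:52233->203.0.113.9:443 (ESTABLISHED)
Safari      777 alice   20u  IPv4 0x1a2d      0t0  TCP 192.168.1.20:52240->198.51.100.5:443 (ESTABLISHED)
DictateApp 4242 alice   14u  IPv4 0x1a2e      0t0  UDP *:5353
"""


def parse_lsof(text: str) -> List[Dict[str, str]]:
    """Split lsof rows into dicts; the NAME column may be followed by a (STATE) column."""
    rows = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        parts = line.split()
        if len(parts) < 9:
            continue
        state = parts[9].strip("()") if len(parts) > 9 else ""
        rows.append({"command": parts[0], "pid": parts[1], "node": parts[7],
                     "name": parts[8], "state": state})
    return rows


def remote_endpoints(text: str, command: str) -> List[str]:
    """Remote peers (host:port) of `command` that are not loopback; empty means no egress seen."""
    peers = []
    for row in parse_lsof(text):
        # Listening or unconnected sockets carry no "->peer" part and are not egress.
        if row["command"] != command or "->" not in row["name"]:
            continue
        remote = row["name"].split("->", 1)[1]
        if not remote.startswith(LOOPBACK_PREFIXES):
            peers.append(remote)
    return peers


def live_remote_endpoints(command: str) -> List[str]:
    """Snapshot this machine's sockets with lsof (macOS/Linux) and audit the named process."""
    proc = subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True, text=True, check=False)
    return remote_endpoints(proc.stdout, command)


if __name__ == "__main__":
    print(remote_endpoints(SAMPLE_LSOF, "DictateApp"))  # ['203.0.113.9:443']
```

A single lsof snapshot can miss short-lived connections, so run `live_remote_endpoints` repeatedly during an actual dictation session, and treat any non-loopback peer as a finding to raise with the vendor.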
Which dictation and AI scribe tools require a BAA, and which don't?
The dividing line is whether the tool sends patient audio or generated text off the clinician’s device. Any tool that uploads session audio to a server, performs cloud speech recognition, or runs LLM summarization remotely needs a BAA. That includes virtually every “AI scribe” on the market today.
| Tool | Category | Requires BAA? |
|---|---|---|
| Sapience Med | On-device dictation | No |
| Heidi | Cloud AI scribe | Yes |
| Freed | Cloud AI scribe | Yes |
| Abridge | Cloud AI scribe | Yes |
| Mentalyc | Cloud AI scribe | Yes |
| Supanote | Cloud AI scribe | Yes |
| Nabla | Cloud AI scribe | Yes |
| DeepScribe | Cloud AI scribe | Yes |
| Wispr Flow | Cloud dictation + context | Yes |
| Dragon Medical One | Cloud-assisted dictation | Yes |
| Apple Dictation | On-device dictation | N/A |
Apple Dictation is also on-device on Apple Silicon Macs and so does not implicate a BAA, but it lacks medical and psychiatric vocabulary and is not positioned as a clinical tool. Apple offers no formal compliance documentation for healthcare use.
What if a malpractice carrier or compliance auditor asks about my dictation tool?
If asked about Sapience Med during a HIPAA audit, malpractice renewal, or insurance questionnaire, the answer is short and factual: Sapience Med runs locally; no audio, transcript, or patient content leaves the device; Sapience Systems LLP is not a Business Associate and there is no BAA to produce. The clinician can point the auditor to the published architecture brief at sapience.systems/hipaa.
That brief is written for compliance review — not marketing — and includes the six architectural conditions Sapience Systems LLP commits to maintaining in order for the no-PHI-in-transit posture to remain valid. It is the document a covered entity would attach to its risk assessment.
For larger institutions that require vendor questionnaires (SIG, SOC 2 references, HECVAT), Sapience Systems can supply a short-form response noting that the application does not process PHI off device and that traditional vendor-risk frameworks do not apply in the usual way.
How is Sapience Med different from a cloud AI scribe like Heidi or Freed?
The difference is structural, not cosmetic. A cloud AI scribe records the entire session — the clinician’s voice and the patient’s voice — uploads it to a vendor server, runs automatic speech recognition, runs a language model to generate a structured note (SOAP, BIRP, DAP), and returns the finished note to the clinician for review. The clinician edits and signs it. The audio recording, the transcript, and the generated note all exist on the vendor’s infrastructure, subject to the vendor’s breach risk, subpoena exposure, and retention policies.
Sapience Med does none of that. It is a controlled push-to-talk dictation tool. The clinician presses a hotkey, speaks their own note in their own words, and releases. The spoken words are converted to text on the device and inserted into whatever text field has focus — SimplePractice, TherapyNotes, Sessions, Epic, Apple Notes, an email draft, anything. There is no recording of the patient. There is no LLM. There is no upload. The clinician is the author of the note in every sense.
For clinicians who want the convenience of voice but not the surveillance footprint of an ambient scribe, this is the entire point of the product.
Frequently asked questions
Is Sapience Med HIPAA compliant?
Do I need to sign a Business Associate Agreement with Sapience Systems LLP?
What does 'on-device dictation' actually mean for HIPAA?
Can I use Sapience Med in a clinic that requires BAAs from all software vendors?
What happens to my dictated text after the words appear in my EHR?
Does Sapience Med work for therapists who use cash-pay or non-covered services?
Try Sapience Med free for 14 days.
$45/month or $399/year (save 24%) after the trial. No card required to start.