Available on: Mac, Windows, iOS, Android (BAA signing on Mac, Windows, and iOS; full enterprise HIPAA features require an Enterprise plan and are administered from the desktop app)
If you dictate clinical notes, patient information, or other PHI, Wispr Flow supports HIPAA-compliant workflows — including Business Associate Agreements, Privacy Mode for zero data retention, and enterprise data controls.
Wispr Flow provides HIPAA-compliant infrastructure for healthcare organizations using voice dictation with Protected Health Information (PHI). This includes Business Associate Agreements (BAAs), zero data retention through Privacy Mode, and enterprise-level data controls — all designed to meet HIPAA's administrative, physical, and technical safeguard requirements.
Wispr Flow's HIPAA compliance program covers three areas: infrastructure safeguards that protect PHI at the system level, BAAs that formalize data handling obligations, and Privacy Mode plus enterprise controls that give organizations direct control over data retention.
Encryption: PHI is encrypted in transit and at rest.
Access controls: PHI access is limited to authorized personnel only.
Audit logging: PHI access and system activities are logged.
Incident response: Breach notification procedures are in place.
Security assessments: Regular security reviews and updates are performed.
Network security: Content Security Policy enforcement restricts all connections to approved HTTPS domains, prevents navigation to unapproved origins, and blocks permission requests from non-HTTPS sources.
Offline enforcement: Enterprise settings (including ZDR and data policies) are cached locally and remain enforced even during network connectivity issues.
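The network-security and offline-enforcement items above describe two allowlist rules: outbound connections are limited to approved HTTPS origins by a Content Security Policy, and navigation and permission requests are refused unless they come from HTTPS. The following JavaScript is an added example, not Wispr Flow's code, that models those rules so their behaviour can be checked against sample events: it parses a CSP connect-src allowlist, matches URLs against it the way a browser does (scheme, host, "*." wildcard label, port), requires HTTPS for navigation targets and permission-requesting origins, and denies anything it cannot classify. The policy string, the `.invalid` domains, and the separate navigation allowlist are constructed assumptions, not Wispr's actual configuration.

```javascript
// Added illustration, not Wispr Flow's code: a small model of a CSP connect-src
// allowlist of HTTPS origins plus an HTTPS-only rule for navigation and permission
// requests. Every domain below is a constructed placeholder under the reserved .invalid TLD.

const EXAMPLE_CSP =
  "default-src 'none'; " +
  "connect-src https://api.example-dictation.invalid https://*.cdn.example-dictation.invalid";

// Navigation allowlist: assumed to be a separate list of origins the application
// checks before following a link (CSP has no shipped navigation directive).
const ALLOWED_NAV_ORIGINS = ["https://app.example-dictation.invalid"];

// Parse a CSP string into a Map of directive name -> source expressions.
// As in browsers, the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match one host-source expression (scheme://host[:port], optionally with a leading
// "*." wildcard) against a parsed URL. Keyword sources such as 'self' or 'none' and
// scheme-only or bare "*" sources are not modelled and never match.
function sourceMatches(expr, url) {
  if (expr.startsWith("'")) return false;
  const wildcard = expr.includes("://*.");
  let parsed;
  try {
    // Substitute a placeholder label so the URL parser accepts the wildcard form.
    parsed = new URL(wildcard ? expr.replace("://*.", "://wildcard.") : expr);
  } catch {
    return false;
  }
  if (parsed.protocol !== url.protocol) return false;
  // No explicit port in the expression means the scheme's default port only;
  // the URL parser reports a default port as "" on both sides.
  if (parsed.port !== url.port) return false;
  if (wildcard) {
    const suffix = parsed.hostname.slice("wildcard".length); // e.g. ".cdn.example-dictation.invalid"
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return parsed.hostname === url.hostname;
}

// Outbound connection: must be HTTPS and must match connect-src (falling back to
// default-src). Unparseable or unmatched targets are denied (fail closed).
function isConnectionAllowed(policy, target) {
  let url;
  try { url = new URL(target); } catch { return false; }
  if (url.protocol !== "https:") return false;
  const directives = parseCsp(policy);
  const sources = directives.get("connect-src") ?? directives.get("default-src") ?? [];
  return sources.some((s) => sourceMatches(s, url));
}

// Navigation: HTTPS only and the full origin must be on the allowlist, so a
// look-alike host such as app.example-dictation.invalid.attacker.invalid fails.
function isNavigationAllowed(allowedOrigins, target) {
  let url;
  try { url = new URL(target); } catch { return false; }
  return url.protocol === "https:" && allowedOrigins.includes(url.origin);
}

// Permission requests (microphone and the like): only HTTPS origins may ask.
function isPermissionRequestAllowed(requestingOrigin) {
  let url;
  try { url = new URL(requestingOrigin); } catch { return false; }
  return url.protocol === "https:";
}

// Run a batch of events through the rules and return one decision per event.
// Unknown event kinds are denied so an unrecognised request never slips through.
function evaluateEvents(policy, allowedNavOrigins, events) {
  return events.map((ev) => {
    let allowed = false;
    if (ev.kind === "connect") allowed = isConnectionAllowed(policy, ev.target);
    else if (ev.kind === "navigate") allowed = isNavigationAllowed(allowedNavOrigins, ev.target);
    else if (ev.kind === "permission") allowed = isPermissionRequestAllowed(ev.target);
    return { kind: ev.kind, target: ev.target, allowed };
  });
}

// Constructed sample events, roughly what a connection/navigation log would show.
const SAMPLE_EVENTS = [
  { kind: "connect", target: "https://api.example-dictation.invalid/v1/transcribe" },
  { kind: "connect", target: "http://api.example-dictation.invalid/v1/transcribe" },
  { kind: "connect", target: "https://assets.cdn.example-dictation.invalid/app.js" },
  { kind: "connect", target: "https://telemetry.attacker.invalid/collect" },
  { kind: "navigate", target: "https://app.example-dictation.invalid/settings" },
  { kind: "navigate", target: "https://app.example-dictation.invalid.attacker.invalid/" },
  { kind: "permission", target: "file:///tmp/page.html" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const d of evaluateEvents(EXAMPLE_CSP, ALLOWED_NAV_ORIGINS, SAMPLE_EVENTS)) {
    console.log(`${d.allowed ? "ALLOW" : "DENY "} ${d.kind.padEnd(10)} ${d.target}`);
  }
}
```

Run it with node to print one decision per sample event: three are allowed (the HTTPS API call, the wildcard CDN host, the allowlisted navigation) and the plain-HTTP call, the unknown telemetry host, the look-alike navigation target and the file:// permission request are all denied. The fail-closed choices (unparseable URLs and unknown event kinds are refused) are the same property the offline-enforcement item depends on: a control that cannot evaluate its input should deny rather than allow.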
Wispr Flow enters into Business Associate Agreements with covered entities and other business associates. The BAA includes:
Permitted uses and disclosures of PHI
Safeguarding requirements
Breach notification obligations
Subcontractor management requirements
Rights of individuals and covered entities
Termination and data return provisions
Healthcare customers should enable Privacy Mode to ensure zero data retention for dictation containing PHI. With Privacy Mode enabled:
Zero data retention: No dictation data is stored or used for model training by Wispr or any third party.
No PHI persistence: No PHI remains on Wispr Flow systems after transcription.
Subprocessor compliance: Subprocessors are contractually bound to the same zero-retention requirements.
Warning: Submitting a feedback or bug report through the app may transmit transcript text, audio recordings, and app preferences to Wispr's internal support systems regardless of Privacy Mode. Healthcare users handling PHI should avoid submitting reports that may contain sensitive information. On Android, feedback submissions only include your typed message and an optional image attachment — transcript text, audio, and app preferences are not automatically attached. On desktop, feedback submissions automatically include app preferences and log files.
Note: After a HIPAA BAA is signed (individually or at the organization level), Privacy Mode is permanently locked on and the toggle is disabled. On iOS, the description changes to indicate that Privacy Mode is enforced. Privacy Mode is also permanently locked on when your organization's administrator enables Zero Data Retention (ZDR).
On iOS, Wispr Flow includes several Notes features that are restricted for HIPAA users to protect patient data. For accounts subject to HIPAA data restrictions, the following are disabled by default:
Note syncing: Notes are not synced to Wispr's servers.
AI summary button: The AI summary option on note cells is hidden.
Spotlight indexing: Note content is not indexed in iOS Spotlight search, so notes cannot be found from the system search screen.
Siri suggestions: Notes are not surfaced through Siri.
Note: These restrictions can be lifted by your organization's administrator by enabling the note sync setting at the enterprise level. Contact your account representative or IT administrator to adjust this configuration.
Enterprise administrators have additional data controls for HIPAA compliance:
Zero Data Retention (ZDR): Enforces Privacy Mode for all organization members. ZDR cannot be disabled after a BAA is signed. Wispr may also lock ZDR on for your organization — contact support to modify if needed.
Local Data Policy: Choose between normal storage, automatic deletion after 24 hours, or never storing data locally. This also affects locally stored AI polish/rewrite data in addition to transcription history.
Hide Improve Model: Silently prevents data sharing for model improvement at the system level, regardless of individual user toggle state. This setting is managed by Wispr support and is not configurable from the admin portal.
SSO / SAML: Enterprise single sign-on is available. SCIM-provisioned users authenticate via SSO through your identity provider. SSO enforcement requires an active enterprise subscription — if the subscription lapses, SSO enforcement is automatically disabled.
SCIM Provisioning: Manage team membership entirely through your identity provider. SCIM provisioning respects your enterprise seat cap — if the limit is reached, new users are not provisioned until capacity is available.
Note: ZDR and Local Data Policy settings are only available on the Enterprise plan and can only be modified by organization administrators (Admin or SuperAdmin role).
Individual users sign the BAA directly within the Wispr Flow app. Enterprise administrators sign through the admin portal.
Note: The BAA document is loaded from Wispr's servers and requires an internet connection to view.
Individual users (Mac and Windows)
1. Open Wispr Flow and go to Settings → Data & Privacy.
2. Click "View and accept" next to the HIPAA BAA option.
3. Review the BAA document, enter your legal name, and click "I Agree."
The "I Agree" button is disabled until you enter your name.
Enterprise administrators
1. Open Wispr Flow and go to Settings → Data & Privacy.
2. Click "Open admin portal" to manage the BAA for your organization.
After signing, the button changes to "View" and opens the BAA document directly.
iOS
1. Open Wispr Flow and go to Settings.
2. Tap the HIPAA BAA option in the Data & Privacy section.
3. Review the PDF, enter your legal name, and tap "I Agree."
Warning: Signing the BAA is irreversible and permanently enforces Privacy Mode (zero data retention). Once signed, you can view the BAA document but cannot re-sign or revoke it.
Tip: You can also contact your account representative for assistance with BAA signing.
Note: Privacy Mode is also offered as a choice during initial app setup. Enterprise users will have Privacy Mode pre-selected and locked during onboarding.
Mac and Windows
1. Open Wispr Flow and go to Settings → Data & Privacy.
2. Enable the Privacy Mode toggle so that none of your dictation data is stored or used for model training.
iOS
1. Open Wispr Flow and go to Settings.
2. Enable the Privacy Mode toggle so that none of your dictation data is stored or used for model training.
Android
1. Open Wispr Flow and go to Settings.
2. Enable the Privacy Mode toggle in the Data & Privacy section.
Note: Android does not support BAA signing or enterprise data controls.
How does Wispr Flow handle subprocessors?
All subprocessors that may access PHI execute appropriate Business Associate Agreements, maintain HIPAA-compliant security controls, and adhere to zero data retention when Privacy Mode is enabled. For a current list of subprocessors, see the Subprocessors & Third-Party Security article.
What happens if there's a data breach?
Wispr Flow follows HIPAA-aligned breach notification procedures. Covered entities are notified without unreasonable delay, and no later than 60 days after breach discovery. Notification includes identities of affected individuals and details needed for covered entity notifications.
Does Wispr Flow support individual rights under HIPAA?
Yes. Wispr Flow supports covered entities in fulfilling individual rights under HIPAA, including the right to access PHI, request amendments, receive an accounting of disclosures, and request restrictions.
How does Wispr Flow handle the minimum necessary standard?
Wispr Flow limits PHI use, disclosure, and access to the minimum necessary to accomplish the intended purpose, consistent with HIPAA requirements and BAA obligations.
What training do Wispr Flow employees receive?
All Wispr Flow employees undergo security and privacy training upon hire, annual refresher training on HIPAA requirements, and role-specific training for personnel with PHI access.
BAA signing is available on Mac, Windows, and iOS. Individual users sign directly in-app; enterprise administrators sign through the admin portal.
Privacy Mode (zero data retention) is available on Mac, Windows, iOS, and Android. Android supports Privacy Mode but does not support BAA signing or enterprise admin controls.
Full enterprise HIPAA compliance features (ZDR enforcement, local data policies, BAA management) require an Enterprise plan and are administered from the desktop app.
Organizations using SCIM directory sync have user management controlled entirely through their identity provider.
On iOS, note syncing, AI summaries, Spotlight indexing, and Siri suggestions are disabled by default for HIPAA-restricted accounts. An administrator can enable note syncing at the enterprise level if permitted by your compliance program.
Reach out if you have questions about Wispr Flow's HIPAA compliance program:
Contact your account representative for BAA or compliance questions
Request HIPAA compliance documentation under NDA
Review the Data Processing Addendum for data handling details