HIPAA Compliance & Healthcare Use

Last updated: April 28, 2026

Available on: Mac, Windows, iOS, Android. BAA signing is supported on Mac, Windows, and iOS. Full enterprise HIPAA controls require an Enterprise plan on desktop.

If you dictate clinical notes, patient records, or other PHI, Wispr Flow supports HIPAA-compliant workflows — including Business Associate Agreements, Privacy Mode for zero data retention, and enterprise data controls.


What it is

Wispr Flow's HIPAA program covers three areas: infrastructure safeguards that protect PHI at the system level, Business Associate Agreements (BAAs) that formalize data handling obligations, and Privacy Mode plus enterprise controls that give organizations direct control over data retention. Together these meet HIPAA's administrative, physical, and technical safeguard requirements.


When to use it

Use HIPAA compliance features when you want to:

  • Dictate clinical notes, patient records, or other PHI using voice.

  • Ensure zero data retention for sensitive healthcare dictation.

  • Formalize data handling obligations with a signed Business Associate Agreement.

  • Enforce organization-wide privacy and data policies for your healthcare team.


How it works

Overview

Wispr Flow combines system-level safeguards, signed BAAs, and Privacy Mode to keep PHI protected throughout dictation and transcription. Enterprise administrators get additional controls to enforce these protections across their organization.

Key safeguards

  • Encryption: PHI is encrypted in transit and at rest.

  • Access controls: PHI access is limited to authorized personnel only.

  • Audit logging: PHI access and system activities are logged.

  • Incident response: Breach notification procedures are in place.

  • Security assessments: Regular security reviews and updates are performed.

  • Network security: Content Security Policy enforcement restricts all connections to approved HTTPS domains, prevents navigation to unapproved origins, and blocks permission requests from non-HTTPS sources.

  • Offline enforcement: Enterprise settings (including ZDR and data policies) are cached locally and remain enforced during network connectivity issues.

Business Associate Agreements (BAAs)

Wispr Flow enters into BAAs with covered entities and other business associates. Each BAA covers permitted uses and disclosures of PHI, safeguarding requirements, breach notification obligations, subcontractor management, individual and covered entity rights, and termination and data return provisions.

Privacy Mode for PHI protection

Enable Privacy Mode for any account that handles PHI. With Privacy Mode on:

  • Zero data retention: No dictation data is stored or used for model training by Wispr or any third party.

  • No PHI persistence: No PHI remains on Wispr Flow systems after transcription.

  • Subprocessor compliance: Subprocessors are contractually bound to the same zero-retention requirements.

  • Server-side enforcement: Wispr's servers independently verify Privacy Mode, ZDR, and HIPAA BAA status on every upload, providing protection even if a client-side issue occurs.

Note: After a HIPAA BAA is signed (individually or at the organization level), Privacy Mode is permanently locked on and the toggle is disabled. On iOS, the description changes to indicate Privacy Mode is enforced. Privacy Mode is also permanently locked on when your organization's administrator enables Zero Data Retention (ZDR).
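The server-side enforcement and lock-on rules above can be modelled as a small policy check. The following is an added illustration written for this page, not Wispr Flow's own code: the account fields, function names and reason strings are assumptions. The point it shows is that the server derives the effective retention decision from state it holds itself (BAA status, organization ZDR, the stored Privacy Mode value) and treats whatever the client claims about Privacy Mode as untrusted input.

```python
"""Illustrative server-side Privacy Mode / ZDR enforcement (example code,
not Wispr Flow's implementation). All names here are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountState:
    privacy_mode: bool   # user's toggle as stored server-side
    baa_signed: bool     # individual or organization-level BAA on file
    org_zdr: bool        # organization admin enabled Zero Data Retention


@dataclass(frozen=True)
class UploadRequest:
    account: AccountState
    client_says_privacy_mode: bool  # client's claim; never trusted on its own
    contains_audio: bool


def privacy_mode_locked(acct: AccountState) -> bool:
    """Privacy Mode is permanently on once a BAA is signed or org ZDR is set."""
    return acct.baa_signed or acct.org_zdr


def effective_privacy_mode(acct: AccountState) -> bool:
    """Server-side truth: the stored toggle OR any lock that overrides it."""
    return acct.privacy_mode or privacy_mode_locked(acct)


def apply_toggle(acct: AccountState, requested: bool):
    """Handle a toggle change request. Returns (new_state, accepted).
    Turning Privacy Mode off is refused while it is locked; the stored value
    is forced to True so a stale client cannot downgrade it."""
    if privacy_mode_locked(acct) and not requested:
        forced = AccountState(True, acct.baa_signed, acct.org_zdr)
        return forced, False
    return AccountState(requested, acct.baa_signed, acct.org_zdr), True


def decide_upload(req: UploadRequest):
    """Return (retain, reason). retain=False means transcribe and discard.
    The decision is recomputed on every upload from server-held state."""
    if effective_privacy_mode(req.account):
        if not req.client_says_privacy_mode:
            # Client and server disagree; server wins and the mismatch is
            # the kind of event worth surfacing in audit logs.
            return False, "zdr-enforced-despite-client-claim"
        return False, "zdr"
    return True, "retention-allowed"


if __name__ == "__main__":
    # Constructed sample: BAA signed, but the client claims Privacy Mode is off.
    acct = AccountState(privacy_mode=False, baa_signed=True, org_zdr=False)
    print(decide_upload(UploadRequest(acct, False, True)))
    print(apply_toggle(acct, False))
```

The design choice worth noting is that `effective_privacy_mode` is evaluated per request rather than cached from the client's last report, which is what makes a client-side bug or a tampered client unable to reintroduce retention for a locked account.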

Warning: Submitting a feedback report through the app automatically includes app preferences and log files (on desktop). If you report a specific transcription from your history, that report may also include the transcript text and audio recording. Avoid submitting reports that may contain PHI. On Android, feedback submissions only include your typed message and an optional image attachment.

Notes (Scratchpad) behavior with a BAA

When a HIPAA BAA is signed or Privacy Mode is enabled, Notes behavior changes by platform:

  • Mac and Windows: Notes remain available in the sidebar and are stored locally on your device. Cross-device cloud syncing is disabled, manual sync buttons are hidden, and a notice on the Notes page explains that notes won't sync across devices.

  • iOS — AI summary button: The AI summary option on note cells is hidden.

  • iOS — Spotlight indexing: Note content is not indexed in iOS Spotlight search, so notes cannot be found from the system search screen.

Note: The iOS restrictions apply to any user with Privacy Mode enabled, not only HIPAA BAA signers. They are managed server-side and may be adjusted by Wispr — contact your account representative for questions.

Enterprise data controls

Enterprise administrators have additional data controls for HIPAA compliance:

  • Zero Data Retention (ZDR): Enforces Privacy Mode for all organization members. ZDR cannot be disabled after a BAA is signed. Wispr may also lock ZDR on for your organization — contact support to modify if needed.

  • Local Data Policy: Choose from normal storage, automatic deletion after 24 hours, or never storing data locally. This applies to locally stored AI polish/rewrite data in addition to transcription history. When an enterprise sets a Local Data Policy, individual users can only choose options at the same or a more restrictive level.

  • Hide Improve Model: Silently prevents data sharing for model improvement at the system level, regardless of individual user toggle state. This setting is managed by Wispr support and is not configurable from the admin portal.

  • SSO / SAML: Enterprise single sign-on is available. SCIM-provisioned users authenticate via SSO through your identity provider. SSO enforcement requires an active enterprise subscription — if the subscription lapses, SSO enforcement is automatically disabled.

  • SCIM provisioning: Manage team membership entirely through your identity provider. SCIM provisioning respects your enterprise seat cap — if the limit is reached, new users are not provisioned until capacity is available. When SCIM directory sync is active, manual member management through the admin portal is disabled.

Note: ZDR and Local Data Policy settings are only available on the Enterprise plan and can only be modified by organization administrators (Admin or SuperAdmin role).
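Two of the behaviours described on this page, the Local Data Policy ordering (users may only pick a setting at least as restrictive as the organization's) and offline enforcement (cached enterprise settings stay in force when the network is unavailable), can be demonstrated together. The block below is an added example written for this article, not Wispr Flow's code; the enum values, function names, cache shape and the sample history entries are all constructed assumptions.

```python
"""Illustrative client-side Local Data Policy resolution with an offline
cache (example code, not Wispr Flow's implementation)."""
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class LocalDataPolicy(IntEnum):
    # Ordered by restrictiveness so comparisons and max() are meaningful.
    NORMAL = 0        # keep local history indefinitely
    DELETE_24H = 1    # purge anything older than 24 hours
    NEVER_STORE = 2   # write nothing locally


def validate_user_choice(org_policy, user_choice) -> bool:
    """A user may match or tighten the organization floor, never loosen it."""
    return org_policy is None or user_choice >= org_policy


def effective_policy(org_policy, user_choice) -> LocalDataPolicy:
    """Most restrictive setting wins, so a stale or tampered user value can
    never weaken what the organization set."""
    if org_policy is None:
        return user_choice
    return max(org_policy, user_choice)


def resolve_org_policy(fetch, cache: dict):
    """fetch() returns the org policy from the server or raises
    ConnectionError. On failure the last cached value is used unchanged
    (fail-closed: a failed fetch never clears or relaxes the cache)."""
    try:
        policy = fetch()
    except ConnectionError:
        return cache.get("org_policy")
    cache["org_policy"] = policy
    return policy


def purge(history, policy: LocalDataPolicy, now: datetime):
    """Apply the policy to (timestamp, text) entries; returns what remains."""
    if policy == LocalDataPolicy.NEVER_STORE:
        return []
    if policy == LocalDataPolicy.DELETE_24H:
        cutoff = now - timedelta(hours=24)
        return [entry for entry in history if entry[0] >= cutoff]
    return list(history)


def demo():
    """Constructed scenario: the org set DELETE_24H, the device is offline,
    and the user had chosen NORMAL before the org policy existed."""
    now = datetime(2026, 4, 28, 12, 0, tzinfo=timezone.utc)
    history = [  # constructed sample entries
        (now - timedelta(hours=25), "old dictation"),
        (now - timedelta(hours=1), "recent dictation"),
    ]
    cache = {"org_policy": LocalDataPolicy.DELETE_24H}

    def offline_fetch():
        raise ConnectionError("no network")

    org = resolve_org_policy(offline_fetch, cache)
    policy = effective_policy(org, LocalDataPolicy.NORMAL)
    return policy, [text for _, text in purge(history, policy, now)]


if __name__ == "__main__":
    print(demo())
```

Keeping the policy as an ordered enum is what makes the "same or more restrictive" rule a single comparison, and routing every read through `resolve_org_policy` means the offline path and the online path share the same enforcement code rather than a separate, easily forgotten fallback.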


How to sign a BAA

Individual users sign the BAA directly within the Wispr Flow app. Enterprise administrators sign through the admin portal.

Note: The BAA document is loaded from Wispr's servers and requires an internet connection to view.

Individual users (Mac and Windows)

Sign the BAA from in-app settings:

  1. Open Wispr Flow and go to Settings → Data & Privacy.

  2. Click "View and accept" next to the HIPAA BAA option.

  3. Review the BAA document, enter your legal name, and click "I Agree."

The "I Agree" button is disabled until you enter your name. Once signed, the button changes to "View" and opens the BAA document directly.

Enterprise administrators

Sign on behalf of your organization through the admin portal:

  1. Open Wispr Flow and go to Settings → Data & Privacy.

  2. Click "Open admin portal" to manage the BAA for your organization.

iOS

Sign the BAA directly on your device:

  1. Open Wispr Flow and go to Settings.

  2. Tap the HIPAA BAA option in the Data & Privacy section.

  3. Review the PDF, enter your legal name, and tap "I Agree."

Warning: Signing the BAA is irreversible and permanently enforces Privacy Mode (zero data retention). Once signed, you can view the BAA document but cannot re-sign or revoke it.

Tip: Contact your account representative for assistance with BAA signing.


How to enable Privacy Mode

Note: Privacy Mode is also offered as a choice during initial app setup. Enterprise users will have Privacy Mode pre-selected and locked during onboarding.

Mac and Windows

Turn on Privacy Mode from Settings:

  1. Open Wispr Flow and go to Settings → Data & Privacy.

  2. Enable the Privacy Mode toggle. None of your dictation data will be stored or used for model training.

iOS

Turn on Privacy Mode from Settings:

  1. Open Wispr Flow and go to Settings.

  2. Enable the Privacy Mode toggle. None of your dictation data will be stored or used for model training.

Android

Turn on Privacy Mode from Settings:

  1. Open Wispr Flow and go to Settings.

  2. Enable the Privacy Mode toggle in the Data & Privacy section.

Note: Android supports Privacy Mode but does not enforce enterprise privacy policies — the toggle remains user-controllable regardless of organization settings. Android does not support BAA signing or enterprise data controls.


FAQs

How does Wispr Flow handle subprocessors?

All subprocessors that may access PHI execute appropriate Business Associate Agreements, maintain HIPAA-compliant security controls, and adhere to zero data retention when Privacy Mode is enabled. For a current list of subprocessors, see the Subprocessors & Third-Party Security article.

What happens if there's a data breach?

Wispr Flow follows HIPAA-aligned breach notification procedures. Covered entities are notified without unreasonable delay, and no later than 60 days after breach discovery. Notification includes identities of affected individuals and details needed for covered entity notifications.

Does Wispr Flow support individual rights under HIPAA?

Yes. Wispr Flow supports covered entities in fulfilling individual rights under HIPAA, including the right to access PHI, request amendments, receive an accounting of disclosures, and request restrictions.

How does Wispr Flow handle the minimum necessary standard?

Wispr Flow limits PHI use, disclosure, and access to the minimum necessary to accomplish the intended purpose, consistent with HIPAA requirements and BAA obligations.

What training do Wispr Flow employees receive?

All Wispr Flow employees undergo security and privacy training upon hire, annual refresher training on HIPAA requirements, and role-specific training for personnel with PHI access.


Limitations and notes

  • BAA signing is available on Mac, Windows, and iOS. Android does not support BAA signing.

  • Privacy Mode is available on Mac, Windows, iOS, and Android. On Android, the toggle is user-controllable and is not subject to enterprise enforcement.

  • Full enterprise HIPAA features (ZDR enforcement, Local Data Policy, BAA management) require an Enterprise plan and are administered from the desktop app.

  • Organizations using SCIM directory sync have user management controlled entirely through their identity provider.

  • Notes are stored locally on your device for BAA-signed users on Mac and Windows. Cloud syncing across devices is not available for HIPAA BAA accounts.


Still need help?

Reach out if you have questions about Wispr Flow's HIPAA compliance program:

  • Contact your account representative for BAA or compliance questions — include your organization name and plan.

  • Request HIPAA compliance documentation under NDA.

  • Review the Data Processing Addendum for data handling details.