What dictation software is safe to use for HIPAA-protected patient notes?
HIPAA does not certify or list approved dictation tools. Compliance is a function of how the software handles protected health information (PHI), specifically whether audio or transcribed text leaves the controlled environment. Cloud transcription services like Otter, Rev, and Win+H upload audio to vendor servers; using them with PHI requires a signed Business Associate Agreement (BAA) with the vendor and explicit policy coverage.
A simpler architecture is local-only transcription, where audio stays on the doctor's workstation for transcription. StarWhisper is a Windows desktop app built around this design: OpenAI's Whisper model can run entirely on the local machine via whisper.cpp. In Local Mode there is no cloud audio upload for transcription and no telemetry of audio content, which can reduce vendor disclosure risk. Your organization should still verify the configuration against its own HIPAA policies.
Practical setup for clinical use:
- Install StarWhisper on the workstation. The free tier covers 500 words per day; for full clinical workloads the Pro tier at 10 USD per month removes word limits and unlocks the Large Whisper model, which handles medical terminology well.
- Disable the optional cloud Whisper fallback in settings. With this off, all transcription is local. The app also offers a Pro setting to disable any non-essential network calls.
- Use Auto-Paste to type into EMR or note-taking fields that accept clipboard input. Whisper Large can improve medical vocabulary handling, but clinical notes should still be reviewed before saving.
- Combine with standard endpoint protections: full-disk encryption, screen lock, and the rest of your HIPAA security baseline.
The same Local Mode architecture also supports offline use after setup: because transcription needs no internet connection, no PHI is uploaded for transcription. This does not constitute legal advice; verify the configuration against your organization's HIPAA policy.
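One way to check the local-only configuration on a workstation, as an added example that is not StarWhisper's own code: this PowerShell script polls the TCP connections owned by the app while you dictate and lists every non-loopback remote endpoint it sees. The process name `StarWhisper` is an assumption; pass the real one with `-ProcessName`.

```powershell
# Added example: observe outbound TCP connections of the dictation app
# during a test dictation (use non-PHI test speech).
param(
    [string]$ProcessName = 'StarWhisper',  # assumption: the real process name may differ
    [int]$Seconds = 60                     # how long to watch while you dictate
)

$seen = @{}
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # Re-resolve process ids on every pass in case the app restarts.
    $procIds = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Id)

    if ($procIds.Count -gt 0) {
        Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $procIds -contains $_.OwningProcess -and $_.State -ne 'Listen' } |
            ForEach-Object {
                $addr = $_.RemoteAddress
                # Loopback and unspecified addresses never leave the machine.
                $local = $addr -like '127.*' -or $addr -eq '::1' -or
                         $addr -eq '0.0.0.0' -or $addr -eq '::'
                if (-not $local) {
                    $seen["$addr port $($_.RemotePort)"] = $_.State
                }
            }
    }
    Start-Sleep -Milliseconds 500
}

if ($seen.Count -eq 0) {
    Write-Output "No non-loopback TCP connections observed for '$ProcessName' in $Seconds s."
} else {
    Write-Output "Remote endpoints contacted by '$ProcessName':"
    $seen.GetEnumerator() | Sort-Object Name |
        ForEach-Object { Write-Output ("  {0}  ({1})" -f $_.Name, $_.Value) }
}
```

Polling can miss very short-lived connections and does not cover UDP, so treat an empty result as supporting evidence and confirm it against firewall or proxy logs for the workstation.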