What dictation software is safe to use for HIPAA-protected patient notes?
HIPAA does not certify or list approved dictation tools. Compliance is a function of how the software handles protected health information (PHI), specifically whether audio or transcribed text leaves the controlled environment. Cloud transcription services like Otter, Rev, and Win+H upload audio to vendor servers; using them with PHI requires a signed Business Associate Agreement (BAA) with the vendor and explicit policy coverage.
A simpler architecture is local-only transcription, where audio never leaves the doctor's workstation. StarWhisper is a Windows desktop app built around this design: OpenAI's Whisper model runs entirely on the local machine via whisper.cpp. In default mode there is no cloud upload, no telemetry of audio content, and no third-party processor handling PHI, so no BAA is needed because no covered third party touches the data.
Practical setup for clinical use:
- Install StarWhisper on the workstation. The free tier covers 500 words per day; for full clinical workloads the Pro tier at 10 USD per month removes word limits and unlocks the Medium and Large Whisper models. For typical live dictation the Small model on Auto handles medical terminology well; Medium is worth trying on long-form notes or non-Latin script languages.
- Disable the optional cloud Whisper fallback in settings. With this off, all transcription is local. The app also offers a Pro setting to disable any non-essential network calls.
- Use Auto-Paste to type directly into your EMR or note-taking app. Whisper handles common medical vocabulary including drug names, anatomy, and procedure names; for highly specialized sub-disciplines a brief proofread is recommended.
- Combine with standard endpoint protections: full-disk encryption, screen lock, and the rest of your HIPAA security baseline.
Several clinics already use StarWhisper this way, including a German GP cited in a public testimonial. The architecture is the same one that lets it run offline on planes: no internet dependency means no PHI in transit. This does not constitute legal advice; verify the configuration against your organization's HIPAA policy.
All FAQ topics