HIPAA-Friendly Architecture

HIPAA-Friendly Dictation on Windows: Local Whisper, No Cloud Upload

Clinical and behavioral health workflows cannot risk PHI in third-party transcription clouds. StarWhisper runs Whisper locally on Windows. In Local Mode, audio and transcripts never leave the device. Free to start, $10/mo unlimited.

"Local Mode active. Audio is processed on this device only."

An honest take on "HIPAA dictation"

No software is HIPAA-certified, because HIPAA does not certify software. What matters is the architecture and how you configure it.

What StarWhisper does

Local-only architecture

The Whisper model runs on your device. In Local Mode, audio and transcripts are processed entirely on your CPU or NVIDIA GPU. Nothing is uploaded. The app works offline.

  • No cloud transmission of PHI in Local Mode
  • Works in Epic, Cerner, Allscripts, SimplePractice, TherapyNotes
  • No BAA required for the local-only flow
  • Free plan up to 500 words/day, Pro $10/mo unlimited
  • IT can lock Cloud Mode off at install time

What StarWhisper does NOT claim

HIPAA certification (no such thing)

No vendor honestly claims HIPAA certification for software, because the certification does not exist. HIPAA is workflow-level compliance. Your practice's compliance program decides whether a tool fits.

  • Not a substitute for compliance program review
  • Cloud Mode (opt-in) is not appropriate for PHI
  • Encryption at rest is up to your Windows configuration
  • Access controls and audit logs come from your EHR
  • Staff training and BAA management remain your responsibility

Why local Whisper fits HIPAA-sensitive workflows

Six architectural properties that map to common HIPAA risk concerns

No cloud transmission in Local Mode

The single biggest source of HIPAA risk in dictation is uploading patient audio to a vendor's cloud. Local Mode eliminates that path entirely. The audio is captured, processed by Whisper on your machine, and discarded. No upload, no retention.

Works offline, including air-gapped networks

Some practices run on segmented or air-gapped clinical networks. Cloud dictation tools cannot operate there. StarWhisper does not need network access to transcribe, so it works in environments where outbound traffic is restricted.

Open-source Whisper model

The underlying transcription engine is OpenAI's Whisper, released as open source. IT can inspect what is running. Researchers have independently benchmarked Whisper's accuracy on medical and clinical content.

Auto-pastes into any EHR text field

Works in Epic, Cerner, Allscripts, athenahealth, NextGen, eClinicalWorks, SimplePractice, TherapyNotes, and any web-based EHR. No integration required because the dictation layer sits at the OS level.

Administrator-controlled Cloud Mode

Cloud Mode is opt-in and disabled by default. IT administrators can ship the app with Cloud Mode locked off so end users cannot accidentally enable it. The configuration is documented for fleet deployments.

No subscription per seat for the free tier

Solo practitioners and small practices can evaluate the architecture and the workflow fit on the free tier (500 words/day) before any purchasing decision. Pro is $10 per month per user, flat.

The HIPAA dictation problem, stated plainly

Clinical documentation eats clinician time. Voice dictation cuts that time in half or more. The catch is that nearly every modern dictation tool is cloud-based, which means patient audio (and therefore protected health information, or PHI) is uploaded to a vendor's servers, processed there, and retained for some period. For HIPAA-regulated workflows, that creates a chain of obligations: data flow review, Business Associate Agreement, breach notification policy, vendor audit, and ongoing risk assessment. Most cloud dictation tools can be made to fit, but the paperwork load is real and the risk surface is non-trivial.

The cleaner solution is to never let PHI leave the device. If the audio never crosses the wire, the cloud-transmission category of risk does not apply, and most of the compliance overhead that comes with it does not apply either. This is the architectural angle StarWhisper is built around: a local-first Windows dictation app powered by Whisper, where the transcription engine runs on your CPU or NVIDIA GPU and the audio never touches a server.

This page lays out what local-only means in practice, what the application can and cannot claim, and what your compliance team will want to verify. The goal is not to talk you into a decision; it is to give you accurate information to bring back to the people in your practice who are responsible for that decision.

What "HIPAA-friendly" honestly means (and does not mean)

The phrase "HIPAA-compliant software" is often used loosely. To be precise: HIPAA is a US federal regulation that applies to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates. It applies to organizations and the workflows they operate, not to applications in isolation. There is no HIPAA certification body that certifies software products. Anyone who tells you their product is "HIPAA-certified" is either using shorthand for "has been deployed in HIPAA workflows" or is being imprecise.

What software can be is HIPAA-friendly: architected and configured so that it fits naturally into a HIPAA-compliant workflow. Some properties make this easier:

  • Local-only data flow, so PHI never leaves the covered entity's controlled environment
  • Encryption support at rest (delegated to Windows BitLocker or equivalent)
  • Audit logging at the application or OS level
  • Configurable access controls
  • Clear documentation of any optional cloud features and how to disable them

StarWhisper's local-only architecture covers the first point directly. The remaining points are workflow-level concerns that combine your OS configuration, your EHR, your endpoint policy, and your practice's compliance program. StarWhisper is one piece of the picture, not the whole picture.

How the audio flow works, step by step

For Local Mode, which is the only mode appropriate for PHI workflows:

  1. You press the configured push-to-talk hotkey.
  2. Windows captures audio from your microphone driver and sends it directly to the StarWhisper process running on your local machine.
  3. The Whisper model, which lives in your StarWhisper installation directory, processes the audio buffer in memory on your CPU or NVIDIA GPU.
  4. The model produces text, which is typed into whatever Windows text field has focus (your EHR, your notes app, your chart).
  5. The audio buffer is discarded.

At no point in this flow does audio or text touch a network socket bound to a remote address. The StarWhisper process does not contact any StarWhisper server, OpenAI server, or any third-party transcription service during transcription. The application does make occasional outbound calls for license verification and update checks, both of which can be reviewed in your network logs and do not contain PHI.

Cloud Mode, when enabled, changes step three: instead of running Whisper locally, the audio is sent to the OpenAI Whisper API. This is not appropriate for PHI workflows and is disabled by default. For HIPAA-regulated deployments, leave it disabled and consider using the administrator configuration to lock it off entirely (see Setup, below).

EHR and clinical software compatibility

Because StarWhisper types at the OS level rather than through an EHR-specific integration, compatibility is broad. The application has been used with:

Software category                 Examples                                               Works as keyboard input
Hospital EHRs                     Epic Hyperspace, Cerner PowerChart, Meditech           Yes
Ambulatory EHRs                   Allscripts, athenahealth, NextGen, eClinicalWorks      Yes
Behavioral health                 SimplePractice, TherapyNotes, TheraNest, Valant        Yes
Dental practice management        Dentrix, Eaglesoft, Open Dental                        Yes
Web-based portals and dashboards  Any browser-based EHR or admin portal                  Yes
Office and notes                  Word, Notepad, OneNote, Outlook drafts                 Yes

"Works as keyboard input" means that pressing the hotkey, dictating, and releasing pastes the transcribed text wherever your cursor is at that moment. There is no separate EHR plugin or configuration. This is similar to how built-in Windows speech recognition behaves, except the engine is Whisper and the audio stays local.

For more focused vertical guides, see voice to text for doctors and voice to text for therapists, which cover specialty-specific workflows in more depth.

Why local Whisper compares well against Dragon Medical and cloud alternatives

The traditional clinical dictation market is dominated by Dragon Medical (Nuance / Microsoft), which moved to a cloud-first product (Dragon Medical One) several years ago. Cloud-based clinical dictation has real advantages for institutional buyers (centralized management, voice-profile sync), but it also creates the same PHI-flow concerns described above and carries enterprise pricing.

  • Dragon Medical One: cloud, subscription, typically several hundred dollars per user per year, with BAA support and enterprise integrations.
  • 3M M*Modal: cloud, enterprise pricing, EHR-integrated.
  • Various AI scribe products (Abridge, Suki, DeepScribe, Nuance DAX): cloud, enterprise pricing, in some cases including LLM-based note generation from ambient audio.
  • Generic cloud dictation (Otter, Rev, Notta): not specifically clinical, but used by some smaller practices.

StarWhisper does not try to compete with these on enterprise integration. It competes on architecture: a local-first tool that costs $10 per month, works in any application that accepts keyboard input, and keeps audio on your device. For a solo practitioner, a small therapy practice, or a clinician who wants a private dictation tool for their own notes, the architectural fit and the price point matter. For a hospital-scale deployment with centralized voice profile management and ambient scribe needs, the institutional products are still the better fit.

Setup for a HIPAA-sensitive deployment

For individual clinicians:

  • Install StarWhisper from the download page or the Microsoft Store.
  • On first run, confirm the transcription mode is Local Mode (Settings -> Transcription mode). Local Mode is the default.
  • Verify that Cloud Mode is disabled.
  • Configure a push-to-talk hotkey that does not collide with your EHR shortcuts.
  • Confirm with your practice's compliance program before dictating PHI.

For practice IT or compliance administrators managing fleet deployments:

  • Use the administrator configuration to disable Cloud Mode at install time and hide the toggle from end users.
  • Verify that your Windows endpoint configuration includes BitLocker disk encryption, screen-lock policy, and audit logging consistent with your security policy.
  • Review the application's outbound network connections (license check, update check) to confirm they do not carry PHI and that they fit your egress policy.
  • Document the dictation workflow in your HIPAA risk assessment, including the local-only data flow.
  • Train staff that Cloud Mode must remain disabled for any workflow involving PHI.
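One way to carry out the connection review and BitLocker check from the administrator list above, as an added PowerShell example that is not StarWhisper's own tooling: it samples the app's established TCP connections while you dictate a non-PHI test note, prints any remote address that is not local to the machine, and then reports disk-encryption status. The process name "StarWhisper" and the sampling window are assumptions.

```powershell
# Added audit script (not part of StarWhisper). Assumptions: the app's process
# is named "StarWhisper" (adjust if the installer uses another name) and the
# shell is elevated, because Get-BitLockerVolume requires administrator rights.
param(
    [string]$ProcessName   = "StarWhisper",
    [int]   $SampleSeconds = 60   # dictate a NON-PHI test note during this window
)

# Loopback, unspecified and link-local addresses never leave the machine. Anything
# else is off-device traffic: it must match the documented license/update calls
# or be treated as a finding for a Local Mode deployment.
function Test-IsLocalAddress([string]$Address) {
    return ($Address -eq '127.0.0.1') -or ($Address -eq '::1') -or
           ($Address -eq '0.0.0.0')   -or ($Address -eq '::')  -or
           ($Address -like '169.254.*') -or ($Address -like 'fe80:*')
}

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { throw "No running process named '$ProcessName'; start the app first." }
$appPids = @($procs.Id)

# Sample established TCP connections owned by the app once per second and
# collect every distinct remote endpoint seen during the dictation session.
$seen = @{}
for ($i = 0; $i -lt $SampleSeconds; $i++) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $appPids -contains $_.OwningProcess } |
        ForEach-Object { $seen["$($_.RemoteAddress):$($_.RemotePort)"] = $true }
    Start-Sleep -Seconds 1
}

# Strip the trailing ":port" so the address can be classified.
$remote = $seen.Keys | Where-Object { -not (Test-IsLocalAddress ($_ -replace ':\d+$', '')) }

if ($remote) {
    Write-Output "Off-device TCP endpoints seen while dictating (reconcile each against the"
    Write-Output "documented license/update endpoints; anything else is a finding):"
    $remote | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No off-device TCP connections from $ProcessName in $SampleSeconds s of sampling."
}

# Endpoint posture items from the same checklist: BitLocker on the system drive
# and the logon audit subcategory that feeds Security log sign-in events.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Output "BitLocker on $($env:SystemDrive): protection $($bl.ProtectionStatus), volume $($bl.VolumeStatus)"
auditpol /get /subcategory:"Logon"
```

Get-NetTCPConnection only sees TCP, so pair this with Windows Firewall logging or a packet capture if you also need to rule out UDP or QUIC traffic.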

For practice-specific guidance, your compliance counsel is the right authority. The information on this page is descriptive, not legal advice.

Related reading on private clinical dictation

For broader context on HIPAA-compliant dictation software and how to evaluate vendors, see the HIPAA-compliant dictation software FAQ. For specialty workflows, the voice to text for doctors and voice to text for therapists pages cover physician and behavioral health flows respectively. For an operational reference on medical scribing, see voice to text for medical scribes.

Frequently Asked Questions

Is StarWhisper HIPAA-certified?
No, and to be precise about it, no software is. HIPAA is a regulation that applies to covered entities and business associates, not a certification awarded to applications. What software can do is be architected to support HIPAA-compliant workflows. StarWhisper's local-only design (audio and transcripts stay on your device, no cloud transmission in Local Mode) removes the most common cloud-PHI risk that drives HIPAA concerns about dictation software. Each practice should evaluate the architecture against its own compliance program.
Does the audio leave my device?
In Local Mode, no. The Whisper model runs on your CPU or NVIDIA GPU. Audio is captured by your microphone, processed locally, converted to text on your machine, and discarded. Nothing is uploaded. The app works offline. Local Mode is the default for HIPAA-sensitive use. Cloud Mode, which sends audio to the OpenAI Whisper API for faster processing, is an opt-in feature that should be disabled for any workflow involving PHI.
Can my IT department audit the application?
Yes. StarWhisper is a standard Windows desktop application that you install from an installer or the Microsoft Store. IT can inspect the installation directory, review the bundled Whisper model files, monitor network connections (Local Mode makes none for transcription), and apply standard endpoint policies. The codebase uses the open-source Whisper model from OpenAI, which has been independently reviewed by the research community. For specific audit needs, your compliance team should contact support directly.
Do I need a Business Associate Agreement?
A BAA is required when a vendor handles PHI on your behalf. In Local Mode, no vendor handles PHI: your audio and transcripts stay on your device and are never transmitted to StarWhisper or any third party. There is no PHI flow that would trigger the BAA requirement. If you enable Cloud Mode, audio is transmitted to the OpenAI Whisper API, which does have its own data handling terms; that path is not appropriate for PHI workflows and should be disabled. Always confirm interpretation with your own compliance counsel.
Does it work in Epic, Cerner, or other EHRs?
Yes. StarWhisper types text into any Windows text field that accepts keyboard input. Epic Hyperspace, Cerner PowerChart, Allscripts, athenahealth, NextGen, eClinicalWorks, and web-based EHRs all qualify. Press the hotkey, dictate the note, release, and the transcribed text is pasted wherever your cursor is. There is no EHR-specific integration to install or configure. The dictation layer sits at the operating system level, below the EHR application.
What is Cloud Mode and how is it different?
Cloud Mode sends audio to the OpenAI Whisper API for transcription, which is faster on lower-end hardware but transmits audio off-device. This is the wrong mode for PHI and is disabled by default. For HIPAA-sensitive workflows, keep Cloud Mode disabled and use Local Mode only. The setting is in Settings -> Transcription mode and can be locked off if your IT team manages the installation. Local Mode produces equivalent accuracy at slightly higher latency on CPU-only setups, and is faster than Cloud Mode on a modern NVIDIA GPU.
Can I disable Cloud Mode entirely so it cannot be enabled accidentally?
Yes. The application supports a configuration that disables Cloud Mode at the install level. IT administrators managing fleet deployments can ship the app with Cloud Mode disabled and the setting hidden from end users. This eliminates the risk of a clinician accidentally toggling Cloud Mode and routing PHI through a third-party API. Contact support for the administrator configuration guide and the relevant registry or config-file flag.
Windows itself is not HIPAA-certified, so what does that mean?
Correct, and the same point applies: Windows is an operating system, not a HIPAA-certified product, because HIPAA does not certify products. Microsoft documents how Windows can be configured to support HIPAA-compliant workflows (BitLocker disk encryption, Windows Hello for sign-in, audit logging, EMM policies, and so on). HIPAA compliance is always at the workflow level, combining the OS, the EHR, the dictation tool, the storage policy, the access controls, and staff training. StarWhisper's local-only architecture is one piece of that picture.

Try StarWhisper Free in Local Mode

500 words per day on the free tier. No credit card. Audio never leaves your device.
