PodScribe Security & HIPAA Compliance
Last Updated: February 22, 2026
PodScribe is a HIPAA-compliant AI clinical scribe built exclusively for podiatric medicine. Every component — from voice transcription to note generation to data storage — is designed to protect patient data without compromise. This page details exactly how.
AI & Your Data
- All AI processing uses HIPAA-compliant Azure OpenAI services with a signed Business Associate Agreement (BAA).
- Your transcripts and clinical notes are never used to train AI models — ever.
- No patient data is retained by AI services after processing is complete.
- Proprietary podiatry-specific prompts are stored server-side and never exposed to the browser or client.
Encryption & Data Protection
- All data is encrypted at rest using AES-256 and in transit using TLS 1.2+.
- Voice transcription uses enterprise-grade, end-to-end encrypted Azure Speech Services.
- Cryptographic modules conform to FIPS PUB 140-2 standards.
- All processing occurs in US-based Azure data centers (Arizona and Virginia) — your data never leaves the country.
Cloud Infrastructure & Availability
- Hosted entirely on Microsoft Azure with a signed HIPAA Business Associate Agreement.
- Continuous data replication across availability zones for point-in-time recovery.
- Azure's high-availability infrastructure ensures your data is always accessible.
- Annual disaster recovery testing through tabletop and technical exercises.
- Backups are encrypted and stored securely within the US.
Security Certifications & Compliance
- SOC 2 Type I and Type II compliant.
- HIPAA compliant with signed BAAs across all vendors who process patient information.
- Aligns with OWASP secure coding standards.
- Regular security audits, risk assessments, and third-party vulnerability assessments.
- Azure Security Center used for continuous monitoring and vulnerability scanning.
User Access & Management
- Role-based access control with unique user IDs and strong password requirements (12+ characters, bcrypt hashed).
- Two-factor authentication required for all internal personnel.
- Immediate access revocation upon employment termination or policy violation.
- Annual access reviews to verify proper authorization levels.
- All company workstations use encrypted hard drives and enforced access controls.
Network & Firewall Security
- All connections terminate at a firewall; rules reviewed and updated quarterly.
- Stateful packet inspection via Azure Network Security Groups.
- Network segmentation separates databases from front-end systems.
- Continuous 24/7 monitoring using Azure Monitor for events, traffic, and logs.
Secure Development Lifecycle
- Security integrated into every stage of the development pipeline (DevSecOps).
- Adherence to industry-standard secure coding guidelines.
- Static and dynamic application security testing throughout development.
- Automated security scans of codebase and infrastructure.
- All software changes reviewed for compliance before deployment.
- Infrastructure-as-code: all infrastructure changes reviewed before deployment.
Incident Response & Monitoring
- Documented incident response plan with notification and mitigation procedures.
- 24/7 continuous monitoring via Azure Monitor.
- Regular security audits and third-party assessments.
- Prompt patch management based on vulnerability assessments, with a structured approval process.
Internal Personnel Security
- Background checks required for all employees before hiring.
- Annual security awareness training covering HIPAA, privacy, and information classification.
- Role-specific incident response and contingency training.
- All employees acknowledge understanding of security policies and best practices.
Vendor Management
- All vendors who process patient information are required to be HIPAA compliant and sign BAAs with PodScribe.
- Regular review of vendor security practices to ensure continued high standards.
Questions about our security practices? support@podiatry-scribe.com
