Awareness article
HIPAA for Medical Scribes
Medical scribes document physician encounters in real time, giving them direct access to PHI. This guide covers minimum necessary standard, device policies, confidentiality obligations, and the difference between in-person and remote scribes.
Short answer
Medical scribes document patient encounters in real time and have continuous access to PHI. Their HIPAA obligations include applying the minimum necessary standard, avoiding personal devices for capturing PHI, maintaining confidentiality of transcribed content, and using only approved secure systems - whether scribing in person or remotely.
You are present at the most sensitive moment in a clinical encounter: the real-time documentation of a patient’s health status, history, and provider assessment. You hear and transcribe PHI continuously and have access to clinical systems containing patient records. Your HIPAA obligations are correspondingly direct.
Scenario: You are a remote scribe for a 3-provider internal medicine practice. Between encounters, you use your personal phone to photograph your laptop screen showing a patient’s medication list so you can finish the note later. That photograph is now PHI stored on your personal device, outside the clinic’s security controls, in a format that has no audit trail. Under 45 CFR § 164.312, this is a Security Rule violation - and if the phone is later lost or stolen, the clinic has a presumptive breach under 45 CFR § 164.402. The correct approach is to use only the clinic’s approved EHR system and complete documentation before closing out of the session.
Minimum Necessary Standard in Scribing
The minimum necessary standard at 45 CFR § 164.514(d) applies to you the same way it applies to any workforce member: access to PHI should be limited to what is needed to perform the assigned function.
Access is limited to active encounters. Access only the records needed to document the patients you are scribing for during your current shift. Do not review other patients’ records out of curiosity, access records from prior shifts without a specific documentation need, or browse clinical notes unrelated to your current assignments.
Background review is limited. Before entering an exam room, you may review the patient’s active problem list, current medications, or chief complaint to prepare for efficient documentation. Reviewing the patient’s complete chart history when the encounter does not require it exceeds minimum necessary.
Notes reflect what was clinically relevant. Document what the provider discussed, assessed, and directed - not personal observations, impressions, or supplementary information not stated by the provider. Anything added beyond the provider’s direction introduces unauthorized PHI handling.
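One way a clinic's privacy reviewer can check the access rules above against EHR audit data, as an added example that is not part of the original article: the script compares chart-access log entries with a scribe's encounter schedule and flags reads outside the shift, outside the scribe's assigned patients, or earlier than a short pre-encounter prep window. The log format, field names, schedule structure and all sample values are constructed for illustration, and the 30-minute prep window is an assumed clinic policy value.

```python
# Added example: flag chart accesses that exceed minimum necessary for a scribe shift.
# Audit log columns, schedule layout and all values below are constructed, not real.
from datetime import datetime, timedelta

# Constructed schedule: (scribe_id, patient_id, encounter start) for one shift.
SCHEDULE = [
    ("scribe07", "P1001", "2024-05-14T09:00"),
    ("scribe07", "P1002", "2024-05-14T09:30"),
    ("scribe07", "P1003", "2024-05-14T10:00"),
]
# Constructed shift window per scribe: (start, end).
SHIFT = {"scribe07": ("2024-05-14T08:30", "2024-05-14T12:30")}

# Constructed EHR audit log: timestamp,user,patient,action
AUDIT_LOG = """\
2024-05-14T08:35,scribe07,P1003,view_problem_list
2024-05-14T08:50,scribe07,P1001,view_problem_list
2024-05-14T09:05,scribe07,P1001,edit_note
2024-05-14T09:40,scribe07,P1002,edit_note
2024-05-14T09:45,scribe07,P2077,view_chart
2024-05-14T10:10,scribe07,P1003,edit_note
2024-05-14T13:15,scribe07,P1001,view_chart
"""

# Assumed policy value: how far ahead of an encounter background review is allowed.
PREP_WINDOW = timedelta(minutes=30)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def flag_out_of_scope(audit_log, schedule, shift):
    """Return (timestamp, user, patient, reason) for each access that falls
    outside the scribe's shift, assigned patients, or prep window."""
    assigned = {}
    for scribe, patient, start in schedule:
        assigned.setdefault(scribe, {})[patient] = _ts(start)
    flagged = []
    for line in audit_log.strip().splitlines():
        ts, user, patient, _action = line.split(",")
        when = _ts(ts)
        if user not in shift:
            flagged.append((ts, user, patient, "no shift on record"))
            continue
        start, end = (_ts(x) for x in shift[user])
        if not start <= when <= end:
            flagged.append((ts, user, patient, "outside shift window"))
        elif patient not in assigned.get(user, {}):
            flagged.append((ts, user, patient, "patient not on scribe's schedule"))
        elif when < assigned[user][patient] - PREP_WINDOW:
            flagged.append((ts, user, patient, "review earlier than prep window"))
    return flagged
```

Each flagged row is a lead for the Privacy Officer to review, not proof of a violation; a legitimate reason (a re-scheduled encounter, a provider's direct request) should be confirmed against the record before any sanction under § 164.530(e).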
Confidentiality of Transcribed Content
Everything you hear and document in a clinical encounter is confidential. This obligation continues after the encounter ends and after your shift ends. It is not limited to what ends up in the patient’s chart.
What you cannot do with transcribed content:
- Discuss patient cases with family, friends, or colleagues outside the clinical team
- Share clinical details from an encounter on social media - even without using the patient’s name, if the information is specific enough to identify the patient
- Reference a patient’s condition, diagnosis, or personal history in any context outside the scope of the clinical work
- Retain any notes, written or digital, from an encounter after documentation is finalized
What you must do:
- Complete documentation and submit it through the approved EHR workflow
- Destroy any working notes (paper or digital) after documentation is complete
- Report to the supervising provider or Privacy Officer if you realize a documentation error involved incorrect or improperly attributed PHI
You frequently hear information that is not ultimately documented - a patient sharing personal history tangential to their chief complaint, for example. That information is PHI and is subject to the same confidentiality obligation as what does make it into the record.
Device Policies for Scribes
The HIPAA Security Rule’s physical safeguard requirements at 45 CFR § 164.310 and technical safeguard requirements at § 164.312 govern what devices you can use to access or capture ePHI.
Personal Devices Are Not Permitted
You may not use personal phones, tablets, or laptops to: record audio of encounters; photograph EHR screens, patient charts, or any document containing PHI; photograph patients; draft documentation saved to personal cloud storage; or access clinic systems through personal devices unless the clinic has a documented, approved BYOD policy with appropriate security controls.
The prohibition is not about intent. Personal devices do not have the clinic’s access controls, audit logging, or encryption standards. Even well-intentioned use of a personal device to capture PHI creates an uncontrolled copy of PHI outside the clinic’s security infrastructure.
Clinic-Issued Devices
When clinics provide you with devices - laptops, tablets, or smartphones - those devices must be: encrypted at rest per 45 CFR § 164.312(a)(2)(iv); protected by automatic logoff per § 164.312(a)(2)(iii); subject to the clinic’s workstation use policy per § 164.310(b); and not used for personal purposes that could compromise security (personal email, social media, personal cloud storage).
If a clinic-issued device is lost or stolen, report it immediately. A lost device containing ePHI is a presumptive breach under 45 CFR § 164.402 unless the device was encrypted and the encryption key was not compromised.
In-Person vs. Remote Scribe Differences
In-person and remote scribes have the same substantive HIPAA obligations. The implementation requirements differ.
In-Person Scribes
If you scribe in person, your physical safeguard obligations under 45 CFR § 164.310 include: using only the clinic-provided workstation for documentation; logging off or locking the screen when leaving the workstation, even briefly; not positioning screens where patients in adjacent areas could view other patients’ records; and not removing any paper from the exam room without proper disposal.
Remote Scribes
If you scribe remotely, additional requirements apply.
Encrypted connection required. Under 45 CFR § 164.312(e), transmission of ePHI over electronic networks must be protected. Connect through the clinic's VPN or another approved encrypted tunnel - not by reaching clinical systems directly over an unmanaged public or home network.
Approved software required. The video platform used for remote scribing sessions handles PHI. If you are working under the covered entity’s direction, the clinic must ensure the platform has a signed BAA. If you are employed by a remote scribing service, the service must ensure its platforms comply.
Private work environment required. Work in an environment where the audio and video of patient encounters cannot be overheard by household members, roommates, or anyone not authorized to access PHI. This is a workstation use requirement under § 164.310(b) applied to a remote setting.
Session recording is prohibited by default. Remote scribing platforms often have recording capabilities. Do not activate recording features unless the clinic has a specific policy authorizing session recording, the recordings are stored in a HIPAA-compliant environment, and patients have been informed.
Who Owns Your Compliance
The clinic is responsible for ensuring that scribes who work under its direction comply with HIPAA.
If you are a direct employee or unpaid trainee: You are a workforce member under 45 CFR § 160.103. The clinic’s HIPAA policies apply directly. The clinic must train you, define your access, and apply sanctions if you violate policies.
If you are contracted through a scribing service: The scribing service is likely a business associate. A BAA must be in place between the clinic and the scribing service before you begin working. The scribing service is then responsible for its own employees’ HIPAA compliance, but the clinic should verify this is occurring.
If you are an independent contractor: An independent contractor who creates, receives, maintains, or transmits PHI on the clinic’s behalf is a business associate regardless of employment classification. A BAA is required.
Scribes who operate without a BAA or without completing required training are a compliance gap that belongs to the covered entity. You may face sanctions under § 164.530(e), but the covered entity cannot transfer its compliance responsibility to you.
For role-specific onboarding requirements, see the new hire HIPAA onboarding checklist. For more on the minimum necessary standard, see the minimum necessary standard guide.
PHIGuard helps practice managers track compliance tasks across all workforce members - including scribes, contractors, and rotating staff - with current pricing. See how at PHIGuard HIPAA.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.