HIPAA Compliance

Understanding privacy, security, and your responsibilities when using KeisenVPA with protected health information (PHI)

Overview

KeisenVPA is designed with privacy as a core principle. The software can be configured to support HIPAA-compliant workflows, but compliance depends on how you configure and use the software — particularly how you access the Anthropic API for AI-powered document generation.

⚠️
Important Disclaimer
This documentation is for informational purposes only and does not constitute legal advice. HIPAA compliance is complex and depends on your specific use case, organization, and implementation. Consult with a qualified healthcare compliance professional or attorney to ensure your workflow meets all applicable requirements.

Privacy Architecture

KeisenVPA is built with a privacy-first architecture that keeps sensitive data processing local whenever possible:

Local Processing (On Your Device)

  • Audio capture — All audio recording happens locally on your machine
  • Speech-to-text transcription — OpenAI Whisper runs entirely on your device; audio never leaves your computer
  • Data storage — Transcripts, notes, and generated documents are stored locally

Cloud Processing (Anthropic API)

  • AI document generation — When you generate clinical notes, the transcribed text is sent to Anthropic's Claude API
  • Image/screenshot processing — Screenshots and images are sent to the Anthropic API for analysis (e.g., extracting text from medical documents or images)
  • Generated documents are returned and stored locally

⚠️
What Gets Sent to the Cloud
While audio recordings never leave your device (Whisper transcription is local), transcribed text and images/screenshots are sent to the Anthropic API for AI processing. Ensure your API key configuration supports HIPAA compliance if processing PHI.

API Keys and HIPAA Compliance

HIPAA compliance for the AI document generation step depends entirely on which API key you use to access the Anthropic API:

API Key Type: KeisenVPA License Key (Purchased from us)
HIPAA Status: HIPAA-Enabled
Details: License keys purchased from KeisenVPA integrate with Anthropic's API under our Business Associate Agreement (BAA) with Anthropic. This enables HIPAA-compliant workflows when used according to this documentation.

API Key Type: Your Own API Key (Self-provided)
HIPAA Status: Your Responsibility
Details: If you use your own Anthropic API key, you are solely responsible for determining whether your API usage is HIPAA-compliant. This may require you to execute your own BAA with Anthropic and configure your account appropriately.

🚨
Using Your Own API Key?
We make no representations or warranties regarding HIPAA compliance when you use your own API keys. It is your responsibility to ensure your entire workflow — including API usage, data storage, and transmission — meets HIPAA requirements for your specific use case. Contact Anthropic directly to inquire about BAA availability for your account.

What Our BAA Covers

When you use a KeisenVPA license key, your document generation requests are routed through our HIPAA-compliant integration with Anthropic. This means:

  • Data transmitted to Anthropic is covered under our BAA
  • Anthropic will not use your data for model training
  • Appropriate security controls are in place for PHI handling

Your Responsibilities

Even when using a KeisenVPA license key with our BAA coverage, you remain responsible for:

Access Controls

  • Securing access to the device running KeisenVPA
  • Using strong passwords and device encryption
  • Logging out when not in use
  • Not sharing your license key with unauthorized users

Data Management

  • Securing locally stored transcripts and documents
  • Implementing appropriate data retention policies
  • Securely deleting PHI when no longer needed
  • Backing up data according to your organization's policies

Clinical Responsibility

  • Reviewing all AI-generated content for accuracy before use
  • Ensuring documentation meets clinical and legal standards
  • Not relying on AI-generated content without verification

Organizational Requirements

  • Ensuring your use of KeisenVPA aligns with your organization's HIPAA policies
  • Obtaining necessary approvals from your compliance/IT department
  • Training staff on appropriate use of the software

Best Practices

Device Security

  • Enable full-disk encryption (FileVault on macOS, BitLocker on Windows)
  • Use a strong login password
  • Enable automatic screen lock after inactivity
  • Keep your operating system and KeisenVPA updated

Network Security

  • Use KeisenVPA on trusted, secure networks
  • Avoid public Wi-Fi when processing PHI
  • Consider using a VPN for additional security

Data Handling

  • Minimize the amount of PHI included in transcriptions when possible
  • Regularly review and delete old transcripts and documents
  • Don't store PHI longer than necessary

Limitations

KeisenVPA is a documentation assistance tool. It is important to understand what it does not provide:

  • Not an EHR — KeisenVPA is not an electronic health record system and should not be used as one
  • Not a covered entity — KeisenVPA (the software) is a tool; you (the healthcare provider) remain the covered entity responsible for HIPAA compliance
  • No audit logging — KeisenVPA does not provide HIPAA-compliant audit trails; implement your own logging if required
  • No access controls — The software does not include role-based access control; secure access at the device level
  • AI limitations — AI-generated content may contain errors and must be reviewed before use in patient care

💬
Questions?
If you have questions about HIPAA compliance or need documentation for your compliance team, contact us at keisenvpa@proton.me.