HIPAA-Compliant Meeting Recording: The Complete Guide
Which tools sign BAAs, what needs to be encrypted, how to avoid the violations that actually get organizations fined, and ready-to-use stack recommendations for healthcare teams.
Why this matters now
Telehealth visits grew from 840,000 in 2019 to over 52 million in 2023 in the US alone (CDC data). That number has stayed elevated since the pandemic. At the same time, AI notetakers have exploded: Otter, Fireflies, Fathom, and dozens of others now join millions of meetings daily to record and transcribe.
The collision of these two trends creates a compliance problem. Clinicians who adopted AI notetakers for general meetings are now using them in patient-facing calls. IT teams that approved Zoom for telehealth haven't reviewed the third-party bots joining those calls. And many organizations don't have clear policies about which tools can touch Protected Health Information (PHI).
The result: HIPAA violations related to meeting recordings are increasing. OCR (Office for Civil Rights) enforcement actions involving electronic communication tools rose 34% between 2022 and 2025. The average fine for a meeting-recording-related breach: $1.2 million.
This guide covers what HIPAA requires for meeting recordings, which tools meet those requirements, and how to set up a compliant stack without overcomplicating your workflow.
What HIPAA requires for recordings
HIPAA applies when Protected Health Information (PHI) is involved. In the context of meeting recording, PHI includes:
- Patient names mentioned in a clinical discussion
- Diagnosis or treatment details spoken during a telehealth visit
- Any recording of a patient-provider interaction
- Meeting notes or transcripts that reference patient information
- Screen-shared medical records visible in a recording
The core HIPAA requirements for any system that touches meeting recordings containing PHI:
- Business Associate Agreement (BAA). Any third-party tool that processes, stores, or transmits PHI must sign a BAA with your organization. No BAA = the tool cannot touch PHI. This is the single most common point of failure.
- Encryption. TLS 1.2+ for data in transit. AES-256 (or equivalent) for data at rest. This applies to video files, audio files, transcripts, and any derived data (summaries, action items).
- Access control. Only authorized individuals can access recordings. This means role-based access, SSO integration, audit trails showing who accessed what and when, and automatic session timeouts.
- Retention and disposal. A defined retention policy with the ability to permanently delete recordings (not just soft-delete). You must ensure no residual copies remain in backups, CDN caches, or AI training datasets.
- Breach notification. If a recording containing PHI is accessed by unauthorized parties, you must notify affected individuals within 60 days and report to OCR. Breaches affecting 500+ people are publicly listed on the OCR "Wall of Shame."
The BAA landscape
Not every tool in the meeting ecosystem offers a BAA. The landscape is split between enterprise tools built for regulated industries and consumer tools that were not designed with HIPAA in mind.
The pattern is clear: enterprise tiers and purpose-built compliance tools offer BAAs. Free tiers and consumer-focused notetakers do not. The risk comes from individuals in healthcare organizations using consumer tools without IT approval.
Compliance comparison matrix
For tools that do offer BAAs, the depth of compliance varies significantly:
| Tool | BAA | SOC 2 | ISO 27001 | US Data Residency | On-prem / VPC | Audit Logs | Auto Retention |
|---|---|---|---|---|---|---|---|
| Zoom Healthcare | Yes | Type II | Yes | Yes | No | Yes | Yes |
| Microsoft Teams | Yes | Type II | Yes | Yes | GCC High | Yes | Yes |
| Recall.ai | Yes | Type II | Yes | US + EU | No | Yes | Yes |
| Deepgram | Enterprise | Type II | No | Yes | Yes | Yes | Manual |
| AssemblyAI | Yes | Type II | No | Yes | No | Yes | Yes |
| Theta Lake | Yes | Type II | Yes | Yes | Yes | Yes | Yes |
| Otter.ai Business | Yes | Pending | No | Yes | No | Limited | Limited |
Theta Lake and Microsoft Teams (via GCC High) offer the most complete compliance posture. For healthcare SaaS companies building products that handle patient meetings, Recall.ai + Deepgram provides the best API-level control with full compliance.
Architecture for compliant recording
A HIPAA-compliant meeting recording pipeline has four stages. Every stage must be covered by a BAA, encrypted, and access-controlled.
The critical insight: every link in the chain needs its own BAA. If your video platform has a BAA but your transcription provider doesn't, the transcript is non-compliant. If your storage is HIPAA-ready but the AI notetaker that generated the summary isn't, the summary is non-compliant.
Setting up compliant recording
Step 1: Inventory your data flow. Map every tool that touches meeting data: the video platform, any bots or recording tools, transcription services, storage, and any downstream tools that receive transcripts or summaries. Each one is a potential compliance gap.
Step 2: Get BAAs signed. Before any recording happens, execute BAAs with every vendor in the chain. Most enterprise tools have a self-serve BAA (Zoom, Teams) or provide one upon request (Recall.ai, Deepgram, AssemblyAI). If a vendor won't sign a BAA, it cannot be used for PHI-containing meetings.
Step 3: Configure encryption. Verify TLS 1.2+ for all data in transit. Confirm AES-256 encryption at rest for stored recordings. Most HIPAA-ready vendors handle this by default, but verify in writing. Check that encryption keys are managed properly (ideally customer-managed keys).
Step 4: Set access controls. Limit who can access recordings. Use SSO for authentication. Enable audit logging so you can track who accessed which recording and when. Set automatic session timeouts. Implement role-based access: clinicians see their own recordings, administrators see usage reports, nobody else sees anything.
Step 5: Define retention policies. Common ranges: 6 years for medical records (per HIPAA), 7 years for some state requirements, 10 years for malpractice coverage. Configure automatic deletion after the retention period. Test that deletion is complete: check backups, CDN caches, and AI training pipelines.
Step 6: Train your team. Clinicians and staff need to know which meetings can be recorded, how to inform patients, where recordings are stored, and who to contact if they suspect a breach. Annual training is required by HIPAA. Make it practical, not a checkbox exercise.
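As an added illustration of Steps 1 through 5 (example code written for this guide, not a tool from any vendor named above), the Python below models the Step 1 inventory as a chain of links, checks each link against the BAA, encryption, audit-log and hard-delete requirements, propagates any gap to every artifact derived downstream (the "every link needs its own BAA" rule from the architecture section), and computes when a recording's retention period has elapsed. The vendor names and their attributes are constructed for the example and say nothing about real products.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Link:
    """One tool in the recording chain (constructed model; attributes are hypothetical)."""
    name: str
    artifact: str      # what this link produces: recording, transcript, summary
    baa_signed: bool
    tls_min: str       # lowest TLS version the vendor will negotiate, e.g. "1.2"
    at_rest: str       # cipher for stored data; "" means unencrypted
    audit_logs: bool
    auto_delete: bool  # hard-deletes (not soft-deletes) at end of retention

def link_gaps(link: Link) -> list[str]:
    """Requirements from the guide that this single link fails."""
    gaps = []
    if not link.baa_signed:
        gaps.append("no BAA")
    if tuple(int(p) for p in link.tls_min.split(".")) < (1, 2):
        gaps.append(f"TLS {link.tls_min} below 1.2")
    if link.at_rest != "AES-256":
        gaps.append("at-rest encryption is not AES-256")
    if not link.audit_logs:
        gaps.append("no audit trail")
    if not link.auto_delete:
        gaps.append("no automatic hard-delete")
    return gaps

def chain_report(chain: list[Link]) -> dict[str, list[str]]:
    """Map each artifact to its gaps; a gap on one link taints everything derived from it."""
    report, inherited = {}, []
    for link in chain:
        inherited = inherited + [f"{link.name}: {g}" for g in link_gaps(link)]
        report[link.artifact] = list(inherited)
    return report

def retention_due(recorded_on: date, retention_years: int, today: date) -> bool:
    """True once the retention period has elapsed and the recording must be purged."""
    try:
        expiry = recorded_on.replace(year=recorded_on.year + retention_years)
    except ValueError:  # recorded on Feb 29 and the expiry year is not a leap year
        expiry = recorded_on.replace(year=recorded_on.year + retention_years, day=28)
    return today >= expiry

# Constructed sample: covered video platform, free-tier notetaker bot, covered summarizer.
SAMPLE_CHAIN = [
    Link("VideoPlatform", "recording", True, "1.2", "AES-256", True, True),
    Link("FreeNotetaker", "transcript", False, "1.2", "", False, False),
    Link("Summarizer", "summary", True, "1.3", "AES-256", True, True),
]
```

Running `chain_report(SAMPLE_CHAIN)` shows the recording as compliant but both the transcript and the summary carrying the notetaker's gaps, even though the summarizer itself passes every check.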
Common violations
These are the violations that actually trigger OCR investigations and fines:
1. Consumer notetaker on clinical calls. A clinician signs up for Fathom or Otter's free tier and records patient visits. No BAA exists. If those recordings are ever breached, the organization is liable. This is the most common HIPAA violation in meeting recording. It happens because the tool is easy to install and nobody told the clinician not to use it.
2. Assuming the video platform covers third-party tools. Zoom Healthcare provides a BAA for Zoom's own recording. But if a third-party AI notetaker joins the call, that notetaker is a separate business associate that needs its own BAA. The Zoom BAA does not extend to other tools in the meeting.
3. Unprotected transcripts. The recording is encrypted and access-controlled, but the AI-generated transcript was emailed to five people and sits unencrypted in their inboxes. Or it was pasted into a Slack channel. Or it was exported to a Google Doc without access restrictions. Transcripts are PHI. They need the same protections as the recording itself.
4. No data disposal process. Recordings are kept indefinitely because nobody configured retention policies. Older recordings have weaker encryption. Former employees still have access to recordings from before they left. The longer data exists, the larger the breach surface.
5. Screen-shared PHI in recordings. A clinician shares their screen during a telehealth call, and the EHR (Electronic Health Record) is visible. The recording now contains visual PHI that wasn't in the audio. Most organizations don't account for this in their compliance policies.
Cost of non-compliance
OCR enforces HIPAA violations on a tiered penalty structure:
| Tier | Culpability | Per violation | Annual max |
|---|---|---|---|
| Tier 1 | Did not know | $137 - $68,928 | $2.07M |
| Tier 2 | Reasonable cause | $1,379 - $68,928 | $2.07M |
| Tier 3 | Willful neglect (corrected) | $13,785 - $68,928 | $2.07M |
| Tier 4 | Willful neglect (not corrected) | $68,928+ | $2.07M |
Beyond fines, breaches carry reputational cost, mandatory corrective action plans (which can last 2-3 years), and potential criminal charges for egregious cases. The average cost of a healthcare data breach in 2025 was $10.9 million (IBM Cost of a Data Breach Report), factoring in investigation, notification, remediation, and lost business.
Setting up compliant recording costs $5,000-20,000 in tool subscriptions and configuration time. The cost of a breach starts at $137,000 for the smallest Tier 1 violation. The math is not complicated.
Recommended stacks
Three stacks for three different scenarios:
Zoom Healthcare gives you built-in compliance. Add Theta Lake if you need automated compliance review, keyword detection in recordings, or archiving beyond Zoom's native retention.
Recall handles multi-platform recording with BAA and SOC 2. Deepgram's on-premise option gives maximum control; AssemblyAI offers simpler integration with strong diarization. Both sign BAAs. Ensure US data residency is configured.
Microsoft's M365 agreement covers the BAA. Teams Premium adds AI features (intelligent recap, live translation). Smarsh handles archiving and compliance search across the Microsoft ecosystem. This simplifies procurement, since IT already manages M365.
Audit checklist
Use this to verify your current setup or prepare for an audit:
If any box is unchecked, you have a compliance gap. Fix it before, not after, an audit finds it.