Posted on Mar 19, 2026
Is Freed AI HIPAA Compliant? The BAA Gap Explained for Healthcare Providers
TL;DR: Freed AI claims HIPAA compliance and mentions BAAs for "enterprise customers," but their public documentation never confirms whether individual practitioners or small practices can obtain a BAA before PHI is captured, which plans include BAA access, or how to actually execute one. This gap matters because HIPAA compliance without a signed BAA in place before the first patient encounter exposes your practice to regulatory liability. Scribing.io provides a self-serve BAA at signup—before any audio is recorded—on every plan, including free trials.
If you're a practice manager or clinic owner evaluating AI scribes to solve charting burnout and documentation lag, the compliance question isn't whether a vendor encrypts data—it's whether you have a signed Business Associate Agreement in hand before your first clinician hits "record." Without that executed contract, every ambient recording you capture generates immediate HIPAA liability, regardless of the vendor's security posture. This is the BAA gap, and it's the single most overlooked risk in AI scribe procurement.
Scribing.io was built to eliminate this gap entirely: our BAA is presented and digitally executed during account creation, before the recording function is even enabled, on every plan tier including the free trial. No sales call. No waiting period. No "enterprise-only" qualification. This article explains why that distinction matters legally, how to assess Freed AI's actual BAA availability based on publicly documented information, and what practice managers must verify before purchasing any AI documentation tool.
What Freed Claims About HIPAA Compliance—And Where the BAA Gap Begins
"HIPAA compliant" is not a binary state you achieve by encrypting data at rest. Under 45 CFR § 164.502, HIPAA compliance requires three interlocking components: administrative safeguards, technical safeguards, and executed legal agreements between covered entities and any business associate that creates, receives, maintains, or transmits protected health information on their behalf. An AI scribe that records patient encounters, transcribes audio, and generates clinical notes is unambiguously a business associate—and it must have a BAA in place with your practice before any PHI changes hands.
Freed's public security documentation states that the platform "maintains Business Associate Agreements (BAAs) with all enterprise customers." This is the critical phrase. It raises three unanswered questions for the majority of prospective buyers:
What qualifies as "enterprise"? Does a 3-physician family medicine group qualify? A solo psychiatrist? A 12-provider urgent care network?
What happens on non-enterprise plans? If BAAs are reserved for enterprise tiers, providers on standard or professional plans who record patient encounters are generating PHI without a legal agreement in place.
When is the BAA executed? If execution requires contacting sales, scheduling a call, and waiting for legal review, there is a temporal gap between signup and BAA execution during which PHI may already be captured.
The regulatory exposure is not theoretical. Under HHS Office for Civil Rights (OCR) enforcement guidance, a covered entity that shares PHI with a business associate without an executed BAA faces civil monetary penalties of $141 to $71,162 per violation (adjusted for inflation as of 2026), with an annual cap of $2,134,831 per identical-provision category. The "I didn't know I needed one" defense does not reduce culpability—it merely shifts you to a lower penalty tier.
The concept that matters here is pre-PHI BAA availability: a BAA must be legally binding before the first audio recording is captured in a clinical environment. Not after onboarding. Not after a sales conversation. Before the first syllable of patient speech enters the platform.
What a Business Associate Agreement Actually Is—And Why Timing Is Non-Negotiable
A Business Associate Agreement, defined under 45 CFR § 164.308(b) and § 164.502(e), is a legally binding contract that accomplishes four things:
Assigns liability: It establishes which party is responsible for what in the event of a breach, and limits the business associate's permitted uses of PHI to treatment, payment, and healthcare operations (or more restrictive purposes).
Defines breach notification obligations: Under the HITECH Act, the business associate must notify the covered entity within 60 days of discovering a breach—but the BAA can contractually shorten this window.
Establishes subcontractor requirements: The business associate must ensure its own downstream vendors (cloud providers, sub-processors) also maintain BAAs.
Specifies data disposition: What happens to PHI upon contract termination—destruction, return, or certified de-identification.
The "First-PHI Problem"
The moment a provider launches an AI scribe and begins recording a patient encounter, PHI is created. Not "may be" created—is created. Audio containing a patient's voice describing symptoms, combined with the provider's clinical responses, constitutes individually identifiable health information under 45 CFR § 160.103. If no BAA exists at that exact moment, both the practice (as covered entity) and the vendor (as business associate) are in violation of the HIPAA Privacy Rule.
This is not a theoretical edge case. In practice, most AI scribe evaluations involve real patient encounters during trial periods. Practice managers often test tools in live clinical workflows to assess accuracy, meaning PHI is generated from day one of any meaningful evaluation.
The BAA Chain of Custody
Here's the compliance concept most practice managers miss: your liability doesn't end at your BAA with the AI scribe vendor. Under HIPAA's subcontractor rules (finalized in the 2013 Omnibus Rule), a business associate must execute BAAs with every entity that handles PHI on its behalf. For an AI scribe, this chain typically includes:
Cloud infrastructure provider (e.g., Microsoft Azure, AWS, Google Cloud)
Speech-to-text processing service (if outsourced)
Large language model provider (if the AI model is hosted by a third party)
Data backup and disaster recovery services
A BAA between Freed and Microsoft Azure protects Freed in its relationship with Microsoft. It does not protect your practice. Your practice needs its own BAA with Freed—and that BAA must contractually obligate Freed to maintain downstream agreements with all sub-processors. If any link in this chain is unsigned, the entire custody framework is legally deficient, and your practice bears the enforcement risk.
Can You Actually Get a BAA from Freed? A Plan-by-Plan Analysis
To answer this question, we reviewed Freed's publicly accessible documentation as of Q1 2026: their pricing page, terms of service, security center, and published help articles. Here's what we found—and what remains undocumented.
What Freed's Public Materials Disclose
Freed's security page confirms SOC 2 Type 2 certification, AES-256 encryption at rest, TLS 1.2+ in transit, and role-based access controls. These are strong technical safeguards. However, the BAA-specific language is limited to references to "enterprise customers" and does not address:
Whether providers on individual or small-practice plans receive BAA access
Whether the free trial includes BAA coverage
Whether BAA execution is self-serve or requires sales engagement
The specific services and data types covered by the BAA
Whether the BAA is a standard template or requires negotiation
The Evaluation-Period Liability Window
This is the operational risk most practice managers don't anticipate: when you test an AI scribe during a free trial using real patient encounters, you've created PHI on a platform where—absent documentation to the contrary—no BAA may exist. OCR's 2024 guidance on cloud computing and mobile health applications explicitly states that HIPAA obligations attach the moment electronic PHI is created or received by a business associate, regardless of whether the service is in a "trial" or "evaluation" phase. There is no trial-period exemption under HIPAA.
This means that a practice manager who tests Freed during a free trial—recording real patient encounters to evaluate transcription quality—may be generating HIPAA violations with each session if no BAA is in place.
Comparison: BAA Availability Factors
| BAA Availability Factor | Freed (Public Information) | Scribing.io |
|---|---|---|
| Self-serve BAA at signup | Not documented | ✅ Yes, all plans |
| BAA available before first recording | Unclear | ✅ Immediate at account creation |
| Solo practitioner eligible | "Enterprise customers" language | ✅ Any licensed provider |
| BAA included on free trial | Not documented | ✅ Yes |
| BAA covers all plan tiers | Not documented | ✅ Identical BAA across all tiers |
| Time to execute | Unknown (sales contact implied) | Instant (digital acceptance) |
| BAA publicly reviewable before signup | Not found | ✅ Published on legal page |
| Specialty-specific addenda available | Not documented | ✅ Behavioral health, pediatrics |
| Termination/data destruction clause | Not publicly detailed | ✅ Certified destruction within 30 days |
Clinician Insight: If a vendor cannot produce a BAA template upon your first request—before any sales conversation—treat this as a procurement red flag. Compliance-first vendors make BAAs accessible because they understand the legal sequence: agreement first, PHI second. Never the reverse.
Compliance Theater vs. Operational Compliance: What Practice Managers Must Verify
The term "compliance theater" refers to the display of security credentials (encryption badges, SOC 2 logos, "HIPAA compliant" banners) without the operational substance that actually protects your practice. To be clear: encryption, access controls, and audit logs are necessary. But they are not sufficient. A vendor can have perfect technical safeguards and still leave your practice legally exposed if no BAA exists.
Here's why: The American Medical Association's HIPAA enforcement guidance distinguishes between security incidents (technical failures) and privacy violations (legal failures). A data breach with a signed BAA triggers the BAA's contractual remedies—notification timelines, liability allocation, breach response coordination. A data breach without a signed BAA triggers direct OCR enforcement against your practice for failing to obtain the required agreement in the first place.
BAA Due Diligence Checklist for Practice Managers
Before purchasing any AI scribe, verify the following:
Can you download or execute the BAA without speaking to sales? If not, ask why. A self-serve BAA indicates the vendor has standardized their compliance workflow. A gated BAA may indicate it's still being customized—or doesn't exist for your plan tier.
Does the BAA specify the exact services covered? Look for explicit language covering: ambient audio recording, transcription processing, AI-generated clinical note drafts, temporary audio storage, and any EHR integration data transfers. Vague language like "services as described on the website" is insufficient.
Does the BAA name your entity, or is it a generic click-through? Both formats can be legally valid, but a click-through must still clearly identify the parties and the effective date. Confirm that your organization's legal name is associated with the executed agreement.
Does the BAA address subcontractor/sub-processor obligations? Under 45 CFR § 164.502(e)(1)(ii), the business associate must ensure equivalent protections flow downstream. The BAA should either list sub-processors or include a clause requiring the vendor to maintain downstream BAAs.
Does the BAA include breach notification timelines? HITECH requires notification within 60 days, but best-practice BAAs specify shorter windows (24–72 hours for initial notification to the covered entity).
Does the BAA survive termination? What happens to your PHI after you cancel? Look for certified destruction within a defined timeframe (30 days is standard) or documented return of data.
Does the BAA explicitly prohibit using PHI for model training? Marketing pages may state "we don't train on your data," but unless this prohibition appears in the BAA, it is not a legally enforceable commitment.
Pro-Tip: SOC 2 Type 2 certification demonstrates that security controls have been tested over a period of time (typically 6–12 months). It is an operational audit, not a legal agreement. A vendor can be SOC 2 certified and still fail to provide a BAA. These are complementary requirements, not substitutes.
Why Your Specialty Changes Your BAA Requirements
Not all PHI carries the same regulatory weight. Certain specialties generate data that triggers additional HIPAA provisions, intersects with other federal statutes, or creates unique liability when processed by AI systems. A generic BAA may not cover your specialty's specific requirements.
Psychiatry and Behavioral Health: The Psychotherapy Notes Exclusion Problem
Under 45 CFR § 164.508(a)(2), psychotherapy notes receive heightened protection—they cannot be disclosed for treatment, payment, or healthcare operations without specific patient authorization. Here's the problem: when a psychiatrist uses an ambient AI scribe during a therapy session, does the recorded audio constitute psychotherapy notes?
The answer depends on how the data is stored and categorized. If the AI system retains raw session audio or detailed session transcripts separately from the medical record, this likely qualifies as psychotherapy notes under HIPAA's definition. A BAA that uses boilerplate language permitting PHI use for "treatment, payment, and healthcare operations" would authorize disclosures that the psychotherapy notes provision specifically prohibits.
What this means for psychiatrists evaluating Freed or any AI scribe: Your BAA must explicitly address whether ambient recordings of therapy sessions are classified as psychotherapy notes, how they're stored relative to the medical record, and what additional authorization requirements apply. A generic BAA that fails to address this creates a compliance violation even if it's properly signed.
Scribing.io's BAA includes a behavioral health addendum that defines the treatment of session recordings, distinguishes between psychotherapy notes and standard clinical documentation, and contractually limits data use to note generation only—with audio deletion within 24 hours of processing.
Pediatrics: COPPA Intersection
For practices treating patients under 13, the Children's Online Privacy Protection Act (COPPA) intersects with HIPAA. While HIPAA generally preempts COPPA for covered entities, the FTC has maintained that commercial data practices targeting children remain subject to COPPA enforcement. A BAA should address parental consent workflows and data minimization specific to minor patients.
Cardiology and Chronic Care
Longitudinal cardiology encounters—serial echocardiogram discussions, medication titration conversations, ongoing heart failure management—create cumulative PHI patterns. If the AI scribe retains historical encounter context to improve note generation, the BAA must address data retention policies and the distinction between active processing and long-term storage.
Family Medicine: Volume and Surface Area
High-volume family medicine practices generate diverse PHI across conditions, demographics, and visit types in every session. Each encounter may reference medications, lab results, social history, and family history—expanding the PHI surface area per recording. BAA terms around data minimization and purpose limitation become particularly important at scale.
The Practice Manager's BAA Evaluation Framework (Before You Buy)
Use this workflow when evaluating any AI scribe vendor's BAA readiness. The goal is to confirm BAA availability and adequacy before any PHI is generated.
Step 1: Request the BAA Template Before the Demo
Email the vendor's compliance or legal contact and request their standard BAA template. Note: you're not asking them to execute it yet—you're asking to review it. If they cannot produce a template within 48 hours, or if they respond with "that's handled during onboarding," this indicates the BAA is gated behind a sales process and may not be available before PHI capture.
Step 2: Read the Permitted Uses Clause
The BAA should limit PHI use to the minimum necessary for providing the contracted services. Be alert to language like "product improvement," "service enhancement," or "aggregate analytics"—these phrases may authorize the vendor to use your patients' health information for purposes beyond clinical documentation. The 2026 CMS interoperability rules reinforce that patient data should be used for its stated clinical purpose.
Step 3: Check the De-Identification Clause
Even if the vendor's marketing page states "we never train on your data," confirm that this prohibition exists in the BAA as a contractual obligation. Marketing claims are not enforceable. BAA language is. Look for explicit prohibitions on using PHI—or derivatives of PHI—for machine learning model training, even in de-identified form, unless the covered entity provides written authorization.
Step 4: Verify Termination and Data Destruction Rights
What happens to your PHI when you cancel? The BAA should specify:
A destruction timeline (30 days is industry standard)
A certification of destruction (written confirmation that PHI has been permanently deleted)
Whether any data survives in backups, and if so, the retention period for backup destruction
Step 5: Confirm Multi-User Coverage
If your practice adds clinicians after initial signup, does the BAA automatically cover them, or does each provider need a separate agreement? This is operationally critical for growing practices and locum tenens arrangements.
Step 6: Check Governing Law and Dispute Resolution
If a breach occurs, where will disputes be resolved? A vendor headquartered in a different state may specify arbitration in their jurisdiction. Understand this before signing.
Pro-Tip: Document your BAA evaluation process. If OCR ever audits your practice, demonstrating that you performed due diligence on your business associates—and that you obtained a BAA before PHI was shared—is your primary defense against penalties under the "reasonable cause" tier.
How Scribing.io Eliminates the BAA Gap Entirely
Scribing.io's compliance architecture was designed around a single principle: no PHI should ever be created on our platform without a legally binding BAA already in effect. Here's how that works operationally:
BAA Execution at Account Creation
During the signup process—before any recording capability is activated—providers are presented with our standard BAA for digital acceptance. The account cannot proceed to the recording interface until the BAA is executed. This is not optional, not gated behind a plan tier, and not dependent on contacting sales. It applies identically to:
Solo practitioners on a free trial
Small group practices on standard plans
Health systems on enterprise agreements
FQHCs and academic medical centers
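The gating rule described above (no recording capability until a BAA has been executed, regardless of plan tier) is simple to state but easy to get subtly wrong, for example by checking the BAA only at signup rather than at the moment PHI would be created, or by exempting trial accounts. The following is an added illustration written for this article, not Scribing.io's own code and not a description of its internals. It models an account with an optional executed-BAA record, refuses to start a recording unless that record predates the request, and writes every allow or deny decision to an audit trail. All names (`Account`, `execute_baa`, `start_recording`, the plan-tier labels and the `baa-template-v1` version string) are constructed for the example.

```python
# Added illustration (not Scribing.io's code): a "BAA-before-PHI" gate.
# The recording endpoint refuses to start until an executed BAA record
# exists for the account, on every plan tier alike, and every decision
# is appended to an audit trail so the sequence "agreement first, PHI
# second" can later be demonstrated to an auditor.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed plan names for the illustration; the gate treats them identically.
PLAN_TIERS = {"free_trial", "standard", "enterprise"}


class BaaNotExecuted(Exception):
    """Raised when a PHI-creating action is attempted without an executed BAA."""


@dataclass(frozen=True)
class BaaRecord:
    version: str                     # hypothetical BAA template version label
    covered_entity_legal_name: str   # the BAA must identify the parties
    accepted_at: datetime            # effective date of the agreement
    acceptor_user_id: str            # who clicked "accept" on the practice's behalf


@dataclass
class Account:
    account_id: str
    plan: str
    baa: Optional[BaaRecord] = None
    audit_log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.plan not in PLAN_TIERS:
            raise ValueError(f"unknown plan tier: {self.plan}")


def _now(ts: Optional[datetime]) -> datetime:
    return ts if ts is not None else datetime.now(timezone.utc)


def execute_baa(account: Account, legal_name: str, user_id: str,
                version: str = "baa-template-v1",
                now: Optional[datetime] = None) -> BaaRecord:
    """Digital acceptance at signup: record who accepted which BAA version, and when."""
    legal_name = legal_name.strip()
    if not legal_name:
        raise ValueError("BAA must name the covered entity")
    ts = _now(now)
    account.baa = BaaRecord(version, legal_name, ts, user_id)
    account.audit_log.append(
        f"{ts.isoformat()} BAA {version} accepted by {user_id} "
        f"on behalf of '{legal_name}'")
    return account.baa


def baa_in_effect(account: Account, at: Optional[datetime] = None) -> bool:
    """True only if an executed BAA predates the moment PHI would be created."""
    ts = _now(at)
    return account.baa is not None and account.baa.accepted_at <= ts


def start_recording(account: Account, encounter_id: str,
                    now: Optional[datetime] = None) -> Dict[str, str]:
    """The gate. Identical for free_trial, standard and enterprise accounts."""
    ts = _now(now)
    if not baa_in_effect(account, ts):
        account.audit_log.append(
            f"{ts.isoformat()} DENIED recording {encounter_id} "
            f"on plan {account.plan}: no executed BAA")
        raise BaaNotExecuted(
            f"account {account.account_id}: execute the BAA before recording")
    assert account.baa is not None  # guaranteed by baa_in_effect; helps type checkers
    account.audit_log.append(
        f"{ts.isoformat()} recording {encounter_id} started under BAA "
        f"{account.baa.version}")
    return {"encounter_id": encounter_id,
            "baa_version": account.baa.version,
            "started_at": ts.isoformat()}


if __name__ == "__main__":
    # Constructed walk-through: a free-trial account tries to record first.
    acct = Account("acct-demo", "free_trial")
    try:
        start_recording(acct, "enc-001")          # refused: no BAA yet
    except BaaNotExecuted as exc:
        print("refused:", exc)
    execute_baa(acct, "Example Family Medicine LLC", "user-42")
    print(start_recording(acct, "enc-001"))       # now permitted
    print("\n".join(acct.audit_log))
```

The check is deliberately placed on the PHI-creating action rather than on login or plan assignment: an account that exists without a BAA is harmless, an account that records without one is not. Keeping the denial in the same audit trail as the acceptance gives the practice the contemporaneous record that the evaluation-framework section later recommends retaining.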
What the BAA Covers
Scribing.io's BAA explicitly addresses:
Ambient audio recording during clinical encounters
Transcription processing (speech-to-text conversion)
AI-generated clinical note drafts (the output of our documentation engine)
Temporary audio storage during processing (with defined deletion timelines)
EHR integration data transfer (for platforms including Epic, Athenahealth, eClinicalWorks)
Sub-processor obligations (our BAA contractually requires downstream BAAs with all infrastructure providers)
Specialty-Specific Addenda
For behavioral health providers, our BAA includes an addendum addressing:
Classification of session recordings relative to psychotherapy notes
Audio deletion within 24 hours of note generation
Explicit prohibition on retaining raw session transcripts beyond the note creation workflow
For pediatric practices, the addendum addresses minor data handling, parental consent documentation, and COPPA-intersecting obligations.
Termination and Data Disposition
Upon account cancellation, Scribing.io guarantees certified destruction of all PHI within 30 calendar days. A written certification of destruction is provided to the practice. Backup systems purge PHI within an additional 30-day cycle. No data survives beyond 60 days post-termination under any circumstance.
Public Accessibility
Our BAA template is published on our legal page and can be reviewed by any prospective buyer—or their compliance attorney—before creating an account. This eliminates the "trust us" dynamic entirely. You can have your healthcare attorney review our BAA, confirm its adequacy, and then sign up knowing exactly what you're executing.
Frequently Asked Questions
Q: Is Freed AI HIPAA compliant for solo practitioners, or only enterprise customers?
A: Freed's public documentation states BAAs are maintained with "enterprise customers." It is unclear from publicly available information whether solo practitioners or small practices on standard plans receive a BAA before first use. We recommend directly asking Freed's sales team to confirm BAA availability for your specific plan tier before recording any patient encounter. Under HIPAA, the absence of a signed BAA—regardless of the vendor's security infrastructure—constitutes a privacy rule violation the moment PHI is created.
Q: Can I use an AI scribe during a free trial without a BAA?
A: No. OCR's guidance on cloud computing is explicit: HIPAA obligations attach the moment ePHI is created or received, regardless of whether the service is in a trial phase. There is no trial-period exemption. If you're recording real patient encounters during an evaluation, you need a signed BAA for that period. Scribing.io includes BAA coverage from the first moment of the free trial.
Q: Does SOC 2 Type 2 certification mean a vendor is HIPAA compliant?
A: No. SOC 2 Type 2 demonstrates that security controls have been independently audited over a period of time. It does not create any legal obligation between the vendor and your practice. It does not assign breach notification responsibilities. It does not limit the vendor's use of your data. Only a BAA does these things. SOC 2 and a BAA are complementary—neither replaces the other.
Q: What happens if a breach occurs and I don't have a BAA with my AI scribe vendor?
A: Without a BAA, your practice is directly liable for sharing PHI with an entity that has no contractual obligation to protect it. OCR can impose penalties on your practice for the failure to obtain a BAA (a standalone violation), in addition to any penalties related to the breach itself. The vendor also faces penalties as an uncontracted business associate, but your practice cannot shift liability to them without an executed agreement.
Q: Does Scribing.io's BAA cover EHR integrations?
A: Yes. Our BAA explicitly covers data transfers between Scribing.io and integrated EHR systems, including Epic, Athenahealth, and eClinicalWorks. The BAA addresses both the inbound data (encounter audio) and outbound data (generated notes pushed to the EHR) as covered PHI transactions.
Q: How do I verify that my AI scribe vendor has BAAs with their sub-processors?
A: Request a sub-processor list and written confirmation that BAAs are in place with each entity. Your BAA with the vendor should include a clause requiring them to maintain downstream agreements. If the vendor refuses to provide this information, you cannot verify the chain of custody and should document this gap in your compliance file. Scribing.io publishes our sub-processor list and confirms BAA coverage with each entity.
Get Started Today
Charting burnout and documentation lag are solvable problems—but solving them with a tool that creates regulatory exposure defeats the purpose. Your practice deserves an AI scribe that eliminates documentation burden and eliminates compliance uncertainty simultaneously.
Scribing.io provides a self-serve BAA at signup, before any audio is recorded, on every plan including the free trial. No sales calls. No enterprise-only gating. No evaluation-period liability windows. Review our BAA today, sign up in minutes, and start documenting encounters with full HIPAA coverage from your very first session.