Is an ambient AI scribe a HIPAA business associate, and what does the 2025 Security Rule NPRM change?

An ambient AI scribe vendor that creates, receives, maintains, or transmits ePHI on a covered entity's behalf is generally a business associate and needs a BAA. HHS's 2025 Security Rule NPRM proposes to modernize and strengthen safeguards — moving toward more…

register 09 · Compliance pins· HIPAA Security Rule
01 ·

Answer.

Healthcare regulation · HIPAA Security Rule.

An ambient AI scribe vendor that creates, receives, maintains, or transmits ePHI on a covered entity's behalf is generally a business associate and needs a BAA. HHS's 2025 Security Rule NPRM proposes to modernize and strengthen safeguards — moving toward more mandatory technical controls — but it is a proposed rule, not yet final, so treat its specifics as not-yet-binding. Planisphere does not establish your BAA or HIPAA posture; it can measure AI behaviour without ingesting PHI where designed to.

02 ·

The mark behind the answer.

HIPAA Security Rule can require evidence around clinical workflows, ePHI boundaries, change control, or patient-impactin…

ePHI safeguards · 2025 NPRM cyber-modernization (PROPOSED).

→ Full reference for HIPAA Security Rule

03 ·

More on HIPAA Security Rule.

Other questions this mark answers.

Prepare evidence for HIPAA Security Rule review.

First evidence record within 21 days of access · re-runs in a single business day. Planisphere measures model behaviour and emits a reproducible, sha-pinned record — it does not certify, file, or give legal advice.