HIPAA dictation software that keeps patient information on your machine
Fully on-device in Lockdown Mode, so no vendor touches your patients' information and there is no BAA to sign
No dictation software is HIPAA certified; HHS does not certify products, and compliance comes from how you run your practice, not from a download. Whisperstream's Lockdown Mode transcribes entirely on your Windows PC. Audio, transcripts, and history never leave your machine, so Lanreal never creates, receives, maintains, or transmits protected health information (PHI) on your behalf, and there is no business associate agreement (BAA) to sign. $29, one-time.
Updated
At a glance
Whisperstream is a $29 one-time dictation app for Windows. In Lockdown Mode, transcription, AI cleanup, and transcript storage all run on your own PC, and cloud providers are turned off. That is the whole idea: when nothing you dictate leaves your machine, there is no third party handling your patients' information for this workflow, and no business associate agreement to sign.
- The short answer
- No software is HIPAA certified. HHS does not endorse or recognize private certifications regarding the Security Rule; compliance describes how the covered entity (under HIPAA, that is you or your practice) uses a tool inside its own program.
- The local-only angle
- In Lockdown Mode, audio, transcripts, and dictated text never leave your machine. Lanreal, the company behind Whisperstream, never touches your patients' information in this workflow.
- Why no BAA
- A business associate is anyone who creates, receives, maintains, or transmits PHI on your behalf (45 CFR 160.103). Local-only software does none of the four, so there is no business associate for you and nothing to sign.
- Who this is for
- Therapists, solo and small-practice clinicians, and anyone dictating patient information on a Windows PC without an IT department to run a BAA process. If your sensitivity driver is attorney-client confidentiality instead, see legal dictation software.
There is no such thing as HIPAA certified dictation software
If you searched for "HIPAA compliant dictation software", here is the part most vendors skip: that label does not exist as a certification. HHS does not endorse or recognize private certifications regarding the Security Rule, and FTC business guidance is blunter still, noting that HHS does not certify companies or products as HIPAA compliant. There is no seal to earn, no registry to check, and no product that can hand you compliance in a download.
The FTC has gone after companies that leaned on that label anyway: its 2023 complaint against BetterHelp alleged a deceptive HIPAA seal and false "HIPAA certified" representations, and in 2020 it alleged that SkyMed displayed a "HIPAA Compliance" seal for roughly five years with no third-party review behind it. Both cases settled, and both are framed here as allegations, but the pattern matters more than the case law: a compliance badge on a product page is a marketing artifact, not a legal status.
So the useful question is not "which dictation software is HIPAA compliant" but "where does my session note go when I dictate it, who can access it, and what safeguards does the tool support". Compliance lives in how you run your practice, not in any software box. The rest of this page answers the useful question for Whisperstream's Lockdown Mode, and it applies the same honest framing to the cloud alternatives.
Sources
- HHS, "Are we required to certify our organization's compliance with the standards of the Security Rule?" (hhs.gov FAQ)
- 45 CFR 160.103, definition of business associate (law.cornell.edu)
- 45 CFR 164.312, technical safeguards (law.cornell.edu)
- 45 CFR 164.308, administrative safeguards (law.cornell.edu)
- 45 CFR 164.310, physical safeguards (law.cornell.edu)
- HHS, Guidance on HIPAA and Cloud Computing (hhs.gov)
- FTC, complaint against BetterHelp, Inc., 2023 (ftc.gov, PDF)
- FTC, press release on the SkyMed settlement, 2020 (ftc.gov)
- FTC Business Blog, "FTC says flight service winged it, leaving data unprotected in the cloud", 2020 (ftc.gov)
Why local-only dictation means no BAA to sign
You already know the drill from every other tool in your practice: if a company handles PHI for you, you need a BAA first. HIPAA's definition is what decides it. A business associate is a person or company that creates, receives, maintains, or transmits protected health information on your behalf (45 CFR 160.103). Those four verbs are the whole test. If a vendor's servers do any of the four with your patients' information, that vendor is your business associate, and HIPAA requires a business associate agreement before PHI can flow to them.
Cloud dictation trips the test. The moment you dictate a session note or a patient email into a cloud tool, that audio travels to the vendor's servers to be transcribed, and receiving and transmitting a patient encounter is exactly what the definition covers. HHS's cloud computing guidance says a cloud service provider that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate, and that this is true even if the provider stores only encrypted ePHI and lacks the encryption key. That is why the legitimate cloud path comes with a BAA.
Local-only dictation never enters the test. In Lockdown Mode, your microphone audio is transcribed on your device, AI cleanup uses an on-device model, and cloud providers are turned off. The note you just dictated exists in exactly one place: your PC. Lanreal never receives your audio or transcripts. Because nothing leaves your machine and no third party handles your patients' information for this workflow, there is no business associate and no business associate agreement to sign. Not because of a clever contract, but because there is no associate.
Three ways dictation tools handle patient information
There are three ways a dictation tool can handle your patients' information. Only one keeps a vendor out of the data path entirely.
No vendor in the data path, no BAA to sign
- Mechanism
- Transcription runs on your own PC. Audio, text, and history never leave the machine.
- Example
- Whisperstream in Lockdown Mode. On-device transcription and on-device AI cleanup, with cloud providers blocked.
- What you sign
- Nothing. Lanreal is not a business associate for this workflow because in Lockdown Mode it never handles your PHI.
Works, with a BAA and vendor trust
- Mechanism
- Audio is sent to the vendor's servers and decrypted there for transcription.
- Example
- Wispr Flow. Its privacy documentation states that transcription always happens in the cloud, and it offers a BAA on all plans as a self-serve click-through.
- What you sign
- Wispr Flow's click-through BAA, which locks Privacy Mode (zero data retention) on.
Works, at enterprise procurement scale
- Mechanism
- Speech is recognized in the vendor's cloud data centers; the client streams audio to them.
- Example
- Dragon Medical One, subscription-priced per user and running on the Microsoft cloud stack.
- What you sign
- A BAA with Microsoft, which signs BAAs with healthcare customers by default.
Whisperstream details are first-hand. Wispr Flow and Dragon Medical One details come from their published documentation: Wispr Flow's privacy page and security FAQ, and Microsoft's Dragon Medical One and HIPAA compliance pages. Both are legitimate paths for PHI; the difference is where your audio goes and what paperwork that creates.
What about free local dictation apps?
Free local dictation tools are a reasonable instinct. If audio never leaves the machine, no vendor handles PHI and the BAA question falls away, exactly as it does for Lockdown Mode. That instinct gets the network half right. The half your risk analysis also has to cover is what happens on the machine itself: per their published source code, the popular free local dictation tools we audited in July 2026 store plaintext transcripts and unencrypted audio of every dictation, saved unconditionally, with no history-off switch and no lock.
For patient notes, that means months of dictated PHI sitting readable on disk for anyone who can reach the PC, its backups, or a sync folder, which is the same access-control and encryption-at-rest vocabulary you already apply under 45 CFR 164.312. Locality is necessary for the no-BAA path, but it is not sufficient on its own. We published the full tool-by-tool findings in our dictation app privacy audit.
How Lockdown Mode protects patient information
Here is what Lockdown Mode does for your notes and transcripts, mapped to the HIPAA Security Rule's technical safeguards (45 CFR 164.312) in the regulation's own vocabulary, so you can drop it straight into your risk analysis. Lockdown Mode's features are designed to align with these safeguards; the map is a description of what the software does, not a compliance determination, which only you can make for your own practice. Two rows below are marked Addressable, the regulation's term for safeguards you must assess and document rather than implement in one fixed way. Addressable is not optional.
- Access control45 CFR 164.312(a)(1)
- Your transcript history is locked behind a password. A key derived from that password wraps the encryption key. Without your password or your one-time recovery code, the history stays encrypted.
- Automatic logoff45 CFR 164.312(a)(2)(iii) · Addressable
- Transcripts lock again automatically after a period of inactivity that you set.
- Encryption at rest45 CFR 164.312(a)(2)(iv) · Addressable
- Transcript history is encrypted at rest with AES-256-GCM.
- Audit controls45 CFR 164.312(b)
- A private, content-free access log records when your history is opened, locked, and unlocked, and when an unlock fails. It never records what your transcripts say, and it stays on your device.
- Integrity45 CFR 164.312(c)
- The authenticated encryption used for transcript history is designed to detect tampering, which helps confirm your transcripts have not been altered.
- Person authentication45 CFR 164.312(d)
- Opening transcript history requires your password, and repeated failed attempts trigger escalating delays.
- Transmission security45 CFR 164.312(e)
- In Lockdown Mode your audio, transcripts, and dictated text are never transmitted off your device, so there is no ePHI in transit to secure.
What it is not, and what stays yours
An on-device dictation mode whose features are designed to align with the HIPAA Security Rule technical safeguards in 45 CFR 164.312. When it is on, transcription, AI cleanup, and transcript storage all happen on your Windows PC, and cloud providers are turned off.
Not a HIPAA certification: HHS does not certify or approve any product as HIPAA compliant. Not legal advice: this page describes how the software handles your data so you can evaluate it for your own program. And not a substitute for your own risk analysis.
- Administrative safeguards
- Your risk analysis, your policies, and your workforce training stay yours (45 CFR 164.308). No software performs these for you.
- Physical safeguards
- So do facility access and device controls, including who can physically reach the PC that holds your transcript history (45 CFR 164.310).
- User identity
- Whisperstream relies on your Windows account to know who is using it. The Lockdown password is a second gate on the transcript history, not a separate identity for each person who shares the device. If several people share one Windows login, they share one identity.
- Recovery
- If you lose both your password and your one-time recovery code, your transcript history cannot be recovered. That is by design: the encryption key is wrapped by a key derived from your password, so there is no reset path through Lanreal.
Frequently asked questions
The Lockdown Mode safeguard mapping as a one-page PDF, for your compliance file or for whoever reviews the tools in your practice.
Download the PDF summaryOwn your dictation.$29 once.Fully local.
Free to try. No account.