Is Around HIPAA Compliant? Here’s What Healthcare Teams Should Know
Whether you can use Around with Protected Health Information (PHI) depends on more than a marketing claim. You need a signed Business Associate Agreement, documented Administrative Safeguards, strong Technical Safeguards, disciplined PHI handling under the Minimum Necessary Rule, audit-ready logging, and a trained workforce. This guide shows you how to evaluate and configure Around for HIPAA-aligned use.
Use the sections below as a practical checklist to determine if your environment, contracts, and settings collectively support HIPAA compliance before any PHI touches the platform.
Business Associate Agreement Execution
A Business Associate Agreement (BAA) is the gating item. Without an executed BAA that explicitly covers the features you plan to use, do not create, receive, maintain, or transmit PHI in Around. Confirm that meetings, recordings, transcripts, storage, integrations, and any Notes AI features are in scope.
Key terms to require
- Permitted uses/disclosures limited to delivering the service; no unauthorized analytics, advertising, or model training on PHI.
- Obligations to implement Administrative Safeguards and Technical Safeguards, including access controls and encryption.
- Breach and security incident notification timelines, investigation cooperation, and risk assessment support.
- Subcontractor “flow‑down” requiring BAAs with all subprocessors that may handle PHI.
- PHI return/deletion at termination, defined retention periods, and backup handling.
- Audit Logging availability and reasonable audit/assessment rights for your organization.
- Controls for privileged support access, including Multi-factor Authentication and least privilege.
Execution steps
- Map PHI data flows for meetings, chat, screen sharing, recordings, transcripts, and Notes AI outputs.
- Request HIPAA terms and a BAA that names covered services and subprocessors; review with legal and security.
- Sign and store the BAA; record scope, effective dates, and contacts for incident notifications.
- Configure security controls post‑signature; disable features not covered by the BAA.
- Establish a change‑management process to re‑review the BAA when features, vendors, or data flows change.
Administrative Safeguards for PHI Protection
Administrative Safeguards operationalize HIPAA. They ensure that policies, risk management, and oversight keep technical settings aligned with your real‑world workflows in and around meetings.
Risk analysis and management
- Inventory where PHI could appear: screen shares, chat, whiteboards, recordings, transcripts, and Notes AI artifacts.
- Perform a documented risk analysis, prioritize gaps, and track mitigations to completion.
- Review risks at least annually and after major product or process changes.
Access management and governance
- Grant access on a role basis; apply the Minimum Necessary Rule to admins, users, and support accounts.
- Run quarterly access reviews; immediately revoke access on role change or termination.
- Define sanctions for violations and an approvals process for enabling high‑risk features (e.g., recordings).
Contingency planning
- Set retention and backup objectives for recordings and transcripts containing PHI.
- Document disaster recovery and emergency‑mode operations for continuity of care.
- Test restoration and data deletion processes regularly.
Technical Security Controls
Technical controls enforce day‑to‑day protections. Configure identity, encryption, data lifecycle, and device posture to meet HIPAA’s technical safeguard requirements.
Identity and authentication
- Enforce SSO with strong policies; require Multi-factor Authentication for all users and admins.
- Use role‑based access control and least privilege; restrict admin scopes and API tokens.
- Set session timeouts and automatic logoff, especially on shared workstations.
Data protection and integrity
- Require encryption in transit and at rest; confirm key management and separation of environments.
- Limit who can create or view recordings and transcripts; watermark or label PHI where feasible.
- Apply content controls such as download restrictions, DLP scanning, and redaction where available.
Platform and endpoint hygiene
- Harden admin and clinician endpoints with patching, EDR, disk encryption, and screen‑lock policies.
- Restrict integrations to HIPAA‑eligible partners listed in your BAA; review scopes before enabling.
- Use IP allowlists, device checks, or network restrictions for high‑risk roles.
Partner Compliance Management
Around’s compliance posture is only part of the picture. You must also manage risk from its subprocessors and any integrations you enable.
Due diligence
- Request a current list of subprocessors and confirm BAAs are executed for any that may handle PHI.
- Review security documentation (e.g., independent assessments, penetration tests) and remediation cadence.
- Validate data residency, retention, and deletion practices align with your policies.
Contractual safeguards
- Ensure “flow‑down” HIPAA obligations, right‑to‑audit language, and clear breach reporting paths.
- Require notice and approval for subprocessor changes that affect PHI.
Ongoing monitoring
- Track vendor attestations and BAA renewal dates; review impact of new features on PHI handling.
- Continuously monitor integration scopes and disable those you no longer need.
PHI Handling and the Minimum Necessary Rule
Apply the Minimum Necessary Rule to every meeting and artifact. Design your workflows so PHI exposure is intentionally limited and time‑boxed.
Meeting and collaboration hygiene
- Plan agendas to avoid displaying PHI unless strictly required; use de‑identified data in demos and training.
- Limit PHI in chat; configure retention to the minimum necessary and restrict exports.
- Disable or tightly control recording and transcription; if enabled, restrict access and set short retention.
Notes and AI features
- Use Notes AI only if your BAA explicitly covers it; otherwise, avoid entering PHI.
- Confirm prompts, transcripts, and summaries are encrypted, access‑controlled, and not used to train external models absent BAAs.
- Enable redaction, masking, and auto‑deletion where available; document who can view AI‑generated outputs.
Incident Response and Audit Logging
Rapid detection and thorough evidence are essential when PHI is involved. Prepare before an incident occurs.
Incident response
- Define triage, containment, eradication, and recovery steps for account compromise, misconfiguration, or data leakage.
- Document roles, on‑call contacts, and decision trees for breach determination and notification.
- Practice with tabletop exercises that include recordings, transcripts, and Notes AI artifacts.
Audit Logging essentials
- Collect logs for authentication events, admin changes, meeting creation/join/leave, recording and transcript actions, file shares, integrations, and data exports.
- Retain logs per policy, protect their integrity, and export to your SIEM for correlation and alerts.
- Provide least‑privilege log access to privacy and security teams for investigations and audits.
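The log categories above only become useful once something correlates them and raises alerts. The following is an added example, not Around's export format or any tool of Around or Accountable: it assumes a line-delimited JSON audit export with the fields `ts`, `action`, `actor`, `role`, `mfa`, `target` and `integration` (an assumed schema you would map your real export onto), runs a handful of detection rules drawn from this checklist (logins without Multi-factor Authentication, recording exports by roles outside the allowed set or from a session that skipped MFA, admin changes outside the change window, integrations enabled that are not named in the BAA), and computes a hash chain over the raw lines so that tampering with retained logs is detectable. The sample events and policy sets are constructed.

```python
"""Detection rules and an integrity chain over constructed audit events.

Added example; the event schema and policy values below are assumptions,
not Around's real log format or settings.
"""
import hashlib
import json
from datetime import datetime

# Constructed sample export (not real data): one JSON record per line,
# covering the event categories the checklist asks you to collect.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:02:11Z","action":"auth.login","actor":"dr.lee","role":"clinician","mfa":true}
{"ts":"2024-05-01T08:05:40Z","action":"auth.login","actor":"temp.contractor","role":"guest","mfa":false}
{"ts":"2024-05-01T09:15:02Z","action":"recording.export","actor":"dr.lee","role":"clinician","target":"rec-1001"}
{"ts":"2024-05-01T09:20:55Z","action":"recording.export","actor":"temp.contractor","role":"guest","target":"rec-1001"}
{"ts":"2024-05-01T22:41:09Z","action":"admin.setting_change","actor":"it.admin","role":"admin","target":"recording.enabled=true"}
{"ts":"2024-05-01T10:00:00Z","action":"integration.enable","actor":"it.admin","role":"admin","integration":"ehr-connector"}
{"ts":"2024-05-01T10:03:00Z","action":"integration.enable","actor":"it.admin","role":"admin","integration":"fun-gif-bot"}
"""

# Policy inputs (assumed, constructed for the example): roles permitted to
# export PHI artifacts, integrations named in the BAA, and the UTC hours
# during which admin changes are expected under change management.
EXPORT_ALLOWED_ROLES = {"clinician", "privacy_officer"}
BAA_INTEGRATIONS = {"ehr-connector"}
CHANGE_WINDOW_UTC = (9, 18)  # admin changes expected between 09:00 and 18:00 UTC

EXPORT_ACTIONS = {"recording.export", "transcript.export"}


def parse_events(text):
    """Parse line-delimited JSON into dicts, sorted by timestamp so that
    per-actor correlation (login -> export) sees events in order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return a list of (rule, actor, detail) alerts. An event can trip
    more than one rule; the MFA rule correlates exports with the actor's
    most recent login."""
    alerts = []
    last_login_mfa = {}  # actor -> whether their latest login used MFA
    for ev in events:
        action, actor = ev["action"], ev["actor"]
        if action == "auth.login":
            used_mfa = bool(ev.get("mfa", False))
            last_login_mfa[actor] = used_mfa
            if not used_mfa:
                alerts.append(("NO_MFA", actor, None))
        if action in EXPORT_ACTIONS:
            if ev.get("role") not in EXPORT_ALLOWED_ROLES:
                alerts.append(("UNAUTHORIZED_EXPORT", actor, ev.get("target")))
            if last_login_mfa.get(actor) is False:
                alerts.append(("EXPORT_WITHOUT_MFA_SESSION", actor, ev.get("target")))
        if action.startswith("admin."):
            start, end = CHANGE_WINDOW_UTC
            if not start <= ev["ts"].hour < end:
                alerts.append(("OFF_HOURS_ADMIN_CHANGE", actor, ev.get("target")))
        if action == "integration.enable" and ev.get("integration") not in BAA_INTEGRATIONS:
            alerts.append(("NON_BAA_INTEGRATION", actor, ev.get("integration")))
    return alerts


def chain_digest(text):
    """Hash chain over the raw lines: each digest covers the previous digest
    plus the current line, so editing or dropping any retained line changes
    the final value. Store the result somewhere the log writer cannot alter."""
    digest = b""
    for line in text.splitlines():
        digest = hashlib.sha256(digest + line.encode("utf-8")).digest()
    return digest.hex()


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
    print("chain digest:", chain_digest(SAMPLE_LOG))
```

Feed real exports through the same shape by adjusting the field names in `parse_events`, and ship the alerts and the chain digest to the SIEM rather than keeping them next to the logs they describe.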
Workforce Training for HIPAA Compliance
Technology controls work only when people use them correctly. Training is a required Administrative Safeguard and should be role‑based and continuous.
Curriculum and cadence
- Cover HIPAA basics, the Minimum Necessary Rule, acceptable use in meetings, and handling of recordings and transcripts.
- Teach secure configuration, incident reporting, phishing awareness, and safe use of Notes AI features.
- Deliver training at onboarding and at least annually; track completion and comprehension.
Operational reinforcement
- Publish quick‑reference guides for starting secure sessions and sharing screens without PHI.
- Run periodic drills that test escalation paths and permissions for high‑risk features.
- Apply sanctions consistently for policy violations to reinforce expectations.
Bottom line: You can use Around in a HIPAA‑aligned manner only when a BAA is executed for the specific features you use, Administrative Safeguards and Technical Safeguards (including Multi-factor Authentication) are enforced, PHI exposure is minimized, Audit Logging is comprehensive, and your workforce is trained. If any of these are missing, do not process PHI in the platform.
FAQs
What is a Business Associate Agreement (BAA)?
A BAA is a binding contract that allows a vendor to create, receive, maintain, or transmit PHI on your behalf under HIPAA. It defines permitted uses, requires safeguards, mandates breach reporting, and flows obligations to subcontractors. Without a signed BAA covering in‑scope features, a cloud tool may not be used with PHI.
How does Around Notes AI protect PHI?
Protection depends on the vendor’s architecture and your configuration. For HIPAA use, ensure your BAA explicitly includes Notes AI, confirm encryption and access controls, and verify that PHI is not used to train external models unless those providers are also bound by BAAs. Apply the Minimum Necessary Rule, restrict access to outputs, and set short retention and auto‑deletion.
What safeguards does Around implement?
Safeguards vary by plan and settings. Confirm encryption in transit and at rest, role‑based access with Multi-factor Authentication, granular permissions for recordings and transcripts, Audit Logging with export, secure software practices and vulnerability management, incident response procedures, and subcontractor oversight. Validate these controls in writing and test your configuration.
How does Around ensure vendor compliance?
A HIPAA‑eligible provider should require BAAs with all subprocessors that touch PHI, perform due diligence and ongoing monitoring, flow down security and breach‑reporting obligations, and notify you of subprocessor changes. Ask for a current subprocessor list, evidence of assessments, and how issues are tracked to remediation.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.