
Is Wispr Flow HIPAA compliant?

Short answer: yes, on the enterprise tier with a signed Business Associate Agreement and Zero Data Retention enabled. Not on the consumer or self-serve tiers. And in every case, the architecture is still cloud: audio leaves your Mac and is processed on Wispr Flow’s servers, and the compliance work sits in the contract around that path. Here is what that means in practice and where the on-device alternative fits.

What "HIPAA compliant" actually means here

HIPAA does not certify products. There is no "HIPAA certified" label that a software vendor earns. What a vendor can do is sign a Business Associate Agreement with a covered entity (a clinician, practice, hospital or health plan) that binds them to the safeguards HIPAA requires of business associates, plus breach-notification obligations and audit cooperation.

When Wispr Flow says it offers a HIPAA-compliant posture, that is what is being described. The enterprise tier supports a BAA. The audit and access controls expected of a cloud business associate are in place. With Zero Data Retention enabled, audio and transcripts are not retained or used for training.

On the consumer or self-serve Pro tiers, no BAA is in place by default, and dictating Protected Health Information would fall outside the covered relationship. That is a procurement and tiering question, not a technical one.

What still happens, even under a BAA

The audio leaves your Mac. That is structural to a cloud transcription service: the speech model runs in a data centre, so the audio has to travel there. A BAA constrains what the business associate is allowed to do with that audio. It does not change the path. PHI is being transmitted to a third party that you are now contractually trusting to handle it correctly.

For US health systems with established cloud procurement and security teams, that contractual model is familiar and acceptable. Microsoft, AWS, Google Cloud and dozens of clinical SaaS vendors operate this way under HIPAA every day. The compliance burden is real but tractable.

For a sole practitioner, a small clinic, a UK NHS context where the data-protection conversation runs through GDPR and DPA 2018 as well as any local NHS information-governance framework, or any practice that simply does not want to manage a vendor relationship for every audio second of a working day, that model can feel heavier than the use case justifies. That is the part of the audience an architectural alternative addresses differently.

The architectural alternative

Parakeety transcribes on the Apple Neural Engine on your Mac. Audio is captured to memory, transcribed locally, pasted at the cursor and discarded. There is no audio leaving the device, so the question of whether the cloud vendor holds a BAA does not apply. PHI is not being transmitted at all.

This is not a Privacy Mode toggle or a Zero Data Retention setting. It is the architecture: the speech model runs on the Mac. The same outbound traffic exists for every install (a one-time speech-model download and periodic license checks) and never carries audio.

Why "audio never leaves the device" is a different kind of privacy guarantee from "audio leaves the device but the vendor promises to handle it well" is unpacked in the cornerstone piece, HIPAA and dictation: architectural vs contractual privacy.

How to decide

A simple frame:

  • You already operate cloud vendors under BAAs. Adding Wispr Flow on the enterprise tier with ZDR enabled is a familiar procurement; the compliance posture matches what your team already manages.
  • You want PHI to not leave the Mac at all. Parakeety is the architectural answer: nothing to negotiate, nothing to audit, no third-party data path to worry about.
  • You need a non-European language Parakeet does not cover. Wispr Flow’s 100+ language coverage is the trade you make for the cloud architecture.
  • You need ambient encounter scribing. Neither of these is that product category; Dragon Medical One / DAX Copilot is. See Parakeety vs Dragon for the Mac side of that comparison.

For the audiences this matters to

The deeper pieces by audience walk through the same trade in the language of each role: Parakeety for clinicians and GPs, Parakeety for therapists and counselors and Parakeety for lawyers and solicitors all sit on the same architectural answer. The full Wispr Flow comparison across pricing, languages, speed and feature set is in Parakeety vs Wispr Flow.

FAQ

Can I use Wispr Flow with PHI?
Only under a Business Associate Agreement, and only on the enterprise tier that Wispr Flow offers for that purpose. On the consumer or self-serve Pro tiers, dictating any Protected Health Information would not be HIPAA compliant. Even with a BAA in place, audio still leaves your Mac and is processed on Wispr Flow’s servers. That is the cloud-compliance model: contracts, audit logs and operational controls around audio that has left the device.

What is a BAA?
A Business Associate Agreement is a contract under HIPAA between a covered entity (a clinician, practice, hospital or health plan) and a business associate (a third party that processes Protected Health Information). It binds the business associate to specific safeguards and breach-notification obligations. Without a BAA in place, sending PHI to a third-party service breaches HIPAA, regardless of how secure that service is.

Does Privacy Mode mean audio doesn’t leave my Mac?
No. Privacy Mode (Zero Data Retention) means Wispr Flow does not retain or train on your audio and transcripts. The audio still uploads to their servers to be transcribed; it is just not stored afterwards. That is a meaningful privacy gain over the default, but it is not the same as on-device processing where audio never leaves the Mac.

Is there a HIPAA-safe alternative that doesn’t use cloud?
Parakeety transcribes locally on the Apple Neural Engine. Audio is captured to memory, processed on-device and discarded. There is no Protected Health Information traversing a network, so the question of whether the cloud provider holds a BAA does not apply. We unpack the distinction between architectural and contractual privacy in the cornerstone piece on HIPAA and dictation. For a side-by-side with Wispr Flow specifically, see Parakeety vs Wispr Flow.

Try it

Parakeety is a Mac menu-bar app. Hold the section key, talk, release; your words paste at the cursor in whichever app you were typing into. Audio never leaves the machine, so there is no PHI to put under a BAA in the first place. There is a free 7-day trial with no card required. After that it is $30 once.