HIPAA Compliance & Architecture

Last Updated: March 2026

1. The "Local Application" Distinction

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a Business Associate is an external entity that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity. Murmur AI is NOT a Business Associate for our standard local-tier software.

2. Why No BAA is Required for Local Transcriptions

Murmur functions as a locally installed keyboard extension and Accessibility utility on your computer. When you use Murmur on your own hardware to dictate directly into your EHR:

• 1. You are not sending PHI to a third-party server.
• 2. Murmur AI does not receive, view, store, or transmit your patient data.
• 3. The transcription model (Whisper) is executed entirely by the CPU/GPU physically present inside your Mac or PC.

Because the data never leaves the "four walls" of your encrypted computer, utilizing Murmur is functionally identical to typing on your standard physical keyboard. Therefore, a Business Associate Agreement (BAA) is not required for the local dictation tier.

3. Cloud-Formatted Notes (Pro Tier)

For users who explicitly enable external cloud formatting, a different data path applies. In this optional mode, transcribed text is sent over an encrypted connection to the selected provider. Users should enable external providers only when their workflow and compliance requirements allow transcript text to leave the Mac. Local Ollama formatting keeps the formatting path on-device when a local model is installed.