HIPAA Compliance & Architecture

Last Updated: March 2026

1. The "Local Application" Distinction

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a Business Associate is an external entity that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity. Murmur AI is NOT a Business Associate for our standard local-tier software.

2. Why No BAA is Required for Local Transcriptions

Murmur functions as a locally installed keyboard extension and Accessibility utility on your computer. When you use Murmur on your own hardware to dictate directly into your EHR:

• 1. You are not sending PHI to a third-party server.
• 2. Murmur AI does not receive, view, store, or transmit your patient data.
• 3. The transcription model (Whisper) is executed entirely by the CPU/GPU physically present inside your Mac or PC.

Because the data never leaves the "four walls" of your encrypted computer, utilizing Murmur is functionally identical to typing on your standard physical keyboard. Therefore, a Business Associate Agreement (BAA) is not required for the local dictation tier.

3. Cloud-Formatted Notes (Pro Tier)

For users who upgrade to Murmur Pro to utilize Cloud AI formatting algorithms, a different data path applies. In this optional mode, transcribed text is sent securely over TLS 1.3 to our HIPAA-compliant API endpoints. We will execute a BAA with Pro-tier users or their organizations prior to enabling this feature. Even in the cloud pipeline, note data is instantly wiped from memory post-processing and is strictly prohibited from being used for LLM AI training.