Otter.ai is now HIPAA compliant, which means you can confidently use our AI meeting agent for clinical documentation, team communication, and patient coordination. Healthcare teams can now use Otter for meetings involving Protected Health Information (PHI) without worry. Learn more about Otter’s commitment to Privacy & Security.
HIPAA’s benefits for all Otter users
We follow HIPAA requirements in how we collect, store, and process health-related information, implementing both administrative and technical safeguards to help protect against unauthorized access or misuse. Otter has implemented many new security measures and processes, providing benefits across the board:
- Better encryption to keep Protected Health Information (PHI) locked down.
- Tighter access controls so only the right people see sensitive data.
- Team training to make sure everyone knows HIPAA inside and out.
- Regular security audits to stay on top of our game.
User controls
To ensure HIPAA-compliant use of Otter, review the information below. This list is non-exhaustive. Speak with your account executive about your organization’s specific needs.
Sign a Business Associate Agreement
Otter.ai is not a HIPAA-covered entity by default. It becomes a Business Associate only when a signed BAA is in place. Customers must assess whether their intended use of Otter.ai will involve the creation, receipt, transmission, or maintenance of PHI. If so, a BAA must be executed with Otter.ai before any such data is handled. Contact your account executive to start the process.
Control PHI capture in meetings
Healthcare organizations are responsible for controlling when and how PHI is introduced into the Otter environment. This includes managing features like Otter Notetaker, which can automatically join and record scheduled meetings.
Customers should implement policies and technical controls to ensure PHI is not captured unintentionally or without proper authorization.
Manage Notetaker for your Workspace
Workspace admins can disable the option for members to use Notetaker in Workspace > Members > Notetaker.
Review synced calendar events and connection
Calendar integrations and user behavior should be carefully reviewed to prevent unintentional exposure of sensitive health information. Enforce policies with employees to ensure compliance.
Users can review their calendar integration in Account Settings > Apps and the events synced over on the homepage calendar.
Users should review their individual meeting settings for auto-join in Account Settings > Meetings to meet compliance. Admins can manage auto-join and share settings for the Workspace in Workspace > Settings.
Disable Public and Link-Based Sharing
Otter supports public and link-based transcript sharing, which is not appropriate when PHI is involved. Customers must explicitly disable these features to avoid unauthorized disclosures. Team administrators should enforce sharing restrictions within Otter’s settings and implement oversight to regularly audit and revoke any externally shared content that could contain PHI.
Disable external sharing
Workspace admins can disable external sharing in Workspace > Settings.
Enforce Role-Based Access and Identity Controls
Otter provides access controls at the user and team levels, including two-factor authentication (2FA) and Single Sign-On (SSO) for enterprise customers. Customers must implement these controls to enforce least-privilege access and reduce the risk of unauthorized PHI access. Account provisioning and de-provisioning should be tightly managed. Access for terminated employees or users changing roles must be removed promptly, ideally within 24 hours.
Enforce 2FA for the Workspace
Admins can enforce 2FA and set up SSO for the Workspace in Workspace > Settings.
Manage Workspace members
Admins can deactivate, remove, or delete members from the Workspace in Workspace > Members.
User Awareness and Monitoring
Administrators should routinely review Otter usage logs and dashboard activity. Any policy violations or abnormal behavior should be investigated in accordance with internal incident response procedures.
View Workspace usage analytics
Admins have a quick overview of all member usage in Workspace > Analytics.
Review and manage conversations created in the Workspace
Admins can see a quick overview of all conversations created in the Workspace, including filtering by title, owner, shared with, and start/end times.
Learn more about Otter’s centralized conversation management.
Define and Apply Retention and Deletion Policies
Otter supports customer-defined data retention policies and secure deletion of content. Healthcare organizations must configure transcript and recording retention in accordance with their HIPAA-compliant data lifecycle policies. Additionally, upon account termination or contract expiration, Otter will delete residual data per customer request. Customers should ensure data deletion actions are documented and verified.
Set a custom data retention policy
Customers have full control over how long a conversation remains in the Workspace. Once an admin sets a custom duration, every conversation created by users in the Workspace is automatically deleted when that duration has elapsed. Deleted conversations are not accessible to any user in the Workspace.
Reach out to your account executive to get started. Learn more about setting a custom data retention policy.