Building HIPAA-Friendly Software: Lessons from Clearminutes

Healthcare software is hard. Not because the technology is particularly complex, but because the stakes are high and the regulations are strict. When I built Clearminutes, I knew it needed to work for healthcare professionals – doctors, nurses, therapists who can't just send patient discussions to random cloud services.

Why HIPAA Matters for Meeting Assistants

The Health Insurance Portability and Accountability Act (HIPAA) protects patient health information, which the law calls protected health information (PHI). Any software that touches PHI needs to comply with HIPAA's Privacy Rule and Security Rule.

Traditional meeting assistants create obvious HIPAA violations:

  • Audio recordings contain patient names, conditions, treatments
  • Cloud processing means PHI goes to third-party servers
  • Transcripts may be stored indefinitely in unknown locations
  • Data breaches could expose sensitive health information

The Local-First Approach

Clearminutes takes a different approach: PHI never leaves the healthcare provider's device.

Here's how we achieve HIPAA-friendly operation:

1. Local Transcription

All audio processing happens on the user's Mac or Windows PC using Whisper. No audio data is transmitted to external servers.

2. Local Storage

Meeting transcripts and summaries are stored in a local SQLite database. The user controls where this data lives.

3. Optional Cloud Features

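If users want more powerful summarization, they can optionally connect to cloud LLMs (Claude, OpenAI). But this is optional – the default is completely local Ollama summarization. Enabling a cloud LLM sends transcript text to that provider, so the local-only guarantee applies to the default configuration.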

4. User-Controlled Data

Users can export, delete, or move their data at any time. There's no vendor lock-in.
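
One way to enforce the local-by-default rule from steps 1 and 3, as an added example that is not Clearminutes code: a guard that only treats a summarization endpoint as local when its host is `localhost` or a loopback IP literal, and refuses anything else unless the user has explicitly opted in to a cloud provider over HTTPS. The function names and the opt-in flag are hypothetical; `http://localhost:11434` is Ollama's default address.

```python
import ipaddress
from urllib.parse import urlsplit

# Ollama's default listen address, assumed here to be the shipped default.
DEFAULT_ENDPOINT = "http://localhost:11434"


def is_loopback_endpoint(url: str) -> bool:
    """True only if the URL's host is 'localhost' or a loopback IP literal."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. an unterminated IPv6 bracket
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname       # drops userinfo, port and IPv6 brackets
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other DNS name could resolve off-device, so it is not local.
        return False


def choose_summarizer(endpoint: str = DEFAULT_ENDPOINT,
                      cloud_opt_in: bool = False) -> str:
    """Return 'local' or 'cloud'; raise if text would leave the device unasked."""
    if is_loopback_endpoint(endpoint):
        return "local"
    # Cloud use needs an explicit user choice and an encrypted transport.
    if cloud_opt_in and endpoint.lower().startswith("https://"):
        return "cloud"
    raise PermissionError(f"refusing non-local endpoint: {endpoint!r}")


if __name__ == "__main__":
    # Constructed sample endpoints, including look-alikes that are not local.
    for url in ("http://localhost:11434", "http://[::1]:11434",
                "http://127.0.0.1@evil.example/",
                "http://localhost.evil.example:11434",
                "http://0.0.0.0:11434"):
        print(f"{url:40} local={is_loopback_endpoint(url)}")
```

The look-alike cases matter because a naive prefix or substring check on the URL would accept them, and transcript text would then be sent off the device while the setting still appears local.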

What "HIPAA-Friendly" Means

Important disclaimer: Clearminutes is not HIPAA certified (no software is "HIPAA certified" – that's not how it works). We're HIPAA-friendly, meaning:

  • We designed with HIPAA requirements in mind
  • We don't handle PHI on our servers
  • We provide tools for healthcare providers to maintain compliance
  • Healthcare organizations can deploy us without BAA concerns

For healthcare organizations, the fact that Clearminutes doesn't process data on external servers significantly simplifies compliance. You don't need a Business Associate Agreement (BAA) with us because we don't touch your data.

Lessons Learned

Privacy is a Feature

I didn't set out to build HIPAA-friendly software. I built Clearminutes because I wanted meeting notes without sending my voice to third-party servers. But this privacy-first approach turned out to be the key feature for healthcare.

Local AI is Practical Now

Five years ago, building a local meeting assistant would have been impractical. Whisper changed that. Modern Macs and Windows PCs have enough GPU power for real-time transcription and summarization.

Compliance is Easier Than You Think

By not handling user data, we sidestep most compliance complexity. The best way to protect data is to not have access to it.

Beyond Healthcare

This approach works beyond healthcare:

  • Legal: Attorney-client privilege protected
  • Finance: Confidential client discussions stay private
  • Consulting: Client strategies don't leave your device
  • Government: Classified or sensitive discussions stay local

Try It

If you work in healthcare, law, or any field dealing with sensitive information, give Clearminutes a try. The default setup runs completely offline – no internet required after installation.

The future of AI-powered productivity tools is local. And for good reason: your data belongs to you.