Can I have medical or patient conversations transcribed?
Short answer
Yes, but under strict requirements: GDPR Art. 9 (health data), professional-secrecy laws, a DPA with confidentiality undertakings — and EU data residency.
Medical audio data is protected twice: as health data (special category under GDPR Art. 9) and by medical confidentiality (§ 203 StGB in Germany; equivalents across EU). Sloppy handling here risks not just GDPR fines but professional disciplinary action and criminal prosecution.
What's actually required:
1. Legal basis under GDPR Art. 9(2). Typically (a) explicit consent or (h) medical diagnosis/care. "Informed consent" only — blanket click-through doesn't qualify.
2. § 203 StGB. Since the 2017 reform, professionals bound by confidentiality may use external service providers, but must:
- contractually bind them to confidentiality,
- inform them about criminal liability under § 203(4),
- choose them carefully.
3. DPA with confidentiality undertakings. A standard DPA isn't enough — the contract must reference § 203 StGB and bind all of the processor's staff to confidentiality (including post-termination). DeepScript provides an extended DPA for this case.
4. EU data residency + no US sub-processing. For health data, Schrems II is especially sharp — a transfer to the US is practically unjustifiable.
5. Maximum-tier TOMs (technical and organisational measures). End-to-end encryption, audit logs for every access, strict role-based access, regular security audits.
6. Pseudonymization / anonymization where possible. Replace patient names with pseudonyms before submission if your dictation system allows it. GDPR Art. 32 recommends pseudonymization explicitly.
7. Retention. Audio deleted immediately after transcription; transcript text retained per statutory requirements (in Germany 10 years for medical records under § 630f BGB) — stored on your own infrastructure, separate from the provider.
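One way to carry out the pseudonymization in item 6 on dictation text before it leaves the practice, keeping the re-identification table on your own infrastructure as item 7 requires. This is an added example, not DeepScript's code; the key, patient register and dictation text are constructed.

```python
import hashlib
import hmac
import re

# Constructed demo key: in practice load it from the practice's own secret
# store and never send it to the transcription provider.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Constructed patient register: internal patient id -> name variants that may
# appear in dictations.
DEMO_PATIENTS = {"PID-0001": ["Anna Müller", "Ms. Müller", "Müller"]}

# Constructed dictation text.
SAMPLE_DICTATION = (
    "Patient Anna Müller, born 12 March 1970, presents with persistent cough. "
    "Müller reports no fever. Plan: chest X-ray for Ms. Müller."
)


def make_pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same patient gets the same token in
    every dictation, but without the key the token cannot be linked back."""
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PAT-" + digest[:12].upper()


def pseudonymize_dictation(text: str, patients: dict, key: bytes):
    """Replace every listed name variant with the patient's pseudonym.

    Returns (redacted_text, mapping). The mapping (token -> patient id) is the
    re-identification table; it stays with the retained record on the
    practice's own infrastructure, never with the provider.
    """
    mapping = {}
    variants = []  # (name_variant, token)
    for patient_id, names in patients.items():
        token = make_pseudonym(patient_id, key)
        mapping[token] = patient_id
        variants.extend((name, token) for name in names)
    # Longest variants first so "Anna Müller" is not partially hit by "Müller".
    for name, token in sorted(variants, key=lambda v: len(v[0]), reverse=True):
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        text = pattern.sub(token, text)
    return text, mapping


def demo():
    return pseudonymize_dictation(SAMPLE_DICTATION, DEMO_PATIENTS, DEMO_KEY)
```

Only names are replaced here; dates of birth and other identifiers in the dictation need the same treatment.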
Note: HIPAA only applies in the US. If you transcribe records of US patients, you additionally need a Business Associate Agreement (BAA) and HIPAA-compliant infrastructure. Most EU providers including DeepScript are not HIPAA-covered entities but cover the stricter GDPR framework instead.
Practical tip: for medical transcription always pick the Premium model — errors in drug names or diagnoses can have serious consequences.