Resource
Yes — with three conditions that must all hold at once, and a price tier attached. Fireflies documents this more precisely than most vendors, so the answer is knowable; it’s just longer than the marketing headline. Here it is, sourced to Fireflies’ own documentation, followed by the architectural question the checklist implies.
Quick answer
Fireflies can be HIPAA-compliant, but only in one configuration: an active Enterprise plan ($39/user/month, billed annually) plus Private Storage enabled plusa signed BAA — all three simultaneously. Fireflies’ own setup guide states compliance is disabled if any single requirement is removed, downgraded, or expires.
On Free, Pro, and Business plans, the answer is no. Recording PHI on those tiers is a disclosure to a vendor with no BAA in effect — regardless of Fireflies’ generally strong security posture (SOC 2 Type II, zero-retention agreements with its AI vendors).
Credit where due: Fireflies publishes a self-serve BAA page and documents the requirements plainly. The compliant setup means Enterprise pricing, enabling Private Storage (dedicated or bring-your-own AWS S3/GCS, with EU region options), signing the BAA, and keeping all three alive — your workspace’s security checklist shows “HIPAA Compliance: Enabled” when configured. Fireflies also states it has signed BAAs downstream with OpenAI and its speech-recognition vendors, with zero-retention terms.
What the configuration doesn’t change: your patients’ conversations are still processed in Fireflies’ cloud (US-based AWS/GCP by default) and still pass through third-party AI vendors. The BAA chain makes those disclosures lawful and governed. It does not make them not-disclosures — every link in that chain is a party holding or touching PHI, bound by contract rather than removed from the picture.
One nuance worth flagging: Fireflies’ healthcare marketing describes features “available to all Fireflies customers,” while the compliance docs gate the HIPAA configuration to Enterprise. The features are broad; the compliance is not. Read the setup guide, not the press release.
A three-condition compliance checklist exists because the audio leaves your machine. The alternative architecture makes the checklist disappear: transcription that runs entirely on your own device never gives any vendor the conversation, so there is no business associate, no BAA, no Private Storage tier, and no configuration to keep alive. That’s Minutes— open source, on-device transcription and diarization, markdown on your own disk with owner-only permissions. No local tool is “HIPAA certified” (no tool of any kind is — HHS certifies nobody); on-device processing simply removes the vendor from the analysis. Device encryption, access control, and recording consent remain your responsibilities, as they already are for the machine your EHR runs on.
Next step
This page is informational, not legal advice. Verify plan details, Private Storage setup, and BAA terms with Fireflies and your compliance counsel before recording PHI with any tool.