
I went to the doctor and they used some kind of automatic transcription system. Doesn’t seem to be an issue as long as my personal data isn’t shared elsewhere, which I confirmed.

Whisper is good enough these days that it can be run on-device with reasonable accuracy so I don’t see an issue.



Last I checked, the popular medical transcription services did send your data to the cloud and run models there.


Yes, but with extra contracts and rules in place.


At least in the US I think HIPPA would cover this, and IME medical providers are very careful to select products and services that comply.


Yes, but HIPAA is notoriously vague with regards to what actual security measures have to be in place. It's more of an agreement between parties as to who is liable in case of a breach than it is a specific set of guidelines like SOC 2.

If your medical files are locked in the trunk of a car, that’s “HIPAA-compliant” until someone steals the car.


I think that's a good thing. I don't want a specific but largely useless checklist that absolves the party that ought to be held responsible. A hard guarantee of liability is much more effective at getting results.

It would be nice to extend the approximate equivalent of HIPAA to all personal data processing in all cases with absolutely zero exceptions. No more "oops we had a breach, pinky promise we're sorry, don't forget to reset all your passwords".


No disagreement. It's just something I point out when people are concerned about "HIPAA compliance."

My experience is that people tend to think it's some objective level of security. But it's really just the willingness to sign a BAA and then take responsibility for any breaches.


It's "HIPAA."


It was just last week that I learned about HIPAA Hippo!



