TTheraIndex

Are AI Therapy Notes HIPAA Compliant? What Therapists Must Verify in 2026

·5 min read
Share:𝕏finr/

Short answer: AI therapy notes can be HIPAA compliant — but compliance belongs to your setup, not to the tool. The same product can be perfectly compliant in one practice and a violation in the practice next door, depending on paperwork, settings, and workflow.

Here's what actually matters, in plain English. (This is general information, not legal advice — for edge cases, talk to a healthcare attorney.)

TheraIndex may earn a commission from some links below — it never affects our rankings.

HIPAA in one paragraph, for this purpose

HIPAA lets you share protected health information (PHI) with a vendor that helps you operate — a "business associate" — only if that vendor signs a Business Associate Agreement (BAA) accepting legal responsibility for safeguarding it (see HHS's guidance on business associates). An AI scribe that hears your sessions is unambiguously a business associate. So:

No signed BAA = that tool can never touch client information. Full stop.

This is why consumer ChatGPT is off-limits for anything containing PHI — OpenAI doesn't sign BAAs for the consumer product. (HIPAA-configured alternatives like BastionGPT exist precisely to fill that gap.)

Will the vendor sign a BAA? ✕ No PHI. Ever. Mock or de-identified use only No Yes Audio deleted + no training on your data — confirmed in writing? ↩ Keep shopping Plenty of vendors clear this bar No Yes ✓ Add consent language, trial with a mock session, then go live
The two-gate test every AI tool must pass before it touches client information.

The BAA is necessary — but not sufficient

A signed BAA is the entry ticket. The differences between vendors show up in five questions:

1. What happens to the session audio? Best practice is deletion once the note is generated. Freed and Berries retain no audio; Mentalyc auto-deletes within days. If a vendor keeps audio indefinitely, ask why.

2. Is your data used to train their models? The answer you want: not on identifiable data, and ideally not at all without opt-in. Get it in writing — it's often in the BAA or a data processing addendum.

3. Is the note content de-identified in their systems? Some tools (Mentalyc, notably) de-identify notes in storage, which dramatically lowers breach impact.

4. Where does the data live, and who can see it? US-hosted, encrypted at rest and in transit, access-logged. Any serious vendor answers this in one email.

5. What's their breach history and notification commitment? The BAA should spell out notification timelines. A vendor that's cagey here is telling you something.

Client consent: the part that's on you

HIPAA governs the vendor relationship; recording a session is a separate consent question, and several states require all-party consent for recordings. Regardless of state law, the ethical move (and the one professional-association guidance supports — see the APA's guidance on AI tools in practice) is explicit, documented client consent.

Practical approach most practices use:

  • One paragraph in the intake consent describing the AI scribe, what it captures, and that the therapist reviews every note
  • A verbal mention in session one
  • An opt-out path that doesn't affect care (dictate a summary to the scribe instead of recording — nearly every tool supports this)

Your responsibilities don't transfer

Even with a perfect vendor: you remain the covered entity. That means you still must review and sign every AI-drafted note (they do make mistakes), keep the note accurate to the session, and include AI tools in your practice's required security risk analysis (HHS provides a free risk assessment tool).

The checklist

Before any AI tool touches real client data:

  • ☐ BAA signed and saved (not "available on request" — signed)
  • ☐ Audio retention policy in writing (prefer deletion after note generation)
  • ☐ "Do you train on my data?" answered in writing
  • ☐ Encryption + US hosting confirmed
  • ☐ Consent language added to intake paperwork
  • ☐ Recording consent verified against your state's law
  • ☐ Opt-out workflow decided (dictated summaries)
  • ☐ Tool added to your security risk analysis
  • ☐ Tested with mock sessions first — never real PHI on a trial without a BAA

The good news

The leading mental-health scribes were built by people who understood all of this from day one — every tool in our AI scribes category has its BAA status listed, and the top options (compared here) clear this checklist easily. The same diligence applies to secure email and compliance tools, or any category in the full directory.

For the broader landscape, start with the best AI tools for therapists in 2026.

FAQ

Is it a HIPAA violation to use ChatGPT for therapy notes? Using the consumer version with identifiable client information — yes, effectively, because there's no BAA. De-identified use is murkier but risky, since true de-identification is harder than it looks. Use a BAA-covered tool instead.

Do clients have to consent to AI note-taking? The BAA covers HIPAA's vendor side, but recording consent is separate law in many states, and documented consent is the professional-ethics expectation everywhere. Get it in writing.

Can insurance companies reject AI-drafted notes? Payers care that notes are accurate, signed by you, and support medical necessity — not what drafted them. Review-and-sign is the step that keeps you covered.

What if a client declines the AI scribe? Honor it gracefully: dictate a session summary to the tool afterward instead of recording. You keep most of the time savings; the client keeps their comfort.

Share:𝕏finr/

Get new AI tools for your practice, weekly