Therapy Tools Reviewed

HIPAA-Compliant AI Tools for Therapists: A Practical Guide

HIPAA compliance for AI tools is not a checkbox; it is an ongoing process. This guide walks therapists and practice owners through what HIPAA actually requires of AI vendors, which platforms in our coverage offer Business Associate Agreements (BAAs), and the questions to ask before letting any AI tool touch a patient session.

What HIPAA Actually Requires of AI Vendors

Under HIPAA, any third-party vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity is a Business Associate. AI session-note tools, AI scribes, and AI session-analysis platforms all fall into this category the moment they receive a recording or transcript containing patient information, whether or not they store it.

The therapist or practice (the covered entity) and the AI vendor (the business associate) must execute a written Business Associate Agreement before any PHI is shared. The BAA defines how PHI may be used, how it is secured and retained, and how breaches are reported. Without a signed BAA, sending patient information to a consumer AI tool, including general-purpose ChatGPT, is an impermissible disclosure under the Privacy Rule, even if the tool happens to be technically secure: the rule governs who may receive PHI and under what assurances, not only how well it is protected.

Which Platforms in Our Coverage Offer BAAs

  • Upheal — HIPAA-compliant; BAA available
  • Mentalyc — HIPAA-compliant; BAA available
  • Blueprint — HIPAA-compliant; BAA available
  • Freed — HIPAA-compliant; BAA available
  • Lyssn — HIPAA-compliant enterprise platform; BAA available
  • SimplePractice — HIPAA-compliant EHR; BAA available; AI Note Taker add-on under same BAA
  • Alma — Alma operates as a covered entity for its network and handles compliance accordingly
  • Talkiatry — Talkiatry is a licensed psychiatric practice and operates under HIPAA as a covered entity

What BAAs Do and Do Not Cover

A BAA is a contract about responsibilities, not a security audit. Signing a BAA does not by itself prove that a vendor is secure. It does establish that the vendor:

  • Will use PHI only as permitted under the agreement
  • Will implement appropriate safeguards
  • Will report breaches of unsecured PHI within defined timelines (HIPAA sets an outer limit of 60 days from discovery; a good BAA requires much faster notice)
  • Will return or destroy PHI when the relationship ends
  • Will require subcontractors to sign equivalent agreements

Beyond the BAA, therapists should review the vendor's data handling practices, encryption in transit and at rest, sub-processor list, retention policies, deletion procedures, and access controls (who at the vendor can view transcripts, and under what conditions). Reputable vendors publish trust pages with this information and will share a third-party audit report such as a SOC 2 Type II on request; ask for the report rather than relying on a compliance badge on the marketing site.

Questions to Ask Before Signing Up

  1. Will you sign a BAA with my practice? If the answer is no, you cannot use the tool with patient data, full stop. Get the signed BAA before the first session is uploaded, not after.
  2. Where is patient audio and transcript data stored, and is it encrypted at rest? HIPAA does not require US storage, but US-based storage simplifies compliance and vendor oversight for US practices.
  3. Is PHI used to train AI models? Reputable mental health AI vendors do not use PHI for general model training; if they do, or if the answer is vague, treat it as a red flag.
  4. What is the retention period? Shorter is generally better; some tools allow per-session deletion. Ask specifically whether raw audio is deleted once the note is generated, since the recording is the most sensitive artifact.
  5. Who are the sub-processors? If the vendor sends transcripts to a third-party LLM API, that provider is a subcontractor business associate and must be under its own BAA with the vendor; confirm that the provider does not retain or train on the data.
  6. What is the breach notification process and timeline? HIPAA caps business-associate notification at 60 days from discovery; a well-run vendor commits to far less in the BAA.
  7. How is patient consent handled? Therapists should obtain explicit, documented consent from clients before recording sessions or processing them with AI. Recording consent is also governed by state law, and several states require consent from every party to the conversation, so check your state's rule as well as HIPAA.

Consumer AI Apps and HIPAA

Consumer AI mental health apps (Wysa, Replika, MindDoc, Elomia) are typically not covered entities and do not sign BAAs with users. Their handling of user data is governed by their own privacy policies under general consumer privacy law, not by HIPAA. If you are a therapist tempted to recommend a consumer AI app to a client, that recommendation does not create a HIPAA relationship, but you should still read what data the app collects, whether it is shared with advertisers or used for model training, and how a client can delete it before you suggest it.

Don't Use General ChatGPT for Patient Notes

OpenAI does offer a HIPAA-eligible Enterprise tier with a BAA, but standard ChatGPT (free, Plus, Team) is not covered by it and is not HIPAA-compliant for processing PHI. Pasting client transcripts or identifiable details into general ChatGPT is a HIPAA violation. Removing the client's name does not fix this: HIPAA's Safe Harbor de-identification standard requires stripping 18 categories of identifiers, and free-text session content (dates, employers, family details, locations) rarely meets it. Use a purpose-built AI scribe (Mentalyc, Upheal, Blueprint, Freed) instead; these vendors have built their products specifically for clinical documentation under HIPAA and will sign a BAA with your practice.

Bottom Line

HIPAA-compliant AI for therapists in 2026 means: a signed BAA, a mature vendor security posture, transparent data handling, and explicit patient consent. Every platform we recommend in our coverage meets these criteria. The compliance burden is real but manageable, and the time savings AI scribes deliver, six to forty hours per week of documentation work, are worth the diligence.

In crisis? Call 988 or text HOME to 741741 — free, confidential, 24/7