The Question Every Therapist Is Asking
As AI documentation tools become more common in mental health practice, therapists have a legitimate question: Is this HIPAA-compliant?
It's the right question to ask. The answer is nuanced — not a simple yes or no — and understanding the nuance matters for protecting your clients, your license, and your practice.
HIPAA Basics: What the Law Actually Requires
HIPAA (Health Insurance Portability and Accountability Act) regulates how covered entities handle Protected Health Information (PHI). For therapists, PHI includes anything that could identify a patient and relates to their health, care, or payment for care.
When you use a third-party tool to process PHI, HIPAA requires you to have a Business Associate Agreement (BAA) with that vendor. A BAA is a legal contract in which the vendor agrees to protect PHI in accordance with HIPAA standards, limit its use to what's necessary, and report any breaches.
Without a BAA, you should not be sending PHI to a third-party tool. This is not a gray area.
What Counts as PHI in Therapy Documentation?
In the context of AI therapy note tools, PHI includes:
- Client name or initials combined with session content
- Dates of service combined with session information
- Any detail that could identify a specific client (location, employer, family members mentioned by name)
- Diagnosis codes combined with demographic information
The good news: most AI therapy documentation workflows allow you to strip or minimize PHI before dictation. Speaking about a client as "a 40-year-old woman presenting with anxiety" rather than naming them significantly reduces the PHI exposure. Using initials rather than full names is another common mitigation, though it reduces exposure rather than removing it: as listed above, initials combined with session content still count as PHI.
The Business Associate Agreement Requirement
Any AI platform that processes PHI for you must sign a BAA. When evaluating therapy documentation tools, the first question to ask is: Do you offer a Business Associate Agreement?
TherapNote, for example, is designed with HIPAA considerations in mind. The platform handles notes you generate, which can be structured to minimize direct PHI. Responsible AI documentation vendors will offer BAAs to their users.
Compare this to using a general-purpose AI tool like ChatGPT or Claude.ai for note-writing: these platforms' standard terms of service do not include HIPAA BAAs. Using them to process client PHI without a BAA is a compliance violation, regardless of how careful you are with the wording.
Practical Steps for HIPAA-Compliant AI Documentation
1. Use Initials, Not Names
When dictating session content, refer to clients by initials or simply as "the client." This is good practice regardless of the tool you use.
2. Verify the BAA
Before using any AI tool with PHI, ask the vendor for its BAA. If the vendor doesn't have one or won't sign one, don't use that tool for session documentation.
3. Understand Data Retention Policies
Ask: Does the platform store my transcripts? For how long? Who can access them? A tool that processes your dictation and immediately discards the transcript presents a fundamentally different risk profile than one that retains it indefinitely.
4. Use the Minimum Necessary Standard
HIPAA's minimum necessary standard requires you to use, disclose, or request only the minimum amount of PHI needed to accomplish the task. In practice: don't include information in your dictation that isn't relevant to the note you're generating.
5. Review AI Output Before Filing
AI-generated notes require human review before they become part of the clinical record. You are the licensed professional; the AI is a tool. If a note contains an error or inaccuracy, filing it without correction is a clinical documentation problem — and potentially a liability issue.
Is AI Therapy Documentation Worth the Risk?
For most therapists who follow the guidelines above — use initials, get a BAA, review output — the compliance risk of AI documentation tools is manageable and small. The risk of not using them — documentation burnout, rushed notes, decreased note quality due to time pressure — is significant.
The key is choosing tools built with healthcare compliance in mind, not repurposing general-purpose AI assistants. Specialized therapy documentation platforms are designed around the specific constraints of clinical practice. That design difference matters.
The Bottom Line
Using AI for therapy documentation is HIPAA-compliant when you:
- Have a signed BAA with the platform
- Minimize PHI in your dictations
- Review every note before it enters the clinical record
- Choose a platform that understands healthcare compliance requirements
The technology is here. The compliance framework exists. Therapists who navigate this carefully will save hours every week — without compromising their professional obligations.