Therapists are burning out on documentation. That's not a new observation. It's been true for years, and every survey of clinician wellbeing confirms it. What's new is that AI has gotten good enough that it actually helps. Recording a session and getting a structured SOAP or DAP note in minutes is no longer a tech demo. It's something thousands of therapists are doing right now.
But here's the question that keeps coming up in every Facebook group, every consultation call, every ethics CE: Is this actually HIPAA-compliant?
The short answer is: it depends. And what it depends on is something most therapists aren't asking clearly enough.
What HIPAA actually requires
HIPAA doesn't ban AI. It doesn't ban cloud storage. It doesn't ban any specific technology. What it requires is that protected health information (PHI) is handled in a way that ensures its confidentiality, integrity, and availability. PHI includes session content, client names, dates of service, and anything else that could identify a client.
In practical terms, if you're sending audio or transcripts of sessions to an AI tool, you need to know:
- Where does that data go?
- Who can access it?
- Is it stored, and if so, for how long?
- Is the vendor a HIPAA Business Associate? Do you have a signed BAA?
- Could it be used to train their AI models?
That last one matters more than most therapists realize.
The BAA is necessary but not sufficient
A Business Associate Agreement (BAA) is the contract between you and a vendor that says they'll handle PHI responsibly. Most major AI note platforms offer them. Signing one is required under HIPAA, but signing one doesn't mean your clients' information is safe from being used in ways you wouldn't endorse.
A vendor can sign a BAA and still:
- Store session transcripts indefinitely on their servers
- Use de-identified session data to improve their models
- Share data with third-party processors, each with their own security posture
- Become subject to a data breach that exposes your clients' words
None of these necessarily violate the BAA. But they're all things your clients likely didn't agree to when they sat down in your office.
It's also worth paying attention to how terms of service change over time. EHRs and AI note platforms update their policies regularly, and the language is often carefully constructed to sound reassuring while leaving significant latitude for data use. Phrases like "we may use aggregated or de-identified data to improve our services" are written by lawyers who know exactly what they can say without crossing a legal line. That doesn't mean they're being straightforward with you. Reading the current terms once isn't enough — what a platform says it does today may not be what it does after the next update.
There's also the data broker industry to consider. De-identified health data — session content stripped of obvious identifiers — is bought and sold as a commodity. It can be used for research, advertising targeting, insurance underwriting, and other purposes that have nothing to do with why it was originally collected. Re-identification from de-identified data is more achievable than most people assume, particularly when mental health content is involved. When you send session recordings or transcripts to a cloud server, you are trusting not just the vendor's current policies, but every downstream use of that data you may never know about.
Informed consent: the ethical layer HIPAA doesn't cover
Even if you have a BAA and the vendor is fully HIPAA-compliant, you have an ethical obligation your licensing board cares about independently of federal law: informed consent.
Your clients have a right to know that their sessions are being recorded, that an AI is processing that recording, and where that processing happens. The specifics matter. "An AI helps me with notes" is not the same as "your session is recorded, uploaded to a server in another state, processed by a third-party AI, and the transcript may be retained for 12 months."
Most AI note tools require the second description. Most therapists are only giving the first.
Local AI changes the equation entirely
There's a category of AI notes tools that sidestep the cloud problem entirely: local AI. Instead of sending audio or transcripts to an external server, all processing happens on your computer. The AI model runs on your device, the transcript never leaves your machine, and there's no third party involved at all.
From a HIPAA standpoint, this is significantly simpler. There's no Business Associate because there's no associate. You're the only party involved. There's no data transmission to protect. There's no server to breach. What remains is the device itself: HIPAA's safeguards still apply to PHI sitting on your laptop, so full-disk encryption, a locked user account, and a backup setup that doesn't quietly copy recordings to someone else's cloud are still your responsibility.
From a consent standpoint, the conversation is much shorter: "I use a tool on my laptop that helps me draft notes. Your recording stays on my computer, is used only to create your note, and is automatically deleted on a schedule." That's something most clients can genuinely agree to.
Confidant is built on exactly this model. The AI runs locally on Apple Silicon. Your session audio and transcripts never leave your Mac. No cloud, no servers, no BAA required. It was designed specifically because the trade-off between convenience and privacy shouldn't exist.
What to do if you're using a cloud-based tool right now
You're not automatically doing something wrong. But you should know what you've agreed to. Here's a quick audit:
- Do you have a signed BAA with the vendor?
- Have you read what they do with session data? (Check the privacy policy and data processing agreement, not just the marketing page.)
- Does your informed consent form mention AI-assisted documentation, recording, and where data goes?
- Have you verbally discussed this with each client before using the tool?
If any of those are "no," that's the place to start. Not by stopping your use of AI, but by closing the gap between what you're doing and what your clients understand you're doing.
The bottom line
AI for therapy notes is not inherently a HIPAA problem. It's a "which tool, and how" problem. Cloud-based tools can be compliant with the right BAA and careful vendor vetting, but they carry risks that therapists need to actively manage. Local AI tools remove most of those risks by removing the cloud entirely.
Either way, the most important thing isn't the technology. It's whether your clients understand what happens in your office and genuinely agree to it. That part is on you, and no BAA covers it.