Informed Consent for AI-Assisted Notes: What to Tell Clients and How

Using AI to help write therapy notes raises real consent questions. Here's what clients need to know, how to have the conversation, and what to put in writing.

June 20266 min read

If you're using an AI tool to help write progress notes, you need client consent before you use it. That's not a legal technicality. It's the foundation of the therapeutic relationship. Clients have a right to know what happens in the room, and "an AI helps me with my notes" leaves out most of what they actually need to understand.

What they need to understand depends heavily on which kind of tool you're using. A local AI tool that runs entirely on your computer requires a very different conversation than a cloud-based platform that sends session data to an external server. Those are not the same situation ethically, and they shouldn't be described the same way.

The two very different situations

Cloud-based AI tools

Most AI note tools on the market work by transmitting session audio or transcripts to a remote server, where the AI processing happens. That means your client's words leave your office, travel over the internet, and are handled by a third-party company under whatever data policies that company maintains.

HIPAA requires that protected health information be removed before data can be used for purposes like model training. In practice, that means vendors de-identify session content before using it. Clients should understand what that means: their name and obvious identifiers are stripped, but the substance of what was said remains. De-identification is a legal standard, not a guarantee of true anonymity, and re-identification from detailed mental health content is more achievable than most people assume.

The harder issue is that the terms governing all of this are written in dense legal language that most clinicians and clients will never fully parse, and those terms change. Platforms update their privacy policies and terms of service regularly. If a company has taken venture capital funding, there is structural pressure over time to extract more value from the data it holds. What a platform says it does today may not be what it does after the next funding round or acquisition. Informed consent for a cloud-based tool isn't a one-time disclosure. The ground shifts under it.

The fact that a vendor has signed a HIPAA Business Associate Agreement doesn't change any of this. It means the vendor is legally accountable for certain things. It doesn't mean the client's data is contained, or that the terms won't change.

Local AI tools

A local AI tool runs the AI model directly on your device. Session audio is recorded locally, the transcript is generated locally, and the draft note is produced locally. Nothing is transmitted. There is no third party involved at all. The data never leaves your computer.

This makes privacy with a local AI tool almost entirely independent of the vendor's terms of service. The terms don't govern much, because there is nothing for the software to access. The data is architecturally out of reach. A vendor could change their terms tomorrow and it wouldn't affect what happens to your clients' information, because their information was never on the vendor's systems to begin with.

Informed consent for a local tool is a significantly simpler conversation. You are not asking a client to trust a vendor they've never heard of, or to accept that legal terms they can't read might change. You are telling them that their words stay in the room, get used to draft a note, and are deleted on a schedule you control. That's it.

What clients need to know

1. That sessions may be recorded

Both tool types record session audio. Clients need to know this is happening before it happens, not after you've already started. Cover what kind of recording it is (audio only, no video), how long it is kept, and who can access it.

With a local tool: the recording stays on your device, is accessible only to you, and is deleted automatically after a set period. With a cloud tool: the recording is transmitted to a server and handled according to the vendor's retention and access policies, which the client should be able to review if they want to.

2. How the AI uses the recording

In both cases, the AI processes a transcript to generate a draft note that you then review and edit. Clients should understand that the note reflects your clinical judgment. The AI produces a starting point, not a final document.

With a cloud tool, there is an additional disclosure worth making: whether the vendor uses session data to train or improve their AI models. Many do, or reserve the right to. This is something clients cannot reasonably be expected to discover on their own.

3. Where the data goes

This is the sharpest difference between the two tool types. With a local tool, the honest answer is simple: nowhere. It stays on your computer. With a cloud tool, the honest answer is more complicated: it goes to the vendor's servers, may pass through third-party processors, and is subject to the vendor's current privacy policy, which can be updated.

Clients deserve a straight answer to this question. "It's processed securely" is not an answer. "It stays on my computer and never leaves" is.

4. Their right to decline

Consent is only meaningful if declining is a real option, regardless of which tool you use. Clients should know they can opt out and that their care won't be affected. If a client declines, you write notes the way you always have. Document that the conversation happened and that they declined.

What the conversation sounds like

A brief verbal conversation before you begin is what actually constitutes informed consent. A signed form is necessary but not sufficient on its own. Here is what each conversation looks like honestly:

If you use a local AI tool

"Before we get started, I want to mention that I use a tool that helps me write my session notes. It records our audio, creates a transcript, and drafts a note that I then review and edit. Everything stays on my computer. Nothing is sent to a server or stored anywhere else. The recording is automatically deleted after a set number of days. You're completely in control: if you're not comfortable with it, just say so and I won't use it with you. Any questions?"

If you use a cloud-based AI tool

"Before we get started, I want to mention that I use a tool that helps me write my session notes. It records our audio, sends that recording to a secure server, and an AI generates a draft note that I then review and edit. The recording is handled by a third-party company, and I have a HIPAA-compliant agreement with them. They retain the data for [X days/months] before it's deleted. I want to be transparent about that so you can decide whether you're comfortable with it. You can absolutely say no and it won't change anything about how we work together. Do you have any questions?"

Notice the difference in length and complexity. The cloud version requires more explanation because more is actually happening. If the cloud version feels like a lot to ask a client to absorb at the start of a first session, that feeling is worth sitting with.

What to put in writing

Your informed consent document should include a section specifically covering AI-assisted documentation. For a local AI tool, it needs to address:

That session audio is recorded on the therapist's device for the purpose of generating notes
That all processing happens locally and no data is transmitted to external servers
How long recordings and transcripts are retained before deletion
That the therapist reviews all AI-generated content before it enters the clinical record
The client's right to decline without affecting their care

For a cloud-based tool, add:

The name of the third-party vendor processing the data
That a HIPAA Business Associate Agreement is in place
The vendor's data retention and deletion policy
Whether session data may be used to improve the vendor's AI models
How the client can access the vendor's privacy policy

Keep all of it in plain language. If a client couldn't explain back to you what they agreed to, the consent language needs work.

Timing and ongoing consent

Have this conversation before the first session in which you plan to use the tool, ideally during the initial consultation or at the very start of intake. Don't introduce it mid-treatment without revisiting consent.

If you switch tools (including switching from one cloud platform to another), treat it as a new consent conversation. A client who consented to one vendor's data practices has not consented to a different vendor's. This matters more with cloud tools, where the vendor relationship is part of what they're agreeing to, than with local tools, where the tool change doesn't affect the client's data at all.

When a client declines

Some clients will decline, and that's a legitimate outcome. Note in the record that you discussed AI-assisted documentation, that the client declined, and that you are not using it in their care. Don't treat it as a problem to be talked through. If a client is uncomfortable with recording, that discomfort is information worth respecting.

In practice, therapists using local AI tools tend to have fewer clients decline than those using cloud tools. When a client hears that nothing leaves the room, the concern about where their information ends up is answered directly. That's harder to achieve when the honest answer involves servers, third parties, and privacy policies.

Confidant's resources page includes sample language for talking to clients about AI-assisted notes and a consent form you can adapt for your practice. If you want to understand the HIPAA side of AI note tools before the consent conversation, this post on what HIPAA actually requires covers the compliance picture. And if you are evaluating local vs cloud AI specifically, this post on local AI for therapists explains the difference in plain terms.

About Confidant

Confidant is the only AI-assisted therapy notes app that runs entirely on your Mac. No cloud, no servers, no subscription required.

Learn more →

← Back to all posts