HIPAA AI for Therapists & Counselors
PHI in session notes, the BAA requirement, and a comparison vs Heidi, Mentalyc, and Upheal for clinicians who want AI without ending up in a breach disclosure.
Therapists are tired. The notes alone can eat ten hours a week, and they're the part nobody trained you for. AI can take a real chunk of that back, but only if it's set up so a single forgotten setting doesn't turn into a HIPAA notification letter to every client on your caseload. This is the practical version of how to do that.
What a therapist actually wants AI for
The marketing usually says "documentation." The reality is broader. When a clinician sits down with an AI tool, the actual asks tend to look like this:
- Session notes in your preferred format. SOAP, BIRP, DAP, or your own hybrid.
- Treatment plan drafting with measurable goals and objectives that an insurance reviewer won't kick back.
- Intake summaries that compress a 90-minute first session and a packet of forms into something usable.
- Client communications. Reschedule emails, between-session check-in messages, the difficult letter to a parent of a teen client.
- Billing code suggestions. What CPT codes fit the work you actually did, with diagnostic justification.
- Supervision case write-ups. The complex case you want to bring to consultation, summarized cleanly.
- Research and case conceptualization. "Here's what's going on, what does the literature say about this presentation."
Some of these are pure note-generation tasks. Others are open-ended thinking work. That distinction matters when you're picking a tool, because the best tool for note-generation is rarely the best tool for the rest of it.
Why consumer AI is a HIPAA breach waiting to happen
If you've ever typed a client's first name, presentation, and history into ChatGPT Free, Plus, or Pro to draft a note or think through a case, that was a HIPAA breach. Not "technically risky." Not "gray area." A breach.
Here's why. Consumer ChatGPT, Claude.ai, and Gemini all do three things by default that are incompatible with PHI handling:
- They store your input indefinitely attached to your account.
- They may use it to train future models unless you opt out, and even with opt-out the message still passes through their systems.
- They have no Business Associate Agreement with you on consumer plans. None. The terms of service explicitly say the service isn't for protected health information.
The BAA is the load-bearing piece. Under HIPAA, a covered entity (you) can only share PHI with a vendor (the AI tool) if there's a signed contract that makes the vendor legally accountable. No BAA means the moment PHI hits the tool, you've shared protected information with a third party who has no obligation to handle it correctly. That's a reportable breach the second it happens, regardless of whether anyone at OpenAI ever reads the message.
Most therapists doing this don't realize. The fix isn't to be more careful with what you type. It's to use a tool that comes with the contract.
The minimum bar for a therapist's AI tool
Before looking at any specific vendor, here's the checklist any AI tool needs to clear before PHI goes near it:
- Signed BAA on the plan you're paying for. Not "available on enterprise." Available on yours.
- Encryption in transit and at rest. TLS for the connection, AES-256 or equivalent for stored data.
- Audit logs. Who accessed what, when. You may need them for a board complaint or an internal review.
- Role-based access if you have associates, interns, or admin staff. The receptionist shouldn't see clinical notes.
- Stated retention policy. How long does the vendor keep recordings, transcripts, and notes? You need a number, not a vibe.
- Deletion on demand. If a client revokes consent or terminates, you need to be able to remove their data.
- Breach notification SLA. If the vendor gets breached, how fast do they tell you. Federal HIPAA gives you 60 days from discovery to notify clients, so the vendor needs to tell you fast enough to meet that.
If a tool can't show you a clear answer on each of these, it's not a fit, no matter how good the demo looks.
Heidi Health
Heidi is a clinical AI scribe that grew up in primary care and has been moving into mental health. Based on publicly available info at time of writing: it offers BAAs to U.S. clinicians on its paid plans, hosts in compliant cloud infrastructure, and focuses on real-time scribing during the session itself.
Where it's strong: the listening accuracy is excellent, the note generation is fast, and the interface is clean enough that you can run it during a session without it feeling clinical-cold. It supports a range of note templates and lets you customize.
Where it's less strong for therapy specifically: because Heidi started in medicine, the default templates lean toward medical SOAP rather than therapy-tuned BIRP or DAP. You can configure your own, but you're doing the configuration. It also doesn't have the deeper therapy workflow features (consent flows tuned for psychotherapy, session-pacing prompts) that the therapy-specific tools below build in.
Good fit if: you want a high-quality general clinical scribe and you're comfortable customizing templates for your modality.
Mentalyc
Mentalyc is built specifically for mental health professionals. Based on publicly available info at time of writing: it offers a BAA, encrypts in transit and at rest, generates SOAP, BIRP, DAP, and other therapy-specific note formats, and works from either session audio or text input.
Where it's strong: the templates are made for therapy out of the box. It understands what a presenting concern is versus a medical chief complaint, what a clinical impression looks like in mental health, and how to phrase progress toward goals in a way that an insurance auditor won't reject. You can paste in a transcript or upload audio.
Where it's less strong: it's a note tool. If you want help drafting a letter, brainstorming a treatment direction, or writing a supervision case, you're outside its scope. It's a focused product, and the focus is the note.
Good fit if: you want a therapy-first scribe that gives you a usable note draft in minutes and you're willing to use a separate tool for everything else.
Upheal
Upheal is the other major therapy-focused AI scribe. Based on publicly available info at time of writing: BAA available, EU and US hosting options, integrated session-recording with consent flows built into the client-facing experience, and a practice-management layer alongside the AI scribing.
Where it's strong: the consent workflow is the most mature of the three scribes. Clients see and acknowledge the recording before the session, which makes the documentation side of consent cleaner. It also adds session-pattern analytics that some therapists find useful (talk-time ratios, sentiment markers) and others find clinically suspect.
Where it's less strong: like Mentalyc, it's a vertical product. It does therapy notes and therapy session workflow well. It's not the tool for drafting a letter to a school district about a 504 accommodation, processing literature, or running a supervision write-up.
Good fit if: you want a therapy-first scribe with built-in client consent flow and you do telehealth sessions where the recording integration matters.
General-purpose AI (Private Claude Business) for therapy
Scribes are great at the note. They're not built for the rest of clinical work. When a therapist needs to draft a thoughtful letter, brainstorm options for a stuck case, write up a complex situation for consultation, or work through a research question, they need a flexible AI with a BAA on it.
That's the slot Private Claude Business fills. It's full Claude (Opus, Sonnet, Haiku) wrapped in a HIPAA-aligned setup:
- Signed BAA as part of the plan.
- Bring-your-own-key. You connect with your own Anthropic API key, which means PHI flows from your browser to Anthropic's API directly. PrivateClaude never sees the conversation content on its servers.
- No chat history at the PrivateClaude layer. Conversations live in the browser tab. Close the tab, the conversation is gone.
- Anthropic API rules apply to the model side: no training on your inputs, 7-day operational log retention, then auto-delete.
- $1,449 a year for the Business plan, plus your own Anthropic API spend (typically $5 to $20 a month for a solo therapist's use).
This is not a replacement for a session-recording scribe. It can draft a note from a transcript or your bullet points, but it doesn't sit in the room and listen. The realistic stack for a clinician who wants AI everywhere it helps: a scribe like Mentalyc or Upheal for in-session notes, plus Private Claude Business for everything else clinical.
Vendor comparison
Quick side-by-side on the things that actually matter when you're picking. All info based on publicly available sources at time of writing; verify current terms before signing.
| Tool | BAA | Model | Deployment | Retention | Pricing | Focus |
|---|---|---|---|---|---|---|
| Heidi | Yes (paid plans) | Proprietary scribe stack | Hosted SaaS | Per vendor policy | ~$99/mo solo | General clinical scribe |
| Mentalyc | Yes | Proprietary, therapy-tuned | Hosted SaaS | Configurable, deletion on demand | ~$80 to $150/mo | Therapy notes (SOAP/BIRP/DAP) |
| Upheal | Yes | Proprietary, therapy-tuned | Hosted SaaS (US/EU) | Configurable | ~$79 to $129/mo | Therapy notes + session workflow |
| Private Claude Business | Yes | Claude Opus/Sonnet/Haiku (BYOK) | Browser + Anthropic API | 7-day API log auto-delete; no chat history | $1,449/yr + your API | General-purpose clinical AI |
Different tools for different jobs. The scribes are vertical and focused. Private Claude Business is horizontal and flexible. Most therapists who go all-in on AI end up running both.
The consent question
Recording sessions for AI scribing requires informed client consent in writing. This is HIPAA, state licensure ethics, and basic clinical practice all pointing the same direction. Skipping it isn't an option.
What's being recorded (audio, transcript, or both). What the AI does with it (drafts notes, deletes recording after X days, etc.). How long the recording is kept and where. Who has access (you, the vendor, anyone else). The client's right to refuse without changing their treatment, and how to revoke later. A signature and date in the chart.
Most clinicians already have a consent paragraph in their intake forms. The AI scribing addition is usually a single new clause or a separate AI consent form that gets signed alongside the standard intake. Mentalyc and Upheal both publish sample language. Your malpractice carrier often has template language too, and it's worth a five-minute call to ask.
If a client says no, you don't record. You can still use AI to draft a note from your own bullet points after the session, because that's your work product, not a recording of the client. That distinction matters legally and clinically.
A practical 30-minute setup for a private practice
Pick the tool. Sign the BAA. Update consent forms. Train any associates. Document the workflow. That's it. Most solo practitioners can do this in a single afternoon between clients.
Step by step:
- Pick the tool for the job. Note-focused with in-session recording: Mentalyc or Upheal. General-purpose flexibility: Private Claude Business. If you want both worlds, run a scribe and Private Claude Business side by side.
- Sign the BAA. Every vendor above has one. Read it before you sign. Look for breach notification SLA, retention terms, and the deletion clause. Save the signed copy in your compliance folder.
- Update your intake consent forms. Add the AI clause. Reference your malpractice carrier's template if you have one, or use the sample language the vendor provides. If you're already using a practice-management system like SimplePractice or TherapyNotes, paste it into the consent template there.
- Train associates and admin staff. Walk through what gets entered where. The rule is simple: client-identifying clinical content goes in the BAA-covered tool, never in a consumer one. Anyone who has access needs to know that boundary clearly.
- Document the workflow. Two paragraphs in your practice's policies: which tool, what data goes in it, who has access, how long it's retained, what happens when a client revokes. This is the document a board investigator wants to see if anyone ever asks. Write it once, update it when tools change.
That's the whole project. The AI tooling itself is the easy part once the contract and consent layer is set up. After that, you just have less paperwork in your evening.
For more on the broader BAA question and how it applies across healthcare practices generally, the companion piece on HIPAA-compliant AI chat covers the ground rules. And if you're curious about AI as a personal mental health tool from the client's side rather than the clinician's, the consumer-side companion piece looks at that question separately.
Frequently asked questions
Is ChatGPT HIPAA compliant for therapists?
No. The consumer ChatGPT plans (Free, Plus, Pro) do not come with a Business Associate Agreement. If you type any client name, presentation, history, or session content into them, that is a HIPAA breach by definition. The same applies to Claude.ai consumer plans and Gemini consumer plans. You need a vendor who will sign a BAA before any PHI touches the tool.
Do I need a BAA to use AI in my therapy practice?
Yes, if the AI tool will see, store, or process any protected health information. PHI includes session content, client names tied to clinical context, treatment plans, intake answers, and even appointment metadata in many cases. A BAA is the contract that makes the vendor legally accountable for handling that data under HIPAA. No BAA, no PHI.
Can I record therapy sessions for AI scribing?
Yes, with informed written client consent. You need to explain what's being recorded, what the AI does with it, how long the recording is kept, who can access it, and the client's right to refuse without penalty. Most state licensure boards expect this in your intake paperwork. Recording without documented consent is a clinical and legal problem regardless of HIPAA.
What's the difference between Mentalyc, Upheal, and Heidi?
Based on publicly available info at time of writing: Mentalyc and Upheal are built specifically for mental health, with note formats (SOAP, BIRP, DAP) and consent flows tuned for therapy. Heidi started in primary care medicine and expanded into therapy, so its scribing is excellent but its therapy-specific workflows are less mature. All three offer BAAs to clinicians on paid plans. The right pick depends on whether you want a therapy-first tool or a general clinical scribe.
Why would a therapist want general-purpose AI instead of a scribe?
Scribes write notes from sessions. They don't help you draft a difficult client letter, brainstorm a treatment plan for a complex case, write a supervision case write-up, summarize a research article, or work through ethical questions. A general-purpose AI with a BAA covers everything outside the note. Many therapists want both: a scribe for notes, a general AI for everything else.
How much does Private Claude Business cost?
Private Claude Business is $1,449 a year. That includes a signed BAA, the bring-your-own-key model so PHI never touches our servers, no chat history at the PrivateClaude layer, and full access to Claude Opus, Sonnet, and Haiku. Anthropic API usage is billed separately on your own account, typically $5 to $20 a month for a solo therapist's load.
Can I use Private Claude Business as my session note scribe?
It can draft a note from a transcript or your bullet points, but it doesn't record sessions or do real-time scribing. If real-time recording and automatic SOAP generation is what you want, a purpose-built scribe like Mentalyc or Upheal is the better fit. Private Claude Business is for everything around the note: letters, treatment planning, supervision write-ups, research review, intake summaries from text.
Does using AI for therapy notes meet documentation standards?
AI-assisted notes can meet documentation standards when the clinician reviews and signs every note, edits anything inaccurate, and the workflow is documented in the practice's policies. The AI is a draft tool. The clinician is the author of record. Boards and insurers care that the note is accurate and that you stand behind it, not whether a tool helped you draft the first version.
Private Claude for regulated teams.
BAA available. Zero data retention. Self-serve or deploy in your VPC. Talk to us about your compliance requirements.
Contact sales