Technology

Are AI therapy notes HIPAA compliant?

Whether AI therapy notes are HIPAA compliant: the business associate agreement, the required safeguards, and what to ask an AI scribe vendor before you buy.
Ease Health team
July 9, 2026
Are AI therapy notes HIPAA compliant?

AI-generated therapy notes can be HIPAA compliant, but the AI tool itself does not make that determination automatically. Compliance depends on whether the vendor signs a business associate agreement (BAA), whether protected health information (PHI) is encrypted and access-controlled the way the HIPAA Security Rule requires, and whether the practice keeps clinician oversight over what the AI produces. An AI scribe that skips any of these is not HIPAA compliant no matter how accurate its transcription is.

What actually determines HIPAA compliance for an AI scribe

The HIPAA Security Rule sets national standards to protect electronic PHI (ePHI) that is "created, received, used, or maintained" by a covered entity or its business associate, and it requires "appropriate administrative, physical, and technical safeguards" to protect the confidentiality, integrity, and availability of that data (HHS, Security Rule). The rule sits at 45 CFR Part 160 and Subparts A and C of Part 164 (HHS, Security Rule).

An AI clinical documentation tool touches ePHI the moment it records, transcribes, or drafts a note from a therapy session. That makes the vendor a business associate under HIPAA, not a neutral piece of software sitting outside the compliance boundary.

The business associate agreement is not optional

HHS guidance is explicit that a "business associate" is any person or entity, other than a member of the covered entity's own workforce, that performs a function or activity on behalf of the covered entity involving access to PHI (HHS, Business Associate Contracts). HHS's own list of business associate examples includes "an independent medical transcriptionist that provides transcription services to a physician" (HHS, Business Associates), the same functional role an AI scribe plays, just automated.

Two consequences follow directly from that classification:

  1. A written BAA is required. Covered entities and business associates must have a contract that establishes permitted and required uses of PHI, prohibits the business associate from using or disclosing PHI beyond what the contract or law allows, and requires the business associate to implement safeguards including Security Rule compliance for ePHI (HHS, Business Associate Contracts).
  2. The AI vendor is directly liable. A business associate is "directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties" for uses and disclosures not authorized by its contract or by law, and is separately liable for failing to safeguard ePHI under the Security Rule (HHS, Business Associate Contracts).

If a practice signs up for an AI note-taking tool and there is no BAA on file, the practice is out of compliance the first time PHI touches that tool, regardless of what the vendor's marketing page claims.

A compliant BAA, per HHS's sample provisions, also has to address what happens to the audio, transcript, and generated note after the engagement ends. The contract must require the business associate to return or destroy all PHI it created or received on the covered entity's behalf when the relationship terminates, "if feasible" (HHS, Business Associate Contracts). For an AI scribe, that means confirming in writing what the vendor does with raw audio recordings, not just the finished note.

What the Security Rule requires beyond the contract

A signed BAA covers the legal relationship. The Security Rule itself specifies the safeguards that must actually be in place. HHS's Security Rule Guidance breaks these into three categories, each with its own HHS educational reference (HHS, Security Rule Guidance Material):

Safeguard category What it covers
Administrative Risk analysis and risk management, workforce training, sanction policies, business associate oversight
Physical Facility access controls, workstation and device security, media disposal
Technical Access controls, audit controls, integrity controls, transmission security (encryption)

For an AI scribe specifically, the practical questions a practice should ask a vendor map directly onto this structure:

  • Is a documented risk analysis in place for how the AI tool handles ePHI (administrative)?
  • Are the devices and systems that capture session audio physically and technically secured (physical)?
  • Is PHI encrypted in transit and at rest (or protected by a documented equivalent safeguard, since the Security Rule treats encryption as addressable), and is access to notes and recordings restricted by role (technical)?

HHS also jointly runs a Security Risk Assessment Tool with ASTP/ONC specifically to help practices, including small and mid-sized ones, perform this kind of risk assessment (HHS, Security Rule).

AI transparency requirements are now part of certified health IT

Separately from the Security Rule, ONC's HTI-1 final rule established "first of its kind transparency requirements for the artificial intelligence (AI) and other predictive algorithms that are part of certified health IT," so clinicians can get a consistent, baseline set of information about the algorithms they use and assess them for "fairness, appropriateness, validity, effectiveness, and safety" (HealthIT.gov, HTI-1 Final Rule). ONC-certified health IT underlies care delivered by more than 96% of hospitals and 78% of office-based physicians nationally (HealthIT.gov, HTI-1 Final Rule). That means a practice evaluating an AI scribe embedded inside a certified EHR has a separate, additive question to ask beyond HIPAA: does the vendor disclose how the underlying model works, the way HTI-1's transparency provisions require for the predictive decision-support algorithms inside certified health IT (worth asking even where a scribe may fall outside the strict definition of a predictive intervention)?

Frequently asked questions

Does an AI note-taking tool need its own BAA, or is the EHR's BAA enough?

It needs its own BAA if it is a separate legal entity from the EHR vendor, or if the EHR's existing BAA does not name the AI feature and what it does with PHI. HHS guidance requires the BAA to describe the specific permitted and required uses of PHI by the business associate (HHS, Business Associate Contracts); a BAA that doesn't cover the AI scribe's access to session audio and drafted notes doesn't authorize that access.

Is voice data from a therapy session considered PHI?

Yes, once it is linked to an identifiable client and used for treatment documentation, recorded session audio is ePHI and falls under the Security Rule's protections for electronic protected health information created, received, used, or maintained by a covered entity or business associate (HHS, Security Rule).

What happens to the audio recording after the AI generates the note?

The BAA has to specify this, and HHS's model language requires the business associate to return or destroy PHI it created or received on the covered entity's behalf at the end of the engagement, where feasible (HHS, Business Associate Contracts). A practice should get this in writing rather than assuming the vendor deletes raw audio by default.

Can a solo practitioner or small practice use an AI scribe compliantly?

Yes, size does not change the underlying requirement, though HHS specifically built tools to help smaller practices meet it. The jointly developed HHS/ASTP-ONC Security Risk Assessment Tool exists in part to help "small and medium-sized health care practices and business associates" perform the risk assessment the Security Rule requires (HHS, Security Rule).

Is the AI vendor liable if there's a breach, or is the practice liable?

Both can be liable, and HIPAA now holds the business associate directly accountable rather than only the covered entity. HHS guidance states a business associate "is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties" for unauthorized uses and disclosures, and separately liable for failing to safeguard ePHI under the Security Rule (HHS, Business Associate Contracts).

Does HIPAA compliance mean the AI-generated note is clinically accurate?

No, HIPAA governs how PHI is handled and protected, not clinical accuracy. The Security Rule's scope is confidentiality, integrity, and availability of ePHI (HHS, Security Rule); a practice still needs its own clinical review workflow to confirm an AI-drafted note reflects what actually happened in session before it becomes part of the permanent record.

Where Ease Health fits

Ease Health's Voice AI Scribe is built into an ONC-certified, HIPAA-compliant, AI-native EHR designed from the ground up for behavioral health, so the same platform handling admissions, scheduling, and billing also handles clinical documentation under one set of access controls rather than a bolted-on third-party integration. Ease Health uses end-to-end encryption and role-based permissions and access controls across the platform, and supports 42 CFR Part 2 workflows for substance use disorder records, which carry stricter redisclosure protections than general PHI. Because documentation stays inside the same unified CRM, EHR, and RCM system, the practice does not need to negotiate a separate BAA with a third-party AI-scribe vendor for the scribing feature.

Sources

  • HHS, "The Security Rule": https://www.hhs.gov/hipaa/for-professionals/security/index.html
  • HHS, "Business Associate Contracts" (sample BAA provisions): https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  • HHS, "Business Associates": https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
  • HHS, "Security Rule Guidance Material": https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
  • HealthIT.gov (ONC), "HTI-1 Final Rule": https://www.healthit.gov/regulations/hti-rules/hti-1-final-rule/
  • eCFR, 45 CFR Part 164 Subpart C (Security Standards, incl. Appendix A safeguards matrix): https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
AI Documentation
HIPAA
Compliance
Clinical Notes
Privacy