Tags: HIPAA · AI tools · compliance · private practice
May 2026 · 8 min read

The Therapist's Complete Guide to HIPAA-Compliant AI Tools in 2025

Everything solo private practice therapists need to know before using AI tools in their practice — what HIPAA actually requires, which AI tools are compliant, and what to look for in a BAA.

Kamal Grewal
Founder, Therapy Companion

AI is transforming how therapists manage their practices. From drafting session notes to streamlining insurance claims, the promise is real — but so are the risks. If you are a solo therapist in private practice, you have likely wondered whether the AI tools you are eyeing are actually safe to use with client data.

The short answer: most are not. And the consequences of getting it wrong fall squarely on you.

I built Therapy Companion specifically to solve this problem. But before I talk about my approach, I want to give you the full picture — because every therapist deserves to understand what HIPAA compliant AI for therapists actually means, not just take a vendor's word for it.

Why HIPAA Compliance Matters More Than Ever for AI Tools

The explosion of AI tools in 2024 and 2025 has created a dangerous gap. Therapists are discovering tools that can save hours per week on documentation, but most of these tools were never designed for healthcare. They were built for general consumers or enterprise tech teams — not for clinicians handling protected health information (PHI).

Here is what makes this moment particularly risky:

  • AI tools process and store data differently. When you type a session note into an AI tool, that text may be stored on the vendor's servers, used for model training, or routed through third-party infrastructure. Each of those touchpoints is a potential HIPAA violation if there is no Business Associate Agreement (BAA) in place.
  • Enforcement is increasing. The HHS Office for Civil Rights has been ramping up enforcement actions against small practices, not just hospitals. Solo practitioners have been fined for exactly these kinds of vendor oversights.
  • The burden is on you. Under HIPAA, the covered entity — that is you, the therapist — is responsible for ensuring every vendor that touches PHI has a signed BAA and adequate safeguards. "I didn't know" is not a defense.

If you are using private practice AI tools without a BAA, you are exposed right now. The good news is that fixing this is straightforward once you know what to look for.

What Makes an AI Tool Actually HIPAA-Compliant?

Marketing pages love the phrase "HIPAA compliant." But compliance is not a badge you buy — it is a set of ongoing technical, administrative, and physical safeguards. Here is what actually matters when evaluating HIPAA compliant AI for therapists:

1. A signed Business Associate Agreement (BAA). This is non-negotiable. The BAA is a legal contract between you and the vendor that specifies how they will protect PHI, what happens in a breach, and their obligations under HIPAA. No BAA, no compliance — period.

2. Encryption at rest and in transit. All client data must be encrypted using industry-standard protocols (AES-256 for storage, TLS 1.2+ for transmission). This applies to session notes, client names, appointment times, and any other identifiable information.

3. Access controls and audit logging. The platform must restrict who can access PHI and maintain detailed logs of every access event. If someone views, edits, or exports a client record, that action should be logged with a timestamp and user ID.

4. U.S.-based data hosting. HIPAA is a U.S. law enforced by U.S. regulators. If your data is stored on servers outside U.S. jurisdiction, enforcement becomes murky at best. Look for vendors that explicitly confirm U.S.-based infrastructure.

5. Data isolation from model training. This is the one most AI tools fail on. Many AI vendors use customer inputs to improve their models. For therapy data, this is a dealbreaker. Your client's session content should never be used for model training, and the vendor should state this explicitly in their BAA or data processing agreement.

The BAA Checklist — What to Ask Every Vendor

Before you enter a single piece of client data into any tool, ask these questions. If the vendor cannot answer clearly, walk away.

  • Do you sign a BAA? If the answer is "not yet" or "we're working on it," that means no.
  • Where is my data stored? You want a specific answer: AWS us-east-1, Google Cloud us-central1, etc. "The cloud" is not an answer.
  • Is my data used for model training? The only acceptable answer is an unequivocal no, backed by contractual language.
  • What happens if there is a breach? The BAA should specify notification timelines (HIPAA requires notification within 60 days), remediation steps, and liability.
  • Who has access to my data? You want to know which employees or subprocessors can access PHI and under what circumstances.
  • Can I export or delete all my data? You should be able to get a full export and request complete deletion at any time.

This checklist applies to every tool — not just your EHR. If you are using a separate AI tool for HIPAA compliant session notes, a scheduling platform, or a billing service, each one needs its own BAA. This is what makes finding the right BAA therapy software so critical for private practice.

Which AI Tools Have Signed BAAs?

Let me break down the current landscape for the major AI providers therapists might consider:

OpenAI (ChatGPT, GPT-4)

Consumer ChatGPT — both the free and Plus tiers — does not come with a BAA. OpenAI does offer a HIPAA-eligible enterprise API product with a signed BAA, but this is designed for developers building applications, not for therapists typing notes into a chat window. If you are using ChatGPT directly with client data, you are not compliant.

Google (Gemini, Vertex AI)

Google Cloud offers BAAs through its Cloud Platform and Workspace enterprise products. However, the consumer Gemini product does not include a BAA. Google's HIPAA coverage applies only to specific "covered services" listed in their BAA — not everything with a Google logo.

Amazon Web Services (AWS Bedrock)

AWS has the most mature HIPAA compliance program among cloud providers. They offer BAAs covering a broad range of services, including their AI and machine learning tools. AWS is often the infrastructure behind HIPAA compliant practice management platforms.

Anthropic (Claude)

Anthropic offers a HIPAA-eligible API with a signed BAA for organizations building healthcare applications. Like OpenAI, this applies to the API product — not the consumer-facing Claude chat. Any platform using Anthropic's API for clinical purposes should have its own BAA with Anthropic and extend that compliance to you.

The pattern is clear: the consumer versions of these AI tools are never HIPAA compliant. Only the enterprise or API products, with signed BAAs and specific configurations, meet the bar. This is exactly why HIPAA compliant AI for therapists needs to come through a purpose-built platform — not a general-purpose chatbot.

Red Flags to Avoid in AI Tools Marketed to Therapists

I have seen too many tools marketed to therapists that use compliance language without actually being compliant. Here are the red flags:

"HIPAA compatible" or "HIPAA ready." These are meaningless terms. A tool is either compliant — with a signed BAA and verifiable safeguards — or it is not. Vague language is a signal to dig deeper.

No BAA available on request. If you have to hunt for BAA information or the vendor says they will "get back to you," move on. Legitimate HIPAA compliant AI for therapists will have this documentation ready and accessible.

Overseas development teams with no U.S. legal entity. The tool might work fine technically, but if the company is not subject to U.S. jurisdiction, HIPAA enforcement has no teeth. Your data could be exposed with no legal recourse.

Free tools that are "totally fine for therapy." If a tool is free and there is no BAA, it is not fine for therapy. Free tools monetize through data. Your clients' PHI is not a monetization opportunity.

Session recordings routed through unknown third parties. Some AI note-taking tools record sessions and process audio through third-party transcription services. Each of those services needs to be covered under the BAA. If the vendor cannot tell you exactly where your audio goes, that is a problem.

I wrote more about this in my post on AI session notes for private practice therapists, where I break down what to look for specifically in documentation tools.

How Therapy Companion Approaches HIPAA Compliance

When I started building Therapy Companion, HIPAA compliance was not an afterthought — it was the foundation. Every architectural decision I have made flows from one principle: therapists should never have to wonder whether their tools are safe to use with client data.

Here is how I approach it:

U.S.-built, U.S.-hosted. Therapy Companion is a U.S. company with all infrastructure hosted on U.S.-based servers. There is no ambiguity about jurisdiction or data residency.

BAA available from day one. Every Therapy Companion user gets a signed BAA before they enter any client data. Not after onboarding. Not as an add-on. From day one.

PHI never touches external AI for training. I use a hybrid architecture specifically designed for healthcare: client PHI is processed in isolated, HIPAA-compliant environments and is never sent to any AI model's training pipeline. Non-PHI features like scheduling suggestions or general practice insights can use external AI, but the wall between PHI and non-PHI is absolute.

Encryption, audit logging, and access controls are built in. AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and comprehensive audit logs are not premium features — they are standard for every account.

No private equity. No insurance company ties. I am an independent founder. There is no PE firm in the background, no insurance company pulling strings. Your data works for you — not for someone else's portfolio. I documented the ownership structures behind every major therapy platform if you want to see the contrast.

Therapy Companion is HIPAA compliant practice management built specifically for solo therapists who want to use AI without compromising their clients' privacy.

FAQ

Do I need a BAA with every AI tool I use in my practice?

Yes. Under HIPAA, any vendor that creates, receives, maintains, or transmits protected health information on your behalf is a business associate. You need a signed BAA before entering any client data into the tool — even for session notes or scheduling.

Is ChatGPT HIPAA compliant?

Consumer ChatGPT is not HIPAA compliant. OpenAI offers a HIPAA-eligible API product with a signed BAA for enterprise customers, but the free and Plus consumer products do not qualify. Never enter client PHI into consumer ChatGPT.

What's the penalty for using a non-compliant AI tool with client data?

HIPAA violations can range from $100 to $50,000 per violation, up to $1.5 million per year for repeated violations. Beyond fines, a breach can trigger mandatory client notification, state attorney general investigations, and lasting damage to your professional reputation.

Can I use AI to write session notes if I have a BAA?

Yes. With a signed BAA in place and proper safeguards — encryption, access controls, audit logging — AI-generated session notes are permissible under HIPAA. You remain clinically responsible for reviewing and signing off on every note.

What does "U.S.-built" mean for HIPAA compliance?

When a platform is U.S.-built, it means the company, its servers, and its legal entity operate under U.S. jurisdiction and U.S. data privacy laws. This matters because HIPAA enforcement requires U.S. legal accountability. Tools hosted overseas or by non-U.S. entities may not be subject to HIPAA enforcement.

By Kamal Grewal · Data sources cited within article. Analysis updated May 26, 2026.