Best HIPAA Compliant AI Note Taking Apps for Therapists
A colleague tells you they've started using an AI app that "writes their notes automatically," and it sounds like the answer to your worst evening. Then a quieter thought lands: that app is listening to sessions where clients disclose trauma, substance use, and suicidal thoughts. Where does that audio go? Who can read it? And if you're wrong about the answer, it's your license — not the vendor's — on the line.
"HIPAA compliant" is printed on nearly every AI note-taking app's homepage. The phrase is doing a lot of work, and it doesn't always mean what a careful clinician needs it to mean. This guide explains what HIPAA compliance actually requires of an AI note app, the criteria to evaluate before you trust one with PHI, a buyer's checklist you can use today, the red flags that should stop you, and how to switch without losing anything.
In this guide
1. What "HIPAA compliant" actually means for an AI note app
2. The evaluation criteria that matter
3. A buyer's checklist (copy and use)
4. Red flags that should stop you
5. How AI note-taking apps work — and where the privacy risk lives
6. How AI note-taking handles compliance (and where you stay responsible)
7. How to switch apps safely
8. FAQ
9. References
What "HIPAA Compliant" Actually Means for an AI Note App
There's no government "HIPAA certified" stamp — any vendor can write "HIPAA compliant" on a website. For an AI tool that processes session audio and PHI, real compliance comes down to a specific, checkable set of things:
· A Business Associate Agreement (BAA). This is non-negotiable. Under HIPAA, any vendor that handles PHI on your behalf is a "business associate" and must sign a BAA with you. No BAA, no lawful use of the tool with client data — full stop. If a vendor won't sign one, the conversation is over.
· Encryption in transit and at rest. PHI should be encrypted while moving across the network and while stored. This is table stakes, but verify it rather than assume it.
· Access controls and audit logging. Who at the vendor can access your data, and is that access logged? Strong tools enforce least-privilege access and keep audit trails.
· Data handling and retention transparency. Where is data stored, for how long, and what happens to session recordings after a note is generated? Privacy-first tools strip identifiers, minimize retention, and delete audio promptly.
· Subprocessor disclosure. AI apps often rely on third parties (cloud hosting, AI model providers). Those subprocessors must also be covered by BAAs, and the vendor should disclose them.
· Training-data policy. Critically: is your client data used to train AI models? A compliant, trustworthy tool will explicitly say it does not train on your PHI.
The shorthand: a HIPAA-compliant AI note app is one that will sign a BAA, encrypts everything, minimizes and deletes data, discloses its subprocessors, and doesn't train on your clients' words. Anything vaguer than that on a vendor's site deserves a direct question.
The Evaluation Criteria That Matter
When comparing HIPAA-compliant AI note-taking apps, weigh them against criteria in roughly this priority order:
· Compliance posture (highest weight). BAA availability, encryption, retention policy, subprocessor transparency, training-data stance, and any independent security attestations (e.g., SOC 2). For a clinician, this outranks features — a feature-rich tool you can't trust with PHI is unusable.
· Recording and data minimization. Does it delete session audio after generating the note? Does it strip PII? The less PHI that lingers, the smaller your exposure.
· Clinical output quality. Does it produce defensible, well-structured notes (SOAP, DAP, BIRP, progress notes) that actually reduce your editing time, or do you end up rewriting everything?
· EHR integration. Does it sync into your existing chart, or create a second silo of PHI you now have to manage and secure separately?
· Customization. Can you use your own templates, or are you locked into the vendor's format?
· Transparency and support. Can you read a clear security page, get a BAA quickly, and reach a human?
· Cost and trial terms. Pricing model and whether you can evaluate it on real workflows before committing.
A Buyer's Checklist (Copy and Use)
Run any AI note-taking app through this before you let it touch a session:
· ☐ Will the vendor sign a BAA? (If no — stop here.)
· ☐ Is PHI encrypted in transit and at rest?
· ☐ Are session recordings deleted after the note is generated, and how soon?
· ☐ Is PII stripped from stored data?
· ☐ Does the vendor train AI models on your client data? (You want a clear "no.")
· ☐ Are subprocessors disclosed and covered by BAAs?
· ☐ Is there a published security page and ideally an independent attestation (SOC 2)?
· ☐ Are there access controls and audit logs on the vendor side?
· ☐ Does it integrate with your EHR, or create a separate PHI store?
· ☐ Can you set a data-retention and deletion policy that fits your jurisdiction?
· ☐ For Canadian/EU clients: does it also address PHIPA / PIPEDA / GDPR?
Print it, or keep it open while you read each vendor's security page.
Red Flags That Should Stop You
· No BAA, or a vague "we're working on it." This alone disqualifies a tool for clinical use.
· "HIPAA compliant" with no detail. A trustworthy vendor backs the claim with a security page describing encryption, retention, and subprocessors.
· Silence on training data. If a vendor won't clearly state that it doesn't train models on your PHI, assume the worst.
· Indefinite recording storage. Audio of therapy sessions sitting on a server indefinitely is a standing liability.
· No subprocessor disclosure. If you can't find out who else touches your data, you can't assess your exposure.
· Consumer "AI meeting notetaker" apps repurposed for therapy. General-purpose meeting transcribers are usually not built for PHI, often won't sign a BAA, and frequently train on user data. They are not appropriate for clinical sessions, however convenient they look.
How AI Note-Taking Apps Work — and Where the Privacy Risk Lives
Most AI note apps follow the same pipeline: capture session audio → transcribe it → send the transcript to an AI model that drafts a structured note → store or sync the result. PHI is present at every stage, which is why where each step happens, and what's retained afterward, is the entire compliance question. The risk isn't the note at the end — it's the audio and transcript in the middle, and whether they're encrypted, minimized, deleted, and kept out of model training.
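The following script is an added illustration of that pipeline and is not Supanote's code or any vendor's. It models the capture, transcribe, draft and store stages as a single session object and applies the three controls the paragraph says matter: identifiers are redacted before the transcript reaches the drafting model, the audio and raw transcript are discarded as soon as the next stage no longer needs them, and each step is written to an audit trail. The speech-to-text and drafting functions (`transcribe_stub`, `draft_note_stub`) are hypothetical stand-ins, the transcript is constructed sample text, and the regex redaction is a deliberately simple stand-in for a real PII-stripping step, so the script runs offline. A `retained_intermediates` check at the end is the kind of assertion a reviewer would want to see hold once a note has been produced.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample speech-to-text output; stands in for a real transcriber.
SAMPLE_TRANSCRIPT = (
    "Client Jane Doe, DOB 03/14/1988, reports poor sleep this week. "
    "Callback number 555-123-4567, email jane.doe@example.com. "
    "Discussed coping strategies for work stress; no safety concerns raised."
)

# Deliberately simple regex redaction standing in for a vendor's PII stripping.
# The name rule keys off the "Client" label in the constructed transcript.
_PII_RULES = [
    (re.compile(r"\bClient\s+[A-Z][a-z]+\s+[A-Z][a-z]+"), "Client [NAME]"),
    (re.compile(r"\b\d{2}/\d{2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
]


def redact(text: str) -> str:
    """Replace identifiers with placeholder tokens before text leaves the boundary."""
    for pattern, token in _PII_RULES:
        text = pattern.sub(token, text)
    return text


@dataclass
class Session:
    session_id: str
    audio: Optional[bytes] = None       # raw recording: the highest-risk artifact
    transcript: Optional[str] = None    # intermediate PHI
    note: Optional[str] = None          # the only thing that belongs in the chart
    audit: List[str] = field(default_factory=list)

    def log(self, event: str) -> None:
        self.audit.append(f"{self.session_id}: {event}")


def transcribe_stub(audio: bytes) -> str:
    """Hypothetical speech-to-text; returns the constructed sample transcript."""
    return SAMPLE_TRANSCRIPT


def draft_note_stub(redacted_transcript: str) -> str:
    """Hypothetical drafting model; wraps the redacted text in a DAP skeleton."""
    return (
        "DAP note (draft, clinician review required)\n"
        f"Data: {redacted_transcript}\n"
        "Assessment: [clinician to complete]\n"
        "Plan: [clinician to complete]"
    )


def run_pipeline(session_id: str, audio: bytes, delete_audio: bool = True) -> Session:
    """capture -> transcribe -> redact -> draft, releasing intermediates on the way."""
    s = Session(session_id=session_id, audio=audio)
    s.log(f"audio captured sha256={hashlib.sha256(audio).hexdigest()[:12]}")

    s.transcript = transcribe_stub(s.audio)
    s.log("transcript generated")
    if delete_audio:
        s.audio = None      # the recording has served its purpose
        s.log("audio deleted")
    else:
        s.log("audio retained (policy violation)")  # the indefinite-storage red flag

    redacted = redact(s.transcript)
    s.log("transcript redacted before model call")
    s.note = draft_note_stub(redacted)
    s.transcript = None     # raw transcript is not needed once the note exists
    s.log("transcript deleted; note ready for clinician review")
    return s


def retained_intermediates(s: Session) -> List[str]:
    """Names of intermediate PHI artifacts still held after the note is produced."""
    return [name for name in ("audio", "transcript") if getattr(s, name) is not None]


if __name__ == "__main__":
    done = run_pipeline("sess-001", b"\x00\x01 constructed audio bytes")
    print(done.note)
    print("retained intermediates:", retained_intermediates(done))
    print("\n".join(done.audit))
```

Running it with `delete_audio=False` makes `retained_intermediates` report `["audio"]`, which is exactly the condition the checklist question "are session recordings deleted after the note is generated?" is probing for; the audit list is the evidence trail you would want a vendor's access and retention logging to produce.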
How AI Note-Taking Handles Compliance (and Where You Stay Responsible)
Here's the honest division of labor between a well-built AI note app and you.
A privacy-first tool like Supanote is built so the compliance pipeline is handled by design rather than bolted on: it signs a BAA, encrypts data in transit and at rest, strips PII automatically, deletes session recordings promptly after generating the note, and does not train models on your client data. Its EHR integrations mean the finished note lands in your existing chart rather than creating a second store of PHI. (Supanote's security details are published at security.supanote.ai.)
What a compliant AI app handles for you:
· The technical safeguards — encryption, access controls, audit logging.
· Data minimization — stripping PII and deleting audio so PHI doesn't accumulate.
· The BAA — giving you the legal instrument HIPAA requires.
· Subprocessor coverage — extending BAAs to its own vendors.
Where you stay responsible:
· Choosing a tool that will sign a BAA and actually executing it. Compliance isn't real until that document is signed.
· Client consent and disclosure — your jurisdiction and ethics code may require informing clients that AI assists with documentation. The tool can't do this for you.
· Reviewing every note before signing — the clinical and legal accountability for the record is yours.
· Your own environment — secure devices, networks, and login hygiene sit on your side of the line.
A HIPAA-compliant AI app removes the technical burden of protecting PHI in the documentation pipeline. It does not remove your professional responsibility for consent, review, and clinical judgment. The tool supplements your compliance program; it doesn't replace your obligations.
How to Switch Apps Safely
If you're moving from one tool (or from manual notes) to a compliant AI app:
· Execute the BAA first, before any session data goes through the new tool.
· Confirm the EHR integration so notes flow into your existing chart and you're not creating a parallel PHI silo.
· Decide what happens to data in your old tool — request deletion and confirmation if you're leaving a previous vendor.
· Run a parallel trial on a few sessions to confirm output quality and integration before switching fully.
· Document your due diligence — keep a record of the BAA, security review, and your consent process. If you're ever audited, that file is your defense.
FAQ
Q: Is an AI note-taking app automatically HIPAA compliant if the website says so? A: No. There's no certifying body that awards "HIPAA compliant" status, so the label on a homepage is a marketing claim, not proof. Compliance is something you verify: a signed BAA, encryption, a clear retention and deletion policy, subprocessor disclosure, and an explicit statement that your data isn't used to train models. Treat the website claim as the start of your diligence, not the end.
Q: Do I really need a BAA for an AI note app? A: Yes, without exception. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a HIPAA business associate, and you're required to have a BAA in place before they handle that data. Using an AI tool on real sessions without a signed BAA is itself a compliance violation, regardless of how secure the tool is technically.
Q: Can I use a general AI assistant or meeting-notes app for my therapy notes? A: Almost never appropriately. Consumer AI assistants and general meeting transcribers typically won't sign a BAA, often use inputs to train their models, and aren't built for PHI. Even if the output looks useful, running protected health information through a tool that won't sign a BAA and may train on your data exposes you to real liability. Use a tool purpose-built for clinical documentation.
Q: What happens to the session recording after the note is written? A: It depends entirely on the vendor, which is why you have to ask. The safest tools delete the recording promptly after generating the note and strip identifiers from anything retained. Indefinite storage of session audio is a standing liability — if a tool keeps recordings, you should know exactly where, for how long, and why.
Q: Does HIPAA compliance cover my Canadian or European clients? A: No — HIPAA is U.S. law. If you treat clients in Canada you're looking at PHIPA and PIPEDA; in Europe, GDPR. Some tools address all of these, but don't assume HIPAA compliance covers other jurisdictions. If you have cross-border clients, confirm the tool meets the relevant framework for each.
Q: How do I know if the app trains its AI on my clients' data? A: Read the privacy policy and security page, and if it's not explicit, ask directly in writing. A trustworthy clinical tool states plainly that it does not train models on customer PHI. Vague or absent language on this point should be treated as a no-go — your clients' most sensitive disclosures should never become training data.
Q: Is a tool that integrates with my EHR more compliant than a standalone one? A: It's not "more compliant" by definition, but integration reduces your risk surface. A standalone app that stores notes separately creates a second repository of PHI you now have to secure, back up, and account for. A tool that syncs into your existing EHR keeps your record in one governed place, which is generally easier to manage and defend.
Q: What's the difference between encryption "in transit" and "at rest"? A: In transit means data is encrypted while moving across the network (e.g., from your device to the vendor's servers); at rest means it's encrypted while stored. You need both. Encryption in transit alone leaves stored PHI exposed; encryption at rest alone leaves it exposed while moving. Any serious clinical tool does both — verify it.
Q: Do I need to tell my clients I'm using an AI note-taking app? A: Your jurisdiction, licensing board, and ethics code drive this, and many clinicians disclose and obtain consent as a best practice even where it's not strictly mandated. The tool can't handle consent for you. Build a brief disclosure into your intake or informed-consent process, and document it.
Q: What independent proof of security should I look for? A: Beyond the BAA, a SOC 2 report (or a published security page describing the same controls) is a strong signal that an independent party has examined the vendor's security practices. It's not legally required for HIPAA, but it's meaningful third-party evidence that the safeguards the vendor claims are actually in place.
Q: If I use a compliant app and it has a breach, am I liable? A: Liability depends on the circumstances and your BAA, which allocates breach responsibilities between you and the vendor — another reason the BAA matters. Choosing a vendor with strong safeguards, executing the BAA, and documenting your due diligence are your best protections. This is a legal question specific to your situation; for anything consequential, consult an attorney familiar with HIPAA.
References
1. U.S. Department of Health & Human Services. Business Associate Contracts. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
2. U.S. Department of Health & Human Services. Summary of the HIPAA Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
3. U.S. Department of Health & Human Services. Guidance on HIPAA & Cloud Computing. https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html
4. American Psychological Association. (2007). Record Keeping Guidelines. https://www.apa.org/practice/guidelines/record-keeping
5. Office of the Privacy Commissioner of Canada. PIPEDA in brief. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
This article is educational and not legal advice. For decisions about HIPAA compliance specific to your practice, consult a qualified healthcare attorney.
Written by Sam T, Founder & CEO of Supanote. Sam writes about behavioral health documentation, care workflows, and the operational realities of modern therapy practice.