How to Get a BAA From an AI Therapy Note Vendor (Without Getting Lost in Legal Jargon)

GUIDE


You’ve found an AI note-taking tool that promises to free you from late-night paperwork. It listens, summarizes, and drafts your therapy notes, all while you focus on your client.
But before you upload a single transcript or session summary, one crucial step protects both you and your clients: securing a Business Associate Agreement (BAA).

This isn’t just another form. It’s what turns an AI vendor into a legally accountable business associate under HIPAA. Without it, even the most HIPAA compliant AI system could leave your protected health information (PHI) exposed.

This guide walks mental health professionals through how to get a BAA from an AI therapy note vendor: what it covers, how to ask for one, and how to make sure your clients’ patient data stays fully protected.

What Is a BAA? (And Why Therapists Can’t Skip It)

A Business Associate Agreement (BAA) is a legal contract between your practice (the “covered entity”) and any third party that handles protected health information on your behalf, such as AI note-taking software, transcription tools, or cloud storage providers.

In mental health care, this could mean anything from session audio to psychotherapy notes or AI-generated notes. The BAA defines how your vendor collects, uses, stores, and secures that information.

Without it, you risk HIPAA violations, financial penalties, and loss of client confidentiality, even if the vendor claims to be HIPAA compliant.

A strong BAA should outline:

  • Permitted uses of PHI: The AI tool can only use client data for note generation, never for unrelated purposes.
  • Security and safeguards: Encryption, access controls, and breach protocols that meet HIPAA regulations.
  • Subcontractor oversight: Any partner involved in handling PHI must meet the same standards.
  • Return or destruction: Clear terms for returning or deleting protected health information (PHI) when you stop using the service.

Why BAAs Are Especially Important for AI Tools

Unlike typical EHRs, AI documentation tools often interact directly with live session content: recordings, transcripts, or notes that reflect deeply personal client experiences. That means more exposure, more responsibility, and a greater need for robust security measures.

Here’s what makes BAAs vital when using AI-powered note-taking systems:

  • AI models may process or store PHI during transcription or summarization. The BAA defines limits on how those AI systems can use the data.
  • It ensures the vendor won’t use your client data as training data for its AI models without explicit consent.
  • It formalizes data encryption, storage, and prompt reporting in the event of a data breach.
  • It keeps you compliant with all three pillars of HIPAA: the Privacy, Security, and Breach Notification Rules.

Even if your AI tool advertises as a “HIPAA-compliant system,” you’re not covered until there’s a signed Business Associate Agreement in place.

How to Verify a Vendor’s HIPAA Claims

Before you request or sign a Business Associate Agreement, take a moment to verify that your AI note-taking vendor actually meets HIPAA standards in practice, not just in marketing.

Pro Tip: Don’t take “HIPAA compliant” at face value. Ask vendors for:

  • Security certifications — such as SOC 2, HITRUST, or ISO 27001.
  • Written data-handling policies — detailing how PHI is stored, encrypted, and deleted.
  • Model-training disclosures — confirm they don’t use your session data to train AI models.
  • Retention and deletion policies — how long data is kept after you end your contract.
  • A signed BAA — before you upload or share any protected health information (PHI).

If a vendor hesitates to provide documentation or clarity, that’s a red flag.

Legitimate HIPAA-compliant AI providers are transparent about their security posture and compliance process.

Step-by-Step: How to Get a BAA From an AI Vendor

1. Ask Early: Before You Upload Anything

Before starting a trial, message the vendor directly:

“I’m a HIPAA-covered provider evaluating your AI note taker. Before sharing PHI, I’ll need a signed Business Associate Agreement. Could you share your standard BAA and details on your security framework?”

If they can’t or won’t provide one, that’s your signal to walk away. No BAA, no go.

2. Review the Fine Print

A therapist-friendly BAA should include:

  • Encryption & access controls that protect sensitive client information in transit and at rest.
  • Breach notification timelines: ideally within 30–60 days of discovery.
  • Model-training restrictions: No use of your AI-generated notes, therapy notes, or client data to train AI models without informed consent.
  • Data disposal procedures: Secure deletion once the contract ends.
  • Subcontractor compliance: Everyone touching your PHI must be bound by the same terms.

If anything feels vague, ask for clarity in writing. Responsible vendors will be transparent.

3. Confirm the Scope of Coverage

Does the BAA apply to every feature: live transcription, session summarization, AI documentation, and integrations with your current practice management software?

Get clear on what’s included and what’s not.

If your AI vendor only covers part of their system, that’s a compliance gap waiting to happen.

4. Sign, Store, and Review Annually

Once executed, keep a digital and physical copy of your BAA with your other healthcare compliance records.

Review it yearly to ensure it reflects any updates to your therapy practice, HIPAA rules, or vendor structure.

Therapist’s Checklist: Evaluating an AI Note-Taking Vendor

Before signing a contract or uploading your first session, run a quick compliance check.

Use this list to confirm whether your AI note-taking tool meets every requirement for HIPAA compliance and client data protection.

Must-have, and why it matters:

  • HIPAA compliant AI tools with a signed BAA: Legal protection and accountability.
  • Encryption + access controls: Prevents unauthorized PHI exposure.
  • Clear breach reporting: Enables quick, compliant response.
  • No data used for AI training: Protects patient data and privacy.
  • Transparent deletion policies: Ensures PHI isn’t retained unnecessarily.
  • Client consent workflows: Supports informed consent and ethical standards.
  • Security certifications: SOC 2 / HITRUST prove robust security measures.

Sample Email You Can Send to Any AI Vendor

Subject: Request for Business Associate Agreement

Hi [Vendor Name],

I’m a licensed therapist evaluating your AI note-taking tool for my mental health practice. Because your system would handle protected health information, I’ll need a signed Business Associate Agreement (BAA) in place before I can use it with clients.

Could you please share your standard BAA and details on your data security and HIPAA compliance protocols?

Thank you,
[Your Name, Credentials]

Common Mistakes Therapists Make (and How to Avoid Them)

Even the most diligent clinicians can miss small details that lead to big compliance gaps.

Before finalizing your AI vendor agreement, double-check for these common pitfalls that can compromise HIPAA compliance or patient data security.

Mistake, risk, and better practice:

  • Assuming “HIPAA-compliant” marketing means protected. Risk: you may still violate HIPAA. Better practice: always request and sign a BAA.
  • Uploading PHI before signing. Risk: unauthorized data use. Better practice: wait until the BAA is executed.
  • Ignoring subcontractors. Risk: third-party access goes unchecked. Better practice: confirm all partners are covered.
  • Overlooking model-training terms. Risk: your session data may train external systems. Better practice: require an opt-out or written consent.
  • Forgetting renewals. Risk: policies change. Better practice: re-review BAAs annually.

How Supanote Aces BAAs (So You Don’t Have To)

Therapists shouldn’t need a legal team to use AI note-taking tools safely.

Supanote bakes HIPAA compliance and Business Associate Agreements into the product from day one, so your documentation process stays fast, ethical, and audit-ready.

What Supanote guarantees:

  • Signed BAA by default
    Every account includes a Business Associate Agreement during onboarding: no hidden forms, no extra fees, no delays.
  • Human-in-the-loop, always
    Supanote drafts AI-generated notes that you review and finalize. Your clinical judgment leads; the AI tool helps with structure and speed.
  • Guardrails for PHI
    Encryption in transit and at rest, strict access controls (least-privilege), and audit logging designed for protected health information (PHI).
  • Fewer weak links in your workflow
    With EHR Autofill, finalized notes can move directly into your practice management system, reducing copy-paste errors and data sprawl.

What this means in practice:

Just sign your BAA, toggle on consent in your intake, and start capturing accurate, structured clinical notes, without compromising HIPAA compliance, data security, or client trust.

Frequently Asked Questions

Q1. Do all AI documentation tools require a BAA?
A. Yes. Any AI system that creates, receives, or stores protected health information, from therapy notes to progress notes, must be covered under a business associate agreement (BAA) to maintain HIPAA compliance.

Q2. Can I skip the BAA if my data is “anonymized”?
A. Not safely. Even partial details (dates, locations, session content) can make client data identifiable. Unless the AI tool meets the strict federal de-identification standards, you’ll still need a signed BAA.

Q3. Is it okay to start using the AI tool before the agreement is signed?
A. No. Using an AI note-taking tool before executing a BAA counts as sharing PHI without authorization, a potential HIPAA violation. Always sign before uploading or syncing any data.

Q4. How long should a vendor keep my data?
A. Ideally no longer than necessary, usually 30 to 90 days post-termination. Your BAA should clearly define retention and deletion policies to prevent long-term storage of protected health information (PHI).

Q5. Should clients know I’m using AI note-taking software?
A. Yes. Informed consent is both ethical and professional. Include a section in your intake form explaining how AI documentation tools assist with note writing, and assure clients their patient data is encrypted and stored securely.

Q6. What if the AI vendor refuses to sign a BAA?
A. That’s a dealbreaker. Without it, the vendor isn’t a legal business associate, and you can’t share PHI. Choose another HIPAA compliant AI partner instead.

Q7. Can I customize what data my AI note taker has access to?
A. Many AI powered tools let you limit what’s recorded or transcribed. Choose vendors that allow selective access to ensure only relevant information is processed, supporting the “minimum necessary” HIPAA standard.

Q8. Do I need to get client consent every time?
A. No. You can collect explicit consent once during intake, but if your AI system changes vendors, models, or features, you should obtain informed consent again and update your privacy notice.

Q9. What should I do if my vendor reports a data breach?
A. Follow your practice’s breach protocol: notify affected clients, document your actions, and work with the AI vendor to mitigate risks. Your BAA should outline the vendor’s prompt reporting obligations and the response timeline.

Q10. How do I verify if an AI tool is truly HIPAA compliant?
A. Ask for:

  • Their security certifications (SOC 2, HITRUST, or ISO 27001)
  • Written data-handling policies
  • A copy of their Business Associate Agreement (BAA)

If they can’t provide those, their system isn’t truly HIPAA compliant, no matter the marketing.

Q11. Can AI-generated notes replace therapist-written documentation?
A. No. AI generated notes are drafts to support your clinical documentation process. The therapist is still responsible for final review and accuracy.

Q12. How often should I review or renew my BAAs?
A. At least once a year or anytime there’s a new integration, update, or change in how your AI documentation platform handles patient data.

Conclusion: Compliance That Builds Trust

At the heart of every therapy practice lies trust: trust that your client’s words, experiences, and records are protected. A Business Associate Agreement isn’t just about legal compliance or avoiding fines; it’s about honoring that trust in a world increasingly shaped by AI technology.

The best AI note-taking tools don’t make you choose between efficiency and ethics; they help you achieve both. By securing a signed business associate agreement, setting clear access controls, and prioritizing informed consent, you ensure that innovation never comes at the cost of confidentiality.

If your AI vendor makes compliance effortless, you’ve chosen the right partner.

And if you’re still searching for one, Supanote was built for exactly this balance: HIPAA-compliant AI, transparent BAAs, and human-in-the-loop AI documentation designed for real therapists.
