Guide · 14 min read

HIPAA-compliant therapy notes: what clinicians actually need to know.

Published 2026-04-24 · Last updated 2026-04-24 · By Conjoin Editorial

Most HIPAA “compliance” copy online is marketing in a lab coat. Here's a direct guide — what counts as PHI, what a BAA covers, the gap between progress notes and psychotherapy notes, encryption terminology that isn't hand-waving, and the questions to ask a vendor before signing anything.

Table of contents
  1. What HIPAA actually applies to
  2. Progress notes vs. psychotherapy notes — the distinction that trips everyone up
  3. The Business Associate Agreement (BAA)
  4. Encryption at rest and in transit — what the words actually mean
  5. The question most vendors won't volunteer: does the audio persist?
  6. Breach notification — the 60-day clock
  7. Minimum necessary + the AI provider problem
  8. Audit logs — who accessed what, when
  9. Questions to ask any vendor before you sign
  10. How Conjoin handles the above
  11. Related reading

HIPAA isn't one rule — it's a stack of safeguards (administrative, physical, technical) that have to all stand up together.

What HIPAA actually applies to

HIPAA is the Health Insurance Portability and Accountability Act, and the rules that matter day-to-day are the Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (Subpart C), and the Breach Notification Rule (Subpart D). Together they govern how “protected health information” (PHI) is used, disclosed, and safeguarded by covered entities (you, as a licensed clinician in private practice) and their business associates (vendors who touch PHI on your behalf).

PHI is any individually identifiable health information — names, dates of service, transcripts, progress notes, even the fact that someone is your client. If a piece of data can be linked to a specific person and relates to their care, it's PHI.

Progress notes vs. psychotherapy notes — the distinction that trips everyone up

HIPAA draws a hard line between two categories of clinical documentation. Most clinicians lump them together; insurers and boards don't.

Progress notes

The formal record: diagnosis, symptoms, interventions, treatment plan, prognosis. Part of the designated record set. Shared with insurance for payment, may be subpoenaed, patients have the right to access.

Psychotherapy notes (45 CFR § 164.501)

Your private process notes: hypotheses, countertransference, hunches. Kept separate from the medical record. Specifically excluded from routine disclosure — even patients don't have an automatic right to them. Disclosing them requires a separate authorization.

The practical implication: if your software mixes your private reflections into the same structured field as the billable progress note, you've lost the legal protection of keeping them separate. A proper couples-therapy template keeps a progress-note structure and gives you a separate private field for psychotherapy-note content that stays out of the exportable record.

The Business Associate Agreement (BAA)

Any vendor that touches PHI on your behalf — your EHR, your transcription service, your analytics provider, your cloud storage — is a “business associate” under HIPAA. You cannot legally share PHI with them unless you have a signed BAA in place. This is non-negotiable.

A valid BAA under 45 CFR § 164.504(e) must cover, at minimum:

  • Permitted uses and disclosures of PHI (the vendor can only use PHI to perform the service, period)
  • Administrative, physical, and technical safeguards the vendor maintains
  • Subcontractor flow-down (if the vendor uses an AI provider, a cloud host, anyone — those parties need BAAs too)
  • Breach notification timelines (HIPAA requires notice within 60 days of discovery)
  • Return or destruction of PHI at termination
  • Access, amendment, and accounting rights for the covered entity

A signed BAA is a contract, not a checkbox. Know what's in yours.

Encryption at rest and in transit — what the words actually mean

The Security Rule requires “reasonable and appropriate” administrative, physical, and technical safeguards. Encryption isn't explicitly mandated (it's an “addressable” specification under 45 CFR § 164.312), but unencrypted PHI counts as “unsecured” PHI, which puts you on the wrong side of the breach-notification safe harbor — so in practice it's required.

  • Encryption at rest: PHI stored in a database, file system, or backup is encrypted using a modern algorithm (AES-256 is the standard). If the storage is stolen, the attacker gets ciphertext, not your notes.
  • Encryption in transit: Every network hop uses TLS 1.2+ (TLS 1.3 preferred). Each leg of the path — your phone to the server, the server to the AI provider — is encrypted on the wire, with no hop sending PHI in the clear.
  • Key management: Who can decrypt? If your vendor also holds the keys, they can read your notes. Ask whether customer-specific keys are used.

The question most vendors won't volunteer: does the audio persist?

If a session is recorded and the audio file sticks around, that audio is PHI. Every copy of it, for every minute it exists, expands your breach surface area. The question to ask any transcription vendor is not “is the audio encrypted?” but “is the audio stored at all?”

Better

Audio is transcribed in-stream. The raw audio is discarded at the end of the session. Only the text transcript is retained, and it's encrypted at rest under a per-tenant key. PHI never leaves our infrastructure.

Weaker

Audio is stored encrypted in a secure bucket for 30 days before automatic deletion.

The weaker version isn't non-compliant — it's just more surface area. Every day the audio lives on disk is a day a breach would include raw session recordings. Transcribe-and-discard removes that risk class entirely.

Transcribe, discard, encrypt what remains. The smallest-blast-radius design for clinical audio.

Breach notification — the 60-day clock

If your vendor has an incident that exposes your PHI, the breach notification rule requires them to notify you without unreasonable delay and in no event later than 60 calendar days after discovery. You then have your own 60-day clock to notify affected clients, and if the breach hit 500 or more records, HHS and the media get notified too.

When evaluating a vendor, read the breach section of their BAA carefully. You want:

  • A specific, numeric notification timeline (hours or days, not “promptly”)
  • A commitment to provide the information you need to meet your own notification obligations
  • Aggregate reporting for unsuccessful attempts (pings, port scans, failed logins) — you don't want a daily email about every scanned port

Minimum necessary + the AI provider problem

45 CFR § 164.502(b) requires you to use and disclose only the “minimum necessary” PHI to accomplish the purpose. When an AI model generates your note, what exactly is sent upstream?

  • Transcript: Yes — the model needs it to draft. Make sure the AI provider has a signed BAA with your vendor and doesn't train on your data.
  • Client name: No. Pseudonyms (“M&J” or “Couple 17”) are sufficient context for the model. Real names never need to leave your device.
  • Identifiers (DOB, SSN, address): Never. The model doesn't need them, and including them in a prompt is a minimum-necessary violation.

Conjoin uses client pseudonyms in the UI specifically so identifying names never enter a transcript or a prompt. The AI provider (Anthropic) operates under a signed BAA and their zero-retention endpoint for covered entities.
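As an added example (not Conjoin's code or Anthropic's API), here is what the “minimum necessary” gate looks like before a transcript is sent to a model: real names are swapped for pseudonyms, SSN and DOB patterns are redacted, and the send is refused if any protected name survives. The transcript, names, pseudonym map and identifier patterns are constructed for illustration.

```python
import re

# Constructed sample transcript: names and identifiers are made up.
RAW_TRANSCRIPT = (
    "Maria: I felt dismissed when Jonah cancelled dinner again.\n"
    "Jonah: I had a deadline. My DOB is 03/14/1988 if the form needs it.\n"
    "Clinician: Maria, your SSN 123-45-6789 isn't needed here.\n"
)

# Hypothetical per-client pseudonym map; it stays on the device.
PSEUDONYMS = {"Maria": "Partner A", "Jonah": "Partner B"}

# Identifier patterns that never belong in a model prompt.
IDENTIFIER_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def pseudonymize(text, pseudonyms):
    """Replace each real name (whole word) with its pseudonym."""
    for real, alias in pseudonyms.items():
        text = re.sub(rf"\b{re.escape(real)}\b", alias, text)
    return text


def redact_identifiers(text, patterns=IDENTIFIER_PATTERNS):
    """Replace identifier matches with a labelled placeholder; return text and per-label counts."""
    counts = {}
    for label, pattern in patterns.items():
        text, counts[label] = pattern.subn(f"[{label} REDACTED]", text)
    return text, counts


def build_prompt(transcript, pseudonyms, couple_label, extra_names=()):
    """Return (prompt, redaction counts); raise if a protected name would leave the device.

    extra_names covers people on file who have no pseudonym (e.g. a child).
    """
    body = pseudonymize(transcript, pseudonyms)
    body, counts = redact_identifiers(body)
    protected = list(pseudonyms) + list(extra_names)
    leaked = [n for n in protected if re.search(rf"\b{re.escape(n)}\b", body)]
    if leaked:
        raise ValueError(f"real names would leave the device: {leaked}")
    prompt = (f"Draft a progress note for {couple_label}. "
              "Refer to the partners only by the pseudonyms used below.\n\n" + body)
    return prompt, counts
```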

Audit logs — who accessed what, when

The Security Rule requires audit controls — the ability to record and review activity in systems containing PHI. For a couples-therapy practice, this means every access to a session note needs to be traceable: which user, which client, what action, what time.

This matters in two places. First, for internal security: if something looks wrong, you can trace it. Second, for breach response: if a laptop is stolen or credentials are compromised, you need to know what the attacker could have seen.
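As an added example (not Conjoin's implementation), a minimal hash-chained audit log in Python that records the four fields above per access, detects after-the-fact edits to the log, and answers the breach-response question “which clients could this account have seen in this window?”. User names, client labels and timestamps are constructed; timestamps are ISO-8601 UTC strings so they compare correctly as text.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


class AuditLog:
    """Append-only access log: each entry commits to the previous one's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        payload = {k: entry[k] for k in ("user", "client", "action", "ts", "prev")}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def record(self, user, client, action, ts):
        """Append one access event (who, which client, what, when) and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"user": user, "client": client, "action": action, "ts": ts, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1

    def exposure(self, user, start, end):
        """Clients whose notes `user` touched between start and end (inclusive, ISO-8601 UTC)."""
        return sorted({e["client"] for e in self.entries
                       if e["user"] == user and start <= e["ts"] <= end})


def build_sample_log():
    """Constructed events using pseudonymous client labels, as the page recommends."""
    log = AuditLog()
    for ev in [("dr.lee", "Couple 17", "note.read", "2026-04-20T14:02:11Z"),
               ("dr.lee", "Couple 03", "note.update", "2026-04-20T15:40:09Z"),
               ("dr.lee", "Couple 17", "note.export", "2026-04-21T02:13:57Z"),
               ("dr.park", "Couple 22", "note.read", "2026-04-21T09:00:00Z")]:
        log.record(*ev)
    return log
```

If dr.lee's credentials are known to have been compromised on 2026-04-21, `exposure("dr.lee", ...)` over that day gives the client list your notification obligations start from.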

Questions to ask any vendor before you sign

  • Will you sign a BAA compliant with 45 CFR § 164.504(e)? (If they hesitate, stop.)
  • Is audio stored, and for how long? (“Never” is the best answer.)
  • What encryption algorithm is used at rest? (AES-256 or better.)
  • Are TLS 1.2+ and modern cipher suites enforced in transit?
  • Who are your subcontractors that touch PHI, and do they all have BAAs with you?
  • What's your breach notification timeline, and in what format?
  • How long is PHI retained after account termination?
  • Can I export and delete my data at any time?
  • Do you train AI models on customer data? (Answer must be no.)

How Conjoin handles the above

  • BAA signed on every paid account, stored as a server-rendered PDF you can download anytime.
  • Audio is transcribed in-stream and discarded — never written to disk on our infrastructure.
  • AES-256 encryption at rest, TLS 1.3 in transit.
  • Row-level security in the database — every query is scoped to your user id, enforced at the storage layer.
  • Client pseudonyms enforced in the UI; real names never reach transcripts or model prompts.
  • Audit log of all PHI access retained for 6 years per HIPAA.
  • Full JSON export + full account deletion with cascade, any time, from Settings → Privacy.