AI & Health

Therapists, AI Notes Can Break HIPAA

Arpit Tripathi · July 2, 2026 · 11 min read

Pasting client session details into a consumer AI can breach HIPAA. Here is the compliant path and the special rule for psychotherapy notes.

Pasting a client's session details into a free consumer AI chatbot can breach HIPAA. If the tool has not signed a Business Associate Agreement, feeding it identifiable client information is a disclosure your practice is not authorized to make, and psychotherapy notes carry protection that goes further than ordinary health data. Picture the end of a long day: you want to turn twelve minutes of scrawled observations into a clean progress note, so you drop them into whatever chatbot is open in your browser. That single paste can move protected health information to a vendor you have no compliant relationship with.

The fix is not to swear off AI. It is to understand what HIPAA actually requires, why the free tier is the trap, and why psychotherapy notes deserve a rule of their own. This guide walks the compliant path so you can use these tools without turning a clinical shortcut into a reportable incident.

Yes, a consumer AI can break HIPAA when it touches client PHI

Any information that identifies a client and relates to their health, their care, or payment for that care is protected health information, or PHI. The HIPAA Privacy Rule governs how PHI may be used and disclosed, and the Security Rule requires administrative, physical, and technical safeguards for electronic PHI. When you paste a client's name, diagnosis, or the specifics of a session into a tool, you are disclosing PHI to whoever operates that tool.

The question is not whether the AI is smart or well-behaved. The question is whether the company behind it is legally bound to protect what you sent. With a consumer free tier, it usually is not. The disclosure happens the moment the text leaves your screen, regardless of what the model does next.

Two things get blurred together, and pulling them apart clarifies the risk. One is your ethical duty of confidentiality to the client, which predates any technology. The other is HIPAA, a federal framework that attaches specific rules to how PHI moves. A tool can feel private, in the sense that only you are reading the screen, while still creating a disclosure the law recognizes. The Security Rule exists because electronic PHI travels easily and copies itself in ways paper never did. Once text enters a third party's system, you have limited insight into where it is stored, how long it is retained, and who at that company can access it. That uncertainty is exactly what the Privacy and Security Rules are built to manage, and it is why the identity and obligations of the receiving company matter more than the wording of any single prompt.

Insight

PHI is not only a name. A quote from session, a rare diagnosis, an address, or an unusual set of circumstances can identify a client even when you strip the obvious labels. Treat identifiability as the test, not the presence of a name field.

The BAA is the line between compliant and not

A vendor that handles PHI on your behalf is a business associate, and it must sign a Business Associate Agreement, or BAA, under 45 CFR 164.504(e). The BAA is a contract that binds the vendor to protect PHI, limit how it is used, and report breaches. No BAA means no permission to hand that vendor client data.

Here is where clinicians get caught: consumer AI free tiers do not offer a BAA. Putting client PHI into them can therefore be a HIPAA violation, even if you never intended harm and even if you deleted the chat afterward. Some enterprise or business plans from the same companies do offer a BAA, which changes the analysis entirely. The plan name matters more than the model name.

The BAA also names responsibilities that outlast the day you sign it. It sets terms for how the vendor may use and disclose PHI, requires safeguards, and obligates the vendor to report breaches back to you. That last point is not a formality. If a compliant vendor suffers an incident, the contract is what gives you the notice and cooperation you need to meet your own obligations. A free chatbot with no such agreement owes you none of that. You would be relying on a public privacy policy that can change without warning and that was never written with a clinician's duties in mind.

Pro Tip

Before you use any AI tool for clinical work, find the BAA in writing. If a sales page says 'HIPAA-ready' but no one will countersign a BAA for your account, you do not have coverage. A marketing badge is not a contract.

Psychotherapy notes get a rule of their own

Psychotherapy notes sit in a protected category above ordinary health data. HIPAA defines them, at 45 CFR 164.501, as the notes a mental health professional records documenting or analyzing the contents of a counseling session, kept separate from the rest of the client's medical record; the definition excludes medication prescribing and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date. Under 45 CFR 164.508(a)(2), a covered entity generally must obtain a separate, specific authorization to disclose them.

This separation is deliberate. The record that supports billing and treatment coordination is one thing. Your private process notes about what a client said and what it might mean are another, and the law treats them that way. A general consent for treatment or a standard release does not cover them.

The practical takeaway is a mental line between two kinds of writing. Progress notes and the information needed to bill and coordinate care live in the medical record. The reflective, interpretive notes you keep for your own clinical thinking live outside it, and disclosing them generally calls for a separate, specific authorization. When you drop text into any external tool, the first thing to ask is which side of that line it came from. A structured treatment plan sits on one side. Your unfiltered impressions of a session sit firmly on the other, and that is the material the extra rule was written to guard.

Why a signed BAA still does not make raw notes safe

Here is what most guides won't tell you: even an enterprise AI with a signed BAA does not make it wise to pour raw psychotherapy notes into a model. A BAA can satisfy the vendor-relationship requirement. It does not dissolve the special status of psychotherapy notes, which are legally separated from the medical record and carry extra protection precisely because they are the most sensitive material you hold.

A BAA governs how a vendor may handle PHI. It is not a substitute for the separate authorization that psychotherapy notes generally require to disclose, and it does not change the fact that these notes are meant to stay siloed. Sending your rawest interpretive notes into any external system, compliant or not, widens the circle of places that content can live. The safest default is to keep psychotherapy notes where they belong and route AI toward the parts of your workflow that do not depend on them.

| Consideration | Consumer AI (free) | Enterprise AI + BAA | Your BAA-covered EHR |
| BAA in place? | No | Yes, if signed for your account | Yes, part of your vendor setup |
| Safe for raw psychotherapy notes? | No | Still not advisable; the extra protection stands | Designed to keep them separate |
| Client consent still needed? | Yes, and consent alone does not create a compliant path | Yes; inform clients and honor declines | Yes; standard practice policies apply |

The compliant path: BAA, consent, and minimization

You can use AI in a mental health practice without breaking HIPAA. Three habits carry most of the weight, and they stack: get the contract, get the client on board, and send the model as little as the task allows.

1. Sign the BAA first

Before any client information touches a tool, confirm a BAA is executed for your specific account and plan. Keep a copy. If the tool cannot produce one, it does not get client data, no matter how useful the feature looks.

2. Inform clients and let them decline

Clients should be told when AI is used in their care, and they can decline it. There is no single federal statute that spells out an AI-specific disclosure script, so this is grounded in professional ethics and informed consent rather than one code section. Fold it into your intake and informed-consent conversation rather than treating it as fine print. A client who knows how the tool works and agrees to it is on very different footing than one who was never asked, and building an explicit opt-out into your consent form honors that autonomy.

3. Minimize what you send

Data minimization means sending only what the task needs. If you want help structuring a treatment plan, you rarely need the client's full name and identifying details in the prompt. Strip what you can, keep the truly sensitive interpretive content out of external tools, and never assume a compliant vendor is a reason to send more than necessary.

Minimization is easier when you separate the reusable from the specific. Most of what makes an AI helpful in a practice is context that never touches a single client: your preferred note format, the frameworks you lean on, the phrasing you use for goals and interventions. That scaffolding can be set up once and reused, so your prompts carry structure without carrying a person's identity. When you do need the model to work with case-specific material, de-identify aggressively and remember that unusual details can re-identify a client on their own. The goal is a workflow where the AI knows how you work without ever needing to know who your client is.

4. Know what real de-identification takes

De-identification is stricter than deleting a name. HIPAA's Safe Harbor method, at 45 CFR 164.514(b)(2), lists eighteen categories of identifiers that must be removed, for the client and for their relatives, employers, and household members, before the data stops counting as PHI. The list runs well past the obvious ones: names, phone and fax numbers, email addresses, Social Security and medical record numbers, account and license numbers, device and vehicle identifiers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying number or code. It includes all geographic detail smaller than a state, with one narrow exception: the first three digits of a ZIP code may stay when the area sharing those digits holds more than 20,000 people, and must become 000 otherwise. It includes every date element except the year for dates tied to an individual, such as a birth date or an admission date. It includes ages over 89, which must be collapsed into a single 'age 90 or older' bucket. And Safe Harbor only holds if you also have no actual knowledge that what remains could still identify the person. The other route, expert determination under 164.514(b)(1), requires a qualified expert to document that the re-identification risk is very small; it is not something a solo practice does by hand.

For a therapist, that last clause is the trap. You can scrub every name and date and still hand a model a fact pattern so specific that it points at one person. A rare presentation, a distinctive occupation, an unusual family structure, or a well-known local event can re-identify a client the way a fingerprint would. This is why 'I removed the name' is not the same as 'this is de-identified,' and why the safest interpretive notes never leave your control at all. Safe Harbor is a floor for data you must send. It is not a license to feed a model the vivid, one-of-a-kind material that makes clinical notes clinical.
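The minimization advice above and the Safe Harbor rules just listed can be made mechanical for the identifiers that have a fixed shape. What follows is an added example written for this article, not code from the original page or from MemX: a small Python scrubber that reduces dates to the year, keeps the first three ZIP digits or turns them into 000, buckets ages over 89, and redacts phone numbers, emails, SSNs, IP addresses, and URLs, returning a findings list so you can see exactly what left the note. The LOW_POP_ZIP3 set is an illustrative stand-in for the Census-derived list, the regexes are assumptions about common formats, and the sample note is constructed. The review function at the end is only a heuristic that points a human at words to look at; nothing in code satisfies the 'no actual knowledge' clause.

```python
"""Safe Harbor scrubber for identifiers with a fixed shape.

Added example for this article, not code from the page or from MemX.
Regexes, the LOW_POP_ZIP3 set, and the sample note are constructed
assumptions for the demo; names and narrative quasi-identifiers still
require a human reviewer, which the last function only assists."""
import re
from dataclasses import dataclass, field

# Assumption: ZIP3 prefixes whose combined population is 20,000 or fewer.
# Safe Harbor turns these into 000. The real set comes from Census data;
# this is an illustrative stand-in.
LOW_POP_ZIP3 = {"036", "059", "102"}

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")


@dataclass
class ScrubResult:
    text: str
    findings: list = field(default_factory=list)  # (category, original, replacement)


def safe_harbor_scrub(text: str, low_pop_zip3=LOW_POP_ZIP3) -> ScrubResult:
    """Apply the mechanical Safe Harbor rules and record each change."""
    findings = []

    def sub(category, pattern, repl, s, flags=0):
        def _record(m):
            new = repl(m) if callable(repl) else repl
            findings.append((category, m.group(0), new))
            return new
        return re.sub(pattern, _record, s, flags=flags)

    def zip_repl(m):
        prefix = m.group(0)[:3]
        return "000" if prefix in low_pop_zip3 else prefix + "XX"

    s = text
    # Order matters: specific number shapes first, so the generic ZIP rule
    # at the end never sees fragments of phones or SSNs.
    s = sub("ssn", r"\b\d{3}-\d{2}-\d{4}\b", "[SSN]", s)
    s = sub("phone", r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b", "[PHONE]", s)
    s = sub("email", r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b", "[EMAIL]", s)
    s = sub("ip", r"\b(?:\d{1,3}\.){3}\d{1,3}\b", "[IP]", s)
    s = sub("url", r"https?://\S+", "[URL]", s)
    # Dates: every element except the year goes.
    s = sub("date", r"\b(\d{4})-\d{2}-\d{2}\b", lambda m: m.group(1), s)
    s = sub("date", r"\b\d{1,2}/\d{1,2}/(\d{4})\b", lambda m: m.group(1), s)
    s = sub("date", rf"\b(?:{MONTHS})\s+\d{{1,2}},\s+(\d{{4}})\b",
            lambda m: m.group(1), s)
    # Ages over 89 collapse into one bucket; 89 and below are untouched.
    s = sub("age", r"\b(?:9\d|1\d\d)[- ]?(?:year[- ]old|years old|yo)\b",
            "90-or-older", s, flags=re.I)
    s = sub("age", r"\bage(?:d)?\s+(?:9\d|1\d\d)\b", "age 90 or older", s,
            flags=re.I)
    # ZIP codes: keep the first three digits unless the area is low-population.
    # Any other bare five-digit number (an MRN, say) is caught here too, which
    # is the safe direction to err.
    s = sub("zip", r"\b\d{5}(?:-\d{4})?\b", zip_repl, s)
    return ScrubResult(s, findings)


def review_candidates(text: str) -> list:
    """Heuristic for the 'no actual knowledge' prong, which no regex satisfies:
    capitalized words that do not open a sentence are likely names, employers,
    or places. A person decides what to do with them."""
    cands = []
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        for word in sentence.split()[1:]:
            bare = word.strip(".,;:()\"'")
            if len(bare) > 1 and bare[0].isupper() and bare.isalpha():
                cands.append(bare)
    return cands


# Constructed sample note; every detail is invented for the demo.
SAMPLE_NOTE = (
    "Client Jordan Reyes, 92-year-old retired lighthouse keeper from Eastport, "
    "ZIP 04631, seen 2024-03-04. Reached at (207) 555-0142 or "
    "j.reyes@example.com. Follow-up March 18, 2024."
)

if __name__ == "__main__":
    result = safe_harbor_scrub(SAMPLE_NOTE)
    print(result.text)
    for category, original, new in result.findings:
        print(f"  {category:6} {original!r} -> {new!r}")
    print("review by hand:", review_candidates(result.text))
```

Run on the sample, the scrubbed note still reads "retired lighthouse keeper from Eastport", and the review list hands you "Jordan", "Reyes" and "Eastport" to deal with. That is the point of the second function: the regexes handle the eighteen categories with a fixed shape, but the combination of a rare occupation and a small town is exactly the kind of residue the 'actual knowledge' clause exists for, and it has to be judged by the clinician, not the script.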

Insight

A quick gut check before you paste: Is there a BAA? Does the client know and agree? Am I sending the minimum? And is this a psychotherapy note that should never leave its silo? If any answer gives you pause, stop.

Where a memory layer you control fits in

Much of the reason clinicians reach for a chatbot is context. You want the model to remember the framework you use, your preferred note structure, the language you favor for treatment plans, so you do not re-explain it every session. That planning context does not have to sit in a consumer model's history to be useful.

MemX is an external memory layer you control that holds your working context and stays portable across the AI tools you use. Designed to be private by architecture, with per-user isolation, encryption at rest, and on-device options, it lets you keep the reusable scaffolding of your practice in a space you own rather than scattered across chat logs. MemX is not HIPAA-compliant and makes no compliance guarantee, and it is not a place for raw psychotherapy notes. The point is narrower and more honest: keep your planning framework in a layer you govern, and keep identifiable client detail out of a consumer model's path.

Frequently asked questions

Can I use ChatGPT to write therapy notes?

Not on a consumer free tier with real client information. Those plans do not offer a BAA, so entering PHI can violate HIPAA. Some enterprise plans offer a BAA, which changes the picture. Even then, keep raw psychotherapy notes out and minimize what you send.

Is a BAA enough to be HIPAA compliant with AI?

A BAA is required when a vendor handles PHI, but it is not the whole job. You still need client consent, data minimization, and appropriate safeguards. And a BAA does not erase the special protection psychotherapy notes get under HIPAA.

What are psychotherapy notes under HIPAA?

They are the notes a clinician records analyzing a counseling session, kept separate from the medical record. Under 45 CFR 164.508(a)(2), disclosing them generally requires a separate, specific authorization, beyond a standard treatment consent.

Do I have to tell clients I use AI?

Yes, clients should be informed when AI is part of their care, and they can decline it. Building this into your informed-consent process is the compliant and ethical default, rather than disclosing it only if asked.

How do I use AI without sending client PHI?

Strip identifying details, keep interpretive psychotherapy notes out of external tools, and send only what the task needs. Store your reusable frameworks and preferences in a layer you control so the model has context without holding client identities.

AI can save clinicians real time, but the shortcut has a legal shape. Confirm the BAA, bring clients into the decision, send the minimum, and treat psychotherapy notes as the protected category they are. Do that, and the tool works for your practice instead of against your license.


Written by Arpit Tripathi

Founder of MemX. Ex-Google Staff Tech Lead Manager, ex-AWS Senior SDE (Elastic Block Store). Writes about practical AI on the MemX blog.
