
HIPAA-Compliant Note Taking for Therapists: Paper, Digital, and AI


Your notes are the heart of your clinical work — and the most sensitive data you hold. They contain diagnoses, observations, the contents of deeply personal conversations. Naturally, they're also where a lot of therapists feel uncertain about HIPAA.

Can you still use paper? Is your EHR enough? And what about those AI tools that promise to write your notes for you while you focus on the client?

This guide answers all of it in plain terms. We'll cover the rules that actually apply to notes, then walk through paper, digital, and AI — with a concrete checklist of what to do today.

Two Kinds of Notes, Two Different Rule Sets

Before anything else, you need to understand a distinction that trips up a lot of therapists: HIPAA treats psychotherapy notes very differently from progress notes.

Progress notes (also called clinical notes) are part of the medical record. They document things like diagnosis, treatment plan, symptoms, medication, test results, session start and stop times, and your assessment of progress. These are standard PHI. Clients can request them under their right of access, and they may be shared for treatment, payment, and operations.

Psychotherapy notes are something narrower and more protected. Under §164.501, these are the private notes a therapist records analysing or documenting the contents of a counselling session — your process notes, your impressions, the raw material of your clinical thinking. They get special protection precisely because they're so personal.

The protections for psychotherapy notes are significant:

  • They must be kept separate from the rest of the medical record. Not just a different tab — separated such that they aren't bundled with everything else.
  • Most disclosures of them require specific, separate authorisation under §164.508(a)(2) — a general consent or release does not cover them.
  • A client's general right to access their records does not automatically extend to psychotherapy notes. You can decline to release them in many cases.

There's a catch. To qualify for this extra protection, psychotherapy notes must genuinely be separate and must exclude certain content — medication prescriptions, session times, treatment frequency, diagnosis, and the like. If you dump everything into one note, it's all just a progress note, and you lose the special protection.

Practical takeaway: if you keep process notes, keep them physically and logically separate from your clinical record, and keep the routine clinical facts in your progress notes where they belong.

Paper Notes and Physical Safeguards

Paper is still completely HIPAA compliant. The Privacy Rule applies to PHI in any form, and there's no requirement to go digital. What HIPAA requires is reasonable physical safeguards under §164.310.

If you keep paper notes, here's what "reasonable" looks like:

  • Locked storage. A locking file cabinet or a locked room. Not a desk drawer that anyone in the building can open.
  • Access control. Only you (and authorised staff) can get to the records. If you share an office suite, your files cannot be accessible to other practices.
  • A clean desk. Don't leave open files visible during or between sessions. A client should never see another client's record.
  • Secure transport. If you carry files between locations, keep them with you and out of sight. A folder left in a car is a classic breach.
  • Proper disposal. Shred records when their retention period ends. Tossing paper PHI in a regular bin has been the basis for real OCR settlements with small practices.

Paper has one real advantage: it can't be hacked from across the world. It also has real disadvantages — it can be lost, stolen, burned, or flooded, and there's no audit log showing who looked at it. Many solo therapists keep paper for psychotherapy notes specifically, because the separation requirement is easy to satisfy with a physically separate locked file.

EHR Note-Taking and the BAA Requirement

The most common setup today is an electronic health record. Tools like SimplePractice, TherapyNotes, and Jane are built for behavioural health and handle notes, scheduling, and billing in one place.

When your notes live in software run by another company, that company is a business associate — they store and process your clients' PHI on your behalf. That triggers one non-negotiable requirement: a Business Associate Agreement (BAA), required under §164.502(e) and §164.308(b).

No BAA means the vendor is not legally bound to protect your data, and you are out of compliance — full stop. The good news is the major therapy EHRs all offer one. SimplePractice auto-accepts a BAA during setup; TherapyNotes provides a separate document; Jane offers one to US customers.

When you store notes in an EHR, confirm these basics:

  • Signed BAA in place and saved where you can find it
  • Encryption in transit (TLS) and at rest (AES-256) — all three major therapy EHRs meet this
  • Multi-factor authentication turned on for your login
  • Audit logging so you can see who accessed records and when
  • Automatic session timeout so an unattended screen locks itself

A word of caution about general-purpose tools. A note typed into a plain Google Doc, a generic notes app, or emailed to yourself is not compliant unless you have a BAA covering that service and the data is properly secured. Convenience is not a defence.
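The audit-logging item above only helps if someone actually reads the log. The following is an added example, not code from this guide or from any EHR vendor: it parses a small, constructed audit export (the timestamp/user/action/client format, the user names, client ids, and the caseload mapping are all assumptions made up for illustration; real EHR exports differ by product) and flags the two things a small practice most wants to catch, a note opened by someone who isn't treating that client and note access at odd hours.

```python
from collections import namedtuple
from datetime import datetime

# Added example, not from the guide or any EHR product. The log format, user names,
# client ids and caseload below are constructed for illustration only.
AuditEvent = namedtuple("AuditEvent", "timestamp user action client_id")

# Assumption: which clinician is assigned to which client ids. A scheduling-only
# role such as "frontdesk" has no clients, so any note access by it is flagged.
CASELOAD = {
    "dr.lee": {"C-1001", "C-1002"},
    "dr.patel": {"C-2001"},
    "frontdesk": set(),
}

# Constructed sample export: ISO timestamp, user, action, client id.
SAMPLE_LOG = """\
2024-03-04T09:15:02 dr.lee view_note C-1001
2024-03-04T09:40:11 dr.lee edit_note C-1001
2024-03-04T12:05:44 frontdesk view_schedule C-2001
2024-03-04T13:22:09 dr.patel view_note C-1001
2024-03-04T23:48:30 dr.lee view_note C-1002
2024-03-05T10:02:17 frontdesk view_note C-1001
"""

# Only actions that touch note content matter here; schedule lookups are routine.
NOTE_ACTIONS = {"view_note", "edit_note", "export_note"}


def parse_log(text):
    """Turn the whitespace-separated export into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, client_id = line.split()
        events.append(AuditEvent(datetime.fromisoformat(ts), user, action, client_id))
    return events


def flag_events(events, caseload, business_hours=(8, 19)):
    """Return (event, reason) pairs that deserve a human look:
    - note access to a client outside the user's assigned caseload
    - note access outside business hours (default 08:00-19:00)"""
    flagged = []
    start, end = business_hours
    for ev in events:
        if ev.action not in NOTE_ACTIONS:
            continue
        if ev.client_id not in caseload.get(ev.user, set()):
            flagged.append((ev, "note access outside assigned caseload"))
        elif not (start <= ev.timestamp.hour < end):
            flagged.append((ev, "note access outside business hours"))
    return flagged


if __name__ == "__main__":
    for ev, reason in flag_events(parse_log(SAMPLE_LOG), CASELOAD):
        print(f"{ev.timestamp:%Y-%m-%d %H:%M} {ev.user:<10} {ev.action:<12} {ev.client_id}  <- {reason}")
```

Run monthly against your EHR's audit export, this kind of review is what turns "audit logging turned on" into a safeguard you can show an auditor. Keep the caseload mapping current when clients are transferred, or every legitimate handover will show up as a flag.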

The New Wave: AI Note-Taking Tools

AI scribes are the biggest shift in therapy documentation in years. Tools like Mentalyc, Upheal, and Quill Therapy Solutions listen to or transcribe a session and draft a progress note for you. The appeal is obvious — less time writing, more time present with your client.

Can they be HIPAA compliant? Yes, in principle. But "AI-powered" and "HIPAA compliant" are not the same thing, and the burden is on you to verify. Before you let any AI tool near a session, check the following.

Is there a signed BAA? This is the threshold question. An AI tool that records or processes session content is handling PHI and must offer a BAA. If a vendor won't sign one, walk away. The reputable mental-health-focused tools do offer them.

Where is the data processed, and by whom? Many AI tools rely on third-party large language models behind the scenes. Ask whether your audio and transcripts are sent to a subprocessor, whether that subprocessor is also covered by a BAA, and where the servers are located. A compliant vendor can answer this clearly.

Does it train on your data? This is the clause that matters most for AI specifically. Some consumer AI services reserve the right to use your inputs to train their models. For PHI, that is unacceptable. You need explicit confirmation in writing that your client data is not used to train models — yours or anyone else's. The therapy-specific tools generally promise this; generic AI assistants often do not.

How is consent handled? Recording a session — even just to generate a note — generally requires informing your client and, depending on your state and the tool, obtaining consent. Build this into your intake and your informed-consent paperwork.

What happens to the recording? Find out whether audio is stored or deleted after transcription, how long transcripts are retained, and whether you control deletion.

A simple rule: if you wouldn't be comfortable explaining the tool's data handling to a client, don't use it yet. AI note-takers can be a genuine compliance-positive (better, more consistent documentation), but only when the vendor relationship is buttoned up.

What "Encryption at Rest" Actually Means

You'll see "encryption at rest" promised everywhere, so it's worth understanding. It simply means that when your notes are sitting on a hard drive or server — not moving anywhere — they're stored in scrambled form. Without the key, the data is unreadable gibberish.

This matters enormously for breach exposure. If an encrypted laptop or server is stolen, the data on it is generally considered unreadable, which can mean the loss is not a reportable breach at all. Encryption is one of the few things that can turn a potential disaster into a non-event.

"Encryption in transit" is the companion concept — protecting data while it travels over the internet, using TLS. You want both. For your own devices (the laptop you write notes on, your phone), turn on full-disk encryption: FileVault on Mac, BitLocker on Windows. It takes minutes and it's one of the highest-value steps you can take.
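To make "unreadable without the key" concrete, here is an added example that is not part of the original guide. It stores a constructed sample note in encrypted form, shows that a copy of the stored bytes (the stolen-laptop case) contains no recoverable words, and shows that a wrong key or an altered file is rejected rather than silently decrypted to garbage. It uses only the Python standard library: an HMAC-SHA256 keystream in counter mode plus an HMAC tag stand in for the AES-256 that FileVault, BitLocker and the EHRs above actually use (that substitution is an assumption for illustration, not a recommendation to roll your own). The point it adds to the paragraph above: the protection holds only while the key stays separate from the data, which is why a device that is encrypted but left unlocked, or a key kept next to the backup, gives you none of the breach-exposure benefit.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original guide. Standard-library stand-in for real
# disk encryption: HMAC-SHA256 counter-mode keystream (assumption, in place of
# AES-256) plus an HMAC-SHA256 tag so tampering and wrong keys are detected.


def _keystream(key, nonce, length):
    """Derive `length` pseudo-random bytes from key+nonce, one HMAC block per counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _subkeys(master_key):
    """Split one master key into separate encryption and authentication keys."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt_note(master_key, plaintext):
    """Return nonce || ciphertext || tag. A fresh random nonce per note means two
    identical notes never produce identical stored bytes."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_note(master_key, blob):
    """Check the tag first; a wrong key or an altered file raises instead of
    returning garbage. Only then decrypt."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data: refusing to decrypt")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def stolen_copy_is_unreadable(blob, plaintext):
    """Model the stolen-device case: the thief has the stored bytes but not the key.
    True if no word of four or more characters from the note appears in them."""
    words = [w for w in plaintext.split() if len(w) >= 4]
    return all(w not in blob for w in words)


if __name__ == "__main__":
    # Constructed sample note; not real client data.
    note = b"Session 14: client reports improved sleep; discussed coping strategies for work stress."
    key = secrets.token_bytes(32)  # must live apart from the data, e.g. behind your login/keychain
    stored = encrypt_note(key, note)
    print("stored bytes unreadable without key:", stolen_copy_is_unreadable(stored, note))
    print("decrypts with the right key:", decrypt_note(key, stored) == note)
    try:
        decrypt_note(secrets.token_bytes(32), stored)
    except ValueError as err:
        print("wrong key:", err)
```

The tag check is the part people forget: encryption alone hides content, but without an integrity check an altered file decrypts to plausible-looking nonsense, which in a clinical record is its own problem. Full-disk encryption products handle both for you; the example only makes visible what you are relying on when you turn them on.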

How Long to Keep Notes

HIPAA itself does not set a clinical record retention period. It requires you to keep your compliance documentation (policies, risk analyses, and similar) for six years under §164.316. But how long you keep client records is driven by state law and your licensing board — and those vary widely.

Retention periods commonly run anywhere from five to ten or more years after the last date of service, with longer rules often applying to minors (frequently counted from when the client reaches the age of majority). Because there is no single national number, you must check your specific state's requirements and your professional board's rules.

Two principles hold everywhere: don't destroy records before the required period ends, and when you do destroy them, do it securely — shredding for paper, certified deletion for digital.

What to Do Today

If you want a concrete action list, here it is:

  • Separate your psychotherapy notes from your progress notes, physically or logically, and keep routine clinical facts out of them.
  • Confirm you have a signed BAA with your EHR and any AI tool — and save copies.
  • Turn on full-disk encryption on every device you take notes on.
  • Enable multi-factor authentication on your EHR and any cloud account holding notes.
  • Audit your AI tool specifically for the no-training-on-your-data clause and subprocessor disclosure.
  • Lock up paper and adopt a clean-desk habit.
  • Look up your state's retention requirement and write it into your policies.

None of these takes long on its own. Together, they cover the vast majority of how notes go wrong — and they're entirely within reach for a solo practice.

Take the next step

Not sure where your practice stands? Yundra's free HIPAA risk assessment takes 25 minutes and gives you a clear compliance score with specific gaps identified. No credit card required.
