Start free

Blog · · 10 min read

Therapy session transcription: HIPAA, consent, and what AI can ethically do

Mental health professionals using AI transcription for session notes face two-party consent laws, BAA requirements, and patient trust. What's allowed, what's not.

Therapy session transcription: what HIPAA, consent law, and the APA actually allow

If you're a licensed therapist looking at AI transcription for session notes, here's the short answer: yes, AI can draft your progress note from a recording — but only if you have a signed Business Associate Agreement (BAA) with the transcription vendor, only if your state's consent law is satisfied, and only if you, not the model, sign off on the final note. We don't yet offer BAA coverage at Transcription.Solutions — so we'll tell you up front where we fit and where we don't.

The rest of this piece is the long form: what HIPAA requires, where two-party consent bites, the difference between progress notes and psychotherapy notes (it matters), and the workflow that actually saves the 30 minutes after each 50-minute session.

The documentation tax

The American Psychological Association estimates clinicians spend 20% to 30% of the workweek on clinical documentation and progress notes. For a 40-hour week with a full caseload, that's 8 to 12 hours of typing — paperwork insurance doesn't reimburse and that eats into evenings.

AI transcription doesn't remove the documentation requirement. It changes the input from "remember and write" to "edit a draft". When the underlying speech-to-text is accurate, the time math shifts meaningfully — typing a SOAP note from scratch takes 8 to 15 minutes; editing a structured draft built from a transcript takes 3 to 5.

That math is the whole reason this category exists. Everything below is the legal and ethical fence around it.

What HIPAA actually requires for session recordings

HIPAA treats audio of a clinical encounter the same way it treats any other patient record: as Protected Health Information (PHI). The moment audio leaves the device — uploaded to a cloud transcription service, processed by an ASR model, stored as text — a Business Associate is handling PHI on your behalf.

That triggers two requirements:

  • A signed BAA between your practice and the transcription vendor.
  • Reasonable safeguards: encryption in transit and at rest, access controls, audit logs, breach notification within 60 days.

Per the HHS 2024 Annual Adjustments, the inflation-adjusted civil penalty range is $137 to $68,928 per violation under the lowest "Lack of Knowledge" tier. Maximum annual penalty for willful neglect: $2,067,813 per calendar year. The penalty doesn't depend on whether anyone actually saw the data — it depends on whether the safeguards existed.

In March 2024, the HHS Office for Civil Rights clarified that IP addresses and user interactions on authenticated patient portals — including AI transcription web apps — are themselves PHI. That closed a loophole some vendors had relied on. If a clinician logs in to a transcription tool with a patient identifier attached to a file, the vendor is a Business Associate. There is no "we just process audio" carve-out, and there is no "I stripped the name from the filename" workaround.

The misconception about deletion

A common workaround: "I delete the audio right after the session, so HIPAA doesn't apply." It does apply. Transmission to the cloud is the regulated act. The resulting transcript is also PHI. Deleting the source audio in 60 seconds doesn't retroactively make the upload unregulated — and the transcript still needs the same BAA-backed handling.

Two-party consent, state by state

Eleven U.S. states require all parties to a conversation to consent before recording: California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. The other 39 states (and federal law) require only one party — which, in a therapy session, is you.

For therapists, the practical rule is stricter than the legal floor. The APA's February 2024 policy statement on AI in psychology says clinicians must obtain informed consent for any AI-assisted documentation, regardless of state law. The ethical standard is universal consent. The legal standard varies.

What this looks like in practice:

  • Add an AI documentation clause to your intake paperwork. Name the tool. Describe what gets recorded, where it's stored, who can access it, how long it's retained, and how the client can refuse or withdraw consent without penalty.
  • Re-affirm verbally at the start of the first session that uses recording. A one-sentence reminder is enough: "I'm going to record today so my notes software can help me draft the session note — same consent we signed at intake. Still okay?"
  • Document the consent in the chart.

A checkbox buried in intake paperwork is not real consent. The client needs a real choice — including the option to say no without it affecting the therapeutic relationship.

EU and UK analogs

Under GDPR, audio of a clinical encounter is Article 9 "special category" data. It requires explicit, written, granular consent — separate from general intake consent — naming the processor and the purpose. Practically: an EU therapist needs a Data Processing Agreement (DPA) with the transcription vendor, EU data residency or Standard Contractual Clauses, and a Data Protection Impact Assessment (DPIA) if processing is "large-scale". The DPIA threshold is fuzzy — a solo practice with 30 active clients is probably under it; a 40-clinician group practice is over. The UK's UK-GDPR mirrors this and adds Caldicott principles for NHS-linked practice.

Psychotherapy notes vs. progress notes — they are not the same

This is the distinction that catches clinicians off guard, and the one most relevant to what AI can and can't ethically produce.

Progress notes are the official medical record entries: presenting issue, interventions, response, plan. They go in the chart. Patients can request them under the HIPAA Right of Access. Insurers can audit them. Other providers can request them with authorization.

Psychotherapy notes are a specific HIPAA category: the clinician's private analytical notes, kept separate from the medical record. They have heightened protection — even the patient generally cannot request them without your release. To qualify, they must be physically or digitally separated from the chart and contain only the clinician's analysis of conversation content.

The misconception: "If my AI generates a verbatim transcript, that's protected as psychotherapy notes."

It's not. A verbatim transcript captures dialogue, not the clinician's private analysis. HHS guidance treats verbatim session transcripts as part of the general medical record. That means:

  • They're discoverable under HIPAA Right of Access.
  • They're subject to subpoena under standard rules.
  • A patient can request a copy and you generally must provide it.

The implication for workflow: most clinicians do not want a verbatim transcript living in the chart. They want a structured progress note generated from a transcript that is then deleted. The transcript is a transient processing artifact; the note is the record. Larger records carry larger access, retention, breach, and trust consequences — keep only what you need.

Try it on your audio

Start free →

30 minutes a month, no card.

What AI can ethically do — and what it can't

What it can do well:

  • Generate a first-draft progress note from a session recording in a standard format (SOAP, DAP, BIRP).
  • Extract themes, medication mentions, risk indicators for clinician review.
  • Save 5 to 10 minutes per session of typing time when the draft is decent.

What it can't do — ethically or legally:

  • Be the clinical record on its own. The APA's February 2024 statement is explicit: the psychologist is responsible for clinical decisions and documentation. AI assists; it does not author.
  • Make a risk assessment. Suicide or homicide risk language flagged in a transcript is a prompt for clinician review, not an automated alert to anyone.
  • Replace your judgment on what belongs in the chart versus what belongs in your private psychotherapy notes (which, again, should be hand-written or typed by you, not transcribed).

The ONC's HTI-1 rule, finalized December 13, 2023, adds another layer for AI tools embedded in certified EHRs: developers must publish "source attributes" describing training data, intended use, and known limitations. Most standalone transcription tools don't fall under HTI-1 directly, but if you're piping output into a certified EHR, the EHR vendor is now on the hook for AI transparency. Ask them what materials they publish — and ask whether the AI feature is generating text, predicting risk, or suggesting diagnoses. Those are different liabilities.

Accuracy: where therapy audio breaks the benchmark

Therapy is not a podcast studio. Our baseline WER on conversational 16 kHz audio is ~7.88% on AssemblyAI Universal-3, the model we use as primary ASR. That number climbs fast in a real consulting room: a client who is crying, whispering, or overlapping with your speech; a phone sitting too far from the couch; masks; children in the room; accents underrepresented in training data; SSRI brand names and DSM codes. On 8 kHz telephony (telehealth via phone), expect ~17.7% WER.

Diarization compounds this. Stereo recordings — clinician on one channel, client on the other — give perfect channel-split separation. Mono recordings rely on pyannote-3.1, which handles 2 to 4 speakers well and degrades beyond 6. If you're using a single phone on a table, you're in mono. Overlapping speech in mono can scramble who said what — which matters if the transcript is used to reconstruct a risk statement or a quoted commitment.

The rule: never paste AI output into the chart without clinician review.

A practical session-to-note workflow

  1. Intake: client signs consent that names the transcription vendor and the purpose. Re-confirm verbally before the first recorded session.
  2. Record: use a phone or a dedicated recorder. Stereo if you can.
  3. Upload after the session, not during. Live transcription introduces a second set of risks and rarely helps clinically.
  4. Review the transcript: spot-check clinical terminology, medication names, and any risk language.
  5. Generate a structured note: SOAP or DAP. The model produces a draft; you edit for accuracy, risk, diagnosis, plan, and billing.
  6. Chart the note, not the transcript, unless your policy specifically requires retaining the verbatim record.
  7. Delete the audio and transcript once the note is finalized, per your retention policy.
  8. Sign the note: you, not the AI. Your license, your liability.

For multi-clinician practices, add: per-clinician access controls, audit logs reviewed monthly, and a documented incident response plan with breach notification timelines matching HIPAA's 60-day rule.

The patient-trust test

A workflow can be technically legal and still change the room. Therapy is built on confidentiality and attention, not data capture. Before you start recording, ask whether the client speaks less freely with a phone on the table — whether they avoid sensitive topics, whether they worry that a transcript will follow them into insurance, custody, employment, or litigation contexts.

For some clients, transcription will feel neutral or helpful. For others, it will close them down. Ethical AI use respects both reactions. If the consent conversation feels like a formality you're rushing through, the consent isn't real.

Where Transcription.Solutions fits — and where it doesn't

Honest version: we run AssemblyAI Universal-3 as primary ASR, with channel-split diarization for stereo and pyannote-3.1 for mono. WER is ~7.88% on clean 16 kHz audio, ~17.7% on 8 kHz telephony. We support 99 languages at one price. Our audio-to-text pipeline handles the upload-and-transcribe flow.

What we do NOT have, as of May 2026:

  • A signed BAA. We hold HIPAA-grade data handling at rest — encryption, access controls, audit logs — but we are not a BAA-covered Business Associate yet. If your practice requires a BAA (and almost every U.S. clinical practice does), we are not the right vendor today for identifiable session audio. We're piloting BAA coverage with a small group of clinicians; email us to be part of that.
  • A native progress-note template engine. You can paste a transcript into a SOAP-format prompt and get a draft, but we don't ship a clinician-specific UI for that today.
  • Automatic EHR integration. No direct write into Epic, Cerner, SimplePractice, or TherapyNotes. You copy-paste.

What a serious BAA review with any vendor should cover: which subprocessors touch audio, text, and metadata; encryption at rest and in transit; retention and deletion settings; breach notification terms; support staff access controls; whether analytics or tracking tools run inside authenticated workflows; export handling. If a vendor won't put answers in writing, that's the answer.

What we do ship that's useful for clinicians generally — clinical research interviews, training tape transcription, supervision recordings (with consent), administrative meeting notes, de-identified dictation — is the same pipeline at the same accuracy. For identifiable session notes, wait for the BAA or use a BAA-covered competitor.

Where competitors fit

  • Otter.ai: strong meeting-notes UX, but standard plans don't include a BAA. Their enterprise tier offers BAA on request — verify before uploading PHI. See our Otter comparison for the feature breakdown.
  • Rev.com: offers BAA on its enterprise plan. Slower (human-in-the-loop) but very accurate for clinical terminology.
  • Mentalyc, Upheal, Eleos: purpose-built for therapy notes, BAA-covered, opinionated SOAP/DAP templates. Higher price per minute than horizontal tools. The seam: lock-in to their template format and less flexibility for non-session audio.

We're naming these because the right answer for a HIPAA-covered therapy practice today is one of them, not us. We'd rather tell you that than sell you a tool that puts your license at risk.

What next

  • If you're in a two-party consent state, update your intake form before your next session — the consent paperwork is the cheapest legal protection you can deploy this week.
  • Read the APA's February 2024 AI policy statement end to end. It's the standard your licensing board will reference.
  • If you need a BAA today, evaluate Mentalyc, Upheal, or Rev.com Enterprise against your EHR's native AI features.
  • Test transcription quality with a mock session or fully synthetic audio (no PHI) on our 60-minute Free plan — see our pricing page for limits.
  • If you want to be in our BAA pilot — small group, no promises on timing — email us. We'll be honest about where we are.