Do therapy practices need a Business Associate Agreement before using an AI scribe?
Yes. Any AI scribe vendor that records, transcribes, or processes patient session audio is a Business Associate under HIPAA and must sign a Business Associate Agreement with your practice before you use their service. A BAA is not a formality. It is a binding legal contract specifying how the vendor can use your patients’ protected health information, what security standards they must maintain, and what happens if there is a breach. No BAA means no legal authorization to process PHI.
Key Takeaways
- AI scribes are not automatically HIPAA compliant. You must confirm the vendor will sign a Business Associate Agreement before using their tool.
- State recording consent laws vary significantly. Some states require all-party consent before recording any clinical conversation.
- Your AI scribe vendor’s audio retention policy matters. Ask how long the recording is kept and whether it can be used to train their AI model.
- HelloNote AI Scribe includes a signed BAA on every plan, does not use session audio to train AI models, and includes patient consent language templates.
Before a single therapist we talk to asks about features or pricing, they ask this: Is AI scribe actually HIPAA compliant? The question is exactly right. In a practice that handles protected health information every single day, adopting any technology that touches patient data without verifying compliance is not just a policy failure. It is a legal and ethical one.
What frustrates us about how this question usually gets answered is that vendors say “yes, we are HIPAA compliant” and call it done. That answer is incomplete. HIPAA compliance is not a certification issued by the government. It is a set of required behaviors and safeguards that vary based on what data is processed, how it is stored, and what happens to it afterward. The right question is not just “are you HIPAA compliant?” It is “what exactly does that mean for my patient’s audio recording?”
This post answers that question completely. We are not attorneys. If you have specific legal questions about your practice’s compliance situation, consult a healthcare attorney. But we have gone through this process ourselves building HelloNote’s AI Scribe, and we want to share what we learned.
The Compliance Question We Get Before Every Demo
What does HIPAA compliance actually mean for an AI scribe in a therapy practice?
HIPAA compliance for an AI scribe means the vendor has signed a Business Associate Agreement with your practice, maintains appropriate security safeguards for electronic protected health information, and has clear policies for how patient audio is stored, retained, and used. It is not a government certification. Every therapy practice is responsible for verifying those safeguards before activating any AI documentation tool that touches patient data.
We hear this question in every single demo we run, and we think that is exactly how it should be. A therapy practice that does not ask about HIPAA compliance before adopting an AI documentation tool is taking a risk it may not fully understand. The question is not paranoid. It is professional due diligence.
The problem is that “yes, we are HIPAA compliant” is not a complete answer. It is the beginning of a conversation, not the end of one. What compliance actually means depends on how the vendor handles audio, how long they retain it, what they do with it, and whether they have put their obligations in writing in a Business Associate Agreement. Every one of those details matters.
The Business Associate Agreement — Non-Negotiable
Why the BAA Matters for AI Scribe
Under HIPAA, any company that handles protected health information on behalf of your practice is defined as a Business Associate. An AI scribe vendor that records, transcribes, or processes patient session audio is handling PHI. That means they are legally required to sign a Business Associate Agreement with your practice before you use their service.
A BAA is not a marketing document or a formality. It is a binding legal contract that specifies exactly how the vendor is allowed to use your patients’ health information, what security standards they must maintain, and what they must do if there is a breach. If a vendor will not sign a BAA, they are either not designed for healthcare use or are choosing not to accept the legal responsibilities that come with handling PHI. Either way — do not use them.
Questions to Ask Every AI Scribe Vendor Before Signing
- Will you sign a HIPAA Business Associate Agreement before we use your service, including during a free trial?
- Where is patient audio stored, and for how long? Is it deleted after processing?
- Is session audio used to train your AI model? Can patients or practices opt out?
- Who at your company can access session recordings, and under what circumstances?
- What is your breach notification process, and how quickly will you notify us if patient data is compromised?
- Are you SOC 2 Type II certified in addition to HIPAA compliant?
State Recording Consent Laws — The Gap HIPAA Does Not Cover
Which states require patient consent before using an AI scribe to record a therapy session?
All-party consent states require that every person in a recorded conversation provide explicit consent before recording begins. These states include California, Florida, Pennsylvania, Maryland, Michigan, Connecticut, and several others. In these states, activating ambient AI listening during a patient session without explicit patient consent may violate state law regardless of HIPAA compliance. One-party consent states allow recording if one party consents, which in a clinical setting means the therapist. However, best practice is to disclose AI scribe use and document patient consent in every state.
Here is the compliance piece that very few AI scribe vendors explain clearly, and it is the one with the most legal risk for individual therapy practices. HIPAA is a federal law. Recording consent is a state law. And those two layers of regulation address completely different questions.
HIPAA Is Federal. Recording Consent Laws Are State.
HIPAA establishes the national floor for protecting patient health information in electronic form. But recording consent — the question of whether you can legally record a conversation between you and a patient — is governed by state law, not federal law. And state laws vary dramatically.
One-Party vs All-Party Consent States
One-party consent states allow recording if one party to the conversation consents, which means you can record your own session without the patient’s explicit consent, though best practice is still to disclose. All-party consent states require that every person in the recorded conversation consent before recording begins. These states include California, Florida, Pennsylvania, Maryland, Michigan, Connecticut, and several others.
If you practice in an all-party consent state and activate ambient AI listening in a patient session without explicit patient consent, you may be in violation of state law regardless of your HIPAA compliance. We are not attorneys and this is not legal advice. But this is a real risk that therapy practices in affected states need to understand and address.
What We Recommend for All Practices
Regardless of your state’s recording consent requirements, we recommend a simple verbal disclosure at the start of every session where AI scribe is activated. Something like: “I use an AI documentation assistant during sessions that helps me focus on you instead of typing. It generates a draft note that I review and sign. Is it okay if I use it today?” This covers you in all-party consent states and builds patient trust in every state.
HelloNote’s AI Scribe includes consent language templates that practices can use at intake and verbally during sessions. We built these in because we knew therapists needed them and no vendor was providing them.
Audio Retention — What Happens to the Recording After the Session
The Question Most Therapists Do Not Ask
When the session ends and your AI scribe generates the SOAP note, what happens to the audio recording? This question matters for two distinct reasons: patient privacy and AI training data.
Privacy: How Long Is the Audio Kept?
Different vendors have very different audio retention policies. Some delete the audio within hours of processing. Others retain it for weeks or months for quality review. Some archive it indefinitely. The HIPAA minimum necessary standard requires that PHI, including audio, not be retained longer than necessary for the purpose for which it was collected. For AI scribe documentation, that purpose is generating a clinical note. After the note is generated and approved, there is no clinical reason to retain the audio.
AI Training: Is My Patient's Voice Training Someone's Model?
This is the question that keeps getting missed. Some AI scribe vendors use session recordings to improve and train their AI models. Depending on the terms of your BAA and the vendor’s privacy policy, your patients’ voices and clinical conversations may be contributing to a commercial AI model’s development. Patients generally have not consented to this use.
Review your vendor’s terms carefully and specifically ask whether session data is used for AI model training. HelloNote does not use session audio for AI model training.
Frequently Asked Questions
Is AI scribe HIPAA compliant for therapy practices?
AI scribes can be HIPAA compliant, but only if the vendor signs a Business Associate Agreement with your practice and maintains appropriate safeguards for electronic PHI. HIPAA compliance is not certified by the government. You must verify the vendor's security practices and BAA terms before use.
Do I need patient consent to use AI scribe in my therapy sessions?
This depends on your state. In all-party consent states, you are legally required to obtain patient consent before recording any clinical conversation. In one-party consent states, you are the consenting party. Regardless of your state, best practice is to disclose AI scribe use to every patient and document their consent.
What is a Business Associate Agreement and why does it matter for AI scribe?
A BAA is a legally binding contract that any company handling your patients' protected health information must sign under HIPAA. It specifies how the vendor can use PHI, what security standards they must maintain, and their breach notification obligations. If an AI scribe vendor will not sign a BAA, they cannot legally process your patients' health information.
Can AI scribe vendors use my patients' session recordings to train their AI?
Some can and do. It depends on the vendor's privacy policy and BAA terms. Always ask specifically whether session audio or transcripts are used to train AI models, and whether practices or patients can opt out of this use. HelloNote does not use patient session audio for AI model training.
What states require all-party consent for recording therapy sessions?
All-party consent states include California, Florida, Pennsylvania, Maryland, Michigan, Connecticut, and several others. In these states, every person in the recorded conversation must consent before recording begins. If you practice in one of these states, you must obtain explicit patient consent before activating AI scribe during a session. We recommend consulting a healthcare attorney for state-specific guidance.