HIPAA-aware transcription for therapists and coaches: a practical guide
HIPAA is a posture, not a checkbox. Here is what therapists, clinicians, and serious coaches need to evaluate before letting any AI tool near a session recording.
Why HIPAA is a posture, not a checkbox
Therapists and clinical workers approaching AI transcription often start with the question "is this HIPAA-compliant?" That phrasing is part of the problem. HIPAA compliance is not a property a tool has — it is a posture maintained jointly by the covered entity (the clinician or clinic) and the business associate (the vendor). A tool can have all the right certifications and still produce a HIPAA violation if the workflow around it is sloppy.
What actually matters is whether the vendor has signed a Business Associate Agreement with you, what protections the BAA includes, and whether your workflow honors the safeguards required by the HIPAA Security Rule. A vendor saying "we are HIPAA-compliant" without a signed BAA is decorative. A vendor with a BAA and a thoughtful security posture is the actual baseline.
The BAA conversation you must have
A BAA is a written contract between the covered entity and the business associate that specifies how PHI is handled, who can access it, retention rules, breach notification timelines, and termination behavior. Not all BAAs are equal. The standard the larger health-tech vendors offer is generally robust; some smaller transcription tools offer thinner BAAs that exclude common scenarios.
- Confirm the BAA names every subprocessor that may touch PHI.
- Confirm the breach notification timeline — 24 to 72 hours is standard.
- Confirm what happens to PHI on contract termination — return or destruction within a specified window.
- Confirm that audit logs are available to the covered entity, not just to the vendor.
- Confirm that AI model training on PHI is explicitly prohibited.
If any of those points is missing, push back. Reputable vendors will negotiate; transcription is not so commoditized that you have no leverage. If a vendor will not negotiate the gaps, that is your signal to choose a different one.
Encryption, retention, and audit trails
Acceptable for clinical use
- AES-256 at rest, TLS 1.3 in transit
- 7-30 day default retention
- User-initiated deletion within 24 hours
- Audit logs accessible to the covered entity
- EU residency option if cross-border patients
Disqualifying
- Vague "encrypted with industry standards"
- "Until manual deletion" retention
- Deletion as best-effort, no SLA
- No customer-facing audit logs
- Single-region storage with no residency option
Audit trails are particularly important for the gray-area scenarios. If a patient asks, "did anyone listen to my last session," you need the ability to answer with evidence — not the vendor's word. Tools that surface session-level access logs to the covered entity are doing the right thing.
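As an added illustration, not part of the original guide: a small script that answers the "did anyone listen to my last session" question from a vendor-exported audit log and checks whether the stated retention default was actually honoured. The JSON Lines layout, field names, action names and every event below are constructed for this example; a real vendor export has its own schema, so map the fields accordingly.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (JSON Lines): each event names the actor, whether the
# actor belongs to the covered entity ("customer") or the vendor, and the session.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "actor": "system", "actor_type": "vendor", "action": "session.create", "session_id": "sess-1042"}
{"ts": "2024-03-01T09:02:11Z", "actor": "dr.lee@clinic.example", "actor_type": "customer", "action": "transcript.view", "session_id": "sess-1042"}
{"ts": "2024-03-02T14:30:05Z", "actor": "support-17", "actor_type": "vendor", "action": "audio.play", "session_id": "sess-1042"}
{"ts": "2024-03-02T14:40:00Z", "actor": "system", "actor_type": "vendor", "action": "session.create", "session_id": "sess-1043"}
{"ts": "2024-03-31T08:00:00Z", "actor": "retention-job", "actor_type": "vendor", "action": "audio.delete", "session_id": "sess-1042"}
"""

# Actions that mean someone actually read PHI (hypothetical action names).
READ_ACTIONS = {"audio.play", "transcript.view", "transcript.export"}

def _parse_ts(value):
    """ISO-8601 with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_audit_log(text):
    """Parse JSON Lines into event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = _parse_ts(ev["ts"])
            events.append(ev)
    return events

def accesses_for_session(events, session_id, vendor_only=False):
    """Every read of one session's audio or transcript, in log order; vendor_only
    narrows it to access by people who are not the patient's own clinician."""
    return [ev for ev in events
            if ev["session_id"] == session_id and ev["action"] in READ_ACTIONS
            and (not vendor_only or ev["actor_type"] == "vendor")]

def overdue_deletions(events, now_iso, retention_days):
    """Sessions created more than retention_days before now_iso with no audio.delete
    event: evidence that the stated retention default was not honoured."""
    cutoff = _parse_ts(now_iso) - timedelta(days=retention_days)
    created = {ev["session_id"]: ev["ts"] for ev in events if ev["action"] == "session.create"}
    deleted = {ev["session_id"] for ev in events if ev["action"] == "audio.delete"}
    return sorted(sid for sid, ts in created.items() if ts <= cutoff and sid not in deleted)
```

Run against a real export, the vendor-only access list is what you hand a patient as evidence, and the overdue list is what you take back to the vendor when the BAA's retention terms are not being met.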
SOAP notes, progress notes, and what auto-summaries miss
Several transcription tools now offer auto-generated clinical notes — SOAP, DAP, BIRP. The output is usable as a draft. It is not usable as a final note without clinician review. Auto-generated notes consistently miss subtle clinical signal: tone shifts, what the patient did not say, the meta-context the clinician brings to the session. They also occasionally invent content — "patient denied suicidal ideation" when the topic was never raised — and the consequences of that in a clinical record are severe.
The right pattern is auto-draft then clinician finalize. Treat the AI note as the first 60% of the work. Spend 5-10 minutes per session reviewing, correcting, adding the clinical reasoning the model could not surface. That gives you the speed gains without the documentation risk. Skip the review and you are accumulating notes you cannot fully defend in a chart audit.
Coaches: the lighter path
Coaches are not generally HIPAA-covered, but the privacy posture for coaching sessions is still serious. Clients share career, relational, and personal context that they would not want exposed. The "we use your data to improve the product" language some tools use is incompatible with the trust coaches build with clients.
For coaches, the right minimum bar is: no model training on client audio, short retention defaults, end-to-end encryption, and clear deletion semantics. A BAA is not legally required, but a vendor that can offer one (often on enterprise plans) is also one whose underlying data practices are stronger. That correlation is worth weighing in tool choice even when the BAA is not strictly necessary.
A tool-evaluation rubric you can actually use
| Criterion | Required | Preferred | Disqualifying |
|---|---|---|---|
| BAA available | Yes | Includes all subprocessors | No BAA at all |
| Default retention | < 90 days | < 30 days | Indefinite |
| Model training on PHI | Prohibited | Audited | Permitted |
| Audit log access | Customer-readable | Real-time API | Internal only |
| Deletion SLA | < 30 days | < 24 hours | Best effort |
| Speaker attribution | Reliable | Persistent voice IDs | Often wrong |
| Auto-notes | Optional | Editable, with citations | Required, not editable |
Score each tool, weight by what matters most to your practice, and you have a rubric you can actually defend in a procurement review or a chart audit. The exercise is rarely fun, but it is the closest thing to insurance you have for the kind of breach that ends careers.