Are AI Scribe Tools HIPAA and PIPEDA Compliant for Therapists?

Feb 17, 2026
Madison Bennett

Short answer: yes, AI scribe tools can be HIPAA and PIPEDA compliant for therapists. But "can be" is doing some heavy lifting in that sentence, so let's talk about what that actually means for you and your clients.

If you're a therapist thinking about using an AI scribe for therapy notes, you've probably had a moment where the excitement of never writing session notes at 10 PM again bumped right up against the worry: are clinical AI notes safe for my clients?

That instinct to pause and ask the question is a good one. In a recent Jane survey, 23% of behavioral health practitioners said they feel cautious about AI. This is the highest rate of any major discipline that uses Jane. And honestly, that makes sense. When you're using AI for clinical notes or recording therapy sessions, you're documenting some of the most private things people will ever share: their histories, their relationships, their inner worlds. Of course, you want to get this right.

So let's walk through it together.

What HIPAA and PIPEDA compliance actually means for your AI scribe

AI compliance isn't a single checkbox. It's a combination of what your vendor does on their end and what you do on yours. Think of it like a lock on a door: the vendor builds the lock, but you're the one who needs to use it.

Here's what to look for on the vendor side.

If you're in the US and following HIPAA

  • Strong encryption during transmission and storage (AES-256 or similar). This means your clients' information stays protected from the moment you hit record until it's stored, and the vendor can't view transcripts in plain text. That's the level of protection therapy sessions deserve.
  • A signed Business Associate Agreement (BAA). This is non-negotiable. A BAA is a legal contract that makes your AI vendor a "business associate" under HIPAA. It holds them to the same privacy and security standards that apply to you, and makes them liable if they mishandle client data. If a vendor won't sign one, you can't legally use their tool for client sessions.
  • Limited access controls so only authorized people can see client data.
  • Audit logs that show who accessed what and when.
  • Breach notification policies so you're told right away if something goes wrong.

If you're in Canada and following PIPEDA

  • Clear, meaningful consent from clients before recording. They should always know when AI is part of the process.
  • Data minimization. Only collect the information that's actually necessary.
  • Client access and deletion rights. If a client asks to see their records or wants something deleted, you need to be able to honor that.
  • Cross-border data protections. Many AI tools use servers in the U.S., so you'll want to confirm that equivalent privacy protections are in place. Check with your regulatory body for any specific rules about where data can be stored or processed.

A note for Canadian therapists: some provinces have their own health privacy laws, like PHIPA in Ontario and HIA in Alberta. In those cases, the provincial law takes the lead, and PIPEDA fills in any gaps.

No matter where you practice

A few things are universal when evaluating AI scribes:

  • End-to-end encryption from the moment you press record
  • A clear commitment that your session data won't be used to train their AI models
  • Transparent policies about how recordings are stored and when they're deleted

Your AI scribe compliance checklist: must-haves vs. red flags

Not all AI scribe tools are created equal. Here's a quick way to sort the good from the not-so-good.

Must-haves

  • End-to-end encryption (AES-256 or equivalent)
  • A signed BAA (for US therapists)
  • A clear, written policy that your data won't be used to train their AI
  • SOC 2 Type II certification (or equivalent). This means an independent auditor has verified the vendor's security controls. It's third-party confirmation that their systems actually do what they say they do.
  • Specific deletion policies. You want something concrete, like "recordings are automatically deleted within 24 hours after notes are generated." Vague language like "we handle data securely" isn't enough.
  • Permanent deletion on request. You should be able to fully delete recordings and transcripts, not just archive them.

🚩 Red flags

  • Won't sign a BAA (if you're in the US or treating US clients)
  • Can't tell you where your data is stored
  • Can't give you a clear timeline for when recordings are deleted
  • Can't permanently delete data when you ask
  • Uses vague language around privacy and security
  • Completely free with no clear business model

That last one is worth pausing on. Building secure systems takes real investment. If a tool is free, it may be monetizing your data in ways that aren't transparent. Your clients' most sensitive information is worth protecting with tools you can trust.

Your responsibilities as a therapist using an AI scribe

Even the best vendor can't do it alone. Privacy is a shared responsibility between your vendor's infrastructure and the habits you build in your own practice.

Get client consent (and be specific about it)

Let your clients know you're using AI for note-taking. Explain how their data is collected and protected. And document that they've agreed.

Here's a way you might bring it up:

🗣️ "I use an encrypted, HIPAA-compliant AI tool to help with my clinical notes. It helps me stay fully present during our sessions. I review everything before it's added to your chart, and the recording is permanently deleted within 24 hours. Are you comfortable with that? Do you have any questions?"

Add a note in the client's file that you had this conversation. And if someone prefers you don't use it, respect that and switch to another note-taking method for their sessions. Most clinicians handle this on a client-by-client basis without any difficulty.

For more sample scripts and documentation tips, check out our guide to approaching AI scribe consent with clients.

Review every note before it goes into the chart

AI can mishear words, miss important context, or introduce small inaccuracies. You're still responsible for the accuracy of the clinical record. Always review and edit before saving.

Update your privacy policy

Include a short section about your use of AI-assisted documentation tools and how client information is protected. This should align with your informed consent process.

Keep your setup secure

This part is easy to overlook, but it matters. If you're reviewing notes on public WiFi or sharing login credentials, you're introducing risks that your vendor's encryption can't protect against. Safe tools work best when they're paired with safe habits.

What this looks like on a regular Monday

Sometimes it helps to picture the actual workflow. Here's a simple example.

2:00 PM - Client session

You let your client know you use an AI tool for note-taking, explain why, and confirm they're comfortable. (You've already captured written consent in your intake forms.) You start recording with your compliant AI scribe. You stay present with your client instead of typing notes.

3:00 PM - After session

The AI generates a clinical note based on the recording. You review it, catch a small error (the AI wrote "effects" instead of "affects"), fix it, and save the finalized note to your EHR. The recording is automatically deleted within 24 hours, or you can delete it manually right away since you no longer need it.

Behind the scenes:

Your recording was encrypted from the moment you hit record. It stayed encrypted during transmission and processing. Your vendor signed a BAA, so they're legally liable for protecting this data. And you have full control to delete everything permanently whenever you need to.

A closer look at what HIPAA and PIPEDA require

Both regulations exist to protect client health information (including therapy notes, session recordings, and any identifying data), but they work a little differently.

HIPAA (United States) is the primary federal law protecting health information. It includes three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Together, they define how to keep client information confidential, secure, and properly managed if something goes wrong. If your AI scribe records sessions, summarizes notes, or stores client details, it's handling protected health information under these rules. You can learn more in our guide to HIPAA compliance for private practices.

PIPEDA (Canada) is Canada's federal privacy law for private-sector organizations. It's not limited to healthcare, but it covers health data when it's part of client care. Its core goal is making sure personal information is handled responsibly, and only for the purposes clients have agreed to. The cross-border piece is especially important for Canadian therapists, since many AI tools use US-based servers. We’ve outlined more in our overview of PIPEDA and privacy laws for Canadian clinics.

What licensing and professional boards say about AI scribe tools

Guidance is evolving as more therapists explore these tools. Several licensing and ethics boards have started publishing recommendations.

In the US:

  • The APA published a guide for evaluating AI-enabled clinical tools (October 2024) and ethical guidance for AI in professional practice (June 2025)

In Canada:

  • CRPO published guidance emphasizing informed consent, privacy compliance, and professional accountability
  • The Ordre des psychologues du Quebec released AI guidance in September 2025
  • BCACC published AI guidelines in March 2025 covering ethical use, informed consent, privacy, and professional accountability

Most licensing boards haven't published AI-specific standards yet, but their existing technology and confidentiality requirements still apply. When in doubt, it’s best to contact your regulatory body directly.

To sum it up

You can protect your clients' privacy and reclaim your time. Those two things don't have to be in tension.

Look for strong encryption, clear deletion policies, signed agreements where required, and transparent data practices. Get consent. Review your notes. Build safe habits around the tools you choose.

With the right tool and a little thoughtfulness, you can use an AI scribe with confidence, and maybe even get your evenings back.

FAQs

Can I use a free AI scribe and still be compliant?

Probably not. Most free tools don't sign BAAs, lack strong security measures, and may use your data to train their models. True compliance requires serious security infrastructure, which costs real resources to build and maintain.

If an AI scribe is HIPAA-compliant in the US, is it also PIPEDA-compliant in Canada?

Not automatically. HIPAA compliance is a good sign, but PIPEDA has its own rules around meaningful consent, data storage, and cross-border transfers. Confirm that the tool meets the specific requirements for your province or territory, and check with your regulatory body if you're unsure.

What if my client doesn't want me to use AI?

Respect their decision. Have another note-taking method ready for those sessions. This is a completely normal thing to navigate.

How long should recordings be kept?

Only as long as needed to create your clinical note, which is usually just a few hours to a day. Many compliant AI scribes delete recordings automatically within 2 to 48 hours after processing. The finalized note in your EHR becomes the official record. Ask your vendor to confirm their deletion policy so you can share it with your clients.

Do I still need to worry about compliance if my vendor says they're HIPAA-compliant?

Yes. The vendor handles their side of things (encryption, storage, breach notification), but you're responsible for how you use the tool. That means getting consent, reviewing notes, keeping your devices secure, and making sure a BAA is signed. Compliance is always a team effort.

This article provides educational information about AI scribe compliance, but is not legal or regulatory advice. Privacy regulations evolve, and requirements vary by jurisdiction and discipline. Consult with your regulatory body and legal counsel for guidance specific to your practice.

Front Desk Digital is brought to you by Jane. 🩵