The baseline: HIPAA + BAA
Every AI scribe that handles client audio is a Business Associate under HIPAA. You need a signed Business Associate Agreement (BAA) before the first real session — not after, not "in the works." All therapy-first vendors in our rankings sign a BAA at every paid tier. Upheal and Supanote extend BAA coverage to free users; most others do not.
"HIPAA-compliant" on a marketing page is not a BAA. Ask for the BAA in writing, read it, and store the signed copy with your other Business Associate agreements.
Why HIPAA alone is not enough for SUD programs
If you operate a federally-assisted substance-use program — most OTPs, many CCBHCs, many residential SUD facilities, any program receiving federal funds or DEA-registered for buprenorphine — 42 CFR Part 2 applies. Part 2 is stricter than HIPAA in three ways that matter for AI scribes:
1. Consent is per-disclosure, per-recipient, time-limited. A generic HIPAA authorization does not satisfy Part 2.
2. Re-disclosure prohibition. Information disclosed under Part 2 cannot be re-disclosed without separate consent.
3. Qualified Service Organization Agreement (QSOA). Vendors handling Part 2 records need a QSOA, not just a BAA. The QSOA explicitly binds the vendor to Part 2 obligations.
A vendor that signs a HIPAA BAA but cannot produce a QSOA is not Part-2 compliant, period.
Who explicitly addresses 42 CFR Part 2
| Vendor | HIPAA BAA | 42 CFR Part 2 / QSOA | Notes |
|---|---|---|---|
| Eleos Health | ✅ | ✅ | Built for behavioral health orgs / CCBHCs; Part 2 explicitly documented |
| Upheal | ✅ (incl. free) | ❌ not publicly attested | Usable in non-Part-2 settings |
| Mentalyc | ✅ paid tiers | ❌ not publicly attested | Usable in non-Part-2 settings |
| Blueprint | ✅ | ❌ not publicly attested | Usable in non-Part-2 settings |
| Supanote | ✅ (incl. free) | ❌ not publicly attested | Usable in non-Part-2 settings |
| Yung Sidekick | ✅ | ❌ not publicly attested | Usable in non-Part-2 settings |
| Clinical Notes AI | ✅ | ⚠️ on request — verify | Ask for QSOA before signing |
"Not publicly attested" does not mean "will refuse to comply" — it means they have not put it in writing on a public page. If you operate a Part 2 program, get the assurance in the contract.
What to read in the contract (BAA + DPA + QSOA)
Whichever vendor you pick, the document should cover:
- Audio retention — is the audio file deleted after note generation? Within how many hours? Is the transcript retained, and for how long?
- No training on customer data — explicit clause, not a general statement of "responsible AI."
- Subprocessor list — at minimum the LLM provider (OpenAI, Anthropic, Google, an open model on a host) and the cloud host (AWS, GCP, Azure). Subprocessor changes should require notice.
- Data residency — US, EU, UK. Matters for cross-border practices.
- Breach-notification timeline — HIPAA allows 60 days; faster is better. 72 hours is the practical norm.
- Audit logs — who accessed which session, when, from where. Required at audit.
- For Part 2: explicit reference to 42 CFR Part 2 and Qualified Service Organization language. The QSOA is usually an addendum to the BAA.
- Termination & data return — how do you get your data back, and is it then deleted from the vendor's systems?
Questions to send procurement
Copy/paste these into your vendor email:
1. Please send your standard HIPAA BAA for review.
2. Do you support 42 CFR Part 2? If yes, please send the QSOA addendum.
3. After a note is generated, how long is the original audio retained? The transcript?
4. List all subprocessors that process PHI, including the LLM provider and hosting region.
5. Do you train any model on customer audio, transcripts or notes — including for de-identified research or "quality improvement"?
6. What is your breach-notification timeline?
7. Where is data stored at rest? Can data be pinned to a specific region (US / EU / UK)?
8. On termination, what is the process for export and deletion?
If a vendor cannot answer 1–8 within a week, that is the answer.