Skip to content
Compliance

What is the most HIPAA-compliant AI scribe for therapists?

HIPAA is a floor, not a ranking. What actually separates safer AI scribes for therapy: BAA scope, audio retention, training on PHI, subprocessors, and 42 CFR Part 2 posture.

TherapyScribes Editorial10 min · 638 words
Reviewed by TherapyScribes EditorialUpdated Facts verified Methodology

The short version "HIPAA-compliant" is not a certification a vendor holds — it's a shared-responsibility posture that requires a signed BAA plus reasonable administrative, physical, and technical safeguards. Every therapy-first AI scribe worth considering signs a BAA. What separates them is what happens *after* the BAA: audio retention, training on PHI, subprocessor list, breach-notification SLA, and 42 CFR Part 2 awareness for SUD-adjacent work.

**For solo and small-group US therapy practices, Twofold is our current recommendation on compliance posture — BAA on every paid tier, no training on customer data, audio not retained after note generation, and a clean subprocessor story. Upheal matches it on posture and adds the option of EU data residency, which matters if you serve European clients. Mentalyc matches on posture and adds deeper template breadth. Eleos Health** is the honest pick for CCBHC and 42 CFR Part 2 settings where enterprise-grade audit trails and Part 2 language are non-negotiable.

The five things that actually matter after the BAA 1. Audio retention. The safest posture is "audio deleted after the note is generated, unedited retained only for a short debugging window with your consent." Twofold, Upheal (default), and Mentalyc (default) all clear this bar. 2. Training on PHI. The safest posture is "we do not train models on customer PHI, ever, opt-in or otherwise." Ask specifically about opt-out defaults, third-party model training, and de-identified data reuse. 3. Subprocessor list. The safest posture is a published subprocessor list with change notification. Sub-processors typically include a hyperscaler (AWS/GCP/Azure) and one or two foundation-model providers. Opaque sub-processors are a yellow flag. 4. Breach-notification SLA. HIPAA requires 60 days from discovery for BAAs; strong vendors commit to notification within 72 hours in the BAA itself. 5. 42 CFR Part 2 awareness. If any of your caseload includes federally-assisted SUD treatment, you need a vendor that either treats Part 2 as a first-class posture (Eleos) or explicitly documents that you must not send Part 2 records through their pipeline. Silence on Part 2 is a yellow flag.

Compliance posture at a glance

ToolBAA on paid tiersTrains on customer PHIDefault audio retentionEU residency option42 CFR Part 2 stance
TwofoldYesNoDeleted after noteNoDocumented — do not process Part 2 records
UphealYes (incl. free tier)NoDeleted after noteYesDocumented
MentalycYesNoDeleted after noteNoDocumented
Eleos HealthYesNoConfigurableNoFirst-class support (CCBHC-oriented)
HeidiYesNoConfigurableAU optionDocumented

What "HIPAA-compliant" doesn't mean - It doesn't mean the vendor has been audited by HHS — HHS doesn't audit vendors on request. - It doesn't mean a SOC 2 Type II report exists. Ask for one separately; it's a stronger signal than the BAA alone. - It doesn't cover state-level rules on top of HIPAA (California CMIA, Texas HB 300, New York SHIELD). Ask specifically if your state has stricter breach or consent rules.

The single most important operational control Get the client's consent before the first session, in writing, in a form your state's board recognizes. No vendor's compliance posture rescues a note taken without valid consent. See our consent template patterns for language that clears most state boards and meets HIPAA notice requirements.

Recommendation - Default for solo/small US practicesTwofold. Cleanest posture at the lowest entry price. - EU / multilingualUpheal. - CCBHC / Part 2Eleos Health. - Wide modality template needsMentalyc.

See also: HIPAA and 42 CFR Part 2 in detail and Canadian PIPEDA/PHIPA for cross-border considerations.

Continue reading