Skip to content
PrivateAI
← Back to Home
guide

Private AI for Therapists and Counselors: Session Notes Without a HIPAA Problem

10 min read min readBy PrivateAI Team

_Last updated: 2026-07-08_

If you have ever pasted a client's session notes into ChatGPT to help draft a treatment summary, you likely created a HIPAA disclosure — and possibly a licensing board violation — without meaning to.

That is the blunt version. Here is what the risk actually is and how to use AI in a therapy or counseling practice without it.

Consumer AI chatbots are not covered entities and, in almost every case, will not sign a Business Associate Agreement (BAA) with you. Under HIPAA, sharing protected health information (PHI) with a vendor that has not signed a BAA is a disclosure to an unauthorized third party — full stop, regardless of how useful the tool is or how good your intentions were. Add in state licensing board confidentiality rules, which are often stricter than HIPAA and apply even to notes that do not technically qualify as PHI, and the exposure compounds. A single pasted intake summary — client name, presenting problem, medication history, disclosure of self-harm risk — sitting on a general-purpose AI vendor's servers is a problem you cannot easily undo.

The good news: AI can still make you faster at documentation, treatment planning, and continuing education without any of that exposure. This guide covers where the actual risk lives and how to build a workflow around it.


Why "It's Just for Drafting" Doesn't Hold Up

A common rationalization is that the AI output is just a first draft, reviewed and edited before it goes in the chart, so the underlying data exposure doesn't matter. It does. The violation happens at the moment the data leaves your control, not at the moment the output is used. Once a client's session content is typed into a consumer chatbot, you no longer control:

  • Whether it is logged and for how long
  • Whether it is used to improve the vendor's models (most consumer tiers reserve this right)
  • Who at the vendor has system access to review flagged conversations
  • What happens if the vendor is breached or subpoenaed

None of that is hypothetical. Multiple mental health apps and even some AI note-taking startups have faced scrutiny — and in a few cases FTC action — for exactly this kind of data handling. Your license, not just your client's trust, is on the line if it happens through your workflow.

What the licensing rules actually require: Most state boards (and the ethics codes of the APA, ACA, and NASW) require counselors to take "reasonable steps" to protect client confidentiality and to understand the technology they use in practice. That standard does not ban AI. It requires you to know where client data goes before you use a tool — which is precisely what most practitioners skip.


The Three Places Client Data Actually Leaks

Mental health practice has three distinct exposure points, and securing only one leaves the others open.

1. The AI inference layer. The model or chatbot itself. Does your input get logged, retained, or used for training? Does the vendor have a BAA available, and have you signed it?

2. The notes storage layer. Where do session notes, treatment plans, and intake forms actually live? If they sit in a personal Google Drive, Dropbox, or an EHR with weak encryption practices, the AI question is almost moot — the data was already exposed before AI entered the picture.

3. The client communication layer. How do clients send you forms, insurance information, or messages between sessions? Standard email is not encrypted end to end, and a client emailing you about medication changes creates a plaintext record sitting in a mail provider's servers indefinitely.


Layer 1: AI Tools That Won't Create a Disclosure

Local Models: The Only True Zero-Disclosure Option

Running a model entirely on your own computer means client data never leaves your machine. Nothing is logged by a vendor because there is no vendor in the loop during inference.

Ollama is the simplest way to do this. It installs in minutes on a Mac or Windows machine and runs capable open-weight models like Llama 4 or Mistral Large locally. For therapists, the practical use cases are: turning rough session notes into a structured SOAP or DAP note format, summarizing a client's treatment history for a referral letter, or drafting psychoeducation handouts tailored to a client's specific situation. None of that requires sending a single word to an outside server. A mid-range Mac Mini or a Windows laptop with 16GB of RAM handles this comfortably for solo practice or small group practice use.

The tradeoff is setup time and the fact that local models are a step behind frontier cloud models in nuance. For documentation formatting and drafting, that gap does not matter. For anything requiring current research citations, it does — which is where the next tool comes in.

For Research: A Tool That Doesn't Build a Profile on You

Looking up current best practices, a new medication interaction, or recent research on a treatment modality is research about the field, not about a specific client, so the risk profile is different — but it still matters. Consumer search engines and general AI chatbots build a query history tied to your account. Over time, that history can reveal your caseload's clinical patterns even without a single client name attached.

Perplexity Pro is built for exactly this kind of research: cited answers pulled from current sources, with an explicit no-training policy on Pro subscriber queries. Ask it about the latest DBT skills research, a drug interaction, or CE-relevant literature, and you get sourced answers without a client's information anywhere in the query.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.


Layer 3: Securing Client Communication Between Sessions

Clients emailing you about scheduling changes, insurance questions, or updates between sessions is routine — and routine email is not private. Standard email providers can read message content, and messages sit indefinitely on servers you don't control.

Proton Mail provides end-to-end encryption automatically between Proton addresses, and password-protected encrypted messages to clients using any other email provider. For a practice, the practical move is giving clients a Proton-based intake or contact address for anything involving clinical content, while keeping a standard address for pure scheduling logistics that don't touch PHI.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.


Putting It Together: A Practice-Ready Workflow

Documentation drafting: Rough session notes typed or dictated, then run through Ollama locally to structure into your preferred note format (SOAP, DAP, BIRP). You review and finalize before it goes into your EHR. No client data leaves your machine at any point.

Clinical research and continuing education: Perplexity Pro for looking up current research, medication information, or modality-specific literature. You're researching the field, not a client, and the query history stays clean of PHI either way.

File storage outside the EHR: Tresorit for anything that needs encrypted storage but doesn't live natively in your EHR — scanned intake forms, exported summaries for referrals, draft materials.

Client-facing communication involving clinical content: Proton Mail for any email exchange that touches diagnosis, treatment, or anything you'd consider part of the clinical record. Standard email is fine for pure logistics.

Backup and continuity planning: Proton Drive or Tresorit for an encrypted, access-controlled backup of practice records, separate from your day-to-day EHR, for business continuity purposes.


Questions to Ask Any AI Tool Before You Use It With Client-Adjacent Data

  1. Will the vendor sign a BAA? If the answer is no, and there's any chance PHI touches the tool, don't use it for that purpose.
  2. Is my input used to train future models? Most consumer tiers say yes or reserve the right. Enterprise and Pro tiers of some tools opt out by default — verify, don't assume.
  3. Where is the data processed and stored? Jurisdiction matters for how aggressively a vendor can be compelled to disclose data.
  4. What happens to logs after my session ends? Retention policies vary widely and are usually buried in the terms of service, not the marketing page.

No licensing board has banned AI use in practice. Every one that has weighed in has said some version of: understand the tool, protect client confidentiality, and don't disclose PHI to a third party without authorization. A local model for drafting, encrypted storage for files, and encrypted email for clinical communication satisfies that standard without asking you to give up the efficiency AI actually offers.


Stay Ahead of AI and Confidentiality Rules in Practice

Licensing board guidance on AI use is still being written in real time, and it's inconsistent state to state. If you want to know what changed and what it means for your practice — without vendor pitches — the PrivateAI newsletter covers exactly this.

Subscribe below to get the next issue directly.


_Have a documentation workflow you've tested in your own practice? Let us know — we test and publish practitioner-sourced stacks regularly._