HIPAA-Safe AI Therapy Notes: SOAP & DAP Workflows
Practical guide for clinicians to trial HIPAA-safe AI therapy notes: de-identification, SOAP/DAP prompts, safe testing, vendor vetting, and upgrade criteria.
Standard ChatGPT is not HIPAA-compliant for PHI. We explain what changed in 2026 (ChatGPT for Healthcare, ChatGPT for Clinicians), compare 10 BAA-backed alternatives, and give you a decision tree.
Last reviewed: June 6, 2026 — updated to cover ChatGPT for Healthcare (January 2026) and ChatGPT for Clinicians (April 2026).
This post is part of our complete guide to HIPAA-Compliant AI for Behavioral Health Practices.
No. Standard ChatGPT is not HIPAA compliant for Protected Health Information (PHI). OpenAI does not offer a Business Associate Agreement (BAA) for its consumer ChatGPT product, meaning any PHI you enter — client names, diagnoses, session notes, dates of service — violates OpenAI's terms of use for that product and HIPAA itself. Mental health practices need purpose-built, BAA-backed AI tools designed specifically for clinical workflows.
OpenAI did release two healthcare-targeted products in 2026 — ChatGPT for Healthcare in January and ChatGPT for Clinicians in April — and we cover what each does (and doesn't) below. Neither replaces a purpose-built behavioral-health tool for most solo or group practices today.
For the first 18 months after ChatGPT launched, OpenAI's HIPAA position was simple: none of the consumer products were BAA-eligible, and the API was your only option if you wanted to build something compliant. In 2026 that changed twice. Both releases narrow the gap between "ChatGPT" and "HIPAA," but neither closes it for the typical behavioral-health practice.
In January 2026, OpenAI rolled "ChatGPT for Healthcare" out as part of a broader OpenAI for Healthcare initiative. It is an enterprise tier — your organization applies, signs an enterprise contract, and your administrators configure a "Regulated Workspace" where covered chats live. It is not something a solo clinician can sign up for in five minutes.
A BAA is available for eligible enterprise customers under the standard ChatGPT for Healthcare arrangement, as described in OpenAI's help-center article for the product. The BAA covers chats inside the Regulated Workspace — it does not retroactively cover anything your staff already pasted into a free or Plus account, and it does not extend to consumer ChatGPT sessions your team uses on the side.
For a hospital system, a large group practice, or a multi-location behavioral-health network with a procurement function, ChatGPT for Healthcare is now a real option worth evaluating. For most independent therapists, the procurement overhead alone makes it impractical.
In April 2026, OpenAI released ChatGPT for Clinicians — a free tier aimed at individually verified U.S. clinicians, with optional BAA support. The pitch is documentation help, clinical reasoning support, and medical research at the point of care.
Eligibility is narrow. OpenAI's ChatGPT for Clinicians help page lists physicians (MD/DO), nurse practitioners (NP), physician assistants (PA), and pharmacists with a valid NPI, verified through a third-party check. As of June 2026, LCSWs, LMFTs, LPCs, and psychologists (PsyD/PhD) are not on OpenAI's published verification list. Most behavioral-health clinicians cannot get an account today even if they want one.
For those who can qualify, the BAA is opt-in: eligible clinicians review and sign the agreement inside ChatGPT under Settings → Agreements, per OpenAI's BAA help article. The BAA covers conversations inside the clinician workspace only. Anything in a consumer or Plus account on the same email is still out of scope.
For most solo therapists, counselors, and psychologists, neither 2026 product is turnkey. ChatGPT for Healthcare assumes an enterprise procurement function you likely don't run for a solo or small-group practice. ChatGPT for Clinicians excludes the license types most behavioral-health practitioners hold.
The compliance baseline itself has not changed. Any AI tool that touches PHI still needs a BAA, technical safeguards, and a no-training data clause. The 2026 products meet that baseline only inside their narrow eligibility windows.
If you're a behavioral-health practice that wants AI help with documentation, intake, or scheduling today, a purpose-built BAA-backed product remains the most realistic option. The matrix below compares ten of them side-by-side.
| Tool | BAA available | Architecture | Best for | Pricing tier |
|---|---|---|---|---|
| PsyFiGPT | Yes — included on every plan | Per-tenant processing; no PHI to third-party LLMs | Solo + group behavioral-health practices, documentation + intake | Solo / Pro / Team |
| Mentalyc | Yes | Cloud LLM with vendor BAA | Solo therapists, SOAP notes | Solo / Pro |
| Upheal | Yes | Cloud LLM with vendor BAA | Group practices, EHR integrations | Solo / Group |
| DeepCura | Yes | Cloud LLM with vendor BAA | Solo therapists | Solo / Pro |
| JotPsych | Yes | Cloud LLM with vendor BAA | Group practices | Solo / Group |
| Blueprint Health | Yes | Cloud LLM with vendor BAA | Larger practices, measurement-based care | Group / Enterprise |
| Heidi Health | Yes | Cloud LLM with vendor BAA | General clinical documentation | Solo / Pro |
| Freed | Yes | Cloud LLM with vendor BAA | General clinical documentation | Solo / Pro |
| ChatGPT for Clinicians | Yes (verified physicians, NPs, PAs, pharmacists only) | OpenAI cloud; verified-clinician workspace | Solo clinicians whose license type is on OpenAI's verification list | Free for verified clinicians |
| ChatGPT (consumer / Plus / Team) | No | OpenAI cloud, default training opt-in | Not appropriate for PHI | $20/mo (Plus) |
Pricing tiers reflect each vendor's publicly listed plan structure as of June 2026. Always verify the current contract terms, included BAA scope, and per-seat or per-tenant pricing directly with the vendor before procurement.
AI has moved from buzzword to daily workflow tool for thousands of therapists, psychologists, and counselors. The appeal is real: faster SOAP notes, easier treatment plan drafts, quicker intake summaries. The problem is equally real: the most well-known AI tool on the market — ChatGPT — was not built to handle patient data.
For mental health professionals, the stakes are higher than in most other healthcare settings. Your clients share their most sensitive experiences. A HIPAA breach involving mental health records can expose you to Office for Civil Rights (OCR) enforcement, state licensing board complaints, and the kind of client trust destruction that no practice recovers from easily.
This guide explains exactly what makes ChatGPT non-compliant, what a safe alternative looks like, and how to evaluate any AI tool before it touches your clinical workflow.
Before diagnosing ChatGPT's compliance status, it helps to understand the standard every AI tool must meet to legally handle PHI.
1. A signed Business Associate Agreement (BAA). Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on your behalf is a "Business Associate" — the definition lives in 45 CFR 160.103. You must have a signed BAA with them before PHI flows to their platform. Without it, every session note you paste into their system is a potential violation.
2. Technical safeguards for PHI. The HIPAA Security Rule at 45 CFR 164.312 requires covered entities and their Business Associates to implement access controls, audit logs, encryption in transit and at rest, and automatic logoff for systems handling ePHI.
3. No secondary use of clinical data. A compliant AI vendor cannot use your client's PHI to train their models, improve their products, or share data with third parties without your explicit authorization. This is the rule most general-purpose AI tools silently break.
OpenAI's standard terms of service for ChatGPT do not include a BAA and do not position the product as a HIPAA-covered service. OpenAI does offer enterprise arrangements — ChatGPT Enterprise and the OpenAI API — with data processing agreements that may support BAA execution for specific use cases, but these require active procurement, legal review, and technical configuration that the average private practice has not completed.
If you are using ChatGPT through a browser at chat.openai.com, you do not have a BAA. Full stop.
OpenAI's data usage policies have evolved, but the default position for consumer accounts has historically permitted using conversation data to improve their models. Even under current policies where you can opt out, the burden falls on you to take action — and most clinicians using ChatGPT informally have never reviewed those settings.
ChatGPT was built for broad, general-purpose use. It does not have the role-based access controls, audit logging, or data residency guarantees that clinical environments require. When you paste a session note into ChatGPT, you have no visibility into where that text goes, how long it is retained, or who at OpenAI could theoretically access it.
Understanding the abstract legal risk is one thing. Here is what HIPAA non-compliance with AI actually looks like in practice for therapists and counselors.
ChatGPT is not without legitimate value in your practice. It just cannot touch PHI. Here are the tasks where it is safe to use, because no identifying client information is involved.
Safe, non-PHI uses for ChatGPT in mental health practices:
The governing principle is simple: if the task could be completed by a contractor who knows nothing about any of your clients, it is likely safe for ChatGPT.
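As an added illustration of that principle (example code written for this guide, not part of the original post or of any PsyFi product): a small pre-send screen that looks for some of the identifiers HIPAA names before a prompt is allowed to go to a tool with no BAA. The regex patterns, the client roster and the two sample prompts are all constructed assumptions. Pattern matching catches only some of the 18 HIPAA identifiers (free-text diagnoses and narrative details pass straight through), so this is a guardrail in front of staff workflow, not a substitute for a BAA-backed tool.

```python
import re
from dataclasses import dataclass

# Regexes for a subset of the direct identifiers HIPAA lists (dates, phone
# numbers, email, SSN, a "DOB" label). Constructed for this example; a
# practice would tune these to its own note formats.
PATTERNS = {
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob_label": re.compile(r"\bDOB\b", re.IGNORECASE),
}

# Hypothetical client roster the practice keeps locally (constructed names).
ROSTER = ["Jane Doe", "John Q. Public"]


@dataclass(frozen=True)
class Finding:
    kind: str   # which identifier class matched
    text: str   # the matched substring
    start: int  # offset into the prompt, for highlighting in a UI


def _roster_patterns(roster):
    # Whole-name, case-insensitive matches against the practice's own roster.
    return [re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE) for name in roster]


def screen_prompt(text, roster=ROSTER):
    """Return every identifier hit found in `text`, ordered by position."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(kind, m.group(0), m.start()))
    for pattern in _roster_patterns(roster):
        for m in pattern.finditer(text):
            findings.append(Finding("client_name", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.start)


def is_safe_for_unapproved_tool(text, roster=ROSTER):
    """The gate: an empty finding list is the only condition under which the
    prompt may leave for a tool that has not signed a BAA."""
    return not screen_prompt(text, roster)


def redact(text, roster=ROSTER):
    """Replace each hit with a bracketed placeholder so the clinician can see
    what tripped the gate. A display aid, not Safe Harbor de-identification."""
    out = text
    for pattern in _roster_patterns(roster):
        out = pattern.sub("[CLIENT_NAME]", out)
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(f"[{kind.upper()}]", out)
    return out


# Constructed sample prompts: one passes the "contractor who knows nothing
# about your clients" test, one does not.
SAFE_PROMPT = "Draft a one-page psychoeducation handout on sleep hygiene for adults with insomnia."
PHI_PROMPT = ("Summarize today's session (03/14/2026) with Jane Doe, DOB 1990-05-02, "
              "cell 555-123-4567, re: GAD-7 score 14.")

if __name__ == "__main__":
    for label, prompt in (("safe", SAFE_PROMPT), ("phi", PHI_PROMPT)):
        hits = screen_prompt(prompt)
        verdict = "OK to send" if not hits else "BLOCKED"
        print(f"{label}: {verdict}; hits={[f.kind for f in hits]}")
        if hits:
            print("  redacted:", redact(prompt))
```

Running the block prints the safe prompt as sendable and the second as blocked, with the name, both dates, the DOB label and the phone number flagged. The roster lookup is what makes the check practice-specific: generic regexes cannot recognise a client's name, so the gate needs a locally held list, which itself has to stay inside the practice's own systems.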
The good news is that purpose-built, HIPAA-compliant AI tools for mental health are no longer niche products. They exist, they work, and they are designed around the specific workflows that consume therapists' administrative time.
PsyFiGPT is an AI-powered clinical documentation assistant built specifically for mental health professionals. It generates SOAP notes, intake summaries, and treatment plan drafts without sending PHI to third-party AI services. The AI processing happens in a HIPAA-compliant environment, and the product is designed for the BAA relationship your practice needs.
For therapists spending 30-60 minutes per session on documentation, PsyFiGPT addresses the exact problem that drives clinicians toward ChatGPT in the first place — but without the compliance exposure.
Best for: Therapists, psychologists, and counselors who want faster clinical notes and treatment documentation.
Administrative burden is not limited to documentation. Intake coordination, scheduling, client matching, and FAQ responses eat significant time in any growing practice. PsyFi Assist handles these workflows with AI intake forms, calendar integration, and automated therapist matching — all within a HIPAA-compliant framework.
Unlike using a general chatbot on your website (another common compliance gap), PsyFi Assist is designed from the ground up for behavioral health practices, with the data handling standards your clients' information requires.
Best for: Practice owners and group practices managing intake volume, scheduling complexity, and client-facing communications.
Practice analytics and formal clinical report generation carry their own compliance requirements. PsyFi Reports provides clinical report generation and behavioral health analytics in a compliant environment, giving practice owners visibility into outcomes and operational performance without moving client data through unsecured systems.
Best for: Practice owners tracking clinical outcomes, generating formal reports, and making data-informed operational decisions.
Whether you are evaluating PsyFi products, a competitor, or any general AI tool a vendor claims is "HIPAA compliant," ask these specific questions before any PHI touches the system.
| Evaluation Criterion | What to Ask | What a Good Answer Looks Like |
|---|---|---|
| BAA availability | "Will you sign a BAA with my practice?" | Yes, provided as a standard part of onboarding |
| Data training use | "Is my data used to train your models?" | No — client data is never used for model training |
| Encryption | "Is data encrypted in transit and at rest?" | Yes, with specific standards cited (e.g., AES-256, TLS 1.2+) |
| Data residency | "Where is my data stored?" | US-based servers, or a specific jurisdiction your compliance requires |
| Access controls | "Who at your company can access my data?" | Strict role-based access with audit logging |
| Deletion rights | "Can I request deletion of my data?" | Yes, with a documented process and timeline |
| Breach notification | "What is your breach notification process?" | Written policy aligning with HIPAA's 60-day requirement |
Any vendor that cannot clearly answer all seven questions is not ready to handle PHI from your practice.
Individual compliance knowledge is not enough. If you have staff, contractors, or trainees, your entire team needs clear guidance on AI tool use.
1. Approved tool list. Name the specific AI tools your practice has approved for clinical use, administrative use, and personal productivity — separately. Be explicit about which tools are cleared for PHI.
2. PHI prohibition for unapproved tools. State clearly that entering any PHI into a non-approved AI tool (including ChatGPT, Google Gemini, Claude, and similar general-purpose tools) is prohibited and constitutes a potential HIPAA violation.
3. Incident reporting. Define what staff should do if they realize they have accidentally entered PHI into a non-compliant tool. Having a reporting process reduces the time between the incident and your required breach response.
4. Training cadence. Commit to annual or semi-annual AI compliance training that keeps pace with how quickly these tools are evolving.
5. Vendor review process. Establish that any new AI tool must be reviewed and approved before use, not after a staff member has already been using it for weeks.
For deeper guidance on protecting client data in AI-assisted workflows, see our related post on Private AI for Mental Health: What "Encrypted Memory" Should Mean.
HIPAA's Security Rule requires covered entities to conduct periodic risk assessments. When you add AI tools to your clinical or administrative workflow, that is a material change to your information environment and warrants a specific review.
Your AI risk assessment should document:
This process does not need to be elaborate for a solo or small-group practice. A documented two-page review updated annually is far better than nothing, and it demonstrates the "good faith" posture that regulators consider in enforcement decisions.
ChatGPT is a powerful tool. It is not a HIPAA-compliant tool for clinical use without significant enterprise procurement and legal due diligence that most private practices have not completed. The default position — using ChatGPT through a standard account to draft session notes or summarize client information — is a HIPAA violation, regardless of whether any actual harm results.
The solution is not to avoid AI. AI tools built specifically for mental health practice can save therapists hours per week on documentation, intake, scheduling, and reporting. The solution is to use the right tools.
Your clients trust you with their most sensitive experiences. The technology infrastructure supporting that relationship should reflect the same level of care.
This post is for informational purposes only and does not constitute legal advice. Consult a healthcare attorney for guidance specific to your practice's compliance obligations.