Mental health and healthcare professionals have been more cautious about adopting AI than financial or legal services — for good reason. HIPAA penalties are severe, the cultural norms in therapy prioritize human-centered care, and the consequences of a confidentiality breach in mental health care can be catastrophic for clients. But the right AI workflows, with the right architectural choices, can save hours per week without compromising any of these obligations. This is the practical guide.

The HIPAA Frame, Briefly

HIPAA covers Protected Health Information (PHI) handled by covered entities (clinicians, healthcare providers) and business associates (vendors handling PHI on a covered entity's behalf). Disclosing PHI to a third party without a Business Associate Agreement (BAA) is a HIPAA violation.[1]

Consumer AI tools (ChatGPT, Claude.ai, Gemini) do not provide BAAs. Inputting PHI into them is a HIPAA disclosure without a BAA — typically a violation. Enterprise AI tools with BAAs are an option, with careful contract review.

On-device AI sidesteps the question entirely: no data leaves the device, so no third party receives PHI, so no BAA is needed.

HHS OCR proposed the first major HIPAA Security Rule update in 20 years (January 2025), citing AI tools and ransomware as the reasons. The proposed updates emphasize data minimization and stricter encryption — both of which favor on-device architectures.[2]

The PHI definition is broad. Anything that could identify a patient — name, dates, location, identifying details, even highly specific clinical descriptions — counts as PHI. “De-identified” clinical notes often aren't actually de-identified under HIPAA's standards. Assume PHI when in doubt.

Important Caveat: AI Is Not a Clinical Decision-Making Tool

Before getting into workflows, this clarification matters. AI is a productivity and comprehension tool. It is not a clinical decision-making tool. It does not replace your training, judgment, supervision, or professional responsibility. The use cases below are for your own work process — never for direct clinical recommendations about an individual patient's care without your full clinical review.

Workflow 1: Progress Note Drafting

The use case: turning raw session notes — your own quick written or dictated notes during or immediately after session — into formatted progress notes (SOAP, DAP, or your preferred structure).

The AI workflow: type or paste your raw notes, ask AI to format them into your preferred clinical structure with proper section headers.

Compliance check: Raw session notes contain extensive PHI. Consumer AI tools are prohibited. Enterprise AI with BAA is acceptable with contract review. On-device AI is the structurally cleanest fit because the notes never leave your device.

Time savings: Clinicians using this workflow report 40–60% reduction in note-taking time, with no compromise to documentation quality. Time recovered goes to patient care, not paperwork.

Workflow 2: Treatment Plan Drafting

The use case: drafting initial treatment plans and treatment plan updates, including diagnostic considerations, treatment goals, intervention strategies, and measurable outcomes.

The AI workflow: provide AI with the clinical formulation, ask for a structured treatment plan in the format your practice or insurance requires.

Compliance check: Treatment plans contain PHI. Same tier rules as progress notes. On-device AI is the cleanest fit.

Clinical responsibility: AI-generated treatment plans must be clinically reviewed and modified before becoming the plan of record. The AI provides structure; you provide the clinical judgment.

Workflow 3: Letter and Report Writing

The use case: writing letters to PCPs, psychiatrists, schools, insurance companies, courts. Writing assessment reports. Writing documentation responsive to records requests.

The AI workflow: provide AI with the clinical content and the audience, ask for an appropriately-formatted letter or report.

Compliance check: Almost always involves PHI. Tier 2 or 3 only.

Workflow 4: Treatment Research and CE

The use case: researching evidence-based interventions for specific diagnoses, reviewing CE course materials, summarizing journal articles, keeping current on clinical literature.

The AI workflow: paste public materials (articles, course notes, treatment manuals) into AI for plain-language summaries focused on clinical application.

Compliance check: Public materials with no patient information pose no PHI issue. Any AI tier works.

Caveat: AI summaries of clinical literature may oversimplify or misstate research findings. Always go back to primary sources for clinically-relevant claims you'll act on.

Workflow 5: Documentation for Insurance and Audits

The use case: writing medical necessity documentation, justification for treatment intensity changes, responses to insurance utilization reviews, documentation for compliance audits.

The AI workflow: provide AI with the clinical context and the documentation requirement, get a structured draft that you then clinically review.

Compliance check: Insurance documentation contains PHI. Tier 2 with BAA or Tier 3.

Workflow 6: Practice Management and Administration

The use case: drafting practice policies, intake forms, informed consent documents, marketing content, website copy. The administrative writing that takes up surprising amounts of clinical time.

The AI workflow: standard drafting and editing assistance.

Compliance check: If no patient information is involved, any AI tier works. If you're drafting templates that will later be populated with patient information, the template-drafting itself is unrestricted.

  • 40–60%: reduction in note-taking time reported by clinicians using AI workflows
  • $1,500–$1,500,000: HIPAA violation penalty range per incident (depending on category)
  • 0: BAAs needed when using true on-device AI (no third party receives PHI)

The Three-Tier System for Clinical Practice

Tier 1 — Public AI: Approved for non-PHI work only — practice management drafting, CE summarization of public materials, broad clinical research with no patient context. Prohibited for any PHI.

Tier 2 — Enterprise AI with BAA: Approved for PHI-involved work if a Business Associate Agreement is in place, the vendor's security posture meets HIPAA Security Rule requirements, and your practice has updated forms reflecting AI vendor use.

Tier 3 — On-Device AI: Approved for any PHI-involved work. Because no third party receives PHI, no BAA is needed, no vendor diligence is required, and the HIPAA disclosure analysis becomes structurally moot.
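The tier rules above can be enforced as a pre-send guard in whatever tooling routes text to an AI model. The following is an added example (not code from the original guide or from any vendor): it combines the tier/BAA decision with a deliberately conservative identifier scan, intended only as a backstop for the Tier 1 path (templates, CE materials) that catches patient data pasted in by mistake. It cannot recognise names or specific clinical descriptions, so for clinical text the clinician's own PHI flag is what decides; the tier constants, pattern names and the `gate` function are this example's own.

```python
import re

TIER_PUBLIC, TIER_ENTERPRISE_BAA, TIER_ON_DEVICE = 1, 2, 3

# Conservative identifier patterns (constructed for this example): dates,
# phone numbers, SSN-style numbers, record numbers, a DOB label.
# Any hit means "assume PHI", matching the guide's rule for doubtful cases.
PHI_PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d+\b", re.I),
    "dob": re.compile(r"\bDOB\b", re.I),
}


def phi_indicators(text):
    """Names of identifier patterns found in text (empty list = no hit)."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def is_allowed(tier, baa_in_place, contains_phi):
    """Apply the three-tier rule. Returns (allowed, reason)."""
    if not contains_phi:
        return True, "no PHI: any tier"
    if tier == TIER_ON_DEVICE:
        return True, "on-device: no third party receives PHI"
    if tier == TIER_ENTERPRISE_BAA and baa_in_place:
        return True, "enterprise tool under BAA"
    if tier == TIER_ENTERPRISE_BAA:
        return False, "enterprise tool without BAA: PHI disclosure"
    return False, "public tool: prohibited for PHI"


def gate(text, tier, baa_in_place=False, clinician_flags_phi=False):
    """Combine the scanner with the clinician's judgement; a flag always wins."""
    hits = phi_indicators(text)
    contains_phi = clinician_flags_phi or bool(hits)
    allowed, reason = is_allowed(tier, baa_in_place, contains_phi)
    return {"allowed": allowed, "reason": reason, "indicators": hits}


if __name__ == "__main__":
    # Constructed sample inputs: a blank template and a raw session note.
    print(gate("Informed consent template: [Client Name], [Date]", TIER_PUBLIC))
    print(gate("Session 03/14/2025, DOB on file", TIER_PUBLIC))
```

The scanner returns which pattern fired so a blocked request can be explained to the clinician rather than silently dropped.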

Informed Consent Considerations

Most patient informed consent forms don't yet address AI use in clinical workflows. Practices using AI for documentation should consider updating consent forms to disclose:

  • That AI tools are used to assist with documentation and administrative work
  • What categories of AI tools are used (local-only vs vendor-based with BAA)
  • That the clinician retains full responsibility for all clinical work product
  • That no clinical decisions are made by AI without clinical review

Adapt to your state's informed consent requirements and your professional licensing board's guidance.

“[Practice] uses certain artificial intelligence (AI) tools to assist with documentation, administrative writing, and clinical research. These tools operate either entirely on local devices controlled by [Practice] or under written Business Associate Agreements with the AI vendor consistent with HIPAA. AI tools assist with formatting, drafting, and summarization; they do not make clinical decisions. The treating clinician reviews all AI-generated work product and retains full clinical responsibility for your care.”

The 42 CFR Part 2 Consideration

For practices treating substance use disorders, federal 42 CFR Part 2 requirements impose additional confidentiality protections beyond HIPAA. Disclosures of substance use treatment information generally require specific patient consent.

This regulatory layer makes on-device AI particularly valuable — the consent requirement is for disclosure to third parties, and no third party receives information when AI runs locally.

Part of our AI by Profession cluster: See the pillar guide. For the broader compliance framework, see the step-by-step compliance guide. For the architectural foundation, see the On-Device AI pillar and our Therapists landing page.

Sources & Citations

  1. HHS Office for Civil Rights. “HIPAA Privacy and Security Rules.” hhs.gov
  2. Jimerson Firm. “Healthcare AI Regulation 2025: New Compliance Requirements Every Provider Must Know.” February 2026. jimersonfirm.com
  3. BrainPredict. “On-Premises AI: HIPAA Compliance Guide.” brainpredict.ai
  4. HHS. “HIPAA Security Rule Updates Proposal.” January 2025. hhs.gov
  5. SAMHSA. “42 CFR Part 2 Confidentiality Regulations.” samhsa.gov