Eating disorder therapy notes: sensitive diagnoses, insurance disclosure, and the cloud AI scribe problem

Eating disorder therapy occupies a distinct position in the mental health documentation landscape. Therapists treating anorexia nervosa, bulimia nervosa, binge eating disorder, ARFID, and related presentations document clinical content that is simultaneously among the most intimate — specific behaviors, caloric targets, body weight, family meal dynamics — and among the most consequential in terms of downstream disclosure risk. Clients seeking eating disorder treatment are disproportionately likely to have thought carefully about their insurance record, their family's awareness, and the gap between what they disclose to a clinician and what they would consent to having appear in a permanent health record.

Into this context, cloud AI scribes introduce a documentation custody problem that operates at the intersection of sensitive diagnosis management and the architecture of cloud-stored session records. The problem is not specific to eating disorders — it applies to any cloud-scribed session — but the stakes are particularly acute for ED clinicians because of who their clients are and the specific decisions those clients make about self-pay arrangements, minor consent, and multi-provider coordination.

What eating disorder therapy sessions actually contain

An ED therapy session is not a general mental health session with an eating disorder mentioned. It is a clinically specific encounter that generates documentation unlike almost any other outpatient mental health record. A typical session with a client who has anorexia nervosa might involve: current weight and any recent change; caloric intake range for the week; restriction patterns and any behaviors around eating (cutting food, prolonged eating, food rituals); compensatory behaviors if present (exercise, laxative use, purging); the emotional context driving restriction (control, anxiety management, family dynamics); body image statements made in session — often highly specific about body parts, perceived size, or perceived changes; current meal plan targets and the client's adherence or non-adherence; safety assessment if the client's weight is medically concerning; coordination status with the treating physician and dietitian; and the client's account of interactions around food with family members, partners, or housemates.

That is a session note with clinical specificity that goes well beyond a presenting-problem summary. Cloud AI scribes capture more than the final note: they hold verbatim audio and a full transcript from which the note is drafted. In an ED session, that audio includes the client's exact weight stated aloud, the specific behaviors described in behavioral terms, the emotional valence around eating, the family member names associated with meal-time conflict, and any co-occurring presentation (depression, anxiety, suicidal ideation at low weight) that the client might discuss with no intention of having it transcribed verbatim on a third-party vendor's servers.

This is clinically sensitive content at a level that clients and clinicians both recognize. The question is whether the documentation architecture used to generate the session note reflects that recognized sensitivity — or adds a layer of verbatim retention that neither party explicitly chose.

The insurance disclosure problem: why self-pay is a deliberate choice

A significant proportion of the clients seeking eating disorder therapy have made an active decision to self-pay. The reasons are not primarily financial — many of these clients have insurance that would cover outpatient mental health services. The decision is diagnostic and strategic: an eating disorder diagnosis appearing on insurance records is an underwriting event. It appears on explanations of benefits. It may affect access to life insurance, disability insurance, or long-term care coverage. For adolescents and young adults, parents may see the EOB. For adults applying for insurance in the years following treatment, the diagnosis history is a variable in the underwriting decision.

HIPAA's Right to Request Restriction (45 CFR 164.522(a)) provides a specific mechanism: when a client pays out-of-pocket for an item or service and requests that information not be disclosed to their health plan, a covered entity must agree to that restriction. The therapist who accepts a self-pay arrangement and agrees not to disclose to the health plan is legally bound by that agreement. That is a meaningful patient right — one that therapists in ED practices understand and honor.

The restriction runs between the client and the therapist's practice. It does not run to the cloud AI scribe vendor. The vendor is a business associate, operating under a BAA that specifies HIPAA-compliant data handling. What a BAA does not cover is the enforcement of a client-specific disclosure restriction the therapist agreed to but never communicated — and structurally could not communicate — to the vendor. If the vendor receives a subpoena in insurance-related litigation, a regulatory audit directed at the vendor's data, or a court order, the vendor's obligations to the client's specific preference are not defined by the restriction agreement the client made with the therapist. The client's careful decision to self-pay and request the restriction runs into a documentation architecture that was never designed to reflect it.

Minor consent rights and the disclosure problem for adolescent ED patients

Eating disorders have the highest mortality rate of any mental health condition, and a substantial portion of the affected population is adolescent. State law in a growing number of jurisdictions permits minors to consent to outpatient mental health treatment without parental knowledge or involvement — typically at age 12 or older. California, Oregon, and a number of other states have these provisions. When a minor lawfully consents to treatment, HIPAA's Privacy Rule defers to state law on the question of parental access: where state law gives the minor the right to consent to the treatment, the parent's access to the records related to that treatment may be denied or limited at the minor's request.

For an adolescent in eating disorder treatment who has chosen to seek help without her parents' knowledge — often because family dynamics are clinically central to the eating disorder itself — the therapist manages a documentation environment where the records belong to the patient, not the parents. The therapist may be legally obligated to maintain the confidentiality of the treatment from the parents. Minor PHI raises access and disclosure questions that are distinct from adult patient records.

The cloud AI scribe does not know that the patient is a minor who consented without parental involvement. The vendor's records of those sessions exist on the vendor's infrastructure under the vendor's retention schedule. If a parent initiates legal proceedings — a custody dispute, a guardianship proceeding, or a direct subpoena to the vendor in the vendor's jurisdiction — the therapist's carefully maintained confidentiality around the minor patient's treatment does not automatically bind the vendor's response to that legal process. The vendor's BAA governs HIPAA compliance. It does not resolve what happens when a parent's attorney reaches the vendor's records through a legal pathway that bypasses the therapist entirely.

Multi-provider coordination and PHI multiplication in ED treatment

Outpatient eating disorder treatment is rarely a single-provider relationship. Standard of care for moderate-to-severe presentations involves a treatment team: the therapist managing the psychological components; a registered dietitian handling nutritional rehabilitation and meal planning; a primary care physician or internist monitoring weight, labs, and cardiac status; and often a prescribing psychiatrist managing co-occurring mood or anxiety. For clients who step up in level of care — partial hospitalization programs, intensive outpatient programs, or residential treatment — the documentation network expands further. The residential or PHP program receives the therapist's records, generates its own daily documentation, and eventually discharges back to outpatient with a discharge summary.

Each of these coordination points is a HIPAA-permissible treatment disclosure. The therapist shares records with the dietitian under the treatment exception; the dietitian shares progress notes with the physician; the PHP program receives and generates its own documentation. This is standard clinical coordination, and HIPAA's framework supports it. The cloud AI scribe's records sit in addition to this network, not instead of it. The vendor holds session-level verbatim audio that no member of the treatment team generated or requested — a record more granular than any note shared in team coordination — at a location outside the clinical network entirely.

For clients who are already navigating a complex multi-provider PHI environment and making active choices about what they disclose to whom and through what channels, the cloud scribe's records represent an additional data point in the system — one they almost certainly did not consider when signing the vendor's terms of service alongside the therapist's HIPAA notice of privacy practices.

On-device drafting and the single-custodian structure

The documentation custody argument for eating disorder therapy is the same structural argument that applies to every sensitive clinical population, but it lands with particular force here because of the deliberate choices ED clients make about their records. A client who chose self-pay to keep her diagnosis off insurance records did not also choose to have a cloud vendor retain verbatim audio of her restriction behaviors and calorie disclosures on servers in a datacenter she has no relationship with. An adolescent minor who sought therapy without parental involvement did not consent to a parallel copy of her sessions being held at a third party that a parent could reach through legal process. These are not theoretical risks layered on generic privacy concerns — they are specific mismatches between the choices clients made and the documentation architecture that resulted from the therapist's tool selection.

On-device note drafting closes the mismatch structurally. When session audio is processed on the therapist's hardware — Whisper.cpp transcribing locally, an on-device model drafting the note on Apple Silicon — the verbatim session record stays on the therapist's device. HIPAA compliance for private practice requires that the therapist maintain appropriate safeguards for PHI in their custody; on-device processing means that the most sensitive session content — the verbatim audio of an ED session — is in the therapist's custody, subject to the therapist's records management practices, and not duplicated at a third-party location with its own legal obligations and retention schedule.

For the self-paying client, the record exists in the agreed-to location: the therapist's practice. For the minor client, the record exists where the therapist's disclosure obligations run. For the multi-provider treatment team, the cloud scribe does not add an additional repository outside the clinical network. The subpoena risk that comes with cloud-held session records — a separate legal process reaching the vendor's records independently of the therapist — does not exist when the records were never held at the vendor.

TherapyDraft processes session audio on the therapist's Mac with no cloud transmission. For eating disorder clinicians managing self-pay arrangements, minor patients, and multi-provider coordination, that architectural choice is not an abstraction — it is a direct match between the documentation custody their clients expect and the documentation structure the tool creates. Solo plan starts at $49/month with a 10-session free trial and no card required.

Further reading

• The 7 things Mentalyc, Upheal, and Blueprint actually send to their servers — the verbatim-vs.-summarized distinction and what intermediate artifacts cloud scribes retain beyond the final note
• What is a BAA, actually — and what it does NOT cover — four structural limits of business associate agreements and why a signed BAA does not prevent the vendor's records from being subpoenaed in separate litigation
• Can an AI therapy note be subpoenaed? A 2026 legal-risk explainer — how civil and criminal subpoenas reach cloud AI vendors directly and what the therapist cannot control
• Play therapy documentation and minor PHI: consent, parental access, and on-device note drafting — the HIPAA and state-law framework for minor patient records, parental access rights, and the custody question when cloud scribes hold session content
• HIPAA for private-practice therapists — the 2026 rewrite — the full compliance posture for a solo private practice, including the AI scribe and subprocessor inventory sections

This post is educational commentary, not legal, clinical, or compliance advice. HIPAA, state minor consent laws, insurance underwriting regulations, psychotherapist-patient privilege, and the evidentiary treatment of cloud AI scribe records vary by jurisdiction and change over time. State minor consent provisions for mental health treatment vary significantly; the specific ages, conditions, and parental access rules described above may not apply in every state. Insurance record management, disclosure restrictions under 45 CFR 164.522, and the practical effect of self-pay arrangements involve legal considerations that depend on the specific facts of each situation. Consult a licensed healthcare attorney in your jurisdiction before making documentation or technology decisions based on this content.