Documentation & Compliance · 2026-06-12 · 2,200 words

EHR-integrated telehealth and cloud AI scribes: two concurrent vendor archives from every video session

Most private practice therapists now deliver at least some sessions via EHR-integrated telehealth — SimplePractice Video, TherapyNotes telehealth, TheraNest video. These sessions route through the EHR company's infrastructure, creating a data custody relationship governed by the EHR BAA. Add a cloud AI scribe to process the same session and you have a second, separate vendor archive — a different company, a different BAA, different retention terms. In litigation, both vendors are independently subpoenable, and neither BAA restricts what attorneys can obtain from the other.

EHR-integrated telehealth as the dominant private practice model in 2026

The private practice therapy landscape shifted decisively toward EHR-integrated telehealth during and after the COVID-19 public health emergency. Standalone telehealth platforms — Doxy.me, Zoom for Healthcare, VSee — remain in use, but the majority of solo and small-group private practices now deliver telehealth through the video feature built into their practice management platform. SimplePractice Video, TherapyNotes telehealth, TheraNest video, and comparable features offered by Therapy Brands, IntakeQ, and Jane App have become the default session delivery method for a substantial share of private practice therapy sessions.

The appeal is straightforward: EHR-integrated telehealth requires no separate vendor account, no separate BAA negotiation, and no context-switching between platforms to document a session. The clinician opens the session from the EHR scheduling interface, delivers the telehealth session, and moves directly to note documentation in the same platform. For private practitioners already invested in a particular EHR, the integrated telehealth feature eliminates a meaningful operational friction point.

The data custody implications of this integration are less widely understood. EHR-integrated telehealth is not peer-to-peer video — it routes through the EHR company's server infrastructure. The EHR company's platform provides the signaling, connection management, and in many cases the media relay that makes the video call possible. This means the EHR company is handling protected health information — specifically, the session connection data, participant records, and technical session metadata — as a business associate of the covered entity. A BAA between the covered entity and the EHR company governs this relationship. What many therapists do not consider carefully is what happens to the data custody picture when a cloud AI scribe is added to process the same session.

What EHR-integrated telehealth vendors retain when sessions route through their infrastructure

When a telehealth session routes through an EHR company's infrastructure, the EHR company retains at minimum the session connection record: the session ID, the scheduled appointment reference, the participant identities linked to the EHR's client and clinician records, the session start and end timestamps, connection quality data, device and browser type information, and — in platforms that offer optional session recording — whether recording was enabled and where any recording was stored.

This retention is operationally necessary: EHR platforms need session records to correlate telehealth connections with appointment records, to resolve technical support inquiries, to detect platform abuse, and to satisfy their own audit and compliance obligations. The BAA covers this retention as part of the EHR company's function as a business associate. The covered entity's HIPAA obligations are addressed by the BAA terms — the EHR company agrees to safeguard the PHI it handles in connection with the telehealth service.

What the BAA does not do is restrict what courts and litigants can obtain from the EHR company through legal process. The business associate agreement does not protect vendor-held records from subpoena. A party in civil litigation who directs a Rule 45 subpoena to the EHR company for its telehealth session records is directing process at a third party in the ordinary course of civil discovery — the EHR company's obligation to respond to a valid subpoena exists regardless of the BAA. Session connection metadata — which sessions occurred, when, how long, with which participants — is precisely the kind of evidence that becomes relevant in malpractice litigation, licensing board investigations, and insurance coverage disputes involving a therapist's clinical practice.

Adding a cloud AI scribe creates a second, separately retained vendor archive

When a therapist uses a cloud AI scribe during an EHR-integrated telehealth session, the AI scribe vendor enters the picture as a second, independent data custodian for the same session. The audio from the telehealth session — captured through the clinician's computer microphone as the video call proceeds — is transmitted to the AI scribe vendor's platform for processing: transcription, note drafting, and however the vendor structures its retained session data. A separate BAA governs this relationship.

The critical data custody point is that these two vendor relationships are entirely independent of each other. The EHR company's telehealth infrastructure retains session connection data under EHR BAA terms. The AI scribe vendor retains session audio, transcription output, and note drafts under the AI scribe BAA terms. These are two separate legal entities, two separate server environments, two separate retention schedules, and two separate subpoena targets. The EHR BAA says nothing about what the AI scribe vendor may retain. The AI scribe BAA says nothing about what the EHR company retains. A subpoena directed at the EHR company reaches the EHR's records — it does not reach the AI scribe vendor's archive. A subpoena directed at the AI scribe vendor reaches the scribe vendor's records — it does not reach the EHR's telehealth session data.

The aggregate picture that an adversary in litigation can construct by subpoenaing both vendors is more complete than either vendor's records alone: the EHR's telehealth metadata establishes what sessions occurred and when; the AI scribe vendor's retained content provides verbatim session audio and clinical reasoning from those sessions. What cloud AI scribes actually retain — audio recordings, processing transcripts, interim drafts — applies to telehealth sessions in exactly the same way it applies to in-person sessions. The session delivery modality does not change the AI scribe vendor's data custody obligations or retention practices.

How EHR session metadata surfaces the AI scribe vendor in discovery

In litigation involving a therapist's clinical practice, opposing counsel commonly begins discovery with interrogatories about the clinician's documentation systems: what EHR does the practice use, what telehealth platform was used for sessions with the plaintiff, what AI tools, scribing platforms, or documentation assistance tools were used during or after sessions. Interrogatory responses that accurately disclose EHR-integrated telehealth use and concurrent cloud AI scribe use immediately identify both vendors as potential third-party subpoena targets.

But even without accurate interrogatory disclosure, EHR session metadata can function as an independent discovery lead. If the EHR's telehealth session records show that sessions occurred at times and durations consistent with clinical contact, and the clinician's formal documentation was generated rapidly after each session — a pattern consistent with AI scribe use — opposing counsel has reason to inquire further about documentation workflows. Deposition testimony about how notes were drafted after telehealth sessions can surface the AI scribe vendor. Technical support records at the EHR company may reference third-party integrations the clinician used with the platform.

This cross-referencing dynamic is distinct from the in-person session context. In in-person practice, the connection between the session and the note is a matter of the clinician's own workflow. In EHR-integrated telehealth, the EHR's session record creates a corroborating timestamp against which note creation timestamps can be compared — and that comparison can surface the AI scribe vendor as an inference from the timing pattern, even before any direct disclosure. The subpoena pathway for AI scribe vendors is well established; the EHR telehealth session record gives litigants an independent path to discover that the pathway exists.

The session recording opt-in risk inside EHR telehealth platforms

Most EHR-integrated telehealth platforms offer an optional session recording feature: the clinician or client can enable recording of the video session, which is then stored in the EHR platform's storage environment. The recording feature is typically presented as a convenience for the clinician — a way to review the session later, confirm what was said, or capture a session the clinician cannot attend fully in real time. In practice, enabling session recording within an EHR platform means the session video and audio are retained as a recorded file in the EHR vendor's storage — a more complete and durable record than session connection metadata alone.

When a session recording is stored in an EHR platform, it becomes part of the vendor's retained data set, governed by the BAA but reachable by subpoena directed at the EHR company. A recorded therapy session is among the most sensitive PHI a mental health clinician can generate — verbatim audio and video of the client's disclosures, presentation, and clinical engagement, retained in a vendor's storage environment outside the clinician's own control. Psychotherapy notes receive heightened HIPAA protection, but a session recording stored in an EHR vendor's system is the vendor's own retained business record — a court order or civil subpoena directed at the EHR company is not subject to the psychotherapy notes designation rules that govern what the covered entity must produce from its own designated record set.

When a session recording exists in the EHR and the clinician also used a cloud AI scribe during the same session, the dual-vendor archive is especially complete: the EHR holds the video and audio recording; the AI scribe vendor holds a separate audio capture and transcript of the same session. Neither vendor's records are a substitute for the other's, and neither BAA restricts what litigants can obtain from the other through independent legal process.

Client portal data as a parallel PHI accumulation point

EHR-integrated telehealth exists within a broader EHR ecosystem that includes the client portal — the patient-facing interface through which clients access intake forms, complete symptom measures, view appointment records, and in some platforms exchange messages with the clinician. When a therapist uses EHR-integrated telehealth as their primary session delivery model, the client portal is typically the same platform — clients book, complete intake documentation, and attend sessions all through the EHR.

Client portal data represents a parallel PHI accumulation point at the EHR vendor. Intake questionnaires, PHQ-9 and GAD-7 symptom tracker completions, session satisfaction surveys, treatment goals entered through the portal, and the client's appointment history all accumulate in the EHR vendor's data environment as part of the client's portal record. This content is PHI covered by the EHR BAA — but it is retained by the EHR vendor as a business associate, not the covered entity, and is separately reachable by subpoena directed at the EHR company.

In litigation involving a therapist's clinical practice, portal records can be highly relevant: they document the client's self-reported symptom trajectory across the treatment relationship, the intake information the client provided, and the communication history between client and clinician through the portal messaging feature. HIPAA compliance for private practice in 2026 covers the covered entity's obligations for the designated record set — but the EHR vendor's retained portal data extends beyond what the covered entity would produce from its own records, creating a third dimension of vendor-retained PHI alongside telehealth session metadata and AI scribe session archives.

On-device AI processing for telehealth: eliminating the second vendor

For therapists who use EHR-integrated telehealth, the EHR vendor's presence in the data custody chain is an inherent feature of how integrated telehealth works — it cannot be eliminated without changing telehealth platforms. But the AI scribe vendor in the chain is not inherent to telehealth. It is a consequence of the choice to use a cloud-based AI scribe rather than an on-device one.

When transcription and note drafting run entirely on the clinician's own hardware — with the session audio captured locally, processed by a model running on the clinician's Mac, and the resulting note drafted without transmitting any audio or text to an external server — the AI scribe vendor archive does not form. The EHR telehealth infrastructure retains its session connection metadata, governed by the EHR BAA. But no second vendor independently retains verbatim session content. The dual-vendor archive is reduced to a single-vendor chain.

The operational workflow for on-device AI scribing during a telehealth session is the same as for in-person: the clinician captures session audio through the local recording path, the on-device model transcribes and drafts the note, the clinician reviews and edits, and the final documentation enters the EHR. The BAA picture is simpler: one vendor relationship (the EHR), one retention scope (session connection metadata), one subpoena target for session-related vendor records. The AI scribe vendor does not exist to be subpoenaed, because it never held session content to begin with.

One vendor chain, not two — even for telehealth.

TherapyDraft processes session audio on your Mac. Your EHR telehealth platform keeps its connection records — but no second vendor independently retains your session content. In litigation, there is no AI scribe vendor to subpoena.

Frequently asked questions

Does using SimplePractice Video, TherapyNotes telehealth, or TheraNest video require a BAA with the EHR company?

Yes. EHR platforms that provide integrated telehealth route sessions through their own infrastructure, making them business associates of the covered entity for the purposes of that session's connection data and metadata. A BAA between the covered entity and the EHR company is required under HIPAA before using the integrated telehealth feature to deliver therapy sessions involving PHI. The BAA governs the EHR company's obligations as a business associate — it does not restrict what courts or litigants can obtain from the EHR company through subpoena or court order directed at the EHR company independently.

If I have a BAA with my EHR for telehealth, does it automatically cover my AI scribe use during those same sessions?

No. The EHR BAA covers the EHR company's handling of data in connection with the EHR platform's services — including telehealth infrastructure. A cloud AI scribe is a separate vendor with its own data retention practices, its own server environment, and its own BAA requirements. Using a cloud AI scribe during an EHR telehealth session requires a separate BAA between you and the AI scribe vendor. The two BAAs govern independent vendor relationships — neither BAA restricts what courts or litigants can obtain from the other vendor through a separately directed subpoena.

Can EHR-retained telehealth session metadata be subpoenaed in litigation?

Yes. EHR telehealth session records — connection timestamps, session IDs, participant records, device data, and recording status — are retained by the EHR company as third-party business records, governed by the BAA but reachable by subpoena directed at the EHR company. In malpractice litigation, licensing board investigations, or coverage disputes, a party can direct a Rule 45 civil subpoena to the EHR company for its telehealth session records. Session metadata can also function as a discovery lead: timing patterns that suggest AI scribe use, or session records that do not correspond with the clinician's documentation, provide grounds for further discovery inquiry.

Does using a cloud AI scribe during a telehealth session create a separately subpoenable vendor record?

Yes. When a cloud AI scribe processes a telehealth session, the AI scribe vendor independently retains the session audio capture, transcription output, and note draft under its own data retention terms. This archive is a third-party business record in the vendor's possession, separate from both the covered entity's designated record set and the EHR's telehealth session records. A party in litigation who learns — through interrogatories, deposition testimony, or EHR session metadata analysis — that the clinician used a cloud AI scribe can direct a Rule 45 civil subpoena to the AI scribe vendor for its independently retained content. The vendor's retained content from the telehealth session may include verbatim clinical disclosures and reasoning that never appeared in the formal clinical note.

Does on-device AI transcription eliminate the dual-vendor data custody risk for telehealth sessions?

On-device AI transcription eliminates the AI scribe vendor as a second data custodian, reducing the telehealth session from a dual-vendor data custody chain to a single-vendor chain. When transcription and note drafting run entirely on the clinician's own hardware — no audio, transcript, or note text transmitted to any external server — only the EHR telehealth platform retains session-related vendor data, and that retention is connection metadata rather than verbatim session content. The separately subpoenable AI scribe vendor archive does not exist because the AI scribe vendor never held session content. For therapists who use EHR-integrated telehealth as their primary practice model, on-device AI processing is the mechanism that prevents the dual-vendor archive from forming.