Group practice liability and individual clinician AI scribe use: who owns the BAA when a contractor uses their own tool?
TL;DR
- Group practices are typically covered entities. Individual clinicians within them may be workforce members or independent business associates — a distinction that changes who owns the HIPAA liability when a contractor uses their own cloud AI scribe.
- When a contractor brings a personal cloud AI scribe subscription into a group practice setting, the group practice usually has no BAA with the vendor and may not even know the tool is being used.
- HIPAA's Omnibus Rule extended liability to subcontractors, but it does not automatically create BAA chains — the covered entity and each intermediary must execute BAAs. Without them, PHI that reaches a cloud AI vendor through a contractor arrangement is flowing to a party with no BAA in place, which may itself be a violation.
- In a breach, covered entities face notification obligations for clients whose PHI was exposed — regardless of whether a contractor's undisclosed vendor arrangement put that PHI in the vendor's hands.
- On-device AI scribe tools eliminate the cloud vendor from the chain entirely. No vendor, no BAA required for the tool, no independent third-party custody of group practice client PHI.
The typical group mental health practice in 2026 is a covered entity whose individual clinicians are independent contractors. The practice bills insurance and executes the paperwork; the clinicians see clients, write notes, and receive a percentage of collections or a per-session fee. This arrangement is common, tax-advantageous for the practice, and administratively convenient — and it creates a HIPAA liability structure that most group practice owners have not fully worked through when their contractors start using AI scribes.
The scenario that creates the problem: a contractor who sees clients under the group practice's covered entity umbrella independently subscribes to a cloud AI scribe product — Mentalyc, Upheal, Freed, or any of a dozen others. They use it during sessions because it makes their documentation faster. They have not disclosed it to the group practice. The group practice has no BAA with the vendor. The group practice may not even know the vendor exists.
When the vendor is breached — or when regulators audit the practice's BA relationships — the question of who is responsible, who needs to notify whom, and who violated HIPAA lands on the group practice's desk. This post works through how that analysis runs.
How group practices are structured under HIPAA
A group mental health practice that bills health insurance and provides treatment is a covered entity — a healthcare provider that electronically transmits health information in connection with standard transactions. As the 2026 HIPAA framework covers, HIPAA's obligations attach to the covered entity: maintaining a Notice of Privacy Practices, conducting risk analyses, executing BAAs with vendors who handle PHI, and implementing the required safeguards.
Within the covered entity, clinicians can occupy two very different legal positions. If they are employees — W-2, working under the practice's direct supervision and control — they are workforce members. Their conduct in handling PHI is attributed to the covered entity; the covered entity is responsible for training them, for the adequacy of policies they follow, and for the consequences when those policies are not followed. The covered entity does not need a BAA with a W-2 employee, because the employee is part of the covered entity itself.
If clinicians are independent contractors — 1099, controlling their own hours and methods, maintaining their own licensure independent of the practice — the analysis is more complicated, and the outcome determines whether a BAA is required and who bears liability for what.
The workforce member vs. business associate distinction
HIPAA's definition of "workforce" at 45 CFR 164.103 is broader than most people expect. It includes not just employees but also "volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such entity, whether or not they are paid by the covered entity." This is a functional test, not a tax-status test. A contractor who is a 1099 independent contractor for tax purposes may still qualify as a workforce member under HIPAA if the covered entity exercises sufficient direct control over their conduct.
HHS enforcement actions have confirmed that nominal independent contractor status does not automatically mean business associate status for HIPAA. The relevant question is operational control: does the practice set their schedule, supervise their clinical work, require them to follow the practice's policies, and integrate them into the practice's operations? If yes, they may be workforce members regardless of the 1099 tax treatment.
For a genuinely independent contractor — one who maintains their own caseload, uses their own methods, contracts with multiple practices, and operates with substantial autonomy — the more likely HIPAA analysis is that they are a business associate when they handle PHI on behalf of the covered entity. That triggers the requirement for a BAA between the group practice and the contractor.
This distinction is critical for the AI scribe scenario: whether the contractor is a workforce member or a BA determines who is responsible for the tools the contractor uses and what BAA structure is required.
The contractor-brings-their-own-tool scenario
When a contractor who is a workforce member uses a personal cloud AI scribe subscription for sessions at the group practice, that tool is being used to process PHI on behalf of the covered entity. The covered entity — the group practice — is responsible for that workforce member's conduct. As the cloud data-flow analysis covers, cloud AI scribes typically receive raw audio, generate cloud-side transcripts, draft notes via cloud language models, and retain multiple data artifacts under the vendor's own policies. When a workforce member routes group practice client PHI through a cloud AI scribe vendor, the vendor is functioning as a business associate of the group practice — regardless of whether the group practice knows about the vendor or has executed a BAA with them.
The result: the covered entity has a de facto BA relationship with a vendor it did not choose, did not vet, and has not executed a BAA with. As the BAA explainer covers, operating without a required BAA in place is itself a HIPAA violation — the covered entity is responsible for ensuring BAAs are executed with all business associates who handle PHI on its behalf.
If the contractor is an independent BA (not a workforce member), the liability chain is different but not simpler. The contractor-as-BA needs a BAA with the group practice. When the contractor uses a cloud AI scribe vendor, the vendor is a sub-contractor of the BA — and under HIPAA's Omnibus Rule, sub-contractors who receive or create PHI on behalf of a BA must also execute a BAA, this time with the BA (not directly with the covered entity). The contractor-as-BA is responsible for executing a BAA with their AI scribe vendor. If the contractor does not have that BAA — which most individual contractors do not — the contractor is in violation of their BA obligations, and the client PHI is flowing to a vendor outside the BAA chain entirely.
The Omnibus Rule sub-contractor chain
Before the 2013 Omnibus Rule, HIPAA's BA obligations applied only to direct BAs of covered entities. Sub-contractors who received PHI from BAs were not directly subject to HIPAA — their liability ran through the BA's contractual obligations, not HIPAA directly. The Omnibus Rule changed that. Under the current framework, sub-contractors of BAs who create, receive, maintain, or transmit PHI on behalf of the BA are themselves subject to HIPAA's Security and Privacy Rules and must execute BAAs with the BA.
This means the full chain — covered entity → BA → sub-contractor — requires executed BAAs at each link. A group practice that has a BAA with a contractor-as-BA is responsible for ensuring that contractor has BAAs with their own sub-contractors (including cloud AI scribe vendors). In practice, group practices rarely audit their contractors' downstream vendor relationships, and many individual contractors do not realize they need BAAs with the tools they use independently.
When a cloud AI scribe vendor is breached and the compromised data includes PHI from group practice clients, the enforcement analysis works backward through the chain. The covered entity (group practice) has notification obligations to affected clients. The question of which party violated HIPAA — and bears enforcement risk — depends on whether BAAs were in place at each link and whether the parties can demonstrate compliance with the Security Rule's administrative, physical, and technical safeguards.
Liability in a breach involving a contractor's personal vendor
The covered entity's breach notification obligations do not depend on whether the covered entity knew the vendor was holding their clients' PHI. HIPAA enforcement precedent is clear that a covered entity cannot escape notification obligations by attributing the exposure to an undisclosed contractor arrangement. If unsecured PHI attributable to the covered entity's clients is exposed in a breach, the covered entity must notify — the mechanism by which PHI reached the breached vendor is a liability question separate from the notification obligation.
This creates a specific risk profile for group practices that do not actively manage their contractors' documentation tool choices. A contractor who adopts a new cloud AI scribe product mid-year, without disclosing it to the practice, routes the next several hundred sessions through a vendor with whom neither the contractor nor the practice has a BAA. If the vendor suffers a breach, the group practice faces notification obligations for clients they may not have known were in the vendor's systems — and potentially faces enforcement for operating without required BAAs in place.
The OCR enforcement record includes settlements in which covered entities paid substantial penalties for violations traced to business associate relationships they failed to manage — including cases where a workforce member's unauthorized use of an external system created an undisclosed BA relationship. The group practice context makes this more acute: the covered entity often has limited visibility into what tools its contractors are running on their personal devices during sessions.
Risk management approaches for group practices
The practical risk management response for group practices is a combination of contractual requirements and periodic auditing. Contractor agreements should include explicit provisions requiring disclosure of any tool that processes PHI from group practice clients, requiring that approved tools be listed in the practice's HIPAA policies, and requiring contractors to notify the practice before adopting new documentation tools — including AI scribes. The practice should maintain a vendor inventory, execute BAAs with approved vendors, and review the inventory periodically.
Enforcement is the hard part. A contractor who signs an agreement committing to disclose their documentation tools has not necessarily disclosed every tool they use. Periodic audits — asking contractors to confirm their current tool set at annual contract renewals or in periodic check-ins — are the most practical ongoing mechanism. Some group practices require that documentation be completed within a practice-managed EHR, which limits the surface area for undisclosed vendor relationships — but this does not prevent a contractor from using an AI scribe to draft the note before pasting it into the EHR, which still routes PHI through the vendor even if the final note is in a managed system.
What on-device processing resolves for group practices
When a contractor uses an on-device AI scribe — a tool that transcribes audio and drafts notes entirely on their local device without transmitting any data to cloud infrastructure — the BA chain analysis collapses. There is no cloud vendor receiving PHI. No business associate relationship is created with a third party. The contractor is the sole custodian of the session record generated by their local tool, just as they would be if they took handwritten notes and typed them into the EHR directly.
The group practice still needs to ensure the contractor handles PHI appropriately — proper storage, access controls, encryption at rest, breach incident protocols. Supervision and consultation documentation carries its own PHI handling considerations. But the specific liability created by a cloud vendor independently holding PHI from the group practice's clients — without a BAA in the chain, without the practice's knowledge, subject to the vendor's own breach risk and retention policies — is eliminated.
A contractor running TherapyDraft on their Mac processes audio, transcript, and note entirely on-device. No vendor holds a parallel copy of the group practice's client sessions. The group practice does not need a BAA with TherapyDraft for the contractor's note drafting workflow, because no PHI leaves the contractor's device in connection with that workflow. The documentation liability question simplifies to the same question the practice has always had: how does the contractor store and access the notes they write?
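The chain analysis in the contractor-brings-their-own-tool section, the Omnibus sub-contractor section and the on-device section above can be turned into an inventory check a group practice can actually run. The following is an added illustration, not code from the post, from TherapyDraft or from any vendor it names. It assumes a constructed inventory (the practice name, "Clinician A/B/C" and the "CloudScribe-1", "CloudScribe-2" and "LocalScribe" tool names are all placeholders, not real products) and encodes the rules the post states: a workforce member's cloud vendor needs a BAA with the covered entity; a contractor-as-BA needs a BAA with the practice and their cloud vendor needs a BAA with the contractor; an on-device tool creates no link at all. It then reports which required BAAs are not executed and which PHI flows reach a vendor over a chain with at least one missing link.

```python
"""BAA chain coverage check for a group practice (added illustration).

Rules modelled, as described in the post:
  * The group practice is the covered entity (CE).
  * A workforce-member clinician acts as the CE; any cloud vendor they route
    PHI through is a BA of the CE and needs a BAA with the CE.
  * A clinician who is a business associate (BA) needs a BAA with the CE, and
    any cloud vendor they use is a subcontractor needing a BAA with the BA.
  * An on-device tool transmits nothing, so it creates no link.
All party and tool names below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Tool:
    """cloud=True: the vendor receives PHI (audio, transcript, draft note).
    cloud=False: processing stays on the clinician's device."""
    name: str
    cloud: bool


@dataclass
class Clinician:
    """classification is the HIPAA position, not the tax status:
    'workforce' (conduct under the practice's direct control) or 'ba'."""
    name: str
    classification: str
    tools: list[Tool] = field(default_factory=list)


@dataclass
class Practice:
    name: str                            # the covered entity
    clinicians: list[Clinician]
    executed_baas: set[frozenset[str]]   # each BAA as an unordered pair of party names


def required_links(practice: Practice) -> list[tuple[frozenset[str], str]]:
    """Every BAA the chain needs, each with the rule that requires it."""
    links = []
    for c in practice.clinicians:
        if c.classification == "ba":
            links.append((frozenset({practice.name, c.name}),
                          f"{c.name} is a business associate of {practice.name}"))
        for t in c.tools:
            if not t.cloud:
                continue  # on-device tool: no PHI leaves the device, no link created
            if c.classification == "workforce":
                links.append((frozenset({practice.name, t.name}),
                              f"{c.name} (workforce member) routes PHI through {t.name}; "
                              f"the vendor is a BA of {practice.name}"))
            else:
                links.append((frozenset({c.name, t.name}),
                              f"{t.name} is a subcontractor of {c.name} (Omnibus Rule)"))
    return links


def missing_baas(practice: Practice) -> list[tuple[frozenset[str], str]]:
    """Required links with no executed BAA in the practice's records."""
    return [(pair, why) for pair, why in required_links(practice)
            if pair not in practice.executed_baas]


def uncovered_phi_flows(practice: Practice) -> list[tuple[str, str, list[frozenset[str]]]]:
    """PHI flows from the practice to a cloud vendor whose path has at least one
    link without a BAA. Workforce path: CE-vendor. BA path: CE-contractor and
    contractor-vendor; both links must be in place for the flow to be covered."""
    flows = []
    for c in practice.clinicians:
        for t in c.tools:
            if not t.cloud:
                continue
            if c.classification == "workforce":
                path = [frozenset({practice.name, t.name})]
            else:
                path = [frozenset({practice.name, c.name}), frozenset({c.name, t.name})]
            broken = [p for p in path if p not in practice.executed_baas]
            if broken:
                flows.append((c.name, t.name, broken))
    return flows


def build_sample_practice() -> Practice:
    """Constructed inventory: one workforce member on a cloud scribe, one
    contractor-as-BA on a cloud scribe, one contractor-as-BA on an on-device tool.
    The practice has BAAs with both BA contractors but with no vendor."""
    ce = "Example Group Practice"
    return Practice(
        name=ce,
        clinicians=[
            Clinician("Clinician A", "workforce", [Tool("CloudScribe-1", cloud=True)]),
            Clinician("Clinician B", "ba", [Tool("CloudScribe-2", cloud=True)]),
            Clinician("Clinician C", "ba", [Tool("LocalScribe", cloud=False)]),
        ],
        executed_baas={frozenset({ce, "Clinician B"}), frozenset({ce, "Clinician C"})},
    )


if __name__ == "__main__":
    p = build_sample_practice()
    for pair, why in missing_baas(p):
        print("MISSING BAA:", " <-> ".join(sorted(pair)), "|", why)
    for clinician, vendor, broken in uncovered_phi_flows(p):
        print(f"UNCOVERED PHI FLOW: {clinician} -> {vendor}; broken links:",
              [" <-> ".join(sorted(b)) for b in broken])
```

On the constructed inventory the check flags two missing BAAs (practice to CloudScribe-1 for the workforce member's vendor, and Clinician B to CloudScribe-2 for the contractor's subcontractor) and two uncovered PHI flows, while Clinician C's on-device tool produces no link and no flow. Feeding the check with the real tool list collected at contract renewals is the "periodic audit" step the risk-management section describes; a classification that is wrong (a closely supervised 1099 recorded as "ba") changes which party is expected to hold the vendor BAA, so the classification field deserves the same scrutiny as the tool list.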
Further reading
- What is a BAA, and what does it not cover? — the scope of a HIPAA business associate agreement and what it leaves unresolved
- What cloud AI scribes actually send to their servers — the full data pipeline from session audio to vendor infrastructure
- Can an AI therapy note be subpoenaed? — how legal process reaches vendor-held session records
- HIPAA for private-practice therapists — the 2026 rewrite — the current compliance posture for solo and small-group practices
- Supervision and consultation documentation — PHI handling in peer consultation and supervisory relationships
Frequently asked questions
Is an independent contractor in a group practice a workforce member or a business associate under HIPAA?
It depends on the facts. HIPAA's workforce definition at 45 CFR 164.103 covers persons "whose conduct, in the performance of work for a covered entity, is under the direct control of such entity" — regardless of tax status. A contractor who is closely supervised and operationally integrated may be a workforce member despite being a 1099. A contractor who operates with genuine independence is more likely a business associate when handling PHI on the group practice's behalf. The distinction is fact-specific and does not map cleanly onto the contractor's W-2 vs. 1099 classification.
If a contractor in our group practice uses their own cloud AI scribe, does the practice need a BAA with the vendor?
Usually yes, in some form. If the contractor is a workforce member, the group practice (as covered entity) is responsible for their HIPAA compliance — including the tools they use to process PHI. The practice should have a BAA with any vendor a workforce member routes client PHI through. If the contractor is an independent BA, the contractor needs a BAA with the vendor, and the practice needs a BAA with the contractor. Without the right BAAs in place at each link, the PHI is moving outside the HIPAA-required framework.
What happens if a contractor's personal AI scribe vendor is breached and the data came from group practice clients?
The group practice faces breach notification obligations to affected clients — regardless of whether it knew the contractor was using that vendor. A covered entity cannot avoid notification obligations by pointing to an undisclosed contractor arrangement. The liability question — which party violated HIPAA and who bears enforcement risk — depends on whether BAAs were in place and whether the parties complied with the Security Rule. The notification obligation runs to the covered entity independent of that analysis.
Can the group practice just require all contractors to use the same approved tool?
Yes, and this is the most straightforward approach. Contractor agreements can require that documentation and AI scribe tools handling PHI from group practice clients be on the practice's approved list, with approved tools being those for which the practice has an executed BAA. The enforcement challenge is ongoing disclosure — a contractor who adopts a new tool mid-year may not notify the practice. Periodic audits of contractor tool usage, built into contract renewals or annual check-ins, are the practical ongoing mechanism.
How does on-device AI scribe use fit into the group practice contractor scenario?
On-device tools eliminate the cloud vendor from the chain. When no PHI is transmitted to a third party, no business associate relationship is created with a cloud vendor. The contractor using an on-device AI scribe is the sole custodian of the session record their local tool generates — the group practice does not need a BAA with that tool for the note drafting workflow. The remaining HIPAA questions (storage, access controls, breach handling) are the same ones that apply to any documentation the contractor produces, not the additional layer created by cloud vendor data custody.