Intensive outpatient programs, independent contractor therapists, and cloud AI scribes: the vendor archive facility discovery and insurance audits can reach

What IOP and PHP programs look like — and where 1099 contractors bring their own tools

Intensive outpatient programs (IOP) provide structured behavioral health treatment at a level of care between weekly outpatient therapy and inpatient hospitalization. A typical IOP involves nine or more hours per week of programming: group therapy sessions, psychoeducation groups, skills training, and individual therapy. Partial hospitalization programs (PHP) are more intensive — typically twenty or more hours per week — and are often used as a step-down from inpatient admission or as an alternative to inpatient care for clients who can be safely managed in a structured day program.

Both levels of care require a clinical team. Group therapy facilitators, case managers, prescribers, and individual therapists all contribute to a client's treatment within the IOP or PHP structure. Many programs staff individual therapy sessions through 1099 independent contractors rather than W-2 employees. A licensed clinical social worker, a licensed professional counselor, or a licensed marriage and family therapist who has built a private practice may also contract with a local IOP or PHP to provide one or two days per week of individual therapy sessions. The arrangement provides the contractor with predictable revenue and the facility with credentialed clinical staff without the overhead of employment.

The 1099 contractor in this arrangement is functioning in two distinct professional contexts simultaneously. In their private practice, they use their own EHR, their own documentation tools, and their own clinical infrastructure. When they step into the IOP or PHP setting, they may document in the facility's EHR system — but they may also bring their own supplementary tools, including a cloud AI scribe, to assist with session transcription and draft note generation before entering the final note into the facility's system. The session audio captured by the AI scribe is processed by the vendor's infrastructure. A vendor archive of those IOP individual therapy sessions now exists — under the contractor's account, with the contractor's BAA — in a system the facility has never seen and cannot control.

The three-layer documentation structure

Client treatment within an IOP or PHP program generates documentation across multiple systems and multiple authors. The facility's EHR holds the master treatment plan, group therapy notes, nursing assessments, medication management records, utilization review documentation, and discharge summaries. The individual therapist — whether employed or contracted — contributes their individual session notes to the facility's system as part of the clinical record. The facility's records represent the official treatment record and are the primary target of any records request directed at the IOP or PHP.

When a 1099 contractor uses a cloud AI scribe for their individual therapy sessions, a third documentation layer appears outside the facility's systems entirely. The vendor receives the session audio, processes it, generates a draft note, and retains the session content under the terms of its data retention policy and its business associate agreement with the contractor. The facility's EHR may contain the contractor's final clinical note — a structured professional document capturing what the contractor judged to be clinically significant. The vendor holds something different: the verbatim session recording and transcript, including everything said in the session that the contractor did not select for inclusion in the formal note.

The distinction matters in the same way it matters in any professional documentation context. As the technical breakdown of what cloud AI scribes actually retain makes clear, the vendor's archive is not a copy of the progress note — it is a verbatim record of the session content that the progress note summarizes and selects from. In individual therapy sessions within an IOP structure, where clients are often in acute distress and working through recent hospitalizations, crisis events, and complex trauma histories, the gap between what appears in the progress note and what appears in the full session transcript can be substantial.

The covered entity question and the independent BAA

A 1099 independent contractor providing individual therapy sessions within an IOP or PHP is likely a HIPAA-covered entity in their own right. The threshold question is whether the contractor conducts covered electronic transactions — billing insurance under their own NPI, submitting electronic claims, or receiving electronic remittances. Many IOP contractors bill under their own NPI for the individual therapy sessions they provide, even within a facility contract. Others bill the facility, which bills the insurer. The billing structure determines whether the contractor independently qualifies as a covered entity.

A contractor who is an independent covered entity has independent HIPAA obligations. The BAA framework requires that a covered entity execute a business associate agreement with any vendor who creates, receives, maintains, or transmits protected health information on the covered entity's behalf. A cloud AI scribe processes session audio — which is PHI — and falls squarely within the business associate definition. The contractor must have a BAA with the vendor covering their use of the AI scribe for IOP sessions.

That BAA is between the contractor and the vendor. The facility is not a party to it. The facility's own BAA with its EHR vendor, its telehealth platform, or any other business associate does not cover the contractor's independent AI scribe vendor relationship. From the facility's perspective, the contractor's vendor does not exist within its compliance architecture. The facility has not assessed the vendor, has not reviewed the vendor's security posture, and has not incorporated the vendor into its HIPAA risk analysis. If the contractor's vendor experiences a breach of session audio from IOP sessions, the breach notification obligation runs from the contractor to the contractor's covered entity — not from the facility to anyone.

Insurance audit exposure — utilization review, post-payment audits, and False Claims Act investigations

IOP and PHP are among the most intensively audited levels of behavioral health care. Insurance companies, including commercial insurers, Medicaid managed care organizations, and Medicare Advantage plans, scrutinize IOP and PHP claims because these are high-cost services requiring clinical justification for each unit of service. Utilization review during active treatment involves concurrent review of whether the client's clinical presentation supports the level of care. Post-payment audits occur after claims are paid and involve retrospective review of documentation to determine whether the paid claims were supported by the clinical record.

In a post-payment audit, the insurer requests clinical records from the facility. The facility produces what it has: its EHR, its group notes, its treatment plans, its individual therapy session notes as documented by the contracted therapist. The auditor reviews those records against the submitted claims. If the individual therapy notes appear sparse, undifferentiated, or inconsistent with the level-of-care justification, the auditor may expand the audit — requesting additional documentation, deposing clinical staff, or referring the matter for fraud investigation.

If an expanded investigation identifies that the 1099 contractor used a cloud AI scribe for the individual therapy sessions, the vendor's archive becomes a relevant document source. The session transcripts may be sought to determine whether the sessions actually occurred as documented, what the clinical content of the sessions was, whether the client's documented progress notes accurately reflected the session content, and whether the contractor's documentation was sufficient to support the claims. In a federal False Claims Act investigation involving Medicare or Medicaid claims submitted by the facility, federal grand jury subpoena authority can reach third-party document custodians including the contractor's cloud AI scribe vendor — without the contractor's participation or consent.

Insurance utilization review is already a pressure point for therapist documentation. The IOP context amplifies that pressure by combining high-frequency claims, intensive level-of-care scrutiny, and a multi-party documentation structure in which a 1099 contractor's separately held vendor archive can become a critical document in proceedings the contractor did not anticipate and the facility did not know to disclose.

Legal proceedings where the vendor archive reaches adverse parties

Client litigation against the IOP facility. When a client brings a malpractice claim, improper-discharge claim, or other civil action against the IOP or PHP facility, the facility's defense counsel will seek to reconstruct the full picture of the client's treatment. Discovery in that litigation will include requests for all records relating to the client's care, depositions of all treating clinicians — including 1099 contractors — and requests for any documentation those clinicians maintained. A contractor deposed in the client's litigation may be asked whether they used a cloud AI scribe for their individual therapy sessions. That disclosure opens the vendor archive to a third-party subpoena by the plaintiff's attorney under Federal Rule of Civil Procedure 45 or its state analog. The vendor is not a party to the lawsuit, has no relationship to the facility or the plaintiff, and responds to valid subpoena authority. The facility may have no records of the contractor's vendor relationship; the plaintiff's attorney locates it through contractor discovery and proceeds independently.

Licensure board investigations of the contractor. State licensure boards investigate complaints against licensed therapists, including complaints arising from treatment provided in IOP or PHP settings. A board investigating a complaint about the quality of care provided by a 1099 contractor in an IOP program has authority to compel production of records from the licensee — and may issue subpoenas or administrative demands for records held by the licensee's business associates, including their AI scribe vendor. If the client who filed the complaint alleges that the contractor misrepresented the content of sessions in their progress notes, the board may seek the vendor's verbatim session records as evidence of what actually occurred in the sessions versus what was documented. The subpoena pathways available for therapy-related records extend broadly to third-party custodians once a proceeding identifies them as relevant document holders.

Facility bankruptcy and records transfer proceedings. IOP and PHP programs operate in a financially volatile sector of behavioral health. When a facility enters bankruptcy or is acquired, the treatment records it holds are assets or liabilities in the proceeding. A 1099 contractor's AI scribe vendor records are not within the facility's records — they are not subject to the facility's retention schedule, not part of the bankruptcy estate, and not transferred in an asset sale. But clients treated at the facility may contact the contractor years later seeking access to records of their IOP treatment. The contractor's vendor may hold the only detailed record of the sessions — outside any framework the facility established for long-term record access and retrieval.

What on-device processing changes for IOP contractors

The clinical work the contractor does is unchanged. They still provide individual therapy sessions, generate clinical notes, and contribute to the facility's treatment record in the facility's EHR. What changes is whether a parallel vendor archive of those sessions exists outside any compliance framework either the contractor or the facility has established.

When a 1099 contractor uses TherapyDraft for individual therapy sessions in an IOP or PHP setting, the session audio is captured, transcribed, and processed entirely on the contractor's Mac. No audio, transcript, or draft note text is transmitted to vendor infrastructure. The contractor's own clinical records remain the sole documentation of the session outside the facility's system. There is no vendor archive to subpoena in client litigation against the facility, no vendor records to produce in an insurance post-payment audit, no third-party document custodian for a False Claims Act grand jury to reach.

The contractor's final progress note enters the facility's EHR. The contractor's own clinical records — maintained under the contractor's own HIPAA obligations — exist as the contractor has always maintained them. The vendor holds nothing from the session, because no content left the device. The invisible third layer of the documentation structure — the one that could become an adversarial target in proceedings neither the contractor nor the facility anticipated — simply does not exist.

Frequently asked questions