PSYPACT licensure portability and cloud data custody: when your client and your server are in different states
TL;DR
- PSYPACT authorizes psychologists to practice telehealth across 38+ member states on a single compact authorization. It says nothing about which state's privacy law governs session records held by a cloud AI scribe vendor.
- When a PSYPACT practitioner uses a cloud AI scribe, the vendor independently holds session audio from clients across multiple states — each state with its own breach notification law, its own privacy statutes, and its own privilege framework.
- A HIPAA business associate agreement establishes the vendor's federal obligations. It does not resolve state-level breach notification requirements in California, New York, Texas, and the other 35+ PSYPACT states.
- The compact's "home state" / "remote state" distinction governs licensure and disciplinary jurisdiction. It does not tell the vendor which state's law applies when it holds data from clients in ten different PSYPACT states.
- On-device processing eliminates the vendor's independent data custody entirely — no cloud vendor, no multi-state compliance patchwork, no second custodian reachable by process from multiple state courts.
PSYPACT — the Psychology Interjurisdictional Compact — has transformed telehealth practice for psychologists. With 38+ member states as of 2026, a psychologist licensed in one compact member can provide telehealth services to clients across the entire member state footprint on a single compact authorization, without holding individual state licenses in each state where their clients reside. The administrative burden that once made multi-state telehealth practice impractical for solo practitioners has effectively been eliminated for psychological services.
What PSYPACT has not resolved — and was not designed to address — is the data custody problem that arises when a PSYPACT practitioner uses a cloud AI scribe. Licensure portability and data portability are different things. A compact authorization lets a psychologist practice in Washington without a Washington license. It does not tell a cloud AI scribe vendor which state's breach notification law applies when that vendor is breached and the compromised records include session audio from clients in Washington, California, Texas, and twelve other PSYPACT states. That is the problem this post examines.
What PSYPACT actually covers
Understanding the gap requires first understanding what PSYPACT authorizes. The compact establishes two practice pathways: the Authority to Practice Interjurisdictional Telepsychology (APIT), for telehealth services to clients in other compact states, and the Temporary Authorization to Practice (TAP), for temporary in-person services in another compact state. The APIT is the provision most relevant to ongoing telehealth practice.
Under the APIT, a psychologist's home state — the state where they hold a full license and meet the compact's eligibility criteria — grants the compact authorization. The practitioner can then provide telepsychology services to clients in remote states (other compact members) without obtaining those states' individual licenses. The compact governs: eligibility criteria, the mechanism for compact authorization, which state retains disciplinary jurisdiction (home state for most purposes, remote state for conduct in that state), and how violations are handled across member boards.
PSYPACT does not govern: what privacy law applies to client records, what breach notification obligations a practitioner or their vendors have, what state-specific mental health privilege law applies in proceedings involving clients in different states, or whether a cloud AI scribe vendor's BAA satisfies the privacy law requirements of any particular PSYPACT member state. Those questions are resolved by HIPAA, by each state's privacy statutes, and by each state's privilege law — frameworks that operate in parallel with the compact, not under it.
The data custody map for a PSYPACT telehealth practice
For a PSYPACT practitioner who uses a cloud AI scribe, a typical session involves at minimum three geographic locations with potentially different legal significance:
- The practitioner's office. Located in the practitioner's home state. The practitioner is licensed here; this is the site of the device, the session platform, and the AI scribe software. State privacy law of the home state applies to the practitioner's own records.
- The client's location. The client is in a remote PSYPACT state — potentially a different state than the practitioner, the vendor, or the servers. Most state privacy statutes are structured around the residency of the affected individual. California's CMIA protects health information about California residents. Texas HB300 applies to entities doing business in Texas that receive, process, or store the protected health information of Texas residents. The client's home state privacy law travels with the client.
- The vendor's infrastructure. A cloud AI scribe vendor's servers may be in AWS us-east-1, in a data center in Virginia, or in a multi-region cloud deployment. As the cloud data-flow analysis covers, cloud AI scribe vendors typically upload raw audio to cloud storage, generate intermediate transcripts via cloud speech-to-text, draft notes via cloud language models, and retain multiple artifact tiers under their data retention policies. The vendor's servers are in a third jurisdiction that neither the practitioner nor the client controls.
A PSYPACT practitioner with clients spread across ten compact states has a single HIPAA business associate agreement with their cloud AI scribe vendor — but that vendor holds session data from clients in ten states, each with its own privacy regime layered on top of HIPAA's federal floor.
The breach notification patchwork
HIPAA's breach notification rule establishes a federal minimum: when unsecured protected health information is breached, covered entities must notify affected individuals within 60 days, notify HHS, and — for breaches affecting 500 or more individuals in a single state or jurisdiction — issue media notification. That rule applies to the vendor as a business associate and to the practitioner as a covered entity.
But nearly every PSYPACT state also has its own breach notification statute. These state statutes differ from HIPAA in ways that matter: definitions of "personally identifiable information" or "protected health information" vary; notice timing requirements may be shorter than HIPAA's 60-day window; required notice content differs; some states require notifying the state attorney general; some states' statutes cover categories of information not covered by HIPAA. When a cloud AI scribe vendor suffers a breach that exposes session audio from clients in California, New York, Texas, Colorado, Virginia, and six other PSYPACT states, the practitioner and vendor face breach notification obligations in each of those states — governed by each state's statute, independently of HIPAA's requirements.
A standard HIPAA BAA with a cloud AI scribe vendor addresses the vendor's federal obligations under HIPAA's breach notification rule. It typically does not allocate responsibility between the practitioner and vendor for compliance with each state's separate breach notification law. As the BAA explainer covers, a BAA is a HIPAA mechanism — it establishes that the vendor is subject to HIPAA's framework, but it does not represent the vendor's compliance with every applicable state law, and it does not contractually resolve who is responsible for California CMIA notification vs. New York notification vs. Texas HB300 notification in the event of a breach.
State privacy laws that go beyond HIPAA
For a PSYPACT practitioner with clients across the compact's member states, several states in the compact's footprint have enacted privacy statutes that impose requirements beyond HIPAA's framework.
California. California's Confidentiality of Medical Information Act (CMIA) applies to providers of health care and their business associates operating in California or with respect to California residents' records. CMIA imposes requirements regarding disclosure, consent, and the handling of medical information that differ from HIPAA's framework in specific respects — including provisions regarding electronic health records and cloud processing of medical information. California has also enacted the California Consumer Privacy Act (CCPA) and its successor, the CPRA, which may apply to certain data operations depending on how a cloud vendor processes session-derived data. A PSYPACT practitioner who sees California-resident clients via compact authorization is providing services whose records are governed, from the client's side, by California's privacy framework.
New York. New York's Mental Hygiene Law imposes confidentiality obligations specific to mental health treatment records that are more protective than HIPAA in several respects, including limitations on disclosure and specific consent requirements for sharing mental health records. New York residents receiving telehealth services from an out-of-state PSYPACT practitioner carry those protections with them.
Texas. Texas HB300 (Texas Health Privacy Act) imposes requirements on covered entities and their business associates that handle the protected health information of Texas residents, including consent requirements for certain electronic disclosures and more stringent employee training obligations. It applies to entities that receive, process, or store the protected health information of Texas residents — a category that includes cloud AI scribe vendors who process session audio from Texas-resident clients.
These are not edge cases. California, New York, and Texas together account for a substantial share of the US therapist and psychologist population — and all three are PSYPACT member states. A compact authorization that enables practice across their collective client populations also subjects a PSYPACT practitioner's cloud AI vendor to the data-handling requirements of all three states simultaneously.
The privilege question across compact states
Psychotherapist-patient privilege is a creature of state law. Each state defines its own privilege: what it covers, who can assert it, what exceptions apply, and what waiver means. As the subpoena explainer covers, the psychotherapist-patient privilege recognized by the US Supreme Court in Jaffee v. Redmond (1996) established a federal privilege for federal courts, but state proceedings are governed by each state's own privilege statute.
A PSYPACT practitioner with clients in multiple compact states faces the possibility that the privilege law of the client's home state governs in proceedings brought in that state. When a cloud AI scribe vendor holds session audio from a client in a state with a narrower privilege — a state where the dangerous-patient exception is broader, or where the exception for court-ordered examinations is more permissive — the vendor's independent custody of that audio is governed by that state's law, not the practitioner's home state's law.
The practitioner can assert privilege over their own records in the jurisdiction where proceedings are brought, through the appropriate legal process. The vendor's independently held copy of session audio is a separate analytical question — the vendor responds to legal process directed at the vendor, under the laws applicable to the vendor's records, in the jurisdiction where that process is brought. A PSYPACT practitioner cannot assert their home-state privilege over the vendor's independently held records in another state's proceedings.
What on-device processing resolves
The multi-jurisdiction data custody problem created by cloud AI scribes for PSYPACT practitioners is structural — it is a consequence of introducing a cloud vendor as an independent record holder into a practice that spans multiple state jurisdictions. The vendor holds data from clients across the compact's member states; each state's privacy law potentially applies to those records; the vendor's compliance with each state's law is a separate question from the HIPAA BAA; and the vendor's independently held copies of session audio are reachable by legal process in multiple states.
On-device processing eliminates the vendor's independent record. As the 2026 HIPAA compliance framework covers, the core architectural question for a solo or small-group practice is: who holds what, and what legal process can reach it? When session audio is transcribed locally on the practitioner's Mac and no audio, transcript, or draft note is transmitted to cloud infrastructure, there is no vendor independently holding a parallel record of sessions from clients in California, New York, Texas, and seven other PSYPACT states. There is one record, in one location, under one custodian — the practitioner — governed by the practitioner's own HIPAA obligations and by the privilege law applicable to the practitioner's own records in the relevant proceedings.
The multi-jurisdiction compliance question does not disappear for the practitioner. A PSYPACT practitioner still owes duties under each state's law with respect to their own records. But the layer of complexity, and of legal exposure, created by a cloud vendor that independently holds session data from clients across 38 states, is subject to legal process from all of them, carries its own breach notification obligations in all of them, and applies its own retention policies to all of them: that layer is the part on-device processing eliminates.
For a PSYPACT practitioner seeing clients across the compact's member states, the data custody question is the place where the compact's simplification of licensure has not simplified anything. The compact made it easier to practice in 38 states. It did not make it easier to manage the data a cloud AI scribe vendor holds from all 38 of those states at once.
Further reading
- Telehealth therapy notes and HIPAA: what AI scribes change when your client is in another state — the general framework for state law layering on telehealth sessions
- What is a BAA, and what does it not cover? — what a HIPAA business associate agreement actually establishes, and what it leaves unresolved
- What cloud AI scribes actually send to their servers — the full data pipeline from session audio to vendor infrastructure
- Can an AI therapy note be subpoenaed? — how legal process reaches vendor-held session records
- HIPAA for private-practice therapists — the 2026 rewrite — the current compliance posture for solo and small-group practices
Frequently asked questions
Does PSYPACT cover HIPAA compliance for telehealth sessions?
No. PSYPACT governs licensure portability only — it does not address HIPAA compliance, data custody, breach notification obligations, or which state's privacy law applies to session records. HIPAA is the federal baseline for all PSYPACT telehealth sessions; state privacy statutes layer on top. A PSYPACT practitioner using a cloud AI scribe has a HIPAA BAA with the vendor, but that BAA does not resolve which state's breach notification law applies to a breach affecting clients in multiple compact states.
Which state's breach notification law applies when a cloud AI scribe vendor is breached and my clients are in multiple PSYPACT states?
This is a multi-jurisdiction question without a single clean answer. HIPAA's breach notification rule is the federal floor. Nearly every PSYPACT state also has its own breach notification statute — with its own definitions, timing requirements, and notice content rules. A vendor breach affecting clients in California, New York, Texas, and other PSYPACT states triggers obligations under each of those states' laws independently. Most commercial HIPAA BAA templates do not address how multi-state notification obligations are allocated between the practitioner and vendor.
Does PSYPACT's home state / remote state distinction affect which privacy law governs?
The home state / remote state distinction governs disciplinary jurisdiction and some licensing mechanics. It does not resolve which state's privacy statutes govern vendor-held session records. State privacy laws typically apply based on the residency of the affected individual — California's CMIA protects California residents regardless of where the practitioner is licensed. A PSYPACT practitioner licensed in Virginia seeing California clients via compact authorization provides services whose records are governed, from the client's side, by California law.
Does having a BAA with a cloud AI scribe vendor resolve the multi-state privacy law problem?
A HIPAA BAA establishes the vendor's federal obligations under HIPAA's Privacy and Security Rules. It does not represent the vendor's compliance with each PSYPACT state's separate privacy statute; it does not allocate responsibility for state-level notification obligations in the event of a breach; and it does not prevent the vendor from being subject to legal process from multiple state jurisdictions with respect to the data it holds. HIPAA compliance is necessary but not sufficient for a PSYPACT practice operating across many states.
How does TherapyDraft resolve the PSYPACT multi-jurisdiction data custody problem?
TherapyDraft processes session audio entirely on the practitioner's Mac using on-device speech recognition and an on-device language model — no audio, transcript, or draft note is transmitted to cloud infrastructure. When there is no cloud vendor holding session data from clients across multiple PSYPACT states, there is no vendor subject to multi-state breach notification obligations, no vendor independently reachable by legal process from multiple state courts, and no second custodian whose data retention policy a practitioner cannot control. One record. One location. One custodian. TherapyDraft supports SOAP and DAP note formats and is available with a 10-session free trial, no card required.