Telehealth therapy notes and HIPAA: what AI scribes change when your client is in another state
TL;DR
- HIPAA applies uniformly across state lines — the client's location does not change your federal obligations.
- State privacy law is different. A client in California, New York, or Texas may have rights to their health data that exceed federal HIPAA — and those rights follow the client, not the vendor.
- Telehealth sessions create a longer audio chain than in-person sessions: platform recording, local extraction, upload to AI scribe. Each step is a separate data-custody question.
- Cloud AI scribes receive the session audio and process it on servers that may be in a third state. A BAA covers federal HIPAA only — it does not automatically satisfy the client's home-state law.
- On-device processing means the audio never crosses a state line electronically. The cross-state data-custody problem does not arise.
Telehealth delivery has become the default mode for a large share of therapy practice. The convenience is obvious — no commute, expanded geographic reach, better retention for clients with mobility constraints. But telehealth creates a documentation and privacy complexity that in-person practice does not: your client is in one state, you are in another, and the audio you record of that session has to go somewhere before it becomes a note in your chart.
When that "somewhere" is a cloud AI scribe, the question of which state's law governs the session recording — and whether the vendor's Business Associate Agreement actually covers the client's privacy rights — is more complicated than most clinicians realize. This post works through the layered problem: federal HIPAA, state law, the telehealth audio chain, and where on-device processing changes the calculus.
Federal HIPAA is uniform — state privacy law is not
Start with the federal baseline. HIPAA — the Health Insurance Portability and Accountability Act and its implementing regulations under 45 CFR Parts 160 and 164 — is federal law. It applies to covered entities (therapists in private practice who submit claims electronically, or who work for covered entities) regardless of which states are involved in a session. A therapist in Oregon seeing a client in Florida via video has the same federal HIPAA obligations as if the session were in person in a single state.
What varies by state is how far above that floor the protections go. HIPAA was designed as a minimum national standard with an explicit preemption rule: state law that is more protective of patients than HIPAA is not preempted — it supplements HIPAA, and the more protective rule controls. Several states have enacted health privacy statutes that are meaningfully stricter than federal HIPAA in ways that matter for telehealth AI-scribe workflows:
- California — The Confidentiality of Medical Information Act (CMIA) gives California residents broader rights over their medical information than federal HIPAA provides, including stricter consent requirements for certain disclosures and requirements that apply to vendors who handle California residents' data regardless of where the vendor is located.
- New York — The Mental Hygiene Law establishes confidentiality standards for mental health records that interact with HIPAA's psychotherapy notes provisions and, in some respects, impose obligations the federal statute does not.
- Texas — HB300 (2012, amended since) created patient notification and training requirements for entities handling Texans' health information that go beyond federal HIPAA in specific ways, with a broader definition of covered entities.
The practical implication: if your client is a California resident, California's CMIA may impose additional obligations on how their health information is handled — and those obligations may follow the data, not just the vendor's location. A cloud AI scribe vendor headquartered in Georgia, processing session audio for a California client at the therapist's request, may face California law obligations. Whether the vendor's BAA accounts for this is a question worth asking.
The telehealth audio chain is longer than you may realize
In an in-person session, the audio chain is short. The therapist records the session (or processes it live), and the audio goes directly to the AI scribe tool — one hop, one data handler, one BAA to review.
In a telehealth session, the chain is typically longer — and each step is a distinct custody question:
1. The telehealth platform — Services like Doxy.me, SimplePractice Telehealth, Zoom for Healthcare, and Therapy Brands platforms all have their own privacy posture, BAA requirements, and data handling practices. Most offer platform-level recording, which stores a copy on the platform's own servers before the therapist downloads it.
2. The local recording or download — If the therapist downloads the recording, the file lands on whatever device the therapist was using during the session. If the session was on a work laptop, that is one device. If it was on a personal iPad, that may be a different device entirely — one that may not be covered by the practice's security policies.
3. The transfer to the AI scribe — The therapist now has to get the audio file into the AI scribe workflow. For cloud scribes, this typically means uploading the file to the vendor's portal or app, which transmits it to the vendor's servers over the public internet.
4. The vendor's processing infrastructure — The cloud scribe's servers receive the audio, run it through a speech-to-text model to produce a transcript, and then run the transcript through a language model to produce the note draft. Both the audio and the intermediate transcript may be retained on the vendor's servers for a period defined by their privacy policy.
In steps 1 and 4, the data is on servers in locations you did not choose and may not know. The telehealth platform's servers may be in one state. The cloud AI scribe's servers may be in another. Your client, in a third state, has privacy rights under their home state's law. None of these jurisdictions necessarily align.
What the cloud AI scribe actually receives from a telehealth session
The output the cloud AI scribe delivers is a structured SOAP, DAP, or BIRP note. That output is straightforward — it is the clinical documentation you review, edit, and paste into your EHR. But the input the vendor received to produce that output is the full session audio.
For a telehealth session, that audio may contain considerably more than a typical in-person session recording. Video telehealth platforms capture both audio channels — therapist and client — often at higher audio quality than in-person recordings taken on a room microphone. Background environment cues, family member voices that drift into frame, the client's home context — all of this is captured and transmitted to the cloud scribe's servers as part of the audio file.
The detailed breakdown of what cloud AI scribes transmit covers the full category-by-category data flow. For telehealth specifically, the relevant categories include: the raw session audio (full recording), the intermediate transcript (complete verbatim text generated before the note draft), and any metadata attached to the file (session timestamp, duration, platform of origin, device identifier).
All of this is governed by the vendor's privacy policy and their Business Associate Agreement with the therapist. But as the next section explains, the BAA may cover less than clinicians assume.
What a BAA does — and does not — cover across state lines
A Business Associate Agreement is a federal HIPAA instrument. It establishes the vendor's obligations under 45 CFR 164.504(e): permitted uses and disclosures, safeguards, breach notification timelines, and return or destruction of PHI at the end of the relationship. These are federal requirements, and a well-drafted BAA satisfies them.
What a BAA does not do:
- It does not create state-law compliance. If California's CMIA imposes additional consent requirements for a vendor handling California residents' health data, the BAA — which is a federal HIPAA construct — does not satisfy those requirements. The vendor needs to comply separately with state law, or not handle California residents' data at all.
- It does not bind the vendor's subprocessors to state law. Cloud AI scribes routinely use subprocessors: cloud hosting providers (AWS, Azure, GCP), speech-to-text API vendors, and sometimes third-party LLM APIs. The BAA with the primary vendor does not automatically flow down to bind subprocessors to stricter state-law requirements.
- It does not prevent a subpoena. If a legal proceeding in the client's home state issues a subpoena to the cloud scribe vendor, the vendor's BAA with the therapist does not constitute a privilege or basis for withholding the recording. For the full analysis, see the subpoena risk explainer.
The gap between "we have a BAA" and "we are compliant with the client's home state's law" is real and underappreciated. Understanding what a BAA actually covers is the starting point for evaluating any vendor in a multi-state telehealth practice.
PSYPACT and multi-state practice: licensure simplification ≠ data simplification
The Psychology Interjurisdictional Compact (PSYPACT) has made it significantly easier for licensed psychologists to practice telepsychology across member states. As of 2026, the majority of US states participate in PSYPACT, and similar compacts for counselors and social workers are at various stages of adoption. These compacts solve the licensure problem — they allow clinicians to see clients across state lines without obtaining a separate license in each state.
But PSYPACT and similar compacts do not address the data-custody problem. Practicing under PSYPACT authorization in a client's home state means the client's state licensing board has jurisdiction over your clinical practice. It does not mean the client's home state's privacy law is somehow relaxed for your vendor relationships. If anything, practicing under a compact arguably makes it clearer that the client's home state law applies to that client's health information — because the compact exists precisely to acknowledge that the client's state has jurisdiction over their care.
Clinicians expanding into multi-state telehealth practice through PSYPACT or counselor compacts should therefore treat each new client's home state as a distinct privacy-law jurisdiction to evaluate. The vendor BAA that was adequate for in-state clients may not be adequate for clients in states with more protective health privacy laws.
The on-device argument for telehealth AI notes
When a therapist uses TherapyDraft for telehealth session notes, the audio processing chain collapses to one step. After the telehealth session ends, the therapist saves the session recording locally and drags it into TherapyDraft. Whisper.cpp transcribes the audio directly on the therapist's Mac using Apple Silicon. The local language model drafts the SOAP or DAP note. Nothing — not the audio file, not the transcript, not the draft — is sent to any server.
This changes the cross-state question entirely. There is no vendor server in a third state receiving the client's session audio. There is no cloud infrastructure whose jurisdiction needs to be evaluated. There is no BAA gap to assess with respect to the client's home-state privacy law. The audio processed on the Mac stays on the Mac — it is never transmitted anywhere as part of the note-drafting workflow.
The therapist still uses a telehealth platform (with its own BAA and data-handling policies). But the AI-assisted note drafting layer is removed from the cross-state custody chain entirely. The note-drafting step involves no external data handler at all: the model runs locally on hardware the therapist already owns.
Practical workflow: telehealth session to on-device note draft
The practical workflow for telehealth documentation with TherapyDraft:
- Session ends. Download the session recording from your telehealth platform's local recording feature, or record a separate audio track locally (some therapists use QuickTime's audio recording alongside their video session as a cleaner audio capture).
- Open TherapyDraft. Drag the audio file into the app. The file stays on your machine — TherapyDraft reads it from your local file system and processes it in place.
- Transcription and draft generation. Whisper.cpp runs on Apple Silicon (M1–M4). For a 50-minute session, transcription typically completes in under 5 minutes. The local language model then generates a structured SOAP, DAP, BIRP, or GIRP draft in the format you've calibrated with your own sample notes.
- Review and paste. The draft appears in the app. You review it, make edits, and copy it to your clipboard. Paste into SimplePractice, TheraNest, TherapyNotes, or whichever EHR you use. The note is in the chart; the audio stays on your Mac.
The telehealth platform still holds a copy of the session video if you use platform-side recording — you should review the platform's retention policies and BAA separately. But the AI-scribe step is completely decoupled from the cloud. The vendor who processes your note draft is TherapyDraft running on your own machine, which means the vendor is you.
What to ask any cloud AI scribe vendor you evaluate for telehealth practice
If you are evaluating cloud AI scribes for a telehealth practice that serves clients in multiple states, the questions below surface the gaps a standard BAA review may miss:
- "Where are your servers located, and do you have data residency options by state?" Audio processed on servers in a state other than the client's home state may have different legal implications than audio processed in-state.
- "Does your BAA cover California CMIA / New York Mental Hygiene Law / Texas HB300 compliance for clients in those states, or only federal HIPAA?" Most cloud vendors will say federal HIPAA only — an honest answer, and the one that should prompt follow-up questions.
- "Who are your subprocessors for speech-to-text and LLM inference, and are they listed in your BAA addendum?" Subprocessors with their own cloud infrastructure add another jurisdiction to the chain.
- "What is your audio retention policy? Is the retention period configurable by the covered entity?" Shorter retention is better. Instant deletion after note delivery is ideal. Most vendors retain audio for a period set in their privacy policy; zero retention is rarely the default.
The answers to these questions define the real privacy posture of the vendor relationship — not the existence of a signed BAA, which is a necessary but insufficient condition for cross-state telehealth privacy compliance. For the complete framework, see the 2026 HIPAA compliance guide for private-practice therapists.
Further reading
- What is a BAA, actually — and what it does NOT cover — the limits of a Business Associate Agreement as a privacy instrument
- Can an AI therapy note be subpoenaed? A 2026 legal-risk explainer — how subpoenas reach cloud AI vendors across state lines
- The 7 things Mentalyc, Upheal, and Blueprint actually send to their servers — a category-by-category breakdown of cloud scribe data flows
- HIPAA for private-practice therapists — the 2026 rewrite — full compliance posture for solo and small-group practice
This post is educational commentary, not legal advice. Telehealth licensure and privacy law varies by state and changes frequently. Consult a licensed health care attorney and your state licensing board for guidance specific to your practice.
Frequently asked questions
Does HIPAA apply differently to telehealth sessions across state lines?
No — federal HIPAA applies uniformly regardless of which states are involved. What changes is state law: if your client is in a state with stronger health privacy protections than federal HIPAA — California, New York, and Texas all have statutes that go beyond federal HIPAA in specific ways — the more protective state law generally controls the client's rights over their health information. Clinicians should consult their state licensing board and a health privacy attorney for their specific jurisdiction.
Do telehealth platforms automatically send session audio to AI scribes?
No — telehealth platforms and AI scribes are separate systems. The therapist must separately record the session, download or extract the audio, and upload it to the AI scribe tool. Each step is a distinct data-custody question with its own data handler. The telehealth platform holds a copy; the AI scribe vendor receives and processes a separate copy. Both need their own BAA evaluation.
Does a BAA with a cloud AI scribe cover state-law obligations for cross-state telehealth clients?
Generally no. A Business Associate Agreement is a federal HIPAA instrument — it does not substitute for the vendor's compliance with state health privacy laws. If a state's law imposes additional consent, notice, or data-residency requirements for its residents' health information, a BAA alone does not satisfy those requirements. Clinicians serving clients in states with more protective health privacy laws should ask AI scribe vendors specifically whether their compliance posture covers those states' laws — not just federal HIPAA.
What telehealth documentation risks does an on-device AI scribe avoid?
With TherapyDraft running locally on your Mac, the session audio is processed on your device and never transmitted to any server. This means the cross-state data-flow questions do not arise — there is no vendor in a third state receiving the recording, no cloud infrastructure whose jurisdiction is a separate question, and no BAA gap with respect to state law. The note draft is generated on your machine and stays there until you paste it into your EHR.
If I use PSYPACT authorization to see clients across state lines, does that change my AI scribe obligations?
PSYPACT simplifies licensure — it does not create any exemption from HIPAA or state privacy law. Your client's home state's privacy protections still apply to their health information. A psychologist practicing under PSYPACT authorization still faces the same question any cross-state telehealth clinician faces: what law governs the client's PHI rights, and does your AI scribe vendor comply with it? PSYPACT answers the licensure question; it does not answer the data-custody question.