Therapy platform acquisitions, asset sales, and bankruptcy: what happens to your cloud AI scribe data when the vendor sells

The VC funding model and why acquisition is the expected endpoint

Understanding the acquisition risk requires understanding how venture-backed health tech companies work. When a company raises Series A or Series B venture capital, the investors are purchasing equity in a company they expect to exit within 3–7 years — typically through a strategic acquisition by a larger company or, for the most successful, an IPO. The business model is built around this exit: grow aggressively, capture market share, and become attractive enough to a strategic acquirer that the acquirer pays a multiple of revenue.

In mental health technology, the strategic acquirers are predictable: EHR platforms (SimplePractice's parent WebPT, Therapy Brands, Valant), telehealth conglomerates (Teladoc acquired BetterHelp in 2015 for $1.125 billion), behavioral health platforms, and large health insurance carriers. Private equity rollups are also active in behavioral health practice management. The AI scribe market specifically is consolidating around EHR integration — every major EHR vendor has either acquired or partnered with an AI scribe tool, because "write the note automatically" is the single most-requested feature from practicing clinicians.

This means the question for any therapist using a cloud AI scribe is not "will my vendor be acquired?" but "when, and by whom?" The answer is almost certainly within the working life of a practice that starts using the tool today. The data the vendor is holding at the time of acquisition — verbatim session audio files, raw transcripts, note drafts, the entire session archive from every client you have ever seen with the tool — transfers to the acquirer as a business asset.

What HIPAA §164.501 actually says about business transfers

HIPAA's Privacy Rule defines "protected health information" in a way that follows the entity that holds it, not just the entity that created it. The regulations address business transfers — mergers, acquisitions, and asset sales — in the context of what a covered entity or business associate may do with PHI when the organizational structure changes.

The core HIPAA provision relevant to acquisitions is found in the framework governing permitted uses and disclosures for healthcare operations. Business associate agreements must address the handling of PHI upon termination of the BAA relationship — and an acquisition triggers a termination of the original BAA relationship, followed by the creation of a new BAA with the acquiring entity. The key regulatory requirement is that the acquiring entity must agree to be bound by the PHI obligations that bound the original business associate. The acquiring entity steps into the shoes of the original BA, assuming its retention policies, its security obligations, and its HIPAA exposure.

What HIPAA does not require — and this is the provision that matters practically — is patient authorization for the PHI transfer. The transfer of PHI in a business transaction is not a "disclosure" for purposes of the authorization requirements under 45 CFR 164.508. It is a business record transfer in which the custodian of the record changes, the obligations attached to the record follow it, but the individual's control over the record does not extend to blocking the transfer. A business associate agreement does not give the therapist, or the therapist's clients, a right to prevent the PHI from transferring to an acquirer.

The gap in this framework is significant: the acquiring entity has not been vetted by the therapist. The therapist chose the original vendor based on its privacy claims, data practices, and HIPAA documentation. The acquirer may be an entity with entirely different data practices, different security infrastructure, different commercial incentives for using the data, and different geographic presence (including international headquarters outside HIPAA's jurisdiction). The PHI transfers to this unknown entity as a matter of law, without a new consent process and without a new evaluation by the therapist.

The data asset that transfers: verbatim archives vs. formal clinical notes

The distinction between what a cloud AI scribe holds and what an EHR holds is central to understanding why acquisition risk is especially acute for AI scribe data specifically. An EHR holds the therapist's formal clinical records — the SOAP or DAP notes the therapist authored, the diagnosis codes, the treatment plan, the signed documentation. These records reflect the therapist's clinical judgment about what to document. The therapist controls what enters the formal record.

A cloud AI scribe holds something different: the raw session audio, the verbatim transcript, the intermediate note drafts (including drafts the therapist rejected), and the metadata about each session (duration, audio file size, model used, timestamp). This archive contains what the client actually said in every session — the verbatim disclosures, the names of third parties mentioned, the specific factual accounts that the therapist deliberately synthesized and omitted from the formal note. The therapist's clinical judgment about what to document is a filtering process; the vendor's archive captures everything before that filter is applied.

This makes the AI scribe vendor's data archive substantially more valuable — and substantially more sensitive — than a typical EHR vendor's data asset. From an acquirer's perspective, a verbatim session archive is valuable precisely because it contains the unfiltered content of therapy sessions: it is useful for training language models, for developing AI-assisted clinical tools, and for research purposes that EHR-note-only datasets do not support. From a patient's perspective, the verbatim archive contains the most sensitive content of any clinical record they have — and the content whose disclosure would most comprehensively violate their therapeutic confidentiality.

When the vendor is acquired, the acquirer's data scientists evaluate the archive as a training data asset. The due diligence team audits what the archive contains. The acquiring entity's privacy counsel reviews the consent language the original vendor obtained from therapists and patients. If that consent language is broad — and many AI scribe vendors' consent language is written to support model training — the acquirer may assert rights to use the verbatim archive for purposes the original vendor did not prominently disclose.

Five scenarios where acquisition events create specific adversarial risk

1. Due diligence as unauthorized disclosure

Before an acquisition closes, the acquiring company performs due diligence — a systematic review of the target company's assets, liabilities, data practices, and business records. Due diligence in a health tech acquisition includes review of the target's PHI holdings, data security practices, outstanding HIPAA violation risk, and BAA framework. This review is conducted by the acquiring company's attorneys, analysts, and technical staff — none of whom are business associates of the original vendor with respect to specific therapists' session data.

The HIPAA framework governing due diligence disclosures is ambiguous. The original vendor typically argues that disclosing the existence and structure of its PHI holdings to an acquirer is a healthcare operations disclosure permitted without patient authorization. Whether a full data access review by the acquirer's technical team — as opposed to a high-level description of data categories — constitutes an authorized disclosure is a question that has not been definitively resolved by OCR guidance.

The FTC's 2023 consent order against BetterHelp is instructive: BetterHelp was charged with sharing health data with advertisers (Facebook, Snapchat, Pinterest) in ways that users had not consented to and that the company had represented it would not do. The FTC's enforcement action was not a HIPAA enforcement action — BetterHelp is not a HIPAA covered entity — but it demonstrates the regulatory theory that health data disclosed for purposes outside what users consented to constitutes an unfair or deceptive trade practice. When an AI scribe vendor conducts due diligence sharing with a potential acquirer, the same regulatory theory applies: if the vendor's privacy policy did not disclose that session data would be reviewed by potential acquirers, the sharing may violate FTC Act Section 5 regardless of HIPAA's business transfer framework.

2. Bankruptcy and the court-supervised asset sale

Not every venture-backed company exits through a successful acquisition. Mental health technology has seen significant failures: Koko's pivot away from peer support, Brightside's layoffs and restructuring, multiple smaller therapy platforms that raised seed rounds and could not sustain the unit economics of behavioral health. When a cloud AI scribe vendor runs out of runway, the outcome may be a bankruptcy filing — and the PHI archive becomes a bankruptcy estate asset.

Bankruptcy law and HIPAA operate in different legal frameworks, and their interaction is genuinely complex. The HHS Office for Civil Rights has issued guidance stating that covered entities cannot use bankruptcy to evade HIPAA obligations — a covered entity that files bankruptcy must still comply with HIPAA during the bankruptcy proceeding. A business associate's HIPAA obligations follow it into bankruptcy. The bankruptcy trustee is bound by the HIPAA requirements that bound the debtor.

However, the trustee's ability to sell the PHI archive as an estate asset is not clearly prohibited. A bankruptcy court can approve an asset sale to a buyer who agrees to assume the original entity's HIPAA obligations — this is the same structure as a non-bankruptcy acquisition, simply under court supervision. The buyer does not need to be a company the therapist would have chosen as a business associate. The buyer does not need to have a track record in healthcare privacy. The buyer needs to agree to honor the HIPAA framework going forward, and the bankruptcy court does not independently audit whether the buyer has the infrastructure, security practices, or institutional culture to actually do so.

The notice problem in bankruptcy is particularly acute: the timeline from a vendor's financial distress becoming publicly known to a bankruptcy filing and court-approved asset sale may be weeks or months. Therapists using the platform may have no practical opportunity to download and delete their data — or may find that deletion functionality has been suspended while the bankruptcy proceeding is pending.

3. Privacy class action litigation against the acquiring entity

Acquisitions that transfer therapy session data to unexpected entities have triggered consumer class action litigation under state privacy laws. The BetterHelp FTC matter generated subsequent state AG enforcement and civil class action litigation premised on the same core theory: the platform's data practices were inconsistent with its privacy representations. When an AI scribe vendor is acquired and the verbatim session archive is transferred to an acquiring entity whose data practices are different from the original vendor's, the same class action theory applies.

Plaintiff classes in these suits include both patients whose session content was captured and, increasingly, therapists whose work product was processed by the vendor. Psychotherapy notes have special HIPAA protections — they are a separate category of PHI subject to more stringent disclosure restrictions. An AI scribe vendor's archive of the verbatim content that underlies psychotherapy notes may itself qualify as psychotherapy notes under HIPAA's definition. If the acquiring entity uses that archive in ways that go beyond the narrow permitted uses for psychotherapy notes, the therapist and patient have a private cause of action under applicable state law — and, potentially, a HIPAA complaint against the covered entity whose BAA permitted the improper use.

The discovery dynamic in these class actions creates a secondary exposure for therapists: if the acquiring entity is the defendant, and the class action seeks production of records showing what data the vendor held and how it was used, the verbatim session archive becomes the evidentiary subject of the litigation. The therapist's clients' most sensitive disclosures become the record that both plaintiff and defense counsel examine in the litigation over the acquisition's data practices.

4. State health data privacy law enforcement by the acquiring entity's new jurisdiction

HIPAA is a federal floor. Several states have enacted health data privacy laws that impose requirements significantly beyond HIPAA, and these laws apply regardless of HIPAA covered entity status. California's Confidentiality of Medical Information Act (CMIA) imposes patient-consent requirements for disclosures that HIPAA permits without consent. The Washington My Health MY Data Act, enacted in 2023 and effective in 2024, imposes consent requirements for collection, use, and sharing of consumer health data by any entity operating in Washington — not just HIPAA covered entities.

When a cloud AI scribe vendor is acquired by an entity headquartered in a state without strong health data privacy laws, or by a private equity firm that views the data asset through a purely commercial lens, the acquired entity may not recognize that it has inherited obligations under California, Washington, and other states' health data privacy frameworks. The original vendor may have had a privacy counsel who understood CMIA's requirements for AI-assisted processing of psychotherapy session content. The acquiring entity's general counsel, advised by M&A attorneys rather than health privacy specialists, may not.

State AG enforcement of health data privacy violations is accelerating. California's AG and the California Privacy Protection Agency have both announced increased focus on health data. Washington's AG has enforcement authority under the My Health MY Data Act. New York's SHIELD Act and health data amendments impose security obligations that follow the data into any entity that processes New York residents' health information. An acquisition that transfers AI scribe data to an entity that does not have robust health-data compliance infrastructure creates immediate state law exposure that the acquiring entity may not recognize until an enforcement action has already been initiated.

5. The window between announcement and close: the period of maximum uncertainty

Corporate acquisitions typically have a period of weeks to months between public announcement and closing — the time required for regulatory approvals (HSR filings for transactions above the threshold), contract assignments, system integration planning, and, in healthcare transactions, any required state regulatory notifications. During this window, the original vendor remains the data custodian, but its business operations are in a state of transition: management attention is on integration planning, employee uncertainty affects product and security operations, and the original BAA framework is under review by the acquirer's counsel.

This is the period when therapists want to exercise their rights — downloading all session data, requesting deletion, migrating to a new platform — but face the most practical obstacles. The vendor's customer support team is typically reduced or distracted during M&A transitions. Data export functionality may be deprioritized as engineering resources shift to integration work. Deletion requests submitted during the transition window may not be processed before the acquisition closes, at which point the acquiring entity has inherited the archive including the records the therapist attempted to delete.

The acquiring entity is not obligated to honor deletion requests that were submitted but not completed before closing. Under HIPAA, the covered entity or business associate that receives the deletion request is obligated to respond — but if the original vendor transfers the data to the acquirer before processing the deletion, and the BAA assignment transfers the obligations to the acquirer, the practical effect may be that no entity processes the deletion in the transition window. The HIPAA right of access and deletion framework was not designed for multi-party M&A transitions, and its protections thin considerably when the data moves from one entity to another during the transition period.

On-device processing and acquisition-proof documentation

TherapyDraft processes every session on the therapist's Mac — locally. Session audio is transcribed by whisper.cpp running on Apple Silicon. The note draft is generated by a local language model. No audio file, no transcript, no intermediate draft leaves the device. There is no cloud vendor holding a verbatim archive of your clients' sessions.

When a cloud AI scribe vendor is acquired, the acquiring entity inherits the vendor's software, contracts, and business relationships. It does not inherit an archive of your clients' session content, because that archive was never created in the first place. A bankruptcy trustee auctioning the vendor's assets has no session archive to sell, because the sessions were processed locally and the results stored on your device under your control. Due diligence review of the vendor's PHI holdings reveals no session-level verbatim data, because no session-level verbatim data was ever transmitted to the vendor.

The formal clinical note — authored by you, stored in your EHR, reflecting your clinical judgment about what to document — is the documentation record. It is not subject to acquisition by a third party you did not vet. It is not an asset in a bankruptcy estate. It is not the subject of a class action against an acquiring entity whose data practices differ from the original vendor's. What you did not send to a vendor's cloud cannot be transferred to an acquirer, sold in bankruptcy, or inherited by a company you did not choose.

This is the architectural difference between an on-device documentation tool and a cloud AI scribe service: the cloud service is a relationship with a company on a VC funding timeline. The local tool is software on your hardware. Companies get acquired; software on your Mac does not.

Frequently asked questions