HIPAA-compliant AI SOAP notes: the architecture that removes the BAA from the threat model
"HIPAA-compliant" is often shorthand for "we signed a BAA." A stronger answer exists: design the tool so there's no vendor in the data flow, and the BAA becomes unnecessary — not because we say so, but because 45 CFR 164 says so.
TL;DR
HIPAA requires a BAA whenever a covered entity shares PHI with a business associate. If the AI scribe runs exclusively on your own device, no PHI is shared with a vendor — there is no business associate in the data flow. TherapyDraft enforces this with macOS network entitlements that make it structurally impossible to transmit audio, transcripts, or drafts to any host. This is a strictly smaller attack surface than any cloud-scribe-plus-BAA model.
Why "BAA" became the default answer
For most of the last decade, running a useful LLM required a GPU farm — and the GPU farm belonged to someone else. So the only way to offer "AI SOAP notes" was to upload the session to that GPU farm and get a BAA from whoever owned it. The paperwork became the product: "we're HIPAA-compliant" meant "we have signed agreements with the right parties."
That's a reasonable compliance posture; every major cloud scribe in 2026 operates this way. But the paperwork is a contract, not a physical barrier. The BAA controls what the vendor is allowed to do with PHI after receipt; it does not prevent the PHI from being received. This distinction matters more in therapy than in many other specialties, because sessions contain higher-sensitivity narrative content than almost any other form of clinical data.
Where the threat model actually lives
A useful way to reason about compliance tools is to enumerate where the PHI lives and who can touch it. For a cloud scribe with a BAA, the answer looks roughly like this:
- Your local recording device (phone, desktop app)
- The vendor's inbound transfer pipe
- The vendor's transcription service + its subprocessors
- The vendor's LLM provider (often OpenAI, Anthropic, or Azure OpenAI as a subprocessor)
- The vendor's object storage + DB holding transcripts and drafts
- The vendor's backup and DR copies
- Any engineer or on-call responder at any of the above with access
For TherapyDraft, the list is:
- Your Mac's local storage
The second list is strictly shorter. It's also, crucially, enforced by a different mechanism — not by a vendor's policy and auditors, but by the macOS sandbox system and your own device's security posture. Both lists require trust; the first asks for trust in eight places, the second in one.
What makes a scribe "HIPAA-compliant" in the first place
HIPAA does not certify software. "HIPAA compliance" is a property of your practice as a covered entity — determined by whether you meet the Privacy Rule, Security Rule, and Breach Notification Rule obligations. A tool supports compliance if it helps you meet those obligations; it cannot be compliant by itself. With that in mind, the three things a reasonable clinician should verify for any AI SOAP-note tool are:
- Who touches the PHI? If anyone other than you touches PHI, a BAA is required. If only you touch it, no BAA is required. Read the privacy policy; look for subprocessor lists.
- How is the PHI secured in transit and at rest? For cloud scribes, this is TLS plus their encryption-at-rest claims. For an on-device scribe, it's macOS full-disk encryption (FileVault) plus OS-keychain key wrapping.
- How is access logged and auditable? Look for a tamper-evident log you can show a client or a board auditor.
How TherapyDraft answers each of the three
Who touches the PHI? Only you. The model runs in-process inside a signed macOS app on your Mac. TherapyDraft Inc. never receives audio, transcripts, or drafts. The only server calls the app makes are (a) Stripe license activation for the subscription, and (b) an anonymous app-version ping that carries no user or session data.
How is it secured at rest? FileVault (assumed on any modern clinical Mac) provides full-disk encryption. On top of that, TherapyDraft encrypts the per-session artifacts in its Application Support folder using a key held in the macOS Keychain, so a snapshot of the folder without the keychain entry is unreadable.
How is access logged? Every inference writes a hash-chained JSONL entry: model ID, prompt hash, output hash, timestamp, device ID. Tampering with one line breaks the chain and is visible the next time the app opens. If a client, supervisor, or board investigator ever asks "prove this was drafted by your local tool on your Mac," the chain is the proof.
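A minimal model of the hash-chained JSONL log described above, added here as an illustration rather than TherapyDraft's own code: the field names follow the list in the text, while the SHA-256 scheme, the all-zero genesis value and the sample entries are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash claimed by the very first entry

def _digest(entry):
    # Hash every field except entry_hash, over canonical (sorted-key) JSON so all verifiers agree.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, model_id, prompt, output, timestamp, device_id):
    prev = json.loads(log[-1])["entry_hash"] if log else GENESIS
    entry = {
        "model_id": model_id,
        "prompt_hash": hashlib.sha256(prompt.encode()).hexdigest(),  # PHI itself is never logged
        "output_hash": hashlib.sha256(output.encode()).hexdigest(),
        "timestamp": timestamp,
        "device_id": device_id,
        "prev_hash": prev,  # links this line to the one before it
    }
    entry["entry_hash"] = _digest(entry)
    log.append(json.dumps(entry, sort_keys=True))

def verify_chain(log):
    """Return the index of the first line that breaks the chain, or None if it is intact."""
    prev = GENESIS
    for i, line in enumerate(log):
        try:
            entry = json.loads(line)
        except ValueError:
            return i  # corrupted or non-JSON line
        if entry.get("prev_hash") != prev or _digest(entry) != entry.get("entry_hash"):
            return i  # edited in place, or its link to the previous line no longer matches
        prev = entry["entry_hash"]
    return None

def build_sample_log():
    log = []
    for n in (1, 2, 3):  # constructed sample: three inferences on one device, all values made up
        append_entry(log, "local-14b", f"session {n} transcript", f"SOAP draft {n}",
                     f"2026-03-01T1{n}:00:00Z", "mac-0001")
    return log

def edit_line(log, index, new_model_id, rehash=False):
    # Return a copy with one line's model_id changed; rehash=True also recomputes that line's hash.
    entry = json.loads(log[index])
    entry["model_id"] = new_model_id
    if rehash:
        entry["entry_hash"] = _digest(entry)
    return log[:index] + [json.dumps(entry, sort_keys=True)] + log[index + 1:]
```

Editing a middle line is caught at that line, and re-hashing it only moves the break to the next line's prev_hash; what the chain alone cannot catch is truncation or a re-hashed final line, so the latest entry_hash should also be pinned outside the file (for example in the Keychain) and compared on launch.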
Where cloud scribes remain the right call
Three scenarios where cloud scribes are still the better fit:
- Windows-only practices. TherapyDraft is Mac-only until late 2026. If your practice runs on Windows, a cloud scribe with a solid BAA is more practical today.
- Multi-clinician audio review. If your group workflow depends on clinicians listening to each other's session audio (training, supervision of raw recordings), a cloud tool designed around shared audio access will be smoother than TherapyDraft's supervision feature, which is designed to keep raw audio on the supervisee's Mac.
- Absolute model-quality maxima. A cloud-70B model will occasionally produce a slightly cleaner first draft than our on-device 14B. If you don't do any post-editing and your notes need to be perfect on the first attempt, the cloud tools have an edge. Most clinicians edit anyway — this trade-off is small in practice.
How to evaluate
The fastest check: open any cloud scribe's privacy policy, find the subprocessors section, and count the subprocessors. Then read TherapyDraft's privacy policy — ours lists Stripe (payments) and nothing else. That difference is the architecture.
Related questions
Is HIPAA the only regulation that matters?
In the US, HIPAA is the floor. State mental-health privacy laws (California CMIA, New York SHIELD Act, etc.) sometimes impose stricter rules. Because TherapyDraft keeps PHI on your device, it naturally satisfies most state-level "do not share with third parties without consent" provisions — but check your state board's specific guidance for AI scribes.
What about 42 CFR Part 2 (substance-use disorder records)?
SUD records under Part 2 have an even higher bar than HIPAA — and the cloud scribe model frequently can't meet that bar without extra client-consent paperwork. An on-device scribe handles Part 2 cleanly because no third party ever receives the record.
Does "HIPAA compliant" mean anything legally?
Compliance is a practice-level determination, not a software-level certification. HHS does not certify software. Any vendor who claims their product is "certified HIPAA compliant" is using marketing language; what they can honestly claim is that their product has features compatible with HIPAA.