Emosapien
Compliance built for therapy

HIPAA-Compliant Therapy Notes Software

HIPAA-compliant therapy notes that go beyond the baseline, with the therapy-specific layer most platforms skip: separate handling of psychotherapy notes versus progress notes, 42 CFR Part 2 support for substance-use-disorder (SUD) records, and AHPRA-aligned record-keeping for Australian practices.


The distinction most software gets wrong

Psychotherapy notes are not progress notes, and HIPAA treats them differently.

Many therapy-notes apps treat the therapist's private process notes the same as the clinical record. HIPAA does not. The distinction matters in audits, in client right-of-access requests, and in subpoenas. Two caveats practitioners should keep in mind: psychotherapy notes only keep their special status if they are actually kept separate from the rest of the chart (notes mixed into the medical record are simply part of it), and they remain PHI, so the Security Rule safeguards (encryption, audit controls, access control) still apply to them; what changes is the authorisation and right-of-access treatment. Genuinely HIPAA-compliant therapy notes software therefore stores them separately, and Emosapien does so by default.

Figure: psychotherapy notes (locked) and progress notes (open), stored separately by default.

Definition
  Psychotherapy notes: the therapist's personal process notes (analysis, hypotheses, countertransference, working impressions) kept separate from the medical record.
  Progress notes: the clinical record itself: what was discussed, the intervention used, the response, the plan.

HIPAA treatment
  Psychotherapy notes: defined at 45 CFR § 164.501; specific authorisation required for disclosure under 45 CFR § 164.508(a)(2); excluded from the client right of access under 45 CFR § 164.524(a)(1)(i).
  Progress notes: standard PHI under HIPAA, subject to right of access, breach-notification rules, and minimum-necessary disclosure.

Storage requirement
  Psychotherapy notes: must be physically or logically separated from the rest of the chart, with separate access controls.
  Progress notes: live inside the medical record, available to other treating clinicians on a need-to-know basis.

How Emosapien handles it
  Psychotherapy notes: stored in a separate, access-restricted vault by default. Never auto-included in EHR exports. Never used in caseload analytics or model training.
  Progress notes: standard PHI handling: encrypted at rest and in transit, audit-trailed, exportable to EHR, BAA in place on Professional and Enterprise.

For the full clinical reference on each note type, see the psychotherapy notes sample and the clinical documentation hub.

What HIPAA actually requires, and how Emosapien delivers it

Six controls. Here is how Emosapien delivers each.

The six controls below are the floor for any HIPAA-compliant therapy notes platform. Four map directly to HIPAA requirements (Security Rule safeguards for encryption and audit controls, the business associate agreement, and the Privacy Rule's minimum-necessary standard and right of access); the remaining two, no model training on client data and deletion, go beyond what HIPAA itself demands. Emosapien meets each one by default, no configuration required.

Encryption everywhere

AES-256 at rest, TLS 1.3 in transit. Encryption is an "addressable" safeguard under 45 CFR § 164.312 rather than a mandated one, but in practice OCR expects it, and unencrypted PHI is what turns a lost device into a reportable breach. Session audio is encrypted from the moment your microphone captures it through to long-term cold storage.

Business Associate Agreement (BAA)

Signed BAA included on the Professional and Enterprise plans, no extra step. Required for any covered entity sending PHI through Emosapien.

Audit trail, immutable

Every record access, edit, export, and deletion is timestamped, attributed, and write-once. Available on request for OCR audits.

Minimum-necessary access

Clinicians see only their own caseload by default. Practice owners and supervisors get scoped access. Roles are configurable on Enterprise.

No model training on client data

Session content is never used to train public or shared models. Your client data does not leave your tenant. This commitment is written into the BAA, not just stated on the website.

Right of access + deletion

Clients have a right of access to their progress notes, and HIPAA requires you to respond within 30 days; you can fulfil the request through the platform. Deletion is a different matter: HIPAA grants no right to erasure, and state law and licensing boards set retention floors for clinical records. Emosapien's one-click deletion propagates across backups within 30 days, which goes beyond HIPAA, but use it only once the retention obligations for that record have been met.

Beyond HIPAA

HIPAA is the floor, not the ceiling.

HIPAA covers the federal baseline. The professional bodies you are accountable to expect more, and so do the state-specific and international rules that apply to therapy specifically.

  • APA Code of Ethics 4.05: Disclosures

    The platform supports the documentation rigour the APA Code expects: separate handling of psychotherapy notes, consent capture for recording, and clear disclosure controls.

  • AHPRA / PsyBA professional standards (Australia)

    For Australian practices, the platform aligns with the Psychology Board of Australia (PsyBA) record-keeping requirements and APS Code of Ethics A.5, including the seven-year retention floor for adult records and separate handling of psychotherapy notes.

  • State-specific therapy laws (US) and 42 CFR Part 2

    Several US states have stricter rules than HIPAA on minor consent, parental access, and mental-health records generally. Separately, SUD treatment records from Part 2 programmes fall under the federal 42 CFR Part 2 rules, which add their own consent and redisclosure requirements on top of HIPAA. The platform supports state-specific record-handling rules and Part 2 flagging on the Professional and Enterprise plans.

  • GDPR-aware architecture

    Data residency, right to erasure, and data-portability requirements are surfaced at the practice level. Relevant for EU clients seen via telehealth.

Honest comparison

How Emosapien’s compliance posture compares to Upheal, Mentalyc, and Blueprint.

All four are HIPAA-aligned therapy tools. The differentiation is in the layers that sit on top.

Legend: Fully supported / Partially supported / Not available

Separate vault for psychotherapy notes (process notes stored separately by default with their own access controls)
  Emosapien: Fully supported. Upheal: Not available. Mentalyc: Not available. Blueprint: Not available.

SOC 2 Type II + ISO 27001 (both audit standards layered on top of HIPAA)
  Emosapien: Fully supported. Upheal: Partially supported. Mentalyc: Partially supported. Blueprint: Partially supported.

Immutable audit trail surfaced to clinicians (every access, edit, and export visible in the UI, not just in backend logs)
  Emosapien: Fully supported. Upheal: Partially supported. Mentalyc: Partially supported. Blueprint: Partially supported.

42 CFR Part 2 (SUD) record-handling support (separate consent and access flags for substance-use records; competitor support not publicly documented)
  Emosapien: Fully supported. Upheal: Partially supported. Mentalyc: Partially supported. Blueprint: Partially supported.

AHPRA / PsyBA record-keeping defaults (Australian seven-year retention floor and separate professional notes)
  Emosapien: Fully supported. Upheal: Not available. Mentalyc: Not available. Blueprint: Not available.

No model training on client data, contractual (written into the BAA, not just a marketing statement)
  Emosapien: Fully supported. Upheal: Partially supported. Mentalyc: Partially supported. Blueprint: Partially supported.
Comparison data verified March 2026

Why this list excludes general medical scribes. Heidi, Nuance DAX, Suki, Abridge, and Freed are HIPAA-aligned and SOC 2 audited, but they are designed around medical PHI, not the psychotherapy-notes / progress-notes split. Their access-control models, audit trails, and vendor BAAs assume a hospital workflow, not a therapist's caseload. It is a different compliance shape.


The psychotherapy-notes vault was the deciding factor. Two of our supervisees produce notes that have been subpoenaed in custody cases. Having a clean separation built into the platform, not bolted on, gave us peace of mind we did not have on the previous tool.

Daniel Brennan, LCSW
Clinical director, group practice
97% therapist satisfaction. 140k+ hours saved on admin. 10k+ therapists using Emosapien.

Frequently asked questions

What is the difference between progress notes and psychotherapy notes?

Progress notes are the clinical record: what was discussed, the intervention used, the response, the plan. They are standard PHI. Psychotherapy notes are the therapist's personal process notes (analysis, hypotheses, countertransference). HIPAA defines them at 45 CFR § 164.501, requires specific authorisation for disclosure under 45 CFR § 164.508(a)(2), and excludes them from the client right of access under 45 CFR § 164.524(a)(1)(i). They have to be stored separately from the rest of the record to keep that status. Emosapien does that by default.

Do you sign a Business Associate Agreement?

Yes. A BAA is included on the Professional and Enterprise plans. No legal back-and-forth, no extra fee. The free plan does not include a BAA, so it is not appropriate for use with PHI in a covered-entity practice.

How long do you keep session audio?

Only as long as you need it. Default retention is 30 days, configurable on Professional and Enterprise. Audio is encrypted at rest and in transit. You can switch off audio storage entirely and keep only the structured note.

Can clients access their notes?

Yes. The right of access under HIPAA applies to progress notes, and Emosapien supports the workflow. Psychotherapy notes are handled separately and are excluded from the right of access under HIPAA; releasing them remains at the clinician's discretion.

How are substance-use (42 CFR Part 2) records handled?

Records identified as SUD-related are flagged and routed through a separate consent and access workflow that supports Part 2 disclosure rules. Available on Professional and Enterprise. Confirm with your compliance officer that the configuration matches your programme's 42 CFR Part 2 designation.

Does the platform meet Australian (AHPRA / PsyBA) requirements?

Yes. The platform aligns with the Psychology Board of Australia record-keeping requirements and the APS Code of Ethics A.5, including the seven-year retention floor for adult records and separate handling of psychotherapy notes. Professional and Enterprise plans include AHPRA-aligned defaults.

Is the free plan HIPAA compliant?

The free plan uses the same encryption, infrastructure, and security controls. However, it does not include a BAA, so it is not suitable for handling PHI in a covered-entity practice. For private-pay practice or solo clinicians not subject to HIPAA, the free plan is a reasonable place to evaluate. Start free or see Professional pricing.

Compliance you can hand to the auditor.

HIPAA-aligned, SOC 2 Type II, ISO 27001. With the therapy-specific layer no scribe gives you. See pricing and BAA terms on Professional.
