HIPAA-Compliant Session Recording: What Therapists Actually Need to Know
Recording therapy sessions for documentation purposes is legal, ethical, and increasingly common — but only if you do it right. Here's the complete guide.
Recording therapy sessions to improve documentation accuracy is one of the most practical tools available to modern clinicians. But it also triggers immediate questions: Is it legal? Do I need consent? What happens to the audio?
Let's answer all of it.
Is It Legal to Record Therapy Sessions?
Yes — with client consent. In all 50 states, you can record a therapy session with the informed consent of your client. This applies to both in-person and telehealth sessions.
The key word is informed. The client needs to understand:
- That the session may be recorded
- What the recording is used for (documentation, transcription)
- How long the recording is retained
- That they can decline without it affecting their care
What HIPAA Requires
Under HIPAA, a session recording is Protected Health Information (PHI). That means it must be:
- Encrypted in transit — any audio transmitted over a network must use TLS 1.2 or higher
- Encrypted at rest — stored recordings must be encrypted
- Access-controlled — only authorized individuals can access recordings
- Retained per your state's requirements — most states require medical records to be kept for 7–10 years for adults, longer for minors
- Covered by a Business Associate Agreement (BAA) — any vendor handling PHI must sign a BAA with you
The BAA Requirement Is Critical
This is where most therapists make mistakes. If you're using any cloud service to store, transmit, or process session audio, that vendor must sign a BAA. No BAA = HIPAA violation, regardless of how good their security is.
Major cloud infrastructure providers (AWS, Azure, Google Cloud) offer HIPAA-eligible services and will sign BAAs for healthcare customers. Consumer-grade cloud storage and most general-purpose AI services without enterprise agreements typically do not.
Before using any tool for session recording or transcription, confirm in writing that the vendor:
- Offers a signed Business Associate Agreement
- Operates on HIPAA-eligible infrastructure
- Can document their security and access controls
What About AI Transcription?
AI transcription services are permitted under HIPAA as long as:
- The transcription vendor has signed a BAA
- Audio is processed securely (encrypted in transit)
- Audio is not retained longer than necessary
The "not retained longer than necessary" piece is important. Best practice is to delete the audio file immediately after transcription is complete — the PHI of clinical value is in the transcript and note, not the raw audio.
Key compliance point: Always verify that your transcription vendor operates on HIPAA-eligible infrastructure and will execute a Business Associate Agreement before transmitting any session audio.
Telehealth Recording: Special Considerations
For telehealth sessions, you're typically capturing audio from both sides of the call. This requires:
- Consent from the client before the session begins
- A platform or tool that captures system audio, not just your microphone
  - On Mac: tools like BlackHole (free) or Loopback create a virtual audio device that captures both sides
  - On Windows: VB-Cable serves the same purpose
The Consent Form
Your consent form for recording should clearly state:
- Sessions may be recorded for transcription and documentation purposes
- Audio is used solely to generate clinical notes
- Recordings are encrypted and stored securely
- Recordings are deleted after transcription is complete
- Client may decline recording at any time
Electronic consent — where the client reads and signs digitally — creates a timestamped, auditable record that protects you.
Choosing a HIPAA-Compliant Documentation Tool
When evaluating any AI-powered documentation tool, ask these questions:
- Does the vendor sign a BAA? Non-negotiable.
- Where is audio processed and stored? Look for established, HIPAA-eligible cloud infrastructure.
- Is audio deleted after transcription? The transcript is the record; raw audio should not be retained indefinitely.
- What access controls are in place? Only you (and authorized staff) should be able to access your session data.
- Is data used to train AI models? Your session content should never be used to train models without explicit consent.
Practical Bottom Line
Recording sessions for documentation is safe and HIPAA-compliant when you:
✅ Get informed consent before recording
✅ Use HIPAA-eligible infrastructure with BAAs in place
✅ Encrypt audio in transit and at rest
✅ Delete audio promptly after transcription
✅ Use the transcript/note as the permanent record — not the audio
The documentation benefits are significant: more accurate notes, less cognitive load, and a permanent record that reflects the actual session rather than your memory of it.