HIPAA-Compliant AI Scribe for Therapists. Your Client Data, Safe by Design

HIPAA, PHIPA, PIPEDA & SOC 2 Type II compliant. Anonymized transcripts. No recordings stored. Your sessions never train our AI. BAA included.

Private by design. Compliant by requirement.

Notes that are accurate, ethical, and compliant - and data that stays private.

HIPAA, PHIPA & SOC 2 Compliant

Mentalyc meets the requirements of HIPAA, PHIPA, and SOC 2. Your clinical data is handled in accordance with healthcare privacy law.

AES-256 Encryption on AWS

All data is encrypted at rest and in transit. Hosted on AWS with enterprise-grade security controls.

No Data Stored. Never Trained On.

Transcripts are anonymized before processing. Recordings are deleted immediately after your note is generated. You are in full control - delete any session data at any time. Your data is never used to train AI models.

Ready for Client Records Requests

Notes include only what is clinically relevant. Sensitive disclosures outside the treatment focus are not captured. Written in clear, respectful language - safe to share if a client requests their records.

Ready for Insurance Audit

Notes include medical necessity language, clinically relevant detail, and CPT code alignment - built to hold up if a payer requests documentation.

Business Associate Agreement (BAA) & Informed Consent Template Included

A client AI consent template is included - ready to customize and share before the first session. Your BAA is generated automatically inside the app. No paperwork, no waiting.

From Session to Note - What Happens to Your Data

There are no secrets to how we handle data.

"Radical data transparency is what healthcare needs at this point to build trust and reduce misinformation. With the development of new technologies, such as AI, it is even more important to keep everyone informed. I appreciate that Mentalyc is trying to elevate industry standards with high visibility for all."
Clinical leader in Digital Health, Quality, Compliance, and Patient Safety

Benefits For Your Clients

Using AI in therapy helps them too

Undivided Therapist Attention

Therapists do not need to worry about memorizing all of the important session details. Instead, they can devote their full attention to the client and let Mentalyc focus on the notes.

Better Outcomes

Mentalyc captures interesting quotes and insights, which help therapists better conceptualize the case and come up with better solutions.

Happy Insurance

Mentalyc takes care that the notes are written in a way that complies with payer requirements. This lowers the chances of further treatment being denied by payers.

FAQs

Is Mentalyc a trusted HIPAA-compliant platform for behavioral health?

Yes. Mentalyc is a trusted HIPAA-compliant AI platform for behavioral health and mental health therapists, used by over 30,000 therapists. It is one of the most trusted HIPAA-compliant medical transcription and note-taking tools for therapy, and that trust is backed by SOC 2 Type II, PHIPA and PIPEDA compliance, a signed BAA, 3-day recording auto-delete, and anonymized transcripts.

How do I verify if an AI scribe is actually HIPAA compliant?

Verify four things. (1) The vendor will sign a Business Associate Agreement (BAA). (2) The vendor is independently SOC 2 Type II audited. (3) There is a written data-retention policy that states how long recordings and transcripts are kept. (4) The vendor confirms in writing that your data is not used to train AI models. Mentalyc meets all four.

What security and compliance reviews does Mentalyc pass for enterprise and group practices?

Mentalyc passes HIPAA, SOC 2 Type II, PHIPA, PIPEDA, and Australian Privacy Principles reviews, and provides a BAA that every account can generate and sign. Session recordings auto-delete within 3 days, transcripts are anonymized, and client data is never used to train AI. These are the controls enterprise and group-practice buyers review during AI notetaker security and compliance reviews, vendor security assessments, and compliance auditing documentation.

What’s the difference between HIPAA compliance and SOC 2 Type II for an AI scribe?

HIPAA is a U.S. law that governs how Protected Health Information must be handled by healthcare providers and their vendors. SOC 2 Type II is an independent audit that verifies a vendor’s security controls operate effectively over time. Mentalyc meets both. HIPAA defines the rules, SOC 2 Type II proves they are enforced, and together they are what buyers of AI platforms for behavioral health expect.

How does Mentalyc secure data as an AI medical scribe?

Mentalyc secures AI medical scribe data through four layers. First, HIPAA and SOC 2 Type II compliance. Second, encrypted connections. Third, automatic deletion of session recordings within 3 days. Fourth, anonymized transcripts that are never used to train AI models. A signed BAA defines how protected health information is handled.

Is an AI scribe a Business Associate under HIPAA, and does Mentalyc sign a BAA?

Yes. Any AI scribe or AI meeting notetaker that processes Protected Health Information (PHI) on behalf of a therapist is a Business Associate under HIPAA and must sign a Business Associate Agreement (BAA). Mentalyc signs a BAA with every account, and you can generate and sign it inside your profile.

Is Mentalyc a PHIPA-compliant platform for documenting sessions?

Yes. Mentalyc is a PHIPA-compliant platform and software for therapists documenting therapy sessions in Ontario and across Canada. It also meets PIPEDA, PHIA, and PIPA requirements, and provides PHIPA-aligned consent forms (informed consent template and BAA) that Canadian therapists can generate inside their account.

If a patient revokes consent under Part 2, what happens?

Under Part 2, consent/authorization handling matters; generally, revocation affects future disclosures, not actions already taken based on valid consent.

Our agency treats SUD clients. What do we need to do?

Confirm whether you handle Part 2-protected records, and if yes, use a Part 2-compliant consent/authorization process (with the required elements).

Do you provide a form/certificate that “confirms Part 2 compliance”?

No. Part 2 compliance depends on whether Part 2 applies to the provider and whether the provider has obtained Part 2-compliant consent/authorization and follows Part 2 disclosure rules. Part 2 consent has required elements set by regulation.

Is Mentalyc compliant with 42 CFR Part 2?

Mentalyc provides HIPAA-aligned safeguards under a BAA. If a provider is subject to Part 2, the provider is responsible for obtaining any Part 2-required patient consent/authorization before using Mentalyc to process Part 2-protected SUD records. Part 2 governs when/how SUD records may be disclosed. You can download a template here.

Will my boss be aware that I am using Mentalyc?

If you purchased the plan yourself, your supervisor or practice manager won't know you're using the app unless you choose to share that information.

However, if your practice purchased the plan for you, they may be able to see the clients linked to your account. If you're working with clients who aren't part of the group practice, we recommend using a separate personal account to ensure client confidentiality.

Do you use my data for AI training purposes?

No. We do not use your data to train AI models.

Our platform is HIPAA, PHIPA, PHIA, PIPEDA, and SOC 2 Type II compliant and built to the highest security standards, so your data is always protected, private, and only accessible to you.

We also do not sell or share your data with others. You have full control over what you store in Mentalyc, and you can delete it at any time.

Does Mentalyc provide a BAA?

Yes! When you create an account, you agree to our BAA. You can review it anytime in your profile and download a signed version if needed: just click [Generate BAA].

What does Mentalyc do with my session recordings?

Mentalyc temporarily uses your session recording to create a transcript. We securely store the audio for up to 3 days, just in case something needs to be fixed or retried with your note. After that, the audio is automatically deleted.

The transcript we create is fully anonymized: it never includes names or personal details. Anonymizing means removing identifying details from transcripts to keep sessions private. We don’t require identifiable client data to generate notes, and we store only the minimum necessary information to provide value to clinicians, nothing more.

For those who prefer a balance, we also offer partial anonymization: we keep limited details like first names while removing sensitive identifiers. This is especially helpful for therapists who need clearer context, like in family sessions, without compromising security.

Everything is handled with care and stays fully HIPAA- and SOC 2 Type II-compliant.

Are session transcripts created in Mentalyc considered medical records?

In Mentalyc, session transcripts are fully anonymized: they don’t include names or any information that could identify a specific client or therapist. Because of this, they are not considered medical records. However, if you choose to keep transcripts linked to a client's name in your own records, those could be treated as part of their medical file, depending on your local regulations.

Is Mentalyc compliant with the data protection regulations in Canada, namely PIPEDA, PHIPA, PIPA, and PHIA?

Mentalyc is fully compliant with the data protection regulations in Canada, including PIPEDA, PIPA, PHIA and PHIPA. It adheres to the highest standards of confidentiality and privacy to ensure the safety of our clients' data.

Will my clients know if I'm using Mentalyc or recording our sessions?

Will my clients know I’m using Mentalyc?
Not automatically. It’s up to you whether to share that you’re using Mentalyc, but we recommend being transparent to support trust and a strong therapeutic relationship.

Will clients know if their session is being recorded?
It depends on how you record:
- Using an external recorder (e.g., Zoom’s built-in recording): clients are typically notified automatically when recording begins.
- Using Mentalyc’s recorder (also during a Zoom call): clients are not notified (only audio is recorded).

What if a client doesn’t want to be recorded?
That's okay - you can still use Mentalyc by summarizing the session afterward using our simple dictation feature.

Need help getting consent?
We provide a customizable Client Consent Form along with helpful talking points to make the process clear and smooth.

Is Mentalyc compliant with New Zealand's Privacy Act?

Yes, Mentalyc complies with New Zealand’s Privacy Act. You have the right to access, correct, and control your personal information, including opting out of marketing. For full details, check out our Privacy Policy.

Can my clients access the notes on Mentalyc?

No, your clients do not have direct access to your notes in Mentalyc. Only you can view them. If you choose to share notes, you can do so by downloading them and sending them via email or printing them out. Your notes are private, secure, and accessible only by you or someone you’ve specifically authorized.

Can I use ChatGPT to write therapy notes?

No. ChatGPT (or similar platforms) is not HIPAA-compliant and must not be used to write or store clinical notes. It lacks the required security measures (like a BAA), and entering client data into it puts privacy at risk, even if de-identified. To stay HIPAA-compliant, always use trusted, secure platforms, like Mentalyc, that are designed for clinical use.

Is there a client consent form available for use on Mentalyc?

Yes! Mentalyc provides a ready-to-use client consent form designed by industry experts to ensure privacy and compliance. You can easily download, customize, and share it with your clients while keeping a copy for your records. We also offer helpful talking points to guide your discussions about consent. And if a client prefers not to be recorded, you can still use Mentalyc’s dictation feature to document sessions smoothly.

Could Mentalyc notes be requested in court?

Whether Mentalyc notes may be requested in court depends on how you use the app. If you create progress notes with client info, they can become part of the medical record and might be disclosed. But if you use the app just for reference or education without including client details, it’s unlikely these notes will be requested.

Keep in mind, courts can request information if needed, though this is extremely rare. To reduce the chance of your notes being requested, you can delete transcripts after recording, carefully review and finalize your notes, and sign them, so no extra data stays in the app.

Is Mentalyc secure and compliant with privacy regulations?

Yes. Mentalyc is fully HIPAA-compliant and SOC 2 Type II certified in the U.S., and also meets Australian Privacy Principles and Canada's PIPEDA, PHIPA, PIPA, and PHIA standards. Mentalyc is trusted by 30,000+ therapists for HIPAA compliant AI therapy notes with full end-to-end encryption and US-based data residency.

Beyond compliance, Mentalyc offers full data anonymization: session audio is processed and immediately deleted, and transcripts are stripped of identifying details. Your data is never used to train AI models. You can download a signed Business Associate Agreement (BAA) directly from your account settings.