HIPAA-Compliant
Therapy Note Software
Notelyx is built to meet HIPAA requirements for handling protected health information — not as an afterthought, but as a design constraint from day one.
What HIPAA requires
The compliance checklist — and how Notelyx meets it
Encryption at rest and in transit
All data stored in Notelyx is encrypted using AES-256. All data in transit is encrypted using TLS. Your notes never travel or sit unencrypted.
Business Associate Agreement (BAA)
Every Notelyx account includes a signed BAA — accepted during signup. You can read the full BAA at any time from your account or at easysoapnote.com/legal/baa.
Minimum necessary standard
Notelyx only collects what is needed to generate your note. Raw session observations are automatically and permanently deleted 24 hours after note generation — the minimum retention necessary.
No use of PHI for vendor benefit
Your session observations and notes are never used to train AI models or improve Notelyx's systems, and they are never shared with third parties. What you write stays yours.
Access controls
Each account is protected by email/password authentication. Notes are scoped to your account — no other user can access your records.
Notelyx never records or transcribes your sessions.
Many AI note tools require audio access. Notelyx does not. You write brief bullet-point observations after the session, and the AI structures them into a complete note. Nothing is captured beyond what your client already consented to in your standard disclosure form.
Data lifecycle
What happens to your data
Nothing collected
Notelyx has no access to your session. No microphone, no video, no ambient listening. The session is between you and your client.
Bullet points entered
You enter 4–8 short observations into Notelyx. These are transmitted over encrypted TLS and stored encrypted at rest. The AI generates your note.
Raw input deleted
Your bullet-point observations — the raw PHI — are automatically and permanently purged. The generated and signed note is retained until you delete it.
AI and HIPAA
Is AI for therapy notes HIPAA compliant?
The short answer: yes — if the vendor has taken the right steps. Here is what to check before using any AI tool for therapy documentation.
Does the vendor sign a BAA?
This is non-negotiable. Without a BAA, you cannot legally share PHI with a vendor. Notelyx provides a signed BAA to every user at signup.
Is data encrypted?
Encryption at rest and in transit is required. Notelyx uses AES-256 at rest and TLS in transit. Your data is never unprotected.
Does the AI train on your data?
Many consumer AI tools use your data to improve their models. Notelyx's AI never trains on your session observations or notes.
Is raw PHI deleted?
Retaining raw session observations indefinitely is unnecessary and increases risk. Notelyx automatically deletes raw observations 24 hours after note generation — the minimum necessary retention.
FAQ
HIPAA and therapy notes
Does therapy note software need to be HIPAA compliant?
Yes. Any software that stores, processes, or transmits protected health information (PHI) — including therapy notes — must meet HIPAA requirements. The vendor must also sign a Business Associate Agreement (BAA) with you before you can legally use their product to handle client information.
What makes therapy note software HIPAA compliant?
HIPAA-compliant software must: encrypt data at rest and in transit, implement access controls, maintain audit logs, have a breach notification policy, and sign a Business Associate Agreement (BAA) with each covered entity. Notelyx meets all of these requirements.
What is a Business Associate Agreement (BAA)?
A BAA is a legally binding contract required by HIPAA between you (the covered entity) and any vendor that handles PHI on your behalf. It specifies how the vendor will safeguard your clients' data. Notelyx provides a signed BAA to every user — review it at easysoapnote.com/legal/baa.
Is using AI for therapy notes a HIPAA violation?
Not if the AI tool is HIPAA compliant and you have a signed BAA. Notelyx meets HIPAA requirements: data is encrypted, raw observations are deleted after 24 hours, the AI never trains on your data, and every user receives a signed BAA. Using Notelyx is consistent with your HIPAA obligations.
How long must therapists keep progress notes?
HIPAA defers to state law on retention periods. Most US states require therapy records to be retained 6–10 years after last client contact, or until the client turns 18 for minors. Notelyx retains your generated and signed notes until you delete them, and automatically purges only the raw session observations after 24 hours.
HIPAA-compliant notes.
Ready in seconds.
BAA included. No audio. No training on your data. Free during beta.