HIPAA Compliant Online Record Keeping for Behavioral Health Clinicians

Managing client records is one of the most important (and most regulated) responsibilities a therapist carries. Between clinical notes, insurance claims, client communications, and now AI-assisted documentation, the surface area for a potential HIPAA violation keeps expanding. For smaller practices without dedicated compliance staff, keeping up with changing guidelines can feel like a second job.

The good news is that the right EHR software handles most of this for you. Here's what therapists need to know about HIPAA compliant online record keeping, and why My Best Practice is worth a close look for meeting those requirements.

Why HIPAA Compliance Matters for Online Records

The Health Insurance Portability and Accountability Act (HIPAA) governs how Protected Health Information (PHI) is stored, transmitted, and accessed. For therapists, this covers clinical notes, billing records, appointment scheduling, telehealth sessions, client messages, and more.

Under HIPAA, therapists are considered covered entities when they transmit health information electronically in connection with billing or treatment. That means:

  • Any electronic system used to store or share PHI must meet HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule

  • Every vendor handling PHI on your behalf must sign a Business Associate Agreement (BAA)

  • Violations carry penalties up to $50,000 per incident, with annual caps reaching $1.5 million for identical violations.

Beyond the fines, a breach erodes client trust in ways that are hard to recover from, especially for smaller practices where reputation is everything.

HIPAA Compliance and Insurance Billing

My Best Practice billing dashboard

Most therapists understand that clinical notes require privacy protections. Fewer realize that billing records carry the same obligations. Whether you're submitting insurance claims, sending invoices, or receiving reimbursements, HIPAA's rules apply to every step.

Common billing pitfalls that create HIPAA exposure:

  • Using non-compliant payment tools: Platforms like PayPal, Venmo, QuickBooks, and Zelle do not meet HIPAA requirements and are inappropriate for processing client PHI in billing workflows.

  • Insecure claim transmission: Insurance claims must be submitted through encrypted, HIPAA-compliant channels, not standard email.

  • Missing BAAs with clearinghouses: Any third-party billing service or clearinghouse that touches your claims data is a business associate and must sign a BAA.

  • Inadequate audit trails: Insurers can request documentation of who accessed or modified a claim. Audit logs are essential in this case.

My Best Practice addresses all of this in one platform. It includes integrated billing and insurance claim processing with automated CPT codes, ICD diagnoses, and Electronic Remittance Advice (ERA) support. Superbills are generated automatically, and the client portal lets patients securely access invoices for insurance submission, all within an encrypted, HIPAA-compliant environment. Because billing and clinical documentation live in the same system, PHI doesn't need to pass through multiple vendors, which reduces both risk and administrative friction.

AI Tools and HIPAA: What Behavioral Health Professionals Must Know

AI-assisted documentation is rapidly becoming a standard part of therapy practice, and the HIPAA implications are real. When an AI tool processes session content, it may be receiving and interacting with PHI to provide customized output. That interaction must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule, just like any other system. For this reason, any AI tool that is not integrated within your EHR system must meet strict HIPAA compliance for assistance with professional documentation or client treatment notes.

Key concerns therapists face when using AI for notes:

  • BAA requirement: Any AI platform that processes PHI must have a signed BAA in place. Consumer AI tools like ChatGPT are not designed for PHI and do not qualify.

  • Minimum necessary standard: AI tools must be configured to access only the PHI required for the task. Depending on the task, that may mean session summaries only, not full client histories.

  • Data training risk: Some AI platforms use input data to train their models. PHI should never feed into an external training dataset.

  • Regulatory momentum: The HHS Office for Civil Rights (OCR) proposed its first major update to the HIPAA Security Rule in 20 years in January 2025, with heightened emphasis on encryption, risk management, and AI-specific safeguards.

  • Therapist accountability: Even when using a compliant AI tool, the clinician remains responsible for reviewing, editing, and approving all AI-generated notes before they enter the record.

My Best Practice offers HIPAA-compliant AI Notes and AI Assist as an add-on for telehealth users. Available at $2 per note (on demand) or $60/month for unlimited progress notes and unlimited AI Assist, the feature generates session notes automatically during telehealth visits, while AI Assist serves as an integrated guide for everything from treatment plans to ROM analysis. Used alongside office workflows, the AI features in My Best Practice keep the therapist present with their client rather than occupied with documentation. Because they operate inside My Best Practice's existing HIPAA-compliant infrastructure, there's no separate BAA to negotiate, no third-party data exposure, and no additional vendor relationship to audit. The AI note is generated and reviewed within the same system where the rest of the clinical record lives, and can be deleted at any time for additional reassurance.

What HIPAA-Compliant Record Keeping Actually Requires

A HIPAA-compliant EHR is not just about checking a box. Here's what genuine compliance looks like in practice:

  • End-to-end encryption for all PHI in transit and at rest.

  • Role-based access controls limiting who can view which records.

  • Audit logging that tracks every login, edit, and deletion with timestamps.

  • Signed BAAs with every vendor touching PHI, including the EHR, telehealth provider, billing clearinghouse, and AI tools.

  • Secure client portal for intake forms, consent documents, messaging, and billing access.

  • Regular risk assessments to identify and address vulnerabilities.

  • Breach notification protocols in line with the 60-day notification requirement.

My Best Practice is built around these standards. Its encrypted client portal supports electronic intake forms, consent signatures, file sharing, and secure messaging. Clinical notes include automated CPT and ICD coding. Telehealth is seamlessly integrated. A Business Associate Agreement is incorporated directly into the Terms of Service, so new users are covered from day one.

Why My Best Practice Works for Smaller Practices

Large hospital systems and group practices can afford dedicated compliance officers who monitor regulatory updates and audit vendor relationships. Most independent therapists and small practices cannot.

That's exactly why a purpose-built, all-in-one system like My Best Practice matters. Instead of cobbling together separate tools for notes, billing, scheduling, and AI (each requiring its own BAA review and compliance evaluation), My Best Practice consolidates everything into a single, HIPAA-compliant environment.

Specific benefits for smaller practices:

  • No enterprise pricing: Designed to be accessible without paying for features a solo or small-group practice doesn't need.

  • Evidence-based note scaffolding: Clinical note templates were shaped by expert clinicians and include built-in cues for agenda setting, outcome tracking, and treatment planning, which reduces both documentation time and the risk of incomplete records.

  • Automated billing workflows: Insurance claim submission, ERA processing, and superbill generation happen automatically, reducing manual errors that can create both compliance risks and claim denials.

  • Compliance built in, not bolted on: The BAA is included in the Terms of Service; HIPAA-compliant infrastructure is the default, not an upgrade tier.

  • AI Notes designed for the platform: Because AI Notes operates within the existing system rather than as a third-party integration, the PHI never leaves the compliant environment.

A Practical Compliance Checklist for Therapists

Before your next session, confirm the following:

  • Your EHR vendor has signed a BAA with your practice.

  • Your billing software is HIPAA-compliant and covered by a BAA.

  • Any AI note-taking tools operate within your EHR's compliant infrastructure or have their own signed BAA.

  • Your telehealth platform is also encrypted and covered.

  • You have a breach notification plan in writing.

  • AI-generated notes are reviewed and approved before entering the official record.

  • You are receiving updates when your EHR vendor changes its compliance posture or terms.

My Best Practice checks every one of these boxes, and its straightforward pricing and simple design mean you won't need a manual or a consultant to get started.

Ready to See It in Action?

My Best Practice offers a free trial with no credit card required, as well as small group demos where you can ask questions, see the interface, and evaluate how it fits your workflow. For practices considering AI Notes, telehealth is required as a prerequisite add-on.

Note: This post is for informational purposes only and does not constitute legal advice. For guidance specific to your practice and jurisdiction, consult a qualified healthcare attorney or compliance professional.

References:

Federal Register (HIPAA Security Rule)

U.S. Department of Health and Human Services. "HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information." Federal Register, 6 Jan. 2025, www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information.

HHS Mental Health Special Topics

U.S. Department of Health and Human Services. "Mental Health." HHS.gov, www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html. Accessed 17 Mar. 2026.
