HIPAA Compliance & Business Associate Agreements
Protecting patient data with secure, zero-retention architecture designed for mental health professionals
Our Commitment to HIPAA
Mental Note AI is built from the ground up with HIPAA compliance in mind. We know you work with sensitive patient information every day, and we've engineered our platform to protect that data at every step.
We go further than compliance checkboxes: we use zero-data retention architecture. Patient information never leaves your control. Every clinical note stays in your Microsoft Word environment. You have complete visibility and control. We never store, retain, or have access to your patient data.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that protects the privacy and security of patient health information. For mental health professionals, HIPAA requires that you:
- Protect patient privacy: Keep patient health information (PHI) confidential and only use it for treatment, payment, or healthcare operations
- Maintain security: Use appropriate safeguards to prevent unauthorized access, use, or disclosure of patient data
- Notify patients: Inform patients if there is ever a breach of their health information
If you're a healthcare provider or work for a covered entity, HIPAA compliance is not optional—it's a legal requirement.
How Mental Note AI Addresses HIPAA Requirements
Privacy Rule
We never store patient information on our servers. This eliminates the biggest compliance risk for healthcare software.
All processing happens in real-time within your Microsoft Word environment. Clinical content never touches our infrastructure. Once you generate and insert a note, you maintain complete control. Mental Note AI has no ongoing access to patient data.
Security Rule
Our security practices include:
- Encryption: All communication between Mental Note AI and Microsoft's infrastructure uses industry-standard encryption
- Access controls: Only authorized personnel have access to system infrastructure
- Microsoft infrastructure: Mental Note AI leverages Microsoft's HIPAA-compliant cloud infrastructure. For more details, see our Security page
Breach Notification Rule
We maintain incident response procedures and protocols for investigation, impact assessment, and notification as required by HIPAA. However, since we don't store patient data, the risk of patient exposure through our platform is dramatically lower than systems that retain data on servers.
Zero Data Retention: Why It Matters
This is Mental Note AI's core security advantage:
Clinical content is processed in real-time within Microsoft Word. We never store, retain, or access patient information.
Here's how it works:
- You describe your clinical session in your Word document
- Mental Note AI processes that description in real-time
- The generated note is returned directly to your Word document
- We delete the interaction immediately—no record, no storage
You don't worry about data sitting on our servers, being accessed by our team, or exposed in a breach. Your patient data stays in your control. Period.
Business Associate Agreement (BAA)
A Business Associate Agreement is a contract between a covered entity (like your practice) and a business associate (like Mental Note AI). It establishes legal obligations for protecting patient health information.
If you're a HIPAA covered entity or work with one, you may need a BAA with Mental Note AI. A BAA clarifies:
- How Mental Note AI handles patient health information
- Mental Note AI's obligations to protect that information
- How to handle security incidents or breaches
- Your rights to audit and monitor Mental Note AI's practices
To request a Business Associate Agreement, please contact us at support@mentalnote.ai with details about your organization and use case.
Your Responsibilities
Mental Note AI supports HIPAA compliance, but you remain responsible for compliance at your practice. This includes:
- Review AI drafts: Always review notes before putting them in a patient's medical record. AI augments your judgment; it doesn't replace it
- Your own safeguards: Implement policies, training, and access controls at your practice
- Secure your Microsoft environment: Use strong passwords, multi-factor authentication, and access controls on Word and Office 365
- Train staff: Ensure anyone using Mental Note AI understands HIPAA and your practice's information policies
- Document use: Keep audit records of how Mental Note AI is used in your practice
Microsoft's Role
Mental Note AI operates within Microsoft's ecosystem as a Word add-in. Microsoft maintains its own HIPAA compliance program and offers Business Associate Agreements for Office 365 users.
Microsoft's infrastructure is certified for HIPAA compliance and used by major healthcare organizations. If you have concerns about Microsoft's compliance or need a BAA with them directly, you can review their compliance documentation and request a BAA for your Office 365 subscription.
Frequently Asked Questions
No. We use zero-data retention architecture: all processing happens in real-time within Microsoft Word. We don't store, retain, or have ongoing access to patient information. Once you generate and insert a note, Mental Note AI has no further access to that data.
Mental Note AI is designed with HIPAA compliance as a core principle. Zero-data retention architecture, encryption, and Microsoft's HIPAA-certified infrastructure support compliance. However, your healthcare organization bears ultimate responsibility. If you're a covered entity, we strongly recommend requesting a Business Associate Agreement to formalize our obligations.
If you are a HIPAA covered entity or business associate, we strongly recommend requesting a Business Associate Agreement. A BAA establishes legal obligations for protecting patient health information and clarifies both parties' responsibilities. To request a BAA, contact us at support@mentalnote.ai with information about your organization and use case.
Yes. Mental Note AI can be used to generate clinical notes for teletherapy sessions, provided your teletherapy platform and overall setup comply with HIPAA. The key requirement is that you generate the notes within a secure environment and ensure patient data is not transmitted through unsecured channels. Always review generated notes before including them in the patient record.
We have incident response procedures for investigation, impact assessment, and notification as required by law. However, because we don't store patient data persistently, the risk of patient exposure through Mental Note AI is significantly lower than systems that keep data on their servers.
HIPAA Questions?
If you have questions about HIPAA compliance, need a Business Associate Agreement, or have concerns about how Mental Note AI handles patient data, please contact our team:
Email: support@mentalnote.ai
We're here to help you use Mental Note AI with confidence.
Last updated March 15, 2026