HIPAA Compliance & Business Associate Agreements
Protecting patient data with encrypted, BAA-backed infrastructure designed for mental health professionals
Our Commitment to HIPAA
Mental Note AI is built from the ground up with HIPAA compliance in mind. We know you work with sensitive patient information every day, and we've engineered our platform to protect that data at every step.
We encrypt PHI in transit and at rest and process it under Business Associate Agreements with our infrastructure providers. We minimize how long we retain data, never sell it, and never train AI models on your notes. You can request deletion at any time.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that protects the privacy and security of patient health information. For mental health professionals, HIPAA requires that you:
- Protect patient privacy: Keep patient health information (PHI) confidential and only use it for treatment, payment, or healthcare operations
- Maintain security: Use appropriate safeguards to prevent unauthorized access, use, or disclosure of patient data
- Notify patients: Inform patients if there is ever a breach of their health information
If you're a healthcare provider or work for a covered entity, HIPAA compliance is not optional—it's a legal requirement.
How Mental Note AI Addresses HIPAA Requirements
Privacy Rule
We encrypt patient information and process it under Business Associate Agreements, minimizing how long we retain it.
Clinical content is processed by our AI service providers under BAAs and encrypted in transit and at rest. We restrict internal access and let you request deletion.
Security Rule
Our security practices include:
- Encryption: All communication between Mental Note AI and Microsoft's infrastructure uses industry-standard encryption
- Access controls: Only authorized personnel have access to system infrastructure
- Microsoft infrastructure: Mental Note AI leverages Microsoft's HIPAA-compliant cloud infrastructure. For more details, see our Security page
Breach Notification Rule
We maintain incident response procedures and protocols for investigation, impact assessment, and notification as required by HIPAA. We minimize the data we retain and encrypt it in transit and at rest to reduce breach risk.
Data Protection: Why It Matters
Our data-protection approach:
Clinical content is encrypted in transit and at rest and processed under Business Associate Agreements. We minimize retention and you can request deletion.
Here's how it works:
- You describe your clinical session in your Word document
- Mental Note AI processes that description in real-time
- The generated note is returned directly to your Word document
- Data is encrypted and retained only as needed; you can request deletion
Your data is encrypted, access-restricted, and handled under a BAA, and you retain control of your documents.
Business Associate Agreement (BAA)
A Business Associate Agreement is a contract between a covered entity (like your practice) and a business associate (like Mental Note AI). It establishes legal obligations for protecting patient health information.
If you're a HIPAA covered entity or work with one, you may need a BAA with Mental Note AI. A BAA clarifies:
- How Mental Note AI handles patient health information
- Mental Note AI's obligations to protect that information
- How to handle security incidents or breaches
- Your rights to audit and monitor Mental Note AI's practices
To request a Business Associate Agreement, please contact us at support@mentalnote.ai with details about your organization and use case.
Request our BAA
Tell us where to send our Business Associate Agreement. A signed BAA is included on every paid plan.
Your Responsibilities
Mental Note AI supports HIPAA compliance, but you remain responsible for compliance at your practice. This includes:
- Review AI drafts: Always review notes before putting them in a patient's medical record. AI augments your judgment; it doesn't replace it
- Your own safeguards: Implement policies, training, and access controls at your practice
- Secure your Microsoft environment: Use strong passwords, multi-factor authentication, and access controls on Word and Office 365
- Train staff: Ensure anyone using Mental Note AI understands HIPAA and your practice's information policies
- Document use: Keep audit records of how Mental Note AI is used in your practice
Microsoft's Role
Mental Note AI operates within Microsoft's ecosystem as a Word add-in. Microsoft maintains its own HIPAA compliance program and offers Business Associate Agreements for Office 365 users.
Microsoft's infrastructure supports HIPAA compliance under BAA and is used by major healthcare organizations. If you have concerns about Microsoft's compliance or need a BAA with them directly, you can review their compliance documentation and request a BAA for your Office 365 subscription.
Frequently Asked Questions
Your data is encrypted and processed under Business Associate Agreements. We minimize how long we retain it and restrict internal access, and you can request deletion at any time.
Mental Note AI is designed with HIPAA compliance as a core principle. Encryption, Business Associate Agreements, and Microsoft's HIPAA-compliant infrastructure support compliance. However, your healthcare organization bears ultimate responsibility. If you're a covered entity, we strongly recommend requesting a Business Associate Agreement to formalize our obligations.
If you are a HIPAA covered entity or business associate, we strongly recommend requesting a Business Associate Agreement. A BAA establishes legal obligations for protecting patient health information and clarifies both parties' responsibilities. To request a BAA, contact us at support@mentalnote.ai with information about your organization and use case.
Yes. Mental Note AI can be used to generate clinical notes for teletherapy sessions, provided your teletherapy platform and overall setup comply with HIPAA. The key requirement is that you generate the notes within a secure environment and ensure patient data is not transmitted through unsecured channels. Always review generated notes before including them in the patient record.
We have incident response procedures for investigation, impact assessment, and notification as required by law. We encrypt data in transit and at rest and minimize retention to reduce the risk of patient exposure.
HIPAA Questions?
If you have questions about HIPAA compliance, need a Business Associate Agreement, or have concerns about how Mental Note AI handles patient data, please contact our team:
Email: support@mentalnote.ai
We're here to help you use Mental Note AI with confidence.
Ready to generate secure clinical notes?
Start using Mental Note AI in Microsoft Word today
Try for Free in Word
Last updated March 15, 2026