A licensed therapist on X earlier this month: “Entering PHI into ChatGPT for healthcare or therapy notes is a straight HIPAA violation.” Forty-four thousand likes and counting. The comments are a mix of “yes, obviously” and “wait, really?” — which tells you how muddled this has become.
The muddled part is real. ChatGPT Enterprise does offer a signed Business Associate Agreement, and in that specific configuration, with the right settings, it can be HIPAA-compliant. But Free, Plus, Go, and Team — the versions 95% of therapists actually use — do not. Anything a therapist pastes into those tiers with identifying client information is a violation, full stop.
The good news: the dedicated AI note-taking tools built for therapists have matured fast. Mentalyc, Upheal, and Blueprint are all BAA-signed, priced between $19 and $69 per month, and save a clinician roughly 12–15 hours per month on documentation. If you’re spending your weekends writing SOAP notes, the cost-benefit is not close.
This is the 2026 version of the conversation — what to use, how to pick, and the specific HIPAA trap to avoid.
Why ChatGPT Free/Plus/Team Are Not HIPAA-Compliant
HIPAA compliance requires three things:
- The vendor signs a Business Associate Agreement (BAA) — a legal contract that obligates them to protect Protected Health Information (PHI) to HIPAA standards.
- The vendor implements technical safeguards (encryption at rest and in transit, access controls, audit logs).
- The product is configured so that PHI stays within the BAA’s scope (no third-party logging, no training on your data, no cross-account sharing).
ChatGPT Free, Plus ($20/mo), Go ($4/mo), and Team ($25/user/mo) fail at step 1. OpenAI does not sign BAAs at those tiers. That means the moment you paste client-identifying information into the chat, you’ve shared PHI with a vendor who has no HIPAA obligation to you. The privacy risk is real, but the regulatory risk is worse: an OCR audit sees that as a textbook HIPAA violation, regardless of whether anything “bad” happened with the data.
ChatGPT Enterprise does sign BAAs (at about $60/user/month, with a minimum seat commitment that most small practices won’t meet). Reframe Practice’s breakdown lays out the tier-by-tier specifics. For a solo therapist or a 5-clinician group, ChatGPT Enterprise is usually overkill in both cost and configuration effort. Purpose-built tools are the right answer.
The “I Just De-Identify First” Rationalization (Don’t)
On therapist forums and in agency trainings, a common argument runs: “I don’t use client names. I just describe the case — a 32-year-old woman with anxiety, first session, CBT approach. That’s de-identified. That’s safe.”
It isn’t.
HIPAA’s definition of de-identification is specific. The “Safe Harbor” method requires removing 18 specific identifiers including name, geographic subdivisions smaller than a state, dates more granular than year, contact info, and any other data that, in combination, could re-identify the person. Writing “32-year-old woman, first session on Tuesday, lives in Brooklyn, works as a teacher at PS 138” fails the test. Even without a name, the quasi-identifiers narrow the possible people to a small enough set that re-identification becomes plausible — and under HIPAA, that’s the standard.
This is where therapists get tripped up. The intuition that “no name = no PHI” is wrong under the actual regulation. Don’t rely on it.
What “AI for Therapy Notes” Actually Replaces
The documentation burden is real, measurable, and getting worse.
- 93% of behavioral health clinicians report burnout symptoms, per multi-year industry surveys.
- Clinical documentation consumes roughly 30% of a therapist’s workday, averaging 13.5 hours per week — a 25% increase over seven years.
- A typical progress note takes 12–15 minutes to write. Six to eight sessions a day adds 1.5–2 hours of nightly charting.
- Most therapists report saving 2–3 hours per week after adopting a dedicated AI note tool — and 12–15 hours per month is a frequently cited number in vendor case studies and independent Reddit threads.
Source: PIMSY EHR’s documentation burnout analysis and Healos’ 2026 AI DAP note guide.
That weekly saving is the practical reason this category exists. It’s not about AI replacing clinical judgment. It’s about AI replacing the evening where you write seven SOAP notes at your kitchen table while your family eats dinner without you.
Mentalyc vs Upheal vs Blueprint: The Honest Comparison
Three platforms dominate the 2026 AI-for-therapy-notes market. Each has a distinct profile. Pick the one that matches your practice, not the one with the loudest marketing.
| Platform | Starting price | Best for | Key strength | Key weakness |
|---|---|---|---|---|
| Mentalyc | $19.99/mo | Solo / small practice, <10 clients/week | Widest template library (SOAP, DAP, BIRP, GIRP, narrative) + structured clinical output | Slower generation for some uploads; higher tiers get pricey |
| Upheal | $29/mo (free tier exists, no live capture) | Therapists who want session analytics alongside notes | Talk-time tracking, emotional tone analysis, “Golden Thread” treatment plans + free unlimited dictation tier | Less template flexibility than Mentalyc |
| Blueprint | Tiered (starts low, insurance-billing focus) | Measurement-based care practices | PHQ-9 / GAD-7 integration + outcomes tracking, EHR integrations | Less flexible on data-training opt-out vs Upheal |
Sources: Mentalyc’s own Upheal comparison (vendor but specific pricing), Supanote’s 7-tool comparison, and DeepCura’s 2026 rankings.
All three sign BAAs. All three encrypt session recordings in transit and at rest. All three publicly commit not to train their models on your client data. Those are table stakes for 2026.
Mentalyc — The Template Maximalist
Who it’s for: solo therapists and small group practices (under 10 clinicians), especially those with varied note formats across different payers or supervisors. If one of your supervisors wants BIRP notes, one payer requires DAP format, and you personally prefer narrative progress notes, Mentalyc’s template library covers all three without reconfiguration.
The real-user feedback: strong clinical accuracy, output that “sounds like you” after a few sessions of calibration, structured output that holds up on audit review. Reddit r/therapists users report that Mentalyc’s note quality requires the least post-generation editing compared to other tools. The main complaint is slower generation time (sometimes 1–3 minutes per note after upload).
The honest caveat: Mentalyc is vendor-owned marketing for this category. Their blog and resource pages consistently rank at the top of search results. That’s not a criticism — the content is genuinely useful — but know that every comparison article you find hosted on mentalyc.com ends with “Mentalyc wins.” Triangulate.
Upheal — The Session Analytics Play
Who it’s for: therapists who want more than a transcript-to-note tool — specifically, insight into their own clinical patterns. Upheal tracks talk-time ratios (were you talking 60% of the session? 40%?), emotional tone across the conversation, and themes across sessions over weeks.
The real-user feedback: often called a “godsend” for staying present with clients because the note-taking burden disappears. The free tier (unlimited dictation-based notes without live session capture) is meaningful — it’s the only major tool offering real free-tier use beyond a two-week trial. Privacy-first design is explicit: Upheal does not sell data, does not train on your data, and makes opt-out settings prominent.
The honest caveat: the session analytics feature is genuinely valuable but takes about 4–6 weeks of use to surface patterns worth acting on. If you try Upheal for two weeks and write it off, you missed the point. The depth is on the other side of habituation.
Blueprint — The Measurement-Based Care Workflow
Who it’s for: practices that bill insurance heavily and operate in measurement-based care (MBC) models. Blueprint’s core differentiator is integrated outcome measurement — PHQ-9 (depression), GAD-7 (anxiety), PCL-5 (PTSD), and others — auto-administered, auto-scored, and plugged into your progress notes as tracked data.
The real-user feedback: excellent for insurance-heavy practices where MBC documentation matters for reimbursement. EHR integrations (especially with SimplePractice) are a strength. The auto-generated notes are solid if somewhat rigid — less style flexibility than Upheal or Mentalyc, but formatted tightly for payer review.
The honest caveat: data-training opt-out is less flexible than Upheal’s. For MBC-heavy practices this tradeoff is usually worth it. For cash-pay private practice it often isn’t.
The Decision Tree
Four questions. Follow the answers.
1. Is your practice primarily insurance-billed with MBC measures? → Yes: Blueprint. → No: continue.
2. Do you write more than one format of notes across different supervisors, payers, or settings (SOAP + DAP + narrative + BIRP)? → Yes: Mentalyc. → No: continue.
3. Do you want session pattern analytics (talk-time, emotional tone, themes over weeks) alongside your notes? → Yes: Upheal. → No: continue.
4. Are you a solo therapist seeing fewer than 10 clients per week, price-sensitive, with standard SOAP/DAP needs? → Mentalyc at $19.99/mo or Upheal free tier (no live capture) or $29/mo paid.
Most solo private-practice therapists end up on Mentalyc or Upheal within a month of trial. Blueprint finds its audience in group practices with payer-heavy MBC workflows.
What This Means for You
If you’ve been using ChatGPT for therapy notes and paste client details: stop today. The risk isn’t “might.” It’s a structural HIPAA violation every time the chat contains PHI. Switch to Mentalyc, Upheal, or Blueprint by end of week. All three have free trials; the migration friction is low.
If you’ve been avoiding AI entirely out of caution: the BAA-signed category is designed exactly for you. Start with Upheal’s free tier (unlimited dictation-based notes, no live capture) — zero incremental cost, full BAA coverage, and you can test workflow fit against your actual caseload before committing to a paid plan.
If your agency is pressuring you to use ChatGPT or a non-BAA tool: say no in writing. An agency directive to violate HIPAA is not a defense in a compliance audit. Document the ask, escalate to your compliance officer, and if necessary, your state licensing board has a duty-to-report channel for supervisors pushing violations. Therapists on X have reported quitting over exactly this pressure — it’s a real trend, not a hypothetical.
If you supervise other clinicians: your practice needs a written AI use policy by Q2 2026. It should list approved tools, explicitly prohibit PHI in non-BAA tools, and include an annual acknowledgment every clinician signs. Most state licensing boards will expect this within the next 12–18 months.
If you’re in California, New York, Washington, or Colorado: watch for state-level AI-in-mental-health legislation in 2026–2027. California’s California Consumer Privacy Act (CCPA) and proposed therapy-specific AI bills will likely require additional disclosure beyond federal HIPAA. Nothing urgent today, but don’t sign long-term contracts without an exit clause.
The Ethical Layer HIPAA Doesn’t Cover
Even with a BAA-signed tool, the ethical questions in clinical AI are not settled.
A Brown University study published in 2025, and widely referenced in a ScienceDaily summary from March 2026, identified 15 distinct ethical risks when AI is used in mental health contexts. The risks most relevant to note-taking (as opposed to AI-as-therapist use cases):
- Deceptive empathy — AI-generated notes can use language that sounds like clinical understanding without it actually being present. Over time, this can subtly flatten your own clinical voice.
- Deskilling drift — clinicians who rely heavily on AI notes report, months in, that their unaided SOAP writing has degraded. Maintain an unaided writing muscle; you’ll need it in audits and court.
- Consent fragility — even when a tool is BAA-compliant, the client consent for session recording or transcription is a separate legal and ethical matter. Revisit your intake paperwork.
- Training-data downstream use — the vendor says today that they don’t train on your data. Contracts change. Read the fine print on any contract renewal. Opt out explicitly where possible.
These are not reasons to avoid AI note-taking. They are reasons to stay thoughtful about how you use it. The Brown researchers’ overall stance: AI can augment clinical workflow safely when used inside a careful framework. It should not replace clinical judgment.
A Quick Note on Consent
Every client recording requires consent. Every tool you use (Mentalyc, Upheal, Blueprint) ships with template consent language. Use it, and update your intake paperwork accordingly. Specifically, your consent form should disclose:
- That session audio will be recorded.
- The specific vendor handling the recording and note generation.
- Whether the vendor trains AI on your data (answer: should be “no” for BAA-signed tools).
- How long recordings are retained and how clients can request deletion.
- The client’s right to decline recording without affecting their care.
Most state licensing boards require at least points 1, 4, and 5 explicitly. Check your state-specific language.
The Bottom Line
ChatGPT Free, Plus, Go, and Team are not HIPAA-compliant. Don’t paste client details into those tiers — not even with “de-identification” handwaving. The purpose-built category (Mentalyc, Upheal, Blueprint) is mature, affordable, and designed for exactly the workflow you’re trying to automate.
If you save two hours a week on documentation and bill those hours clinically, the ROI math is roughly 15x on any of these tools. If you save those two hours and reclaim them for your life, the ROI is different but real.
Either way, the 2026 answer isn’t “avoid AI for clinical work.” It’s “use the right AI, configured the right way, with the consent and disclosure layer intact.”
Sources:
- Mentalyc — Using ChatGPT for Therapy Notes: Benefits, Limitations, HIPAA Concerns
- Reframe Practice — Is ChatGPT HIPAA Compliant in 2026? No. Here’s What Therapists Should Use Instead
- Mentalyc — Mentalyc vs Upheal Comparison (2026)
- Upheal — AI-native EHR for therapists
- Supanote — Best AI for Therapy Notes: 7 Top Tools Compared (2026)
- DeepCura — Best AI for Therapy Notes in 2026 — Ranked & Reviewed
- Trytwofold — HIPAA-Compliant AI Note Apps Ranked (2026)
- PIMSY EHR — Therapist Documentation Burnout Is a Structural Problem
- Healos — Best AI DAP Note Generator for Therapists in 2026
- HHS.gov — HIPAA De-Identification Guidance (Safe Harbor)
- Brown University — AI chatbots systematically violate mental health ethics standards (October 2025)
- ScienceDaily — ChatGPT as a therapist? New study reveals serious ethical risks (March 2026)
- Galenie — Best AI Tools for Therapy Notes (2026)
