Therapy Session Transcription Ethics: Consent and HIPAA
ethicstherapytranscription

Therapy Session Transcription Ethics: Consent and HIPAA

BMMamane B. MoussaMay 26, 2026Updated July 2, 202612 min read

Summarize this article with:

The Ethical Questions First

Recording a therapy session without explicit informed consent is an ethics-code violation, regardless of what your state's wiretapping law permits. If that recording also contains identifiable patient information, storing or transcribing it through any service without a signed Business Associate Agreement (BAA) is a HIPAA violation in the United States. Those two facts settle the majority of questions therapists ask about transcription. Everything below fills in the shape of why, and where the edges are.

This post covers ethics and technical requirements, not therapy practice. It is not legal advice and not clinical advice. For clinical guidance, consult your licensing board. For legal questions, consult an attorney in your jurisdiction.

Why Ethics Codes Come Before Data Law

Therapists often ask "is recording legal in my state?" as the first question. That is the wrong starting point.

The APA Ethics Code Standard 4.03 (Recording) requires explicit permission from all individuals before a psychologist records their voice or image. There are no exceptions for convenience, note-taking, or supervision without client knowledge. Standard 4.02 (Discussing Limits of Confidentiality) requires therapists to address confidentiality at the outset of the relationship, which includes any recording practices. Standard 3.10 (Informed Consent) requires that consent be given in understandable language.

The NASW Code of Ethics goes further: it requires written informed consent when technology is used in service delivery, including audio recording. The NBCC Code requires consent to be documented in a counseling services agreement or other written form before recording occurs.

One-party and two-party consent laws (12 states require all-party consent as of July 2026, per recordinglaw.com) are criminal wiretapping statutes. They set a criminal liability floor, not an ethical ceiling. A therapist in a one-party consent state who records without disclosure is still in violation of their ethics code and risks licensure action, even if they face no criminal exposure.

My take: the consent question and the data-handling question are separate problems. Ethics codes govern the first. HIPAA governs the second. Both must be satisfied. Neither satisfies the other.

What HIPAA Requires for Therapy Recording

In the United States, therapy session content involving identifiable patient information is Protected Health Information (PHI). HIPAA requires:

  • A signed Business Associate Agreement with every service that creates, receives, maintains, or transmits PHI on your behalf.
  • Audit logs of who accessed what and when.
  • Encryption at rest and in transit.
  • Defined retention and deletion policies.
  • Breach notification procedures aligned with the HIPAA Security Rule (which received updated risk-management requirements in 2026).

Transcription is squarely within this scope. When you send a session recording to a transcription service, that service is receiving PHI. Without a BAA, both the practice and the vendor are out of compliance from the moment of first transmission.

A 2026-specific issue worth flagging: the updated HIPAA Security Rule places explicit risk-management practice expectations under 45 CFR 164.308. BAAs pre-dating 2025 may not reference these requirements. If your BAA is over three years old, a refresh is worth confirming with your compliance team or attorney.

Which Providers Offer a BAA for Transcription

Here is how the major transcription options sit on BAA availability, based on vendor documentation checked July 2026:

ProviderBAA AvailableModel Training on PHIBest For
AWS Transcribe Medical / HealthScribeYes (via AWS BAA)No (stateless, per AWS docs)Clinician-patient documentation at scale
Google Cloud Speech-to-TextYes (GCP BAA covers all infra)Opt-out required (data logging program)Custom clinical builds on GCP
AssemblyAIYes (BAA + explicit no-training commitment)No (per AssemblyAI BAA terms)API-based clinical applications
ConvertAudioToTextNoNot applicableNon-PHI therapy-adjacent audio only

The Google Cloud note matters: if you have a GCP BAA in place and use Cloud Speech-to-Text, you must not opt into Google's data logging program, or your BAA protections are functionally undermined.

For AWS, both Amazon Transcribe Medical and the newer AWS HealthScribe (which generates structured clinical notes from conversation audio) are HIPAA-eligible services covered under the AWS BAA. Customers must accept the BAA through the AWS account console. AWS states these services are stateless: they do not store inbound audio or output text.

For therapists who want a more purpose-built layer on top of these APIs, therapy-specific HIPAA-certified vendors (SimplePractice, TherapyNotes, and similar platforms that include documentation features) handle BAA compliance as part of the product. These are worth evaluating before building a custom workflow.

Outside the United States

International frameworks reach similar conclusions through different law:

EU: GDPR treats health data as special-category data requiring explicit consent and additional safeguards (Article 9). Some EU member states have national health data laws layered on top.

UK: UK GDPR plus the Data Protection Act 2018. NHS clinical guidance applies for NHS-adjacent work.

Canada: PIPEDA federally, with province-level health information laws. Ontario's PHIPA and Alberta's HIA have specific requirements for health record handling.

Australia: Privacy Act 1988 with the Australian Privacy Principles. Sensitive information (including health data) has heightened handling requirements.

The practical outcome is the same across jurisdictions: explicit documented consent, secure processing, defined retention limits, and patient rights to access and deletion. The transcription provider you choose must meet those requirements for the jurisdiction in which you practice.

When Recording Therapy Sessions May Be Appropriate

Recording therapy sessions is not inherently inappropriate. Several established frameworks include it:

Supervision for trainee therapists. Required for many graduate programs and licensure pathways. Recordings are reviewed by a supervising clinician. Strict consent and short retention periods are standard. This is the clearest legitimate use case per the Society for the Advancement of Psychotherapy's ethics guidance.

IRB-approved therapy research. Research that explicitly includes recording as part of the study methodology. Requires specific research-use consent separate from treatment consent.

Quality improvement programs. Some group practices or agencies record sessions for structured QI review. Patient consent is required, and retention is limited to the review cycle.

Therapist's own notes, occasionally. Some therapists request permission to record as an aid to their own clinical notes. Requires explicit client consent, clarity about storage, and defined deletion. This is the case where client hesitation should lead to abandoning the plan.

In every legitimate scenario, recording happens within an established clinical, supervisory, or research framework, with consent that covers the specific use.

Consent for recording is a conversation, not a form. The elements it must cover:

Purpose. Why is this recording being made? Supervision, research, QI review, therapist note-taking? The reason matters because it shapes storage, access, and retention.

Storage. Where does the recording live? What security protections are in place? Who is the provider, and do they have a BAA?

Retention. How long will the recording be kept? What triggers deletion?

Access. Who can listen to or read a transcript of this recording? Supervisor only? IRB members? A QI committee?

Right to withdraw. The client can revoke consent at any time. What happens to the recording if they do?

Right to access. Can the client request a copy of the recording or transcript?

Breach procedures. What happens if the storage system is compromised?

Termination. What happens to the recording when the therapeutic relationship ends?

If any part of this conversation creates visible hesitation in the client, that hesitation is clinical data. Recording probably should not proceed. The convenience to the therapist does not outweigh the client's comfort in the space.

Therapy-Adjacent Work Where Non-HIPAA Tools Fit

There is a category of work that sits near therapy but contains no patient PHI, and a standard transcription tool is appropriate there.

Therapist-produced educational content. A licensed therapist recording a podcast about anxiety management, a lecture for a continuing education course, or a YouTube series on mental health topics has created content, not clinical records. No client data, no HIPAA obligation.

Wellness and executive coaching. Coaches who are not licensed therapists and whose clients are not patients are outside HIPAA entirely. The workflow in transcription for coaching sessions applies, and a no-signup tool is often a practical fit.

Personal continuing education notes. Transcribing recorded conference talks, training videos, or supervision-of-supervision sessions for a therapist's own learning. No client data is present.

Fully de-identified research data. Where individuals cannot be re-identified and all links back to original PHI are destroyed, HIPAA's scope ends. Some research uses this pattern for aggregate analysis.

For any of these, ConvertAudioToText is appropriate: upload audio and get a clean transcript without an account, with no BAA required because no BAA is needed.

ConvertAudioToText audio upload tool for non-PHI content like educational recordings and podcasts
ConvertAudioToText audio upload tool for non-PHI content like educational recordings and podcasts

The Technical Workflow for HIPAA-Eligible Recording

If you are in a legitimate use case and using a BAA-covered provider, the sequence:

  1. Obtain documented informed consent before any recording begins.
  2. Record the session using HIPAA-compliant recording software (not a consumer app without a BAA).
  3. Transfer the recording to HIPAA-compliant storage immediately. Do not park it on a personal device or cloud folder without a BAA.
  4. Submit to your BAA-covered transcription service.
  5. Review the transcript on a device and environment meeting your security requirements.
  6. Retain only what the clinical or research purpose requires.
  7. Delete according to the retention policy defined in consent.

The transfer steps are where most breaches actually happen. A recording that lives in the right place at rest can still be sent somewhere wrong in transit.

Also relevant: HIPAA-compliant transcription covers how to evaluate whether a specific provider's BAA actually holds up, and what questions to ask about subcontractor BAAs (a common gap where a vendor's BAA is sound but they send your data to a subprocessor without one).

What This Means by Role

Licensed therapist: In most clinical settings, recording session content is not standard practice and is not necessary for documentation. If you are recording for supervision or research, a BAA-covered provider is required. If you are creating educational content, a standard tool works fine.

Trainee therapist in supervised practice: Follow your training program's data handling requirements. Their approved HIPAA-eligible provider is the right one to use, not a personal account on any tool.

Mental health researcher: Work within your IRB-approved data handling protocols. Provider selection is part of those protocols and should be specified in your IRB application.

Wellness or executive coach (not a licensed therapist): Client recordings are outside HIPAA. Use strong consent practices regardless, because they protect both you and your clients. See transcription for coaching sessions for a practical workflow.

Mental health content creator: Educational content has no patient PHI. Standard transcription tools, including this one, are appropriate. Keep the content educational, not clinical, and make sure any case examples are composite, fictionalized, or fully consented.

FAQ

Under the NASW Code of Ethics, yes: consent to record must be written. The APA Ethics Code (Standard 4.03) requires permission from all individuals before recording their voice or image, and that consent must be documented. A checkbox buried in intake paperwork is not sufficient. Consent should be a separate, specific conversation that covers purpose, storage location, retention period, who can access the recording, and the client's right to withdraw at any time.

No. One-party and two-party consent laws are criminal wiretapping statutes. They set a floor for legality, not an ethical ceiling. Professional ethics codes (APA, NASW, NBCC) require explicit informed consent to record regardless of what state law permits. Recording a client without their knowledge would be an ethics-code violation even where it is technically legal under state law.

Is HIPAA required for therapy transcription, and which providers offer a BAA?

In the United States, therapy session content containing identifiable patient information is Protected Health Information (PHI) under HIPAA. Any transcription service that processes PHI must sign a Business Associate Agreement (BAA) with your practice. Providers that offer BAAs for transcription work include AWS (covering Amazon Transcribe Medical and AWS HealthScribe), Google Cloud (Speech-to-Text covered under GCP's BAA), and AssemblyAI (BAA available, with an explicit no-model-training commitment). Per their respective vendor documentation, checked July 2026. ConvertAudioToText does not offer a BAA and is not appropriate for PHI.

What therapy-adjacent work can use a non-HIPAA transcription tool?

Any content that contains no patient PHI is outside HIPAA's scope. Examples include a therapist recording their own educational podcast, transcribing conference talks or continuing education lectures for personal notes, or producing mental health content for a public audience. Non-licensed coaches (executive, wellness, life coaches) working outside clinical practice are also outside HIPAA. Fully de-identified research data where re-identification is impossible is another valid case. For all of these, a standard transcription tool is appropriate.

Sources

Try transcription free

Convert any audio or video to clean, unwatermarked text — speaker labels, timestamps, and AI summaries included. First 30 minutes free, no account.

Related Articles