Transcription for Therapy Sessions: The Ethics of Recording

What This Post Is and Is Not

This post is about the ethics of recording therapy and the technical questions around transcribing that recording. It is not therapy advice. It does not address whether therapy itself is recorded or transcribed. The clinical practice of therapy is governed by ethics codes, licensing requirements, and clinical judgment that this guide does not address.

What we cover here:

• Whether to record at all (consent, jurisdictional rules, clinical considerations).
• If you do record, where the recording lives and how long.
• The technical workflow if transcription is appropriate.
• The specific reason we, ConvertAudioToText, are not the right tool for actual therapy session recordings.

If you are a therapist evaluating transcription tools, the recommendation up front is: use a HIPAA-certified provider, not us. We are not HIPAA-certified. The rest of this post covers why that matters, and the edge cases where transcription tools might appropriately come into therapy-adjacent work.

Why HIPAA Certification Matters Here

In the United States, therapy session content involving identifiable patient information is Protected Health Information (PHI) under HIPAA. Storing, processing, or transmitting PHI requires:

• A Business Associate Agreement (BAA) with every service that touches the data.
• Audit logs of who accessed what when.
• Encryption at rest and in transit (we have this; many providers do).
• Defined retention and deletion policies.
• Breach notification procedures.

We provide TLS encryption, account-level access controls, and reasonable retention defaults. We do not provide a BAA. We are not on HIPAA's compliance pathway.

For therapy session recordings, use a HIPAA-certified provider with a BAA. Options include AWS Transcribe Medical (with proper AWS BAA setup), Google Cloud Speech-to-Text (with GCP BAA), or therapy-specific transcription services that market HIPAA compliance.

This is not a marketing dodge. It is the correct answer. If you put unencrypted PHI through a non-BAA service and have a breach, the legal exposure is yours, not ours.

Outside the United States

Other jurisdictions have their own frameworks:

EU: GDPR applies. Special category data (health data) requires explicit consent and additional safeguards. Some EU countries have additional protections beyond GDPR.

UK: UK GDPR plus the Data Protection Act 2018. NHS-specific guidance for clinical work.

Canada: PIPEDA federally, with province-level health information laws (PHIPA in Ontario, HIA in Alberta).

Australia: Privacy Act with health-specific principles.

Most jurisdictions land in roughly the same place: explicit informed consent, secure storage, defined retention, and patient rights to access and deletion. The transcription provider you use needs to meet those requirements.

When Recording Therapy Sessions Might Be Appropriate

Some scenarios where therapists or therapy-adjacent practitioners legitimately record sessions:

Supervision for trainee therapists. Required for many graduate programs and licensure paths. Recordings are reviewed by supervising clinicians. Strict consent and limited retention.

Therapy research. IRB-approved studies that explicitly include recording as part of the methodology. Specific consent for research purposes.

Quality improvement programs. Some agencies record sessions for internal QI review. Patient consent required.

Therapist's own notes (rare). Some therapists request to record for their own session notes. Requires explicit patient consent and clear understanding of where the recording goes.

In all of these, the recording is part of an established clinical, supervisory, or research framework with explicit consent and defined data handling.

When It Is Not Appropriate

A few patterns that are clearly out of bounds:

Recording without consent. Illegal in most jurisdictions for two-party consent states/countries. Ethically problematic in all jurisdictions.

Transcribing for "convenience" without clinical reason. If the recording would not survive review by an ethics board, it should not happen.

Using consumer transcription tools (us included) for PHI. Even with consent, using non-BAA tools for PHI violates HIPAA in the US.

Retaining recordings indefinitely without justification. Therapy recordings should have defined retention aligned with clinical necessity.

Using session content for marketing. Even anonymized, this requires specific additional consent beyond clinical consent and is widely considered inappropriate.

Therapy-Adjacent Use Cases Where We Can Help

There are some workflows that are not therapy itself but touch the same space, where our tool is appropriate:

Therapist's own podcast or educational content. A therapist recording educational content about mental health (no client data involved). This is content creation, not clinical work. Our tool fits.

Coach (non-therapist) working in adjacent space. Wellness coaches, executive coaches, and life coaches are not therapists and their sessions are not PHI. The workflow in transcription for coaching sessions applies.

Therapist's own training and study notes. Transcribing recorded lectures, conference talks, or training videos for the therapist's own learning. No client data involved.

Aggregated, fully de-identified research data. Where individuals cannot be re-identified and all linking to original PHI is destroyed. Some research uses this pattern.

For all of these, the content does not include patient PHI, so HIPAA is not the binding constraint.

The Consent Conversation

If you are a therapy practitioner considering whether to record sessions, the consent conversation is the foundational work. Some elements:

Purpose. Why is the recording being made? Supervision, research, QI, therapist's own notes? Be specific.

Storage location. Where will the recording live? What protections are in place?

Retention. How long will it be kept? When and how will it be deleted?

Access. Who can listen to it? Supervisor only? IRB members? Researchers?

Right to withdraw. Patient can revoke consent at any time, with recordings deleted.

Right to access. Patient can request a copy of the recording or transcript at any time.

Breach procedures. What happens if data is compromised?

Termination. What happens to the recording when the therapeutic relationship ends?

This is a conversation, not a checkbox in an intake form. If the patient has hesitation, recording probably should not happen.

The Technical Workflow (If Appropriate)

If you are in one of the legitimate use cases above and using a HIPAA-eligible provider (not us for PHI), the workflow:

1. Record the session with informed consent in place.
2. Transfer the recording to your HIPAA-compliant storage immediately.
3. Submit to a BAA-covered transcription service.
4. Review the transcript on a HIPAA-compliant device.
5. Retain only what the purpose requires.
6. Delete according to the retention policy.

Every step has security implications. The transfer between steps is often where breaches happen.

What We Recommend

Our actual position:

For PHI-containing therapy session recordings: Do not use us. Use a HIPAA-certified provider with a signed BAA. Examples include AWS Transcribe Medical (BAA available with AWS), Google Cloud Speech-to-Text (BAA available with GCP), or therapy-specific HIPAA-certified vendors.

For therapy-adjacent content without PHI: Our tool is fine for the workflows described above (educational podcasts, training notes, coaching sessions, research with fully de-identified data).

For coaches and adjacent practitioners who are not licensed therapists: Use the coaching session workflow and follow the same consent principles that good therapists follow even though you are not bound by HIPAA.

For research with PHI: Work within your IRB-approved data handling protocols, which will dictate the right provider.

The Boundaries That Matter

A few non-negotiables in this space:

Consent is foundational. No exception for any purpose.

The minimum-necessary principle. Record only what serves the agreed purpose. Transcribe only what needs transcribing. Retain only as long as required.

Provider selection matters. Choose providers whose compliance posture matches the data type. For PHI, that means HIPAA. For EU citizens, GDPR. For research, IRB-approved.

Patient interests come first. Any practice that prioritizes the therapist's convenience over patient interests is wrong.

What This Looks Like for Different Roles

Licensed therapist: Probably do not record session content at all unless required for supervision or research. If you do, use a HIPAA-certified provider with a BAA. We are not it.

Coaching practitioner (not licensed therapist): Use the coaching workflow with strong consent practices. Our tool fits.

Research administrator: Work within IRB protocols. Provider selection is part of those protocols.

Trainee therapist in supervision: Follow your training program's data handling requirements. Their HIPAA-eligible provider is what you should use.

Mental health content creator (podcast, lectures): Educational content without client data can use our tool. Just keep it educational, not clinical.

The Practical Next Step

If you are evaluating transcription for any therapy-related use case, start with a clear question: does the recording contain PHI? If yes, use a HIPAA-certified provider, not us. If no, the workflow in coaching session transcription is the right reference.

Either way, the consent conversation is what protects both the patient and you. Get that right; the technology is the smaller part.