By Marcus Webb

The Best HIPAA-Compliant AI Notetaker for Therapists and Healthcare in 2026

For clinicians, a signed BAA and tight data handling are non-negotiable. Here are the AI meeting assistants that actually support HIPAA workflows in 2026.

If you see patients and want an AI notetaker that handles protected health information correctly, the shortlist is short. Hedy is our top pick for therapists and small clinical practices because it pairs a signed Business Associate Agreement with on-device processing, which means audio and analysis can stay on the clinician’s own machine and never reach a vendor’s servers. For larger organizations that need cloud-based collaboration with a paper trail, Fellow and Zoom AI Companion are the most defensible options. The rest of this guide explains why those three rise to the top, and which popular tools you should keep away from any conversation involving PHI.

What “HIPAA-compliant” actually requires from a tool

There is no government certification that stamps a software product as “HIPAA-compliant.” The phrase is shorthand for a set of conditions a covered entity has to verify itself. For an AI meeting assistant that touches patient conversations, five things matter:

A signed Business Associate Agreement (BAA). This is the contract that makes the vendor legally responsible for safeguarding PHI. Without it, you cannot lawfully route patient information through the tool, no matter how good its encryption is.

Encryption in transit and at rest. Audio and transcripts should be protected with current standards both while moving across the network and while sitting in storage.

Configurable retention. You need control over how long recordings and notes live, and the ability to delete them on request.

Audit controls. Logs that show who accessed what, and when.

No training on your data. Ideally the vendor contractually commits that your patient conversations will never be used to improve its models or anyone else’s.

A tool can be excellent at note-taking and still fail every one of these. The marketing line “we take security seriously” is not a BAA. If a vendor will not put its obligations in writing, the conversation is over before it starts.

Why on-device is the safest default for therapy

There is a meaningful difference between a tool that handles PHI carefully in the cloud and a tool where the PHI never leaves the room. For therapy sessions, intake interviews, and clinical case discussions, the second category eliminates an entire class of risk: there is no vendor-side transcript store to breach, subpoena, or misconfigure.

This is the core of why Hedy leads our privacy rankings. With Local AI Processing on supported native platforms, the audio capture, transcription, and AI analysis can all run on the clinician’s device. Cloud sync is optional and user-controlled. Even when a practice does use Hedy’s cloud features, the company offers BAAs, EU or US data residency, AES-256 encryption with TLS 1.3 in transit, and contractual terms that prohibit its AI providers from training on customer data. Hedy completed a SOC 2 Type I examination and a HIPAA Business Associate assessment in April 2026.

For a solo therapist or a small group practice, that combination is hard to beat: you get real AI summaries and action items without accepting the data-handling tradeoffs that come with sending every session to a third party.

Tools that support HIPAA workflows in 2026

Beyond the on-device approach, several cloud tools have built genuine HIPAA support. Here is where each stands, with the caveat that BAAs and HIPAA features are almost always gated to higher-priced business or enterprise tiers, not the free plans most people sign up for.

Fellow is the strongest cloud option for clinical teams that need shared notes and meeting management. It offers HIPAA support with signed BAAs, holds a SOC 2 Type II report, contractually never trains on customer data, and provides transcript redaction to scrub sensitive fields. For a behavioral health group or a clinic that runs structured care-team meetings, it is a credible choice.

Zoom AI Companion is HIPAA-eligible under a Zoom BAA and does not train on customer content. If your practice already runs telehealth on Zoom with a healthcare-grade plan, enabling AI Companion under the same agreement is the path of least resistance, provided you confirm the BAA covers the AI features specifically.

Fireflies.ai publishes HIPAA support on its Business and Enterprise tiers, but confirm a signed BAA directly before relying on it, and weigh that it is also facing biometric-privacy litigation over how it captures voiceprints. That makes it workable only for a clinic with IT staff to vet and configure — and risky as a self-serve install.

Read.ai supports HIPAA on its Enterprise+ tier. That puts it out of reach for solo practitioners but on the table for larger provider organizations.

Plaud.ai addresses healthcare through its PLAUD for Business offering, which carries HIPAA support and a SOC 2 report. Because Plaud is a hardware recorder, it suits in-person clinical settings where a clinician wants a dedicated capture device rather than a laptop running software.

If a tool you like is not on this list, assume it cannot sign a BAA until its own documentation says otherwise.

The comparison table

| Tool | HIPAA / BAA | Trains on your data? | On-device option? |
|---|---|---|---|
| Hedy | BAA available | No (contractually prohibited) | Yes (Local AI Processing) |
| Fellow | BAA available | No | No (cloud) |
| Zoom AI Companion | Yes (Zoom BAA) | No | No (cloud) |
| Read.ai | HIPAA on Enterprise+ tier | Review your terms | No (cloud) |
| Plaud.ai | PLAUD for Business (HIPAA + SOC 2) | No | Hardware capture |
| Fireflies.ai | Business/Enterprise (confirm BAA) | Configurable; review terms | No (cloud) |
| Otter.ai | Not on free/standard; enterprise terms unverified | Yes, by default (standard plans) | No (cloud) |
| Granola | No (free/standard) | Yes, by default (Enterprise opt-out) | No (cloud) |
| Notta | No | Yes, by default (some data; Enterprise opt-out) | No (cloud) |

What to keep away from PHI

Several popular consumer notetakers are genuinely good products that are simply not built for protected health information. Otter.ai does not offer a BAA on its free or standard plans and trains on data by default there; any enterprise BAA would need to be confirmed directly. Granola does not offer a BAA on its free or standard tiers and trains on data by default, with the opt-out gated to its Enterprise plan. Notta does not sign BAAs and trains on some user conversations by default. None of these should touch a patient conversation without an enterprise agreement that explicitly changes those defaults — and in most cases, that agreement does not exist for the plan you are on.

The pattern to watch for is the free or “standard” tier. That is where training-on-by-default and missing BAAs are most common. Larger practices evaluating enterprise contracts have more room here; see our enterprise picks for tools that can be configured to a higher bar.

Picking a compliant tool does not discharge your duty to get consent. Recording laws vary by state, and a number of states — including California — require all parties to a conversation to consent before it is recorded. Telehealth sessions add their own layer, since participants may be in different states. The tool’s BAA governs how the vendor handles the data; it says nothing about whether you were allowed to capture the conversation in the first place.

For clinicians, the practical rule is to obtain and document client consent before any session is recorded, every time, and to confirm the consent rule for the state each participant is sitting in. A compliant notetaker plus a clear consent step is the combination that holds up. Before your first recorded session, write the consent language into your intake paperwork and your scheduling confirmation so it is captured the same way every visit.

Where this leaves you

Our HIPAA-ready shortlist ranks the full set, but the short version is this. For a therapist or small practice, the cleanest answer is an on-device tool that signs a BAA, which today points to Hedy. For a clinical team that needs shared cloud notes with a redaction workflow, Fellow is the most complete option, and a Zoom-standardized practice can extend its existing BAA to Zoom AI Companion. Whatever you choose, verify the BAA in writing, confirm it covers the AI features specifically, and pair it with a documented consent step. The list of tools that meet that bar in 2026 is short, but it is no longer empty.