
Is Berries HIPAA Compliant?

Dec 17, 2025

Yes, Berries is designed to support HIPAA compliance and operates as a Business Associate for covered entities.

We provide a Business Associate Agreement (BAA) and implement HIPAA-aligned safeguards, because compliance is the foundation of ethical practice and client trust. Understanding how Berries protects your clients' sensitive information is essential for confidently integrating AI documentation into your therapeutic workflow.


What HIPAA Compliance Means for Mental Health Professionals

HIPAA (Health Insurance Portability and Accountability Act) establishes national standards for protecting sensitive patient health information, known as Protected Health Information (PHI). For therapists, counselors, psychologists, and other mental health practitioners, PHI includes everything from session notes and treatment plans to audio recordings and progress documentation.

When you use any digital tool that processes clinical information—including AI documentation platforms—a vendor that has access to PHI becomes what HIPAA calls a "Business Associate."

HIPAA violations can lead to tiered civil penalties (currently up to $50,000 per violation, with annual caps), plus potential professional and reputational consequences.


How Berries Protects Client Data and Privacy

Berries AI implements comprehensive security measures specifically designed for mental health documentation.

Our platform functions as a HIPAA-compliant Business Associate, providing signed Business Associate Agreements (BAAs) to all mental health professionals who use our service. This legal framework ensures we're accountable for maintaining the same rigorous privacy standards required of your practice.

Every aspect of Berries is built with privacy protection as the core priority. Our security infrastructure includes encrypted data storage, secure transmission protocols, and strict access controls that limit access to your clients' information on a need-to-know basis.

Research demonstrates that mental health data requires particularly sensitive handling due to the intimate nature of therapeutic content, which is why we've designed our entire system around safeguarding this information.

Does Berries Store the Session Recordings?

We don’t store session recordings. This is one of our most important privacy protections for mental health professionals. Here's how our recording process works: when you conduct a session, audio is briefly processed in small chunks to produce transcripts, and each chunk is deleted immediately after it’s transcribed. No audio is retained.

This approach addresses a critical concern many therapists have about AI documentation tools. Evidence-based practice guidelines emphasize privacy minimization—keeping sensitive information only as long as necessary.

By automatically deleting recordings rather than retaining them indefinitely, Berries reduces potential privacy risks while still providing you with comprehensive, accurate clinical documentation.

Automatic note deletion for enhanced privacy control

Beyond session recordings, Berries gives you complete control over your clinical notes. You can manually delete any session notes at any time if needed for practice management or client requests. Additionally, the platform offers automatic deletion settings that allow you to configure notes to delete after 30 days if desired.

This flexibility helps mental health professionals balance clinical record-keeping requirements with privacy protection principles.

While you maintain documentation for as long as your practice requires, you're never locked into retaining information longer than necessary. Research published in Professional Psychology: Research and Practice indicates that giving practitioners granular control over data retention enhances both compliance and therapeutic trust.


HIPAA-Compliant Features Built Into Berries

Berries incorporates multiple layers of HIPAA-compliant security features that work seamlessly in the background while you focus on client care. These safeguards meet all technical, physical, and administrative requirements established by federal privacy regulations.

Secure Data Encryption

All data in Berries is protected through industry-standard encryption protocols. This means your clinical information is encrypted both "at rest" (when stored on our servers) and "in transit" (when moving between your device and our platform). According to HIPAA technical safeguard requirements, encryption renders PHI unusable to unauthorized individuals even if data is somehow intercepted.

Our data storage facilities are HIPAA compliant and maintained by trusted healthcare technology vendors, including Google, Microsoft, Amazon, and Paubox.

Each of these vendors operates under signed Business Associate Agreements and adheres to strict security protocols specifically designed for healthcare information. This vendor selection process reflects evidence-based risk management, as clinical data security depends not just on the primary platform but on the entire infrastructure chain.

Access Controls and Permissions

Berries implements strict access controls, ensuring that only authorized individuals can view clinical documentation.

You authenticate into your account using secure login credentials, and only you have access to your clients' session notes and information. The platform prevents unauthorized access through multiple authentication mechanisms and monitors for suspicious login activity.

For group practices or agencies using Berries, access permissions can be configured so each therapist sees only their own clients' documentation.

Audit Trails and Activity Logs

HIPAA requires covered entities to maintain detailed records of who accesses PHI and when. Berries automatically generates audit trails and activity logs that track access to clinical documentation. These logs provide transparency and accountability, documenting when notes are created, viewed, or modified.

For mental health professionals, audit trails serve multiple purposes beyond compliance. They provide documentation for quality assurance, help identify any unusual access patterns that might indicate security concerns, and offer evidence of proper information handling if questions arise. Clinical practice guidelines emphasize that comprehensive audit capabilities demonstrate a commitment to privacy protection and professional responsibility.


How Berries Differs from Non-HIPAA-Compliant AI Tools

Not all AI documentation tools are created equal when it comes to HIPAA compliance. Understanding these differences helps you make informed decisions about technology in your practice.

Many general-purpose AI platforms explicitly state they are not HIPAA compliant and should not be used with protected health information.

Some popular AI writing tools, for example, may use the content you input to train their algorithms—meaning your clients' therapeutic information could potentially be incorporated into the AI's learning process.

Berries takes a fundamentally different approach. We explicitly do not use Protected Health Information to train our AI models. Your clients' session content remains confidential and is never used to improve our algorithms or shared with other users.

This policy aligns with ethical guidelines from the American Counseling Association, emphasizing that informed consent for AI-assisted documentation must include clear information about data usage.

Additionally, non-compliant tools typically don't provide Business Associate Agreements, don't implement healthcare-grade encryption, and don't undergo regular security audits specific to HIPAA requirements.

Berries was built specifically for mental health professionals with HIPAA compliance as a foundational requirement from day one.

Our entire infrastructure, from vendor selection to data retention policies to AI training practices, is designed around protecting the unique privacy needs of therapeutic relationships.

This mental health specialization means you can trust that our platform understands not just general healthcare privacy but the specific confidentiality considerations central to effective therapy.


FAQs About Berries and HIPAA Compliance

Does Berries provide a Business Associate Agreement (BAA)?

Yes, Berries provides a Business Associate Agreement to all mental health professionals using our platform. This signed BAA is a legal requirement under HIPAA for any vendor that processes, stores, or transmits Protected Health Information on behalf of covered entities. The BAA establishes our legal obligation to safeguard your clients' information according to federal privacy standards and outlines our responsibilities if a security incident occurs.

Can I use Berries for telehealth sessions while staying HIPAA compliant?

Absolutely. Berries maintains HIPAA compliance whether you're conducting in-person sessions or telehealth appointments. Our security infrastructure protects clinical information with the same encryption and access controls regardless of session modality. For telehealth, simply ensure your video conferencing platform is also HIPAA compliant, then use Berries to document sessions just as you would for in-person therapy. The platform seamlessly integrates into telehealth workflows without compromising security.

What happens to my data if I stop using Berries?

You maintain complete control over your clinical documentation. If you decide to discontinue using Berries, you can export your session notes before closing your account. Because we automatically delete session recordings immediately after generating notes, no recorded audio is retained beyond the documentation process. Any remaining clinical notes can be manually deleted at your discretion. Our data retention policies ensure you're never locked into the platform and can transition your practice as needed.

How does Berries handle data breaches or security incidents?

Berries follows HIPAA-mandated breach notification protocols. In the unlikely event of a security incident involving PHI, we would immediately investigate, contain the breach, notify affected mental health professionals, and report to appropriate authorities as required by law.

Is Berries compliant with state privacy laws beyond HIPAA?

Yes, Berries complies with federal HIPAA standards as well as state-specific privacy regulations. Some states have additional requirements for mental health records, and our platform's flexible data retention and deletion features help you meet various state mandates. For mental health professionals practicing in multiple states or offering telehealth across state lines, this comprehensive compliance approach simplifies practice management while maintaining consistent privacy protection for all clients.

Can I customize Berries' security settings for my practice needs?

Berries balances robust default security with customization options for individual practice requirements. You can configure automatic note deletion timelines, manage access permissions in group practice settings, and control data retention policies based on your state regulations and practice preferences.

These customization options work within our HIPAA-compliant framework, ensuring that flexibility doesn't compromise security. Clinical practice guidelines suggest that customizable security features improve both compliance and usability by accommodating diverse practice contexts.


Final Thoughts

HIPAA compliance is not optional for mental health professionals—it's a fundamental requirement that protects both your practice and the clients you serve. As AI-powered documentation becomes increasingly integrated into therapeutic workflows, choosing platforms with genuine, comprehensive HIPAA compliance is essential for maintaining ethical practice standards.

This article is for educational purposes and professional development only. It does not constitute clinical supervision, legal advice, or replace professional judgment in therapeutic practice. Mental health professionals should consult with legal counsel regarding specific HIPAA compliance questions for their individual practice contexts.