{ "@context": "https://schema.org", "@type": "BlogPosting", "headline": "HIPAA Compliance for AI in Psychology: What "Verified" Actually Means", "description": "Most AI tools claim HIPAA compliance but only sign a BAA. Learn what third-party verified HIPAA compliance means for psychological assessment data.", "datePublished": "2026-02-27T02:07:13.162Z", "image": "https://cdn.prod.website-files.com/6862accee39d85b23d759a55/69a0ee0e32f531401d22911d_Gemini_Generated_Image_grl776grl776grl7.jpeg", "author": { "@type": "Organization", "name": "Psynth", "url": "https://psynth.ai" }, "publisher": { "@type": "Organization", "name": "Psynth", "url": "https://psynth.ai", "logo": { "@type": "ImageObject", "url": "https://cdn.prod.website-files.com/685c0eaa5a941a2791848ef4/685c316c137b23892623ccff_Horizontal%20Logo%20Navy.svg" } }, "mainEntityOfPage": { "@type": "WebPage", "@id": "https://psynth.ai/articles/hipaa-compliance-ai-psychology-what-verified-means" } }

February 27, 2026

HIPAA Compliance for AI in Psychology: What "Verified" Actually Means

A BAA is a promise. A third-party audit is proof. Here is what psychologists should verify before trusting any AI tool with patient data.

By Stephen Stearman, CEO, Psynth

The BAA Problem

If you have evaluated any AI tool for your psychology practice, you have probably seen the phrase "HIPAA compliant" on the vendor's website. In most cases, that claim is backed by exactly one thing: a Business Associate Agreement.

A BAA is a legal contract. It states that the vendor agrees to handle Protected Health Information according to HIPAA's requirements. What it does not do is verify that the vendor has actually implemented the technical safeguards, administrative procedures, and physical controls that HIPAA demands. A BAA without an audit is like a contractor signing a building code agreement without anyone inspecting the building.

For therapy notes or appointment scheduling, this gap might feel manageable. For psychological assessment data, it is not.

Why Assessment Data Is Different

Psychological assessments produce some of the most sensitive PHI in healthcare. A single evaluation file can contain full-scale IQ scores, behavioral observations, trauma histories, diagnostic formulations, and qualitative clinical impressions. This data can directly affect custody decisions, educational placements, disability determinations, and forensic proceedings.

When this information enters an AI system for report drafting, you need to know more than "we signed a BAA." You need to know the answers to specific questions:

Where is the data processed? Is it encrypted in transit and at rest? Does the AI model retain any patient data after processing? Are there role-based access controls? Is there an audit log? Has any of this been independently verified?

Most vendors cannot answer these questions with documentation. Psynth can.

What Third-Party Verified Means

When Psynth says "HIPAA verified," we mean that an accredited third-party auditor (Glocert) examined our infrastructure, policies, and technical controls against HIPAA's Security Rule and Privacy Rule requirements, and confirmed compliance.

This includes verification of:

  • Encryption standards — AES-256 at rest, TLS 1.2+ in transit
  • Access controls — Role-based permissions with multi-factor authentication
  • Audit logging — Every action on patient data is recorded and traceable
  • Zero-retention AI models — No patient data is stored, cached, or used for model training by any LLM provider
  • Downstream BAAs — Signed agreements with every subprocessor, not just the primary vendor
  • Incident response procedures — Documented breach notification and remediation protocols

Every policy and control is documented and publicly accessible at trust.psynth.ai.

The Zero-Retention Architecture

One of the most common concerns psychologists raise in our conversations is straightforward: "Does the AI learn from my patients' data?"

The answer is no. Psynth operates on a zero-retention architecture. When you upload test scores, clinical observations, or handwritten notes, the data is tokenized during processing and streamed through our AI models. Nothing is stored on AI provider servers. Nothing is cached for future training. Each report operates as an isolated environment with no cross-contamination between patients.

We hold commercial healthcare-grade agreements with every LLM provider we use, each with explicit zero-retention and no-training clauses. This is not a default setting we toggled on. It is a contractual and architectural requirement we built the platform around.

What to Ask Any AI Vendor

If you are evaluating AI tools for your practice, here are the questions that separate verified compliance from marketing claims:

  • Can you show me a third-party audit report? A BAA alone is not evidence of compliance.
  • Do you have a public trust center? If a vendor cannot show you their security policies, ask why.
  • What is your data retention policy? Specifically for PHI processed through AI models.
  • Do you have BAAs with your downstream AI providers? Your BAA with the vendor is meaningless if they do not have agreements with their subprocessors.
  • Where is my data processed and stored? Data residency matters, especially for practices operating across state lines or internationally.
  • What happens if there is a breach? Ask to see their incident response plan.

These are not unreasonable questions. Any vendor that treats your psychological assessment data with the seriousness it deserves should be able to answer every one of them with documentation, not reassurances.

Beyond HIPAA: The Full Picture

HIPAA compliance is the floor, not the ceiling. Psynth has also achieved third-party verified compliance with PIPEDA (Canada) and GDPR (EU/UK), with SOC 2 Type 2 and ISO 27001 certifications in progress. We maintain regional data residency in the United States, Ontario (Canada), and Dublin (Ireland).

We did not pursue these certifications because a customer asked. We pursued them because psychological assessment data demands the highest standard of protection available, regardless of where your patients are located.

For the full picture of our compliance strategy, read Security as Strategy: Why Psynth Pursued Five Compliance Certifications.

Frequently Asked Questions

Is a BAA the same as HIPAA compliance?

No. A BAA is a contract stating a vendor agrees to comply with HIPAA. It does not verify that the vendor has implemented the required safeguards. Third-party verification through an accredited auditor confirms that actual controls are in place.

Does Psynth's AI store patient data?

No. Psynth uses a zero-retention architecture. Patient data is tokenized during processing and is not stored, cached, or used for model training. Each report operates in an isolated environment.

What LLM providers does Psynth use, and are they HIPAA compliant?

Psynth holds commercial healthcare-grade agreements with Claude (Anthropic), Gemini (Google), and OpenAI. Each agreement includes explicit zero-retention and no-training clauses, with signed BAAs.

Can I use Psynth for forensic or court-involved evaluations?

Yes. Psynth maintains audit logging that records every action taken on patient data. Reports are defensible in court and insurance audit contexts. The clinician retains full control over all clinical conclusions.

Where can I review Psynth's security policies?

All policies, controls, and certification documentation are publicly available at trust.psynth.ai.

Psynth, Inc.
301 E. Archer St.
Tulsa, OK 74120
support@psynth.ai
Menu
CareersTrust CenterGlossary
LegalPrivacy PolicyBusiness Associate AgreementData Processing AgreementCookie PolicySubprocessorsTerms of Service