Voice Transcription for Therapy Notes: How CBT Assistant Pro Does It Privately

Writing session notes is the single largest source of administrative burden in clinical practice. Studies estimate that therapists spend 20-30% of their working hours on documentation. Voice dictation can cut this by half or more — provided the privacy model is genuinely safe for PHI.

The benefits compound:

• More accurate notes (you capture detail while the session is fresh)
• Less burnout from after-hours documentation
• More time for clinical reasoning and case formulation
• Better client engagement during sessions (less time spent typing)

The catch: most consumer voice transcription tools (including the dictation features built into common operating systems) are not safe for PHI. They retain audio, transmit it to cloud services without BAAs, and may use recordings for model improvement.

The technical flow:

1. Capture in the browser: Audio is captured locally in your browser using the standard MediaRecorder API. Nothing is uploaded yet.
2. Transmit encrypted: When you stop recording, the audio is sent over TLS 1.3 to our transcription service.
3. Transcribe and discard: The transcription service converts audio to text and immediately returns the text. The audio is deleted from the processing buffer.
4. Store text only: The transcribed text is encrypted with AES-256-GCM and stored in your client record. The audio is never written to persistent storage.
5. Confirm deletion: Within minutes, all temporary copies of the audio are securely overwritten and removed from every storage layer.

At no point does the audio touch long-term storage. At no point is it backed up. At no point is it used for training.

CBT Assistant Pro uses enterprise-grade transcription services with the following contractual requirements:

• Business Associate Agreement (BAA): Signed with every provider that processes clinical audio.
• Zero retention: Audio is deleted immediately after transcription completes; no caching, no archiving.
• No model training: Clinical audio cannot be used to train, fine-tune, or improve any AI model.
• Sub-processor restrictions: Providers may not pass audio to their own sub-processors except for the immediate transcription task.
• Geographic restrictions: Audio is processed in U.S. and EU data centers only, with EU clients processed exclusively in EU regions.
• Audit rights: We retain the right to audit provider security practices annually.

These terms are non-negotiable for any provider we use.

Once transcribed, the text becomes part of your client record and inherits the full security model:

• Encrypted at rest with AES-256-GCM
• Encrypted in transit with TLS 1.3
• Access-controlled (only you, and clinic colleagues you explicitly grant access)
• Audit-logged (every read and write is recorded)
• Subject to your right of access, edit, and deletion at any time

If you later edit or delete the note, the change propagates through production within 24 hours and through backups within 30 days.

Even with strong technical protections, clinicians should follow these practices:

• Get explicit client consent to record any portion of a session. Recording without consent violates clinical ethics regardless of platform.
• Prefer dictating summaries to recording the full session. Summarize key points after the client leaves rather than recording the entire conversation.
• Use pseudonyms when dictating. Say "the client" or use the client code rather than the real name.
• Check the transcribed text for accuracy before saving. Voice transcription is good but not perfect, especially with clinical terminology.
• Avoid public spaces. Do not dictate session notes in a coffee shop or open office.

Following these practices combined with the platform's technical safeguards gives you a defensible voice transcription workflow.