AI + HIPAA: Resources Hub & Next Steps
What Therapists Need to Understand About Access, Risk, and Compliance
Use these training resources to evaluate AI tools, understand access and data-flow risk, and begin documenting the choices you make in your practice.
This page includes the exact tools and reference guides mentioned in the training.
Use these to evaluate your current setup, identify risk areas, and begin building a compliance system you can stand behind.
Progress Over Perfection
You don’t need to have everything figured out to start using these tools.
Most of the risk I see in practice doesn’t come from one decision.
It comes from not having a clear way to evaluate and document what you’re doing over time.
Start by understanding how your tools are set up.
Look at access, data flow, and what each system can actually reach.
Then build from there.
Compliance isn’t about getting it perfect all at once.
It’s about being able to show what you’re doing, why you made those decisions, and how you’re managing it over time.
Watch the Full AI + HIPAA Training
This 90-minute AI + HIPAA training was hosted by Kym Tolson and presented by Samantha Schalk, with a focus on AI-related HIPAA risk, access considerations, and compliance decision-making for therapists and mental health practices.
The session covered:
evaluating AI tools through a HIPAA lens
access, exposure, and data-flow considerations
Google Workspace and AI-related configuration concerns
AI agents and browser extension risks
documentation, defensibility, and Security Risk Analysis connections
practical decision-making frameworks for therapists
The resources below were referenced throughout the training and are provided here for continued learning and implementation.
Hosted by Kym Tolson, LCSW | Clinical AI Club & TheraAI Hub
Guest Expert: Samantha Schalk, LMSW | Guardian Clinical Essentials™
AI + HIPAA: What Therapists Need to Understand About Risk, Access, and Compliance
AI + HIPAA conversations often focus too heavily on the tool itself instead of the bigger compliance picture. What matters most is understanding access, data flow, configuration, documentation, and how information moves throughout your practice. This article breaks down the core concepts therapists need to evaluate AI-related risk more clearly and make more informed, defensible decisions over time.
The Free Downloads
✅ AI Tool Types: Features & Risk Considerations
Breaks down common categories of AI tools and how they differ in access, functionality, and risk.
Helps you understand why different types of tools carry different levels of exposure based on what they can access, how they interact with data, and where risk actually exists.
This is not a list of approved tools. It’s a way to understand the landscape.
✅ Should I Use This AI Tool? A Simple Decision Framework for HIPAA Risk
A step-by-step decision tool to help you evaluate whether and how an AI tool can be used in your practice.
Walks through key questions around PHI, BAA requirements, access level, data handling, and your own use of the tool so you can make informed, defensible decisions.
✅ AI Tools: What to Look For (Not a Safe List)
Shows real examples of commonly used tools and how to think about them in terms of BAA availability, access level, and data handling.
Reinforces that there is no universal “safe list” and that risk depends on configuration, access, and use.
✅ Google Workspace Configuration Guide
A structured, step-by-step system for configuring Google Workspace with controlled access, defined data flow, and appropriate security protections.
Includes two versions based on how your practice collects information.
Using Google Forms for Client Intake
Use this if you collect client information through a website form or intake link.
No Google Forms (Internal Use Only)
Use this if all information stays internal and no client data is collected through Google Workspace.
✅ Key Takeaways
A concise summary of the core concepts from the training, including how to evaluate AI tools, where risk actually comes from, and what your responsibility is as the provider.
Designed to reinforce the shift from focusing on the tool itself to understanding access, data flow, and control.
✅ Additional AI Resource
Kym Tolson has also created a helpful resource with practical AI prompt examples designed specifically for therapists exploring AI tools in their workflow.
100 AI Prompts for Therapists
What to Do Next
You’ve reviewed the tools. Now step back and look at how this fits into your overall compliance.
AI is not a separate issue.
It connects to your systems, your access controls, and how information moves through your practice.
Most providers don’t run into problems because of one tool.
It’s because there isn’t a clear, documented way to evaluate and manage risk across everything they’re using.
Start Here
If you’re not sure where to begin, start with your Security Risk Analysis.
That’s where you:
Identify where risk exists
Document what is in place
Create a structure for managing it over time
Not Ready for a Full Review Yet?
Start with a quick check of your current setup.
✔ See what you already have in place
✔ Identify what’s missing
✔ Get a clearer picture of your compliance gaps
