Can Therapists Paste Client Information Into AI Tools?

If you’ve spent any time in therapist Facebook groups, attended an AI webinar, or talked with colleagues about documentation lately, you’ve probably seen some version of this question come up:

Can I put client information into AI?

Sometimes the question is specifically about ChatGPT. Other times it’s about BastionGPT, ChatGPT for Clinicians, Berries, or one of the growing number of AI tools being marketed to healthcare professionals. The platform changes, but the underlying concern is usually the same. Therapists are trying to figure out where the line is between using technology to make practice operations more manageable and protecting client information appropriately.

What makes the conversation difficult is that there are often very confident answers coming from both directions.

One person says you should never put any client information into an AI system under any circumstances. Another says that removing a client’s name makes everything fine. A third points to a healthcare-focused AI platform and assumes the answer must be different because the tool was built specifically for clinicians.

The reality is that none of those answers fully captures the question therapists are actually trying to answer.

In my experience, therapists are rarely asking whether they can upload an entire client chart into an AI platform. They’re usually asking something much more practical. They want to know whether they can use AI to help organize clinical thoughts, improve documentation language, brainstorm interventions, draft treatment plan ideas, or work through administrative tasks more efficiently. They are trying to determine how AI fits into the realities of day-to-day practice.

That is why this conversation can become confusing so quickly. The question sounds simple on the surface, but it sits at the intersection of privacy, technology, workflow design, and professional judgment. Once those pieces start interacting with each other, the answer becomes more nuanced than most therapists expect.

Why Do Therapists Get Different Answers About Using AI?

The answer depends on what information is being entered, how identifiable that information is, and what type of AI system is being used.

That may sound frustratingly vague, but it is also why therapists often receive conflicting information online. “AI” is not a single thing. A therapist using a general-purpose chatbot is operating in a different environment than a therapist using an AI feature built into an electronic health record. Likewise, a therapist using healthcare-focused platforms such as BastionGPT, ChatGPT for Clinicians, Berries, Upheal, Blueprint, Mentalyc, or other AI documentation and clinical support tools may be interacting with a very different workflow than someone using a public-facing AI system designed for general consumers.

One of the observations that comes up repeatedly when evaluating technology is that the same tool can create different levels of risk depending on how it is implemented. The operational reality matters more than the label attached to the software. Two therapists could be using similar technology and arrive at very different conclusions depending on what information is being entered, what safeguards are in place, and how the workflow functions.

That is why broad statements such as “AI is HIPAA compliant” or “AI is not HIPAA compliant” rarely provide enough information to be useful. The more helpful question is usually what information is being shared and whether that information could identify a specific client. The HIPAA Security Rule overview from the U.S. Department of Health and Human Services reflects this broader approach by focusing on the safeguards surrounding information rather than evaluating technology in isolation.

Can I Use AI if I Remove a Client’s Name?

This is often where therapists start the analysis, and that makes sense. Names are among the most obvious identifiers we encounter in clinical practice. If a therapist removes a client’s name, date of birth, address, and contact information before entering information into an AI system, it can feel as though the connection to a specific individual has been removed.

Sometimes that may significantly reduce identifiability. Sometimes it may not.

What often gets overlooked is that people are not identified only by names. They can also become identifiable through context, circumstances, and combinations of details that seem harmless when viewed individually. In fact, HIPAA’s concept of identifiable information extends far beyond a person’s name and includes numerous categories of information that may be used to identify an individual. The HIPAA Privacy Rule guidance from HHS provides additional information about how protected health information is defined and protected.

Imagine a therapist practicing in a small rural community who enters information about a local school superintendent who recently became involved in a highly publicized controversy and is navigating a very public divorce. Even if no name appears anywhere in the prompt, many people in that community would likely know exactly who is being described.

The challenge is that identifiability is often contextual. Information that feels anonymous in one setting may be highly recognizable in another. A detail that seems insignificant in a large city may point directly to a specific individual in a small community. That is why focusing exclusively on names can create a false sense of security. The larger question is whether the information, taken as a whole, could reasonably identify the person being discussed.

Why Removing a Name Doesn't Remove Identifiability graphic

What Information Can Identify a Client Even Without Their Name?

One reason therapists struggle with this question is that identifying information is often more complicated than it initially appears.

Most people immediately think about names, phone numbers, email addresses, Social Security numbers, and dates of birth. Those examples are important, but they are not the only pieces of information that can make a person identifiable.

A person’s occupation, community role, family circumstances, highly specific medical history, legal involvement, or unique life events may also contribute to identifiability. The more unique the circumstances, the easier it may become to connect information back to a specific individual.

This is particularly important in smaller communities, specialized professional environments, schools, universities, religious organizations, and other settings where people may already know one another. A description that feels anonymous to the therapist writing it may look very different to someone familiar with the circumstances.

That is one reason the HHS guidance on de-identification of protected health information emphasizes that evaluating identifiability involves more than simply removing direct identifiers. Context often matters just as much as the information itself.

Download: The 18 HIPAA Identifiers for Therapists

Many therapists naturally focus on names when thinking about whether information is identifiable. HIPAA’s definition of identifiable information extends much further than many clinicians realize.

Download our free guide:

The 18 HIPAA Identifiers: A Therapist’s Quick Reference Guide

Use it as a quick reference when evaluating documentation, AI workflows, consultation scenarios, and other situations involving client information.

Download Guide

A Practical Observation

Many therapists assume that if they remove a client’s name, the information is no longer identifiable. That assumption is understandable because names are among the most obvious identifiers we encounter in practice. The challenge is that identifiability often depends on the entire picture rather than a single detail. Context, circumstances, and combinations of information can sometimes identify a person even when no direct identifier appears in the text.

Related Resource: The 18 HIPAA Identifiers: A Therapist’s Quick Reference Guide

Does It Matter Which AI Tool a Therapist Uses?

Many therapists are asking this question because the AI landscape has changed rapidly over the past few years. A therapist considering ChatGPT may be evaluating a very different type of platform than someone using BastionGPT, ChatGPT for Clinicians, Berries, or an AI feature embedded within an electronic health record.

That does not automatically mean one category of tool is appropriate and another is not. It does mean that therapists should be cautious about treating all AI systems as though they operate in exactly the same way.

Technology does not operate in isolation. Access controls, permissions, vendor agreements, storage practices, workflow design, and system configuration can all influence how information is handled. The same platform may create different considerations depending on how it is implemented within a practice.

This is one reason conversations about AI often become more nuanced than simple online discussions suggest. The question is frequently less about whether a tool uses artificial intelligence and more about how information moves through the larger workflow surrounding that tool.

What Should Therapists Consider Before Entering Information Into AI?

When therapists ask whether they can paste client information into AI, they are often looking for a clear rule. The reality is that thoughtful decision-making usually involves asking a different set of questions.

Could the information identify a specific client?

Would someone familiar with the circumstances recognize the person being described?

Am I including details that are unique enough to point back to an individual?

Could I accomplish the same goal without sharing information connected to an actual client?

These questions do not answer every compliance consideration associated with AI, but they help therapists begin evaluating the information itself before focusing on the technology. In many situations, that is the most useful place to start.

How Does This Fit Into the Larger AI Compliance Conversation?

The question of whether therapists can paste client information into AI tools is only one part of a much broader conversation.

Questions about vendor agreements, information storage, AI governance, documentation practices, Security Risk Analyses, and organizational policies all deserve careful consideration. Those topics become particularly important as AI moves from experimentation into everyday practice operations.

At the same time, those are separate questions.

Before evaluating how information is stored, who can access it, or what safeguards exist, therapists first need to understand whether the information being entered could identify a client in the first place.

Everything else builds from there.

Stay Updated on Compliance Changes

Compliance expectations are constantly evolving, and most providers don’t hear about changes until they become a problem.

If you want clear, practical updates you can actually use, you can join my email list below.

Final Thoughts

When therapists ask whether they can paste client information into AI tools, they are often looking for certainty in a conversation that can feel increasingly complicated.

That is understandable. AI is evolving quickly, new platforms appear regularly, and therapists are being asked to make decisions about technology that did not exist even a few years ago.

Whether a therapist is considering ChatGPT, BastionGPT, ChatGPT for Clinicians, Berries, Upheal, Blueprint, Mentalyc, or another AI platform entirely, the starting point remains the same.
Before focusing on the software, it is worth taking a closer look at the information itself.

Removing a client’s name may reduce identifiability, but it does not automatically eliminate it. The more useful question is often whether the information, taken as a whole, could still identify a specific individual.

That shift in thinking creates a stronger foundation for evaluating AI tools, protecting client privacy, and making thoughtful decisions about how new technology fits into clinical practice.

FAQs

Can therapists use ChatGPT with client information?

It depends.

The answer depends on the information being entered, how identifiable that information is, and the safeguards surrounding the workflow. Simply removing a client’s name does not automatically mean the information is no longer identifiable. Therapists should evaluate both the information being shared and the system being used before entering client-related information into any AI platform.

Can therapists paste client information into AI tools?

It depends.

Whether client information can be entered into an AI tool depends on factors such as identifiability, the type of AI system being used, and the surrounding workflow. The question is often less about the technology itself and more about how client information is being handled.

Is removing a client's name enough to make information safe to enter into AI?

No, not necessarily.

A person may still be identifiable through a combination of circumstances, life events, professional roles, family situations, or other contextual details. The larger question is whether the information, taken as a whole, could reasonably identify a specific individual.

Can therapists enter de-identified information into AI tools?

Potentially.

De-identification is more complex than simply removing a name or replacing identifying details with initials. Therapists should consider whether the remaining information could still point to a specific person when viewed within its broader context.

What information does HIPAA consider identifiable?

More information than many therapists realize.

Names are only one category of identifying information. Depending on the circumstances, dates, locations, contact information, professional roles, unique life events, and other details may contribute to identifiability. Therapists should evaluate both direct identifiers and contextual information when considering whether information could identify a client.

Are healthcare-focused AI tools different from ChatGPT?

Yes, they may be.

Therapists may encounter healthcare-focused platforms such as BastionGPT, ChatGPT for Clinicians, Berries, Upheal, Blueprint, and Mentalyc, as well as AI features embedded within electronic health records and documentation systems. These tools may operate differently than general-purpose AI platforms, which is one reason AI questions often require a workflow-specific analysis rather than a simple yes-or-no answer.

Does HIPAA allow therapists to use AI?

Yes.

HIPAA does not specifically prohibit the use of artificial intelligence. However, therapists remain responsible for protecting client information and evaluating how technology is implemented within their practice. Compliance considerations often extend beyond the technology itself and include safeguards, policies, workflows, and risk management processes.

What happens if AI stores protected health information (PHI)?

It depends on the system and workflow involved.

Questions about storage, retention, access, permissions, and vendor responsibilities are important parts of the broader AI compliance conversation. Therapists should understand how information is handled within any system that may receive protected health information.

Can therapists use AI for treatment plans?

Potentially.

Many therapists are exploring ways AI may assist with treatment planning, documentation, and administrative workflows. Whether a particular use is appropriate depends on the information being entered, the AI system being used, and the safeguards surrounding that workflow.

Can therapists use AI for progress notes?

Potentially.

Many therapists are evaluating AI-assisted documentation tools and note-writing systems. Whether those tools can be used appropriately depends on the platform, the information being processed, and the safeguards in place to protect client information.

Related Articles in This AI + HIPAA Series

Therapists exploring AI documentation often have additional questions that extend beyond progress notes alone.

Related topics include:

Other Compliance Articles Coming Soon…

  • Can Therapists Use AI for Treatment Plans?
  • How Should Therapists Document AI Use in Practice?

Sources

HHS Guidance Regarding Methods for De-Identification of Protected Health Information
https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html

HIPAA Privacy Rule Summary
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

HIPAA Security Rule Overview
https://www.hhs.gov/hipaa/for-professionals/security/index.html

About the Author

Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3

Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™.

She helps therapists and group practices understand how compliance, documentation, privacy, technology, and practice operations work together in real-world clinical settings. Her work focuses on turning complex requirements into practical systems, policies, workflows, and implementation strategies that providers can actually use.

Drawing from experience in both clinical practice and compliance consulting, Samantha specializes in helping mental health professionals build defensible, sustainable systems that support both quality care and regulatory compliance.

Learn more about Samantha and Guardian Clinical Essentials™.

Samantha Schalk, LMSW-C, LMSW-M, founder of Guardian Clinical Essentials

Continue Exploring Guardian Clinical Essentials™

Looking for additional compliance, privacy, AI, documentation, and practice operations resources?

Explore the Guardian Clinical Essentials™ Resource Library for educational articles, implementation guidance, training opportunities, and practical resources designed specifically for mental health professionals.

This site uses cookies to enhance your experience and analyze site usage. By continuing, you consent to our use of cookies. For details, see our Cookie Policy.

Cookie Policy