What Happens to Your Client Data?
Most AI tools are "HIPAA compliant." But compliant doesn't mean your data isn't stored on their servers. See the difference between tools that store your data vs. tools with zero-retention architecture.
Key insight: HIPAA compliance means a tool has safeguards. It does NOT mean your data isn't stored. Stored data = breach risk.
Understanding Privacy Tiers
Zero Retention
Data never stored. Processed in-memory, immediately discarded.
HIPAA Compliant
BAA signed. Data stored with encryption. Not used for AI training.
Conditional
May be compliant with proper setup. Often requires separate BAA request.
Not Compliant
No BAA. Data may be used for AI training. Do not use with PHI.
All tools ranked by privacy architecture
Sorted from most private (zero-retention) to least private. Green = your data is never stored. Blue = compliant but data is stored. Red = not compliant.
| Tool | Privacy Tier | Data Stored | BAA | AI Training | Breach Risk |
|---|---|---|---|---|---|
| Reframe Practice Therapy AI Worksheets | Zero Retention | No | | Opt-out | Zero |
| ChatGPT Enterprise General AI | HIPAA Compliant | Yes | | Opt-out | low |
| ChatGPT for Healthcare Healthcare AI | HIPAA Compliant | Yes | | Opt-out | low |
| Claude Enterprise Healthcare AI | HIPAA Compliant | Yes | | Opt-out | low |
| Mentalyc Therapy AI Notes | HIPAA Compliant | Yes | | Opt-out | low |
| Upheal Therapy AI Notes | HIPAA Compliant | Yes | | Opt-out | low |
| SimplePractice Practice Management | HIPAA Compliant | Yes | | Opt-out | low |
| Quenza Client Engagement | HIPAA Compliant | Yes | | Opt-out | low |
| Google Workspace + Gemini Healthcare AI | Conditionally Compliant | Yes | | Opt-out | medium |
| Therapist Aid Worksheet Library | Conditionally Compliant | No | | Opt-out | Zero |
| ChatGPT (Free/Plus) General AI | NOT Compliant | Yes | | May train | high |
| Claude (Free/Pro) General AI | NOT Compliant | Yes | | May train | high |
| Google Gemini (Consumer) General AI | NOT Compliant | Yes | | May train | high |
Data researched January 2026.
Common Questions
What does "zero-retention" actually mean?
Zero-retention means your data is processed entirely in memory and immediately discarded. Nothing is ever written to a database or log file. This is different from "HIPAA compliant," which typically means data is stored with encryption and safeguards.
Why does stored data = breach risk?
If data exists, it can be breached. Even with encryption, stored data is vulnerable to: database breaches, insider threats, subpoenas, misconfigured access controls, and backup exposure. Zero-retention eliminates all these risks because there is nothing to breach.
Is HIPAA compliance not enough?
HIPAA compliance means a vendor has implemented required safeguards and will sign a BAA. It does NOT mean your data is not stored. Most compliant tools store your data on their servers. This is safe enough for many use cases, but some therapists prefer zero-retention for maximum privacy.
Can I trust this comparison?
We research each tool using official documentation and vendor statements. However, policies change frequently. Always verify directly with the vendor and review their current privacy policy before using any tool with PHI.
Want true privacy for your clients?
Reframe Practice is the only AI worksheet generator with zero-retention architecture. Your client's data goes in, the worksheet comes out, and everything is immediately discarded. No databases. No logs. No breach risk.