AI in Therapy 2026: What's Banned, What's Allowed, and Where the Privacy Risks Hide

June 2026 | 7 min read | TimeInvoicer Editorial

The Law Just Drew a Line — and It's Actually Useful

Illinois made headlines on August 1, 2025, when the Wellness and Oversight for Psychological Resources Act (WOPR Act) took effect. The law prohibits AI from providing therapy or making therapeutic decisions. That part gets quoted everywhere.

What gets quoted less often is the other half: the WOPR Act explicitly permits AI for administrative and supplementary support when used by a licensed clinician. Utah and Nevada have enacted related provisions moving in the same direction.

Read those two sentences together and you have the clearest regulatory signal the mental health field has received in years. The line is not between "AI" and "no AI." It is between AI that does administrative work and AI that does clinical work.

What "therapeutic decision" means in practice

Regulators and legal commentators (including analysis from Holland & Knight) point to functions like risk scoring, diagnostic suggestions, and treatment recommendations as the territory where liability accumulates. A tool that listens to a session and flags "elevated suicide risk" is operating in clinical territory regardless of how it is marketed.

A tool that turns your spoken notes into structured text, generates a billing code from your notes, or reminds you that a client's invoice is overdue is doing administrative work. Different category, different rules.

The EU AI Act: 2027 Is Closer Than It Looks

The EU AI Act imposes its high-risk medical-AI obligations from 2 August 2027. If you are practising in the EEA, or if your clients are, the clock is already running.

The distinction that matters here mirrors the US one. A transcription or note-structuring tool is generally not classified as a medical device under the Medical Device Regulation (MDR) and does not trigger AI Act high-risk duties. A tool that interprets clinical content — scoring risk, suggesting diagnoses, recommending interventions — likely does trigger both MDR classification and AI Act obligations, including conformity assessments, technical documentation, and human oversight requirements.

The practical upshot: a vendor offering "AI-powered clinical insights" for your therapy practice faces a substantially higher compliance burden than a vendor offering documentation and billing support. Whether that vendor has done the compliance work is a question worth asking before you hand over session data.

GDPR and the Problem with "De-Identified" Data

Therapy session content is Article 9 special-category data under GDPR. That means the usual legal bases — including the one vendors love, "legitimate interest" — are not available. Processing requires explicit consent, and even then the conditions are narrow.

This becomes relevant the moment a cloud-based AI scribe processes a session recording on a remote server. Where is that server? Is it in the EU/EEA? Has the vendor signed a Data Processing Agreement with you? Do they hold ISO 27001 certification?

Several AI scribe vendors' terms of service reserve the right to reuse or sell de-identified session data. "De-identified" is doing a lot of work in that sentence. Re-identification risk in small therapeutic contexts — where a few demographic details combined with a described presenting problem can point to a real person — is not theoretical.

Early research published in JAMA Psychiatry in March 2026 on AI ambient scribes in clinical settings suggests reasons for caution, though the evidence base is still developing. The concern was not primarily that AI scribes make factual errors (though they can). It was that the workflow changes they introduce may subtly shift the clinical dynamic in ways that are difficult to measure and easy to underestimate.

What to Check Before Letting Any AI Tool Near Your Notes

Before connecting any tool to your session notes, recordings, or client data, run through this checklist:

Regulators do not expect perfection. They expect due diligence. Being able to show that you asked these questions, evaluated the answers, and made a documented decision protects you far better than assuming a polished vendor website equals compliance.

The Administrative Side Is Where You Have Room

The WOPR Act's carve-out for administrative AI support is not an accident. Legislators understood that the documentation burden on mental health professionals is real, that it pulls time and attention away from clients, and that tools helping with billing, scheduling, and record-keeping serve practitioners without entering the clinical relationship.

This is the lane where software can genuinely help without raising the legal and ethical questions that clinical-AI tools carry. Structured note-keeping, invoice generation, ICD code management, appointment tracking — none of these functions involve interpreting what a client said or suggesting what a clinician should do next.

Why Offline Note-Keeping Is the Privacy Default That Makes Sense

When your documentation tool works offline and stores notes only on your own device, the GDPR server-location question answers itself. There is no third-party server processing Article 9 data. There is no DPA to chase down. There is no terms-of-service clause reserving rights over de-identified session content.

TimeInvoicer takes this approach for its documentation and billing functions. Notes, client records, ICD codes, and invoices are stored on-device. The tool makes no diagnostic or therapeutic suggestions — it handles the administrative layer that the WOPR Act explicitly permits: billing, invoicing, record-keeping. When internet access is unavailable, it keeps working. When you close the app, your client data has not moved.

That is not a marketing position. It is a structural answer to the compliance questions listed above.


Keep documentation on the legal side of the line.

TimeInvoicer handles billing, invoicing and electronic notes — offline, on your device, with no cloud requirement. Try it free and see how much administrative time you get back.
