Blueprint is designed to support clinical documentation while keeping providers in control. AI-generated content starts as draft material. Providers decide what to review, edit, approve, retain, delete, and incorporate into the client record.

Providers can choose whether to retain transcripts and other AI-generated documentation in Blueprint or delete them according to their organization’s retention policy, subject to applicable legal, security, and operational requirements.

This FAQ is general information, not legal advice. Requirements can vary by state, practice type, client population, payer, court process, and organization policy. Providers should consult legal counsel when responding to subpoenas, attorney requests, court orders, or other legal requests.

Blueprint’s AI Scribe can generate a transcript and draft clinical documentation from a therapy session. These materials are used to help providers prepare clinical notes and related documentation.

When recording is used, audio is used only to support documentation and is deleted and non-recoverable after processing.

Transcripts are not automatically part of the official medical record.

AI-generated transcripts and draft documentation remain separate from the finalized clinical note unless the provider reviews, approves, or incorporates content into the client record. The provider’s finalized note is the clinician-approved record.

That said, transcripts may still contain Protected Health Information and may be subject to the provider’s retention policies, legal obligations, and valid legal requests if they are retained.

Yes. Transcripts may contain Protected Health Information and are protected under HIPAA when maintained by Blueprint on behalf of a covered entity.

Blueprint protects transcripts and other PHI through HIPAA-compliant safeguards, access controls, encryption, audit logging, and related privacy and security practices.

Clients may have rights to access PHI maintained by or for their provider, depending on the provider’s record policies and applicable law.

If a client requests a transcript, the provider should review whether the transcript is part of the applicable record set, whether any exceptions apply, and whether state law or other privacy rules affect disclosure.

Joint sessions require extra care because the transcript may include information about more than one person.

Before releasing a transcript from a couples, family, or group session, providers should consider who the client is, whose PHI is included, whether authorizations are required, and whether any state-specific confidentiality rules apply. Providers should consult legal counsel before releasing these materials.

Not without proper legal authority.

A request from an attorney is not, by itself, always enough to disclose PHI. Before sharing transcripts or other records with an attorney, providers should confirm that there is a valid HIPAA-compliant authorization, court order, subpoena that satisfies applicable legal requirements, or another lawful basis for disclosure.

No. Blueprint does not retain session audio after processing.

When recording is used, audio is used only to support documentation and is deleted after processing. Blueprint does not retain session audio recordings, copies, or backups. Because Blueprint does not retain session audio, Blueprint cannot produce session audio in response to a subpoena, court order, or other legal request.

Do not release records immediately.

Send the subpoena to your legal counsel for review. Counsel should assess whether the subpoena is valid, whether it satisfies HIPAA and applicable state-law requirements, whether the request is too broad, whether any special protections apply, and whether a court order, client authorization, notice, or qualified protective order is required.

Blueprint can coordinate with you and your legal team as needed.

This depends on the type of legal request, the client population, applicable state law, and the scope of the request.

In general, transcripts should only be released after the provider or the provider’s counsel confirms that the request is legally valid and that HIPAA and other applicable privacy requirements have been satisfied.

Examples may include a valid court order, a valid client authorization, or a subpoena/discovery request that satisfies HIPAA’s requirements for notice or a qualified protective order.

Even when disclosure is required, providers should disclose only the information required by the request and should consider whether redactions, objections, narrowing, or protective treatment are appropriate.

Blueprint does not treat a legal request as automatic permission to disclose PHI.

If Blueprint receives a subpoena, court order, or other legal request directly, Blueprint reviews the request, notifies the provider where permitted, preserves relevant data if required, and responds only as required by applicable law.

Where appropriate, Blueprint may object to, narrow, or seek clarification of a request before producing information. Blueprint’s goal is to coordinate with the provider while protecting client privacy and complying with applicable law.

If a transcript is retained and is responsive to a valid legal request, it may need to be preserved and, in some cases, produced.

A transcript should be understood as an AI-generated artifact. It is separate from the finalized clinician-approved note unless the provider has incorporated it into the client record. If a transcript is produced, it should be identified as an AI-generated transcript rather than a clinician-finalized clinical note.

AI-generated transcripts may contain errors, omissions, speaker-labeling mistakes, or language that lacks clinical context. The transcript is a source artifact created to help generate documentation. It is not the clinician’s final clinical record.

The finalized clinical note is the provider-reviewed record. Providers are expected to review, edit, and approve clinical notes before they become part of the client record.

If there is a difference between a transcript and the finalized note, the finalized note is the record the provider reviewed and approved. The transcript may help explain how documentation was generated, but it should not be treated as a substitute for the provider’s finalized clinical note.

If an inaccurate transcript is subject to a legal request, providers should consult counsel before editing, deleting, or producing it.

Providers control whether transcripts are retained in Blueprint or deleted.

By default, Blueprint retains transcripts unless the provider deletes them or configures transcript retention settings to delete them automatically, subject to applicable legal, security, and operational requirements.

Providers are responsible for determining the retention policy that is appropriate for their practice and legal obligations.

Yes. Providers can delete transcripts and other documentation from Blueprint, or configure transcript retention settings where available.

Deletion should be handled according to the provider’s record-retention policy. If litigation, a subpoena, a legal hold, an investigation, or another preservation obligation exists or is reasonably anticipated, providers should consult counsel before deleting potentially relevant records.

Auto-deleting transcripts reduces the amount of session-level data retained in Blueprint.

Some Blueprint functionality may be limited or unavailable when transcripts are deleted, including features that rely on prior transcript context to generate documentation, treatment-plan content, Magic Edit outputs, Blueprint Memory, Pre-Session Prep, or other AI Assistant suggestions.

Blueprint uses privacy and security safeguards designed to protect PHI, including:

Blueprint does not retain session audio after processing and does not use client data to train AI models.

Yes. Providers should be transparent with clients about the use of AI-assisted documentation tools.

Providers should consider including disclosures in intake forms, consent forms, privacy notices, or other client-facing materials explaining that AI may be used to support documentation, what data is created, how it is used, and how it is retained or deleted.

Providers should consider adopting internal policies that address:

Review Blueprint’s Privacy & Security page for additional information: https://www.blueprint.ai/privacy-security

You can also contact Blueprint Customer Support at help@blueprint.ai.