Sovereignty Maturity Assessment for Behavioral Health

The therapeutic alliance is built on confidentiality.

And your vendor stack just violated it.

Behavioral health practice has always rested on a single load-bearing commitment. The person in the room can say what they have not said anywhere else, because what they say stays in the room. Therapeutic alliance is not metaphor. It is the mechanism by which the work works. Clinicians knew this before HIPAA existed. The APA, NASW, and ACA ethics codes name it as a foundational obligation, not a procedural one.

Then the AI scribe started listening. Abridge, Suki, DAX Copilot, plus the side-channel use of ChatGPT, Claude, and Gemini for note-drafting and case formulation. Session content is now flowing into vendor systems whose default terms permit retention, processing, and in some cases training on the underlying data. Most practices have never asked whether the AI vendor signed a HIPAA Business Associate Agreement. Many vendors offer one only on annual contracts above a price floor a solo or small group practice cannot reach. The vendors that do execute a BAA frequently carve out the training-data clause separately, so the BAA you signed protects PHI but not the inferences drawn from PHI.

And the patient is not in the room with the vendor's lawyers. The patient is in the room with you, and the alliance is your responsibility regardless of what the vendor's Terms of Service say. Your ethics code does not have an exception for "the vendor was supposed to handle it."

Layer the rest of the stack on top. Your EHR vendor holds the chart. Your practice management vendor holds the schedule and the billing. Your telehealth platform held every session for the last four years. Your patient portal vendor holds the messages. Each one signed a BAA at some point. Whether any of those BAAs still match what the vendor is actually doing in 2026, with the AI features they have quietly activated by default, is a separate question. It is the question OCR is now asking on breach investigations.

This page exists to give you a written, sourced, clinically grounded evaluation of where your sovereignty posture stands today. Free. Scope-selectable on the discovery call: a short cycle for narrow questions, a longer cycle for a full HIPAA + 42 CFR Part 2 + AI-vendor review. Built around the people in your caseload, not around our sales calendar.

What the assessment actually delivers.

A written sovereignty-posture document, organized the way a HIPAA compliance auditor or a state mental health authority surveyor would organize their findings. Three to six pages on the short cycle, six to twelve pages on the long cycle. Named observations, sourced to your practice's actual vendor stack, with a remediation order written for a clinical practice's procurement reality (small ops team, the owner reading vendor contracts on a Sunday, board oversight if you are a CMHC) and not a sales-cycle reality.

Lens 1: HIPAA, 42 CFR Part 2, and state-law exam-readiness posture.

What document trails exist today for your Notice of Privacy Practices, your Business Associate Agreements, your security risk analysis (the 45 CFR 164.308(a)(1)(ii)(A) one your auditor will ask for first), your breach response procedures, and your minimum-necessary access reviews? For SUD-touching practices, what is your 42 CFR Part 2 posture under the 2024 final rule, especially around consent for care coordination and the relationship between Part 2 records and your EHR? For practices treating minors, how does your stack hold up against state-by-state minor consent and parental access law? Where are the gaps a surveyor or an OCR investigator would find?

This lens reads your environment the way an auditor would, with the HIPAA Security Rule's safeguard categories as the organizing frame and the 42 CFR Part 2 layer called out separately when applicable. The output names the specific artifacts that would land on a corrective action plan.

Lens 2: AI vendor and clinical-stack sovereignty.

What do your EHR, your practice management vendor, your telehealth platform, your AI scribe (if any), your patient portal, your billing service, and any clinical decision support tool actually claim in their current Business Associate Agreements, data processing addenda, AI feature activation defaults, and retention terms? Where does your clinical data live, who has subpoena authority over it, and can you produce a clean export of the chart, the appointment history, and the billing record without the vendor's active cooperation? Which AI features have been quietly turned on since your BAA was signed?

This lens names every vendor in your stack, surfaces the contractual reality (not the salesperson's reassurance), and flags where the AI clauses introduced in the last 18 months have changed what you signed up for. For practices using consumer AI tools outside a BAA (the unspoken ChatGPT or Claude tab open during note drafting), it names that as the exposure it is.

The deliverable is yours. Keep it, share it with your compliance officer, file it with your next OCR risk analysis, hand it to your board's quality committee if you are a CMHC, or work the remediation yourself. There is no obligation to engage Sterling for any work beyond the assessment. If we can help, you will know. If you do the work in-house from the assessment alone, that is also a good outcome.

The threat surface, named.

Four exposures sized specifically for behavioral health practices and clinics, from solo and small-group practices through community mental health centers. None of these are hypothetical. All of them are showing up in current OCR enforcement actions, state mental health authority surveys, malpractice carrier renewal questionnaires, and the trade press.

Threat 1: AI scribes and consumer AI tools are recording therapy with terms most clinicians never read.

Abridge, Suki, DAX Copilot, and the broader category of clinical AI scribes vary widely in their HIPAA posture. Some sign a Business Associate Agreement by default; others only on annual enterprise contracts above a price floor most behavioral health practices in this segment do not reach. Some carve the training-data clause out of the BAA entirely, so PHI is protected but the inferences drawn from PHI are vendor property. Then there is the side-channel use: the consumer ChatGPT, Claude, and Gemini tabs clinicians have open for note-drafting, case formulation, or treatment-planning queries. Those have no BAA, no opt-out from training, and no documentation in the practice's compliance record. Your ethics code (APA Standard 4, NASW 1.07, ACA B.1, AAMFT 2) does not distinguish between PHI in an EHR and PHI typed into a consumer chatbot.

Sources: OpenAI Enterprise Terms 2026; Anthropic Acceptable Use Policy 2026; vendor BAA published policies for Abridge, Suki, and Microsoft DAX Copilot; APA Ethics Code (2017 revision, Standard 4: Privacy and Confidentiality); NASW Code of Ethics 1.07; ACA Code of Ethics Section B; ABA Formal Opinion 512 on generative AI tools (the parallel cross-professional precedent on confidentiality obligations under AI vendor terms).

Threat 2: Your existing Business Associate Agreements likely do not match what your vendors are now doing.

A BAA signed in 2019 with your EHR vendor named a specific set of data uses. The same vendor in 2026 has activated AI summarization, predictive scheduling, automated billing review, and clinical decision support features by default. The BAA almost certainly was not amended. OCR has signaled in recent guidance and enforcement that BAA scope is a covered entity's responsibility to monitor, not a one-time signing. The HIPAA Security Rule notice of proposed rulemaking that HHS published in late 2024, with significant proposed strengthening of the Security Rule, signals where the enforcement floor is heading. The practical question is whether your current BAA portfolio reflects what your vendors are actually doing today.

Sources: 45 CFR Part 164 Subparts C and E; HHS OCR Resolution Agreements and Civil Monetary Penalties 2022 to 2025 (multiple cases citing inadequate BAA monitoring); HHS HIPAA Security Rule NPRM published December 2024; HHS guidance on tracking technologies and online tracking (2023, revised 2024).

Threat 3: 42 CFR Part 2 was modernized in 2024, and most SUD-touching practices have not updated their consent flow.

The 2024 final rule on 42 CFR Part 2 aligned more closely with HIPAA on care coordination but preserved Part 2's higher baseline of protection for substance use disorder records. The practical change: a single patient consent can now authorize broader uses for care coordination, but the requirements around redisclosure prohibition, segregation of Part 2 records inside an EHR, and the form of the consent itself were tightened. Any behavioral health practice providing medication-assisted treatment (MAT), addiction therapy, co-occurring disorder treatment, or operating a program that receives federal funding for SUD services is in Part 2 scope. Most practices in scope are still operating on pre-2024 consent forms and EHR configurations.

Sources: 42 CFR Part 2 Final Rule, published February 16, 2024, effective April 16, 2024 (compliance date February 16, 2026); SAMHSA Part 2 implementation guidance 2024 to 2025; ASAM and AATOD practice advisories on Part 2 compliance.

Threat 4: Your malpractice carrier is reading your AI vendor terms before they pay your next claim.

Behavioral health malpractice carriers (CPH and Associates, HPSO, The Trust, ACA-endorsed carriers, NASW Assurance Services) have begun adding AI-use questions to renewal applications. A breach, a confidentiality complaint, or a board action traceable to a non-compliant AI vendor relationship can affect coverage. The exposure runs both ways: if you did not disclose AI vendor use on the renewal, the carrier has a coverage argument; if you did disclose and the vendor was non-compliant, the carrier still has a coverage argument. The question is whether your practice's vendor posture would survive that carrier conversation today.

Sources: published renewal questionnaires from major behavioral health malpractice carriers 2024 to 2025; APA Trust Risk Management advisories on AI use; NASW Assurance Services practice updates; industry observation, trade press coverage of carrier AI-clause evolution.

The hybrid cycle, sized to your practice.

The general success.build/risk evaluation runs a two-hour cycle. Most solo and small-group behavioral health practices fit that shape. Group practices with multiple clinicians, complex EHR configurations, or 42 CFR Part 2 obligations often need more depth. Community mental health centers with HRSA reporting, state mental health authority oversight, and multiple federal funding streams typically need the longer cycle.

So the behavioral health assessment is scope-selectable on the discovery call. Both options are free. We help you size the cycle to the practice's actual surface area.

  • Short cycle (about two hours of your time, roughly one week elapsed). Thirty-minute discovery call. Homework on your side: vendor list, BAA copies if available, current Notice of Privacy Practices, a quick description of the AI tools in actual use (named, not generic). One sixty-minute evaluation session. A three-to-six page written sovereignty-posture document delivered within five business days. Best fit for solo practitioners, small group practices, and any practice with a focused question ("is our AI scribe vendor BAA sufficient," "what is our Part 2 exposure," "what would OCR ask about our telehealth stack").
  • Long cycle (about ten business days, surveyor-shaped deliverable). Forty-five-minute discovery call. One week of homework on our side: we read every BAA you can share, pull the current published terms for every named vendor, check for AI feature activation defaults across the stack, and structure the evaluation around the HIPAA safeguard categories that apply to your size and the Part 2 layer if applicable. One ninety-minute evaluation session with the practice owner or clinical director, the compliance officer or privacy officer if separate, and the IT lead. A six-to-twelve page written deliverable within five business days of the evaluation session. Best fit for group practices ten clinicians and up, community mental health centers, FQHC behavioral health programs, and practices preparing for a known upcoming audit or survey.

The choice is made on the discovery call, not before. Bring the question, we will help size the cycle. Either option is free. Either option produces a written deliverable that is yours to keep, share, or file.

Who this is for.

The fit is clearest for behavioral health group practices in the $1M to $15M revenue band with ten to one hundred clinicians, and for community mental health centers and FQHC behavioral health programs where the regulatory surface is larger and the cycle is longer. Smaller solo and small-group practices fit the short cycle and the same instrument, just at a tighter scope.

  • Outpatient mental health and counseling group practices with multiple clinicians, an integrated EHR, and increasingly an AI scribe or AI documentation tool in active use.
  • Substance use disorder treatment programs (outpatient, residential, MAT-providing, intensive outpatient) subject to 42 CFR Part 2 in addition to HIPAA.
  • Community mental health centers (CMHCs) under state mental health authority oversight, often Medicaid-heavy, often with multi-program structure (outpatient, crisis, school-based, peer support).
  • FQHC behavioral health programs where the behavioral health line is integrated into a larger Federally Qualified Health Center under HRSA oversight.
  • Psychiatric medication management practices with a clinical decision support layer and prescribing data flowing into telehealth platforms.
  • Child and adolescent behavioral health practices handling minor consent, parental access, school-based records, and increasingly state-specific minor data protection law (NY Child Data Protection Act and adjacent).

Adjacent practice types we also work with.

  • Solo and small-firm therapists and counselors (under ten clinicians) where the short cycle is the right scope most of the time, with focus typically on AI scribe and consumer AI tool exposure.
  • Psychological testing and assessment practices where the data is denser per patient and the EHR may not be the central repository.
  • Applied behavior analysis (ABA) practices serving children with autism, with telehealth-supervised in-home services and a distinct payer mix (TRICARE, state Medicaid, commercial).
  • Eating disorder treatment programs with multi-disciplinary teams, residential or partial hospitalization settings, and overlapping medical and behavioral health records.
  • Home-care-adjacent behavioral health programs (in-home psychiatric care, home-based ABA, behavioral home health) where the agency reaches into the patient's home and the caregiver-family-patient trust frame stacks on top of clinical confidentiality. The clinical framing is held here; the home-care vendor stack (EVV, clinical documentation, caregiver workflow) routes to the home care assessment.
  • Pastoral counseling and faith-based behavioral health programs where the ethics frame layers a tradition-specific obligation on top of HIPAA where HIPAA applies, or stands alone where the program operates outside HIPAA. The clinical-confidentiality framing is held here; the tradition-specific stewardship framing routes to the religious institutions and diaspora community organizations assessment.
  • Community mental health centers and SUD-treatment 501c3s operated as nonprofit clusters where the operating charity sits alongside a 501c2 holding the facility and sometimes a 501c4 advocacy arm. The clinical framing is held here; the cluster-stewardship questions across the related 501c entities route to the nonprofits and tax-exempt organizations assessment.
  • Telehealth-only behavioral health platforms where the platform itself is the vendor relationship and the practice's leverage is correspondingly thinner.
  • Employee assistance program (EAP) providers with employer-side data flow obligations layered on clinical confidentiality.

Why us.

Sterling Solutions is a Westchester-based small firm. We do not run on venture capital. We do not have a sales team pretending to be your friend. We do not have an exit horizon. We have published values (success.build/ethos) and a written anti-lock-in doctrine, and the architecture of our own platform proves it: every layer is swappable, every export is clean, your data is yours from day one and on the day you leave.

We are not an EHR vendor and we are not pitching one. The assessment is not a stalking horse for a system conversion engagement. If the conclusion is "your AI scribe vendor BAA is fine, here is the one consent-flow gap to close," that is the conclusion. If the conclusion is "your EHR contract is much worse than you realized and the remediation path is renegotiation at the next renewal," that is the conclusion. We have no commission structure with any of the vendors we evaluate.

The therapeutic alliance is the asset. Everything else in this stack exists to serve it. We take that seriously because the same logic applies to our own work: the people we serve are not products, and the data we hold is in trust. The vendor stack you operate should reflect the same standard you hold yourself to in the room with a patient.

The same duty-shape repeats next door. At solo and small-firm attorneys, the privilege belongs to the client and the lawyer holds it in trust; Model Rule 1.6 names the obligation the way every behavioral health profession's code names clinical confidentiality. At home care agencies, the aide is in the bathroom and the nurse is in the bedroom, with the same caregiver-family-patient trust at the most intimate distance the healthcare system reaches; the AI scribe and EHR vendor stack carry the same exposure shape this audience will recognize. When the practice is a community mental health center, FQHC behavioral health program, or SUD-treatment 501c3 operated as a nonprofit cluster, the cluster-stewardship questions across the related entities route to the nonprofits and tax-exempt organizations assessment. When the practice operates as a ministry of a religious institution, the tradition-specific stewardship framing is held at the religious institutions and diaspora community organizations assessment.

What this page is not.

This is not a pitch for a six-figure modernization engagement disguised as a free assessment. The assessment is the deliverable. If you read it, file it, do the work in-house, and never speak to us again, that is a good outcome and we are not chasing you for a sales call.

This is not a HIPAA compliance audit from a big-four firm. Those exist and they cost five figures and they are shaped for institutions with internal compliance teams large enough to receive them. This assessment is shaped for the practice owner or clinical director who is reading their own AI vendor terms on a Sunday because no one else will.

This is not legal advice. Sterling Solutions is a technology firm, not a law firm. The written deliverable identifies sovereignty and compliance posture gaps and names the regulatory categories they sit under. Decisions about specific remediation paths that have legal consequence (contract renegotiation, breach reporting, board communications, regulator interaction) should run through your practice's healthcare attorney. We are happy to coordinate with them.

Tire-kickers, briefly.

The evaluation is honest work. We do the homework on our end. We read the BAAs you can share. We pull the current public terms for every vendor you name. We come to the evaluation session prepared. We ask the same of you: bring the person who actually owns the vendor relationships (practice owner, clinical director, or compliance officer, depending on practice structure), and bring a real intent to read what we deliver. Curiosity is fine. Performative curiosity is not what this offer is for.

One discovery call.

Forty-five minutes for the long cycle, thirty for the short cycle. The AI vendor your practice is using today is going to be the subject of an OCR enforcement question, a malpractice carrier renewal question, or a state board ethics question whether or not you have a written posture document on the shelf. The asymmetry between "having a written assessment ready before the question comes" and "scrambling once it does" is large, and it is not in your favor by default. Sterling is happy to help close it.

Book the discovery call →

Heads-up on the booking page: the booking widget currently shows 30-minute slots. For the short cycle, thirty minutes is the right length. For the long cycle, once you pick a time we will extend it to forty-five minutes on our end, provided the fifteen minutes before or after your selected slot are open on our calendar. If the adjustment does not work for you, email [email protected] and we will find a slot that fits.

success.build/risk/behavioral-health · [email protected] · scope-selectable on the discovery call