
Implementation Guide: Generate treatment plan documents, psychoeducation materials, and progress reports
Step-by-step implementation guide for deploying AI to generate treatment plan documents, psychoeducation materials, and progress reports for Allied & Mental Health clients.
Hardware Procurement
Business Laptop - Clinician Workstation
$1,059 per unit MSP cost / $1,299 suggested resale per unit
Primary clinician workstation for accessing AI documentation tools, EHR, and telehealth. TPM 2.0 chip enables BitLocker full-disk encryption required for HIPAA compliance. Windows 11 Pro required for Intune MDM enrollment and group policy management. 16GB RAM handles concurrent browser tabs for EHR, AI tool, and telehealth without performance issues.
USB-C Bluetooth Speakerphone
$199 per unit MSP cost / $249 suggested resale per unit
In-office session audio capture for AI transcription and note generation. Features 4 noise-cancelling microphones optimized for capturing both clinician and client speech in therapy room settings. 360-degree pickup pattern supports standard therapy room layouts. USB-C and Bluetooth dual connectivity. Certified for Microsoft Teams for telehealth integration.
Wireless Headset for Telehealth
$159 per unit MSP cost / $199 suggested resale per unit
Individual clinician headset for telehealth sessions where speakerphone is not appropriate (shared office spaces, confidential remote sessions). Active noise cancellation ensures clean audio input for AI transcription. Required for clinicians who conduct telehealth from non-private spaces.
Tablet for Field/Mobile Clinicians
$1,099 per unit MSP cost / $1,349 suggested resale per unit
For clinicians providing in-home therapy, school-based services, or other field-based allied health work. Apple Business Manager enables zero-touch MDM enrollment and remote wipe. Supports browser-based AI documentation tools and EHR access. Pair with Apple Pencil Pro for handwritten note capture if preferred.
Encrypted External Backup Drive
$329 per unit MSP cost / $429 suggested resale per unit
FIPS 140-2 Level 2 validated hardware-encrypted external drive for local backup of exported treatment plans, progress reports, and psychoeducation documents. Provides air-gapped backup independent of cloud services. PIN-authenticated access prevents unauthorized data exposure if physically stolen.
Software Procurement
AutoNotes AI Clinical Documentation
$49/month per clinician (Premium tier - 300 notes/mo) or $99/month per clinician (Ultimate tier - unlimited). MSP bulk pricing available on request.
Primary AI documentation engine for generating progress notes (SOAP, DAP, BIRP formats), treatment plans, and session summaries. Integrates with major EHRs via browser extension. Supports audio session capture with real-time transcription and AI-generated clinical documentation. Selected for balance of features, pricing, and broad EHR compatibility.
Mentalyc
$39.99–$69.99/month per clinician depending on tier. Group practice discounts available.
Alternative primary AI documentation platform if practice requires modality-specific templates (CBT, DBT, EMDR, trauma-informed). Generates SMART goals for treatment plans, tracks progress automatically, and supports supervisor collaboration. SOC 2 Type II certified. Preferred for practices with specialized therapeutic modalities.
Azure OpenAI Service (GPT-4.1-mini)
$0.40 per 1M input tokens / $1.60 per 1M output tokens. Estimated $15–$50/month for a 5-clinician practice generating psychoeducation materials. Azure subscription required (Pay-As-You-Go).
Powers the custom psychoeducation content generator component. GPT-4.1-mini provides excellent quality-to-cost ratio for generating patient-facing educational materials on topics like anxiety management, grief coping strategies, CBT worksheets, and mindfulness exercises. Azure OpenAI chosen over direct OpenAI API for Microsoft HIPAA BAA coverage and integration with existing Microsoft 365 infrastructure.
Microsoft 365 Business Premium
$22/user/month retail. MSP CSP cost ~$17.60/user/month (~20% margin).
Foundation identity and endpoint management platform. Provides Entra ID for SSO/MFA across all AI tools and EHR, Microsoft Intune for MDM (BitLocker enforcement, remote wipe, compliance policies), Exchange Online for HIPAA-compliant email, and Microsoft Defender for endpoint protection. Required for HIPAA-grade identity management.
Wasabi Hot Cloud Storage with BAA
$7.99/TB/month with no egress fees. Estimated $8–$16/month for document backup. BAA available at no additional cost.
HIPAA-compliant cloud backup for exported treatment plans, progress reports, and psychoeducation materials. Supplements EHR vendor backup with independent document archive. S3-compatible API enables automated backup scripts. No egress fees make restore operations cost-predictable.
Doxy.me Telehealth Platform
Free tier available. Professional at $35/month per provider for HD video and waiting room customization. Clinic tier at $50/month per provider.
HIPAA-compliant telehealth platform for remote therapy sessions. BAA included. Browser-based (no client software installation needed). Integrates with AI documentation tools that capture session audio from telehealth calls. Only needed if practice does not already have telehealth built into their EHR.
JotForm HIPAA
$34/month
Creates digital patient consent forms for AI-assisted documentation, including specific consent for session recording/transcription and AI processing of clinical data. Submissions encrypted and stored in HIPAA-compliant environment. Integrates with practice intake workflows. BAA included.
Prerequisites
- Active EHR/Practice Management subscription (SimplePractice, TherapyNotes, Jane App, TheraNest, or equivalent) with admin-level access for integration configuration
- Reliable internet connection: minimum 25 Mbps download / 10 Mbps upload per concurrent clinician, with latency under 100ms to US cloud regions
- Google Chrome browser (latest stable version) installed on all clinician workstations — required for browser extension-based EHR integrations
- Microsoft 365 Business Premium tenant configured with all clinician user accounts, MFA enforced, and Intune enrolled devices (or equivalent MDM solution)
- Executed Business Associate Agreements (BAAs) with: AI documentation vendor (AutoNotes or Mentalyc), Azure/Microsoft (for OpenAI API and M365), cloud backup provider (Wasabi), telehealth vendor, and any other sub-processors handling PHI
- Updated HIPAA Risk Assessment that includes AI documentation tools as information systems processing ePHI — must be completed before go-live per HHS 2025 proposed regulation
- Patient consent form for AI-assisted documentation approved by practice's legal counsel, covering: session recording consent, AI transcription disclosure, data storage and retention policies, and patient right to opt out
- Wi-Fi network secured with WPA2-AES minimum (WPA3 Enterprise recommended), with separate guest/patient network SSID isolated from clinical network
- Practice administrator or clinical champion identified who will serve as internal point of contact, template customizer, and first-line trainer for clinical staff
- State-specific recording consent law compliance verified: confirm whether practice operates in a one-party or two-party consent state, and adjust consent procedures accordingly
- Firewall configured to allow outbound HTTPS (port 443) to AI vendor domains, Azure endpoints, and EHR cloud services — no special inbound port requirements
- Current HIPAA policies and procedures manual available for update, including Notice of Privacy Practices that will need amendment to disclose AI-assisted documentation
Installation Steps
Step 1: Execute Business Associate Agreements and Update Compliance Documentation
Before any technical work begins, ensure all BAAs are executed with every vendor that will process PHI. This is a legal prerequisite for HIPAA compliance. Contact each vendor's compliance team to initiate the BAA process. Simultaneously, update the practice's HIPAA Risk Assessment to include the new AI documentation systems as information assets, and amend the Notice of Privacy Practices to disclose AI-assisted documentation to patients.
BAA execution can take 1–5 business days depending on vendor. AutoNotes and Mentalyc provide self-serve BAA signing during account creation. Azure BAA is accepted through the Microsoft Trust Center within the Azure portal. Do NOT proceed with any PHI-touching configuration until all BAAs are fully executed. Keep signed BAA copies in the practice's HIPAA compliance file.
Step 2: Configure Microsoft 365 Business Premium and Entra ID
Set up the Microsoft 365 tenant as the identity foundation. Create user accounts for all clinicians and administrative staff. Configure Entra ID (formerly Azure AD) with Conditional Access policies requiring MFA for all cloud application access. Create a Security Group called 'AI-Documentation-Users' for managing access to AI tools. Enable Intune auto-enrollment for Windows and iOS devices.
# PowerShell - Connect to Microsoft Graph
Connect-MgGraph -Scopes 'User.ReadWrite.All','Group.ReadWrite.All','Policy.ReadWrite.ConditionalAccess'
# Create Security Group for AI Documentation Users and keep its object ID for the membership step
$groupId = (New-MgGroup -DisplayName 'AI-Documentation-Users' -MailEnabled:$false -SecurityEnabled:$true -MailNickname 'ai-doc-users' -Description 'Clinicians authorized to use AI documentation tools').Id
# Add clinician users to group (repeat for each user)
$userId = (Get-MgUser -Filter "userPrincipalName eq 'clinician1@practicedomain.com'").Id
New-MgGroupMember -GroupId $groupId -DirectoryObjectId $userId
# Enable MFA via Conditional Access (verify in Entra Portal > Security > Conditional Access)
# Create policy: 'Require MFA for AI Documentation Apps'
# Assignments: AI-Documentation-Users group
# Target: All cloud apps (or specific app registrations)
# Grant: Require multifactor authentication
If the practice already has Microsoft 365, skip tenant creation but audit existing security settings. Ensure MFA is enforced for ALL users, not just AI tool users — this is a HIPAA Security Rule requirement. If the practice uses Google Workspace instead of M365, adapt identity management accordingly but ensure equivalent MFA and device management capabilities.
Step 3: Provision and Configure Clinician Workstations
Unbox and configure Dell Latitude 5550 laptops (or existing client hardware meeting specs). Enable BitLocker full-disk encryption, enroll in Intune MDM, install Google Chrome, and apply baseline security policies. Each workstation should be labeled with an asset tag and recorded in the MSP's RMM tool.
# Enable BitLocker via PowerShell (run as Administrator)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector
# Verify BitLocker status
Get-BitLockerVolume -MountPoint "C:"
# Install Google Chrome via winget
winget install Google.Chrome --accept-package-agreements --accept-source-agreements
# Set Chrome as default browser for EHR extension compatibility
# Configure via Intune Configuration Profile > Device Restrictions > Default Browser
# Join device to Entra ID (Settings > Accounts > Access work or school > Connect)
# This triggers Intune auto-enrollment if configured in Step 2
# Verify Intune enrollment
dsregcmd /status
# Look for: AzureAdJoined: YES, MdmUrl: https://enrollment.manage.microsoft.com
BitLocker recovery keys are automatically escrowed to Entra ID when device is Entra-joined. Verify this in the Entra Portal under Devices > BitLocker Keys. For iPads: enroll via Apple Business Manager > assign to Intune MDM profile > push managed browser (Chrome or Edge) and require device passcode + Face ID. For existing client hardware, verify TPM 2.0 presence before BitLocker enablement: Get-Tpm | Select-Object TpmPresent,TpmReady
Step 4: Set Up AI Documentation Platform Accounts (AutoNotes)
Create the practice's AutoNotes organization account. Provision individual clinician accounts under the organization. Configure SSO via Entra ID if available, or enforce strong unique passwords with MFA. Accept the BAA during account setup. Configure default note formats based on practice preferences (SOAP, DAP, BIRP, or custom). Set data retention policies according to practice policy and state law.
If using Mentalyc instead: navigate to https://app.mentalyc.com, follow similar org setup, and configure modality-specific templates (CBT, DBT, EMDR, etc.) under Settings > Clinical Templates. Mentalyc requires selecting the therapeutic modality per clinician profile for optimal AI output. Ensure the admin account uses a practice administrator email, NOT a personal clinician email, for proper organizational control.
Step 5: Install Browser Extensions and Configure EHR Integration
Install the AI documentation tool's Chrome browser extension on each clinician workstation. This extension bridges the AI tool and the EHR, enabling one-click note transfer. Configure the extension to connect to the practice's EHR instance. Test the connection by creating a sample note and transferring it to a test client record in the EHR.
- Option A: Manual per-device — Open Chrome > Navigate to Chrome Web Store > Search 'AutoNotes' or navigate to the direct extension URL > Click 'Add to Chrome' > Confirm installation > Sign in to AutoNotes via extension popup > Grant necessary permissions (page access for EHR domain)
- Option B: Push via Intune (recommended for managed deployment) — In Intune Admin Center: Devices > Configuration profiles > Create profile > Platform: Windows 10 and later > Profile type: Settings catalog > Search: 'Configure the list of force-installed apps and extensions' > Add AutoNotes extension ID from Chrome Web Store > Assign to 'AI-Documentation-Users' device group
- Configure EHR connection: Open EHR in Chrome (e.g., SimplePractice, TherapyNotes) > Click AutoNotes extension icon in toolbar > Select 'Connect to EHR' > Choose EHR platform > Follow authorization flow to grant read/write access > Verify connection status shows 'Connected'
Browser extension force-installation via Intune ensures consistent deployment and prevents clinicians from accidentally removing the extension. If the EHR does not support direct browser extension integration, configure for copy/paste workflow: AI tool generates note in its own interface, clinician reviews and copies into EHR manually. This is still significantly faster than writing from scratch. For Jane App specifically: use the Chrome extension to populate charting template fields.
Step 6: Deploy Azure OpenAI Service for Custom Psychoeducation Generator
Set up Azure OpenAI Service to power the custom psychoeducation content generator. This component creates patient-facing educational materials on mental health topics that clinicians can personalize and distribute. Create an Azure subscription (or use existing), deploy a GPT-4.1-mini model instance, configure networking restrictions, and verify HIPAA BAA coverage.
- Step 6a: Accept Azure HIPAA BAA — Azure Portal > Search 'Regulatory Compliance', or: Subscriptions > [subscription] > Properties > Manage BAA. Review and accept the Microsoft HIPAA BAA.
# Step 6b: Create Azure OpenAI resource via Azure CLI
az login
az group create --name rg-mentalhealth-ai --location eastus2
az cognitiveservices account create \
--name oai-mentalhealth-prod \
--resource-group rg-mentalhealth-ai \
--kind OpenAI \
--sku S0 \
--location eastus2 \
--custom-domain oai-mentalhealth-prod
# Step 6c: Deploy GPT-4.1-mini model
az cognitiveservices account deployment create \
--name oai-mentalhealth-prod \
--resource-group rg-mentalhealth-ai \
--deployment-name gpt-41-mini \
--model-name gpt-4.1-mini \
--model-version '2025-04-14' \
--model-format OpenAI \
--sku-capacity 30 \
--sku-name Standard
# Step 6d: Retrieve API key and endpoint
az cognitiveservices account keys list \
--name oai-mentalhealth-prod \
--resource-group rg-mentalhealth-ai
az cognitiveservices account show \
--name oai-mentalhealth-prod \
--resource-group rg-mentalhealth-ai \
--query properties.endpoint
# Step 6e: Configure network restrictions (recommended)
# Note: IP rules only restrict access when the account's network default action is Deny
az cognitiveservices account network-rule add \
--name oai-mentalhealth-prod \
--resource-group rg-mentalhealth-ai \
--ip-address <PRACTICE_PUBLIC_IP>
# Step 6f: Enable diagnostic logging
az monitor diagnostic-settings create \
--name oai-diagnostics \
--resource /subscriptions/<SUB_ID>/resourceGroups/rg-mentalhealth-ai/providers/Microsoft.CognitiveServices/accounts/oai-mentalhealth-prod \
--logs '[{"category":"Audit","enabled":true},{"category":"RequestResponse","enabled":true}]' \
--workspace /subscriptions/<SUB_ID>/resourceGroups/rg-mentalhealth-ai/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_NAME>
Azure OpenAI Service requires an application for access — apply at https://aka.ms/oai/access and specify healthcare use case. Approval typically takes 1–5 business days. The GPT-4.1-mini model provides the optimal balance of quality and cost for psychoeducation content. Network restrictions limit API access to the practice's IP addresses only. Diagnostic logging creates an audit trail of all API calls required for HIPAA compliance. If Azure OpenAI access is delayed, use OpenAI API directly with BAA (contact baa@openai.com) as a temporary measure.
Step 7: Deploy Custom Psychoeducation Content Generator Web Application
Deploy the custom psychoeducation content generator as a lightweight web application that clinicians access via browser. This application uses the Azure OpenAI API to generate personalized patient education materials based on clinician-selected topics, reading level, and therapeutic modality. Deploy as an Azure App Service with Entra ID authentication.
# Create Azure App Service for the psychoeducation generator
az appservice plan create \
--name asp-psychoed-prod \
--resource-group rg-mentalhealth-ai \
--sku B1 \
--is-linux
az webapp create \
--name app-psychoed-prod \
--resource-group rg-mentalhealth-ai \
--plan asp-psychoed-prod \
--runtime 'PYTHON:3.12'
# Configure environment variables (API keys, endpoints)
az webapp config appsettings set \
--name app-psychoed-prod \
--resource-group rg-mentalhealth-ai \
--settings \
AZURE_OPENAI_ENDPOINT='https://oai-mentalhealth-prod.openai.azure.com/' \
AZURE_OPENAI_DEPLOYMENT='gpt-41-mini' \
AZURE_OPENAI_API_VERSION='2025-04-01-preview'
# Store API key in Azure Key Vault (never in app settings directly)
az keyvault create \
--name kv-psychoed-prod \
--resource-group rg-mentalhealth-ai \
--location eastus2
az keyvault secret set \
--vault-name kv-psychoed-prod \
--name azure-openai-key \
--value '<YOUR_API_KEY>'
# Enable managed identity for the web app to access Key Vault
az webapp identity assign \
--name app-psychoed-prod \
--resource-group rg-mentalhealth-ai
# Grant Key Vault access to web app managed identity
az keyvault set-policy \
--name kv-psychoed-prod \
--object-id <MANAGED_IDENTITY_OBJECT_ID> \
--secret-permissions get
# Enable Entra ID authentication
az webapp auth update \
--name app-psychoed-prod \
--resource-group rg-mentalhealth-ai \
--enabled true \
--action LoginWithAzureActiveDirectory
# Enforce HTTPS only
az webapp update \
--name app-psychoed-prod \
--resource-group rg-mentalhealth-ai \
--https-only true
# Deploy application code (see custom_ai_components for full source)
az webapp deployment source config-local-git \
--name app-psychoed-prod \
--resource-group rg-mentalhealth-ai
# Push code to Azure
git remote add azure <DEPLOYMENT_URL_FROM_ABOVE>
git push azure main
The Azure App Service B1 tier costs approximately $13.14/month and is sufficient for a small practice. Scale to B2 or S1 if concurrent usage exceeds 5 clinicians. Entra ID authentication ensures only authorized practice staff can access the generator — no separate login required. All API keys are stored in Azure Key Vault, never in application configuration directly. The application does NOT store any PHI — it generates generic psychoeducation content based on topic selection, not patient-specific data. This is an important architectural decision that simplifies HIPAA compliance.
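The no-PHI property described above holds only if the request surface gives clinicians nowhere to type patient details. The following is an added example (not the guide's own app.py) of an allowlist validator for the generator's request body; topic keys, subtopics and modalities come from this guide, while the reading levels, output formats, field names, function names and the `user_id` argument are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Topic keys, subtopics and modalities below are taken from this guide (subset shown).
ALLOWED_TOPICS = {
    'anxiety_management': {'Understanding Anxiety', 'Breathing Techniques',
                           'Grounding Exercises'},
    'grief_loss': {'Understanding Grief', 'Coping with Anniversaries',
                   'Continuing Bonds'},
}
ALLOWED_MODALITIES = {'CBT', 'DBT', 'EMDR', 'ACT', 'MI'}
# Assumed option values: the guide names these parameters but not their choices.
ALLOWED_READING_LEVELS = {'grade_6', 'grade_8', 'grade_12'}
ALLOWED_FORMATS = {'handout', 'worksheet', 'homework'}

FIELDS = ('topic', 'subtopic', 'modality', 'reading_level', 'output_format')


class RejectedRequest(ValueError):
    """Carries the field name only; the submitted value is never echoed or logged."""


@dataclass(frozen=True)
class GeneratorRequest:
    topic: str
    subtopic: str
    modality: str
    reading_level: str
    output_format: str


def _pick(payload, field, allowed):
    """Return payload[field] only if it is a string found in the allowlist."""
    value = payload.get(field)
    if not isinstance(value, str) or value not in allowed:
        raise RejectedRequest(f'{field}: not an allowed option')
    return value


def validate_request(payload):
    """Turn an untrusted JSON body into a GeneratorRequest or raise RejectedRequest."""
    if not isinstance(payload, dict):
        raise RejectedRequest('body: expected a JSON object')
    extra = [key for key in payload if key not in FIELDS]
    if extra:
        # Extra keys (for example a free-text notes field) are refused and only
        # counted, because key names are client-controlled as well.
        raise RejectedRequest(f'body: {len(extra)} unexpected field(s)')
    topic = _pick(payload, 'topic', ALLOWED_TOPICS)
    return GeneratorRequest(
        topic=topic,
        # The subtopic must belong to the chosen topic, not to any topic.
        subtopic=_pick(payload, 'subtopic', ALLOWED_TOPICS[topic]),
        modality=_pick(payload, 'modality', ALLOWED_MODALITIES),
        reading_level=_pick(payload, 'reading_level', ALLOWED_READING_LEVELS),
        output_format=_pick(payload, 'output_format', ALLOWED_FORMATS),
    )


def rejection_reason(payload):
    """Return None for a valid body, else a value-free reason for a 400 response."""
    try:
        validate_request(payload)
    except RejectedRequest as exc:
        return str(exc)
    return None


def build_messages(req):
    """Assemble the chat messages from allowlisted constants, never from raw input."""
    system = ('You write general psychoeducation material. '
              'Do not address or describe any individual person.')
    user = (f'Topic: {req.subtopic} ({req.topic}). Modality: {req.modality}. '
            f'Reading level: {req.reading_level}. Format: {req.output_format}.')
    return [{'role': 'system', 'content': system},
            {'role': 'user', 'content': user}]


def audit_record(user_id, req):
    """Audit entry built from enumerated values, so the log cannot hold free text."""
    return {'time': datetime.now(timezone.utc).isoformat(),
            'user': user_id, **asdict(req)}
```

A request handler would call `validate_request` on the parsed JSON body before any call to the model and return the `rejection_reason` text with a 400 status otherwise.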
Step 8: Configure Audio Capture Hardware for AI Session Documentation
Set up Jabra Speak2 75 speakerphones and Evolve2 55 headsets at each clinician workstation. Install Jabra Direct software for firmware management and audio optimization. Configure audio routing so that the AI documentation tool captures session audio through the correct input device. Test audio quality in a simulated therapy session.
# Install Jabra Direct via winget
winget install Jabra.Direct --accept-package-agreements
# After installation, open Jabra Direct
# 1. Connect Jabra Speak2 75 via USB-C
# 2. Jabra Direct will detect device and check for firmware updates
# 3. Apply any available firmware updates
# 4. Under Settings > Audio, verify:
# - Noise cancellation: Enabled
# - Microphone mode: 360-degree pickup
# - Sidetone: Medium (so clinician can hear their own voice)
# Set Jabra as default audio device for Chrome
# Windows: Settings > System > Sound > Input > Select 'Jabra Speak2 75'
# Or configure per-app in Chrome:
# chrome://settings/content/microphone > Select Jabra device
# Verify audio levels in AI documentation tool:
# Open AutoNotes > Settings > Audio > Microphone Test
# Speak at normal conversation volume from 3-4 feet away
# Verify waveform shows clear audio without clipping
# For telehealth sessions with AI capture:
# Ensure telehealth platform (Doxy.me/Zoom) AND AI tool both
# have access to the same audio input
# Some tools capture system audio; verify per vendor documentation
The Jabra Speak2 75 is optimized for rooms up to 10x10 feet, which covers most therapy offices. For larger group therapy rooms, consider the Jabra Speak2 75+ or adding a second unit in daisy-chain configuration. Bluetooth pairing is also available for clinicians who prefer wireless setup, but USB-C provides more reliable audio for transcription. Important: test audio quality BEFORE the first client session — poor audio input is the #1 cause of inaccurate AI transcription.
Step 9: Create and Deploy Patient Consent Forms for AI Documentation
Build digital consent forms that patients must sign before AI-assisted documentation is used in their sessions. The consent form must clearly explain what AI does, how session data is processed, and the patient's right to opt out. Deploy via JotForm HIPAA for digital collection during intake, and create printable PDF versions for in-office signing.
Consent form language should be reviewed by the practice's legal counsel before deployment. The consent must be specific to AI documentation — a general HIPAA consent is NOT sufficient. In two-party consent states (California, Florida, Illinois, Maryland, Massachusetts, etc.), explicit written consent for audio recording is legally required before any session recording occurs. Build a clear opt-out workflow: if a patient declines AI consent, the clinician must be able to easily disable recording for that session and document manually. Illinois has enacted Public Act 104-0054 specifically governing AI in mental health — review and incorporate requirements if practice operates in Illinois.
Step 10: Customize Clinical Templates and Prompt Libraries
Work with the practice's clinical champion to customize AI-generated document templates for treatment plans, progress notes, and psychoeducation materials. Configure templates to match the practice's documentation standards, insurance requirements, and therapeutic modalities. Load custom prompt templates into both the SaaS documentation tool and the custom psychoeducation generator.
- AutoNotes Template Customization (Web UI): Login to AutoNotes as Practice Admin
- Navigate to Settings > Templates > Treatment Plans
- Create template: 'Standard Treatment Plan' — Sections: Presenting Problem, Diagnosis (DSM-5-TR), Treatment Goals (SMART format), Interventions, Frequency/Duration, Measurable Objectives, Discharge Criteria, Client Strengths, Barriers to Treatment, Safety Plan (if applicable)
- Create template: 'Progress Note - SOAP' — Sections: Subjective, Objective, Assessment, Plan
- Create template: 'Progress Note - DAP' — Sections: Data, Assessment, Plan
- Create template: 'Progress Note - BIRP' — Sections: Behavior, Intervention, Response, Plan
- Set default template per clinician based on preference
- Configure terminology preferences: Use person-first language, avoid pathologizing terms per practice policy, include required insurance documentation elements
- Mentalyc Modality Configuration (if using Mentalyc): Navigate to Settings > Clinical Profile > Select Modalities
- Configure per clinician: CBT, DBT, EMDR, ACT, MI, etc.
- Enable SMART goal generation for treatment plans
- Configure supervisor access for trainee clinicians
Template customization is the most clinically-sensitive part of the implementation. The MSP provides technical execution, but the clinical champion must approve all template content and output formatting. Schedule a 2-hour working session with the clinical champion to finalize templates. Insurance companies (especially Medicare/Medicaid) have specific documentation requirements for treatment plans — ensure templates include all required elements for the practice's most common payers. Save template configurations as documentation in the MSP's client knowledge base for future reference.
Step 11: Configure HIPAA-Compliant Backup and Audit Logging
Set up automated backup of exported clinical documents to Wasabi HIPAA-compliant cloud storage. Configure audit logging across all components to maintain a complete trail of who accessed what PHI, when, and what actions were taken. This satisfies HIPAA Security Rule requirements for audit controls and backup/disaster recovery.
# Configure Wasabi HIPAA backup
# 1. Create Wasabi account at https://wasabi.com
# 2. Execute BAA (available in account settings)
# 3. Create bucket with versioning and encryption
aws configure --profile wasabi
# Enter Wasabi access key and secret
# Region: us-east-2 (or appropriate)
# Endpoint: https://s3.us-east-2.wasabisys.com
aws s3api create-bucket \
--bucket mentalhealth-practice-backup \
--profile wasabi \
--endpoint-url https://s3.us-east-2.wasabisys.com
aws s3api put-bucket-versioning \
--bucket mentalhealth-practice-backup \
--versioning-configuration Status=Enabled \
--profile wasabi \
--endpoint-url https://s3.us-east-2.wasabisys.com
aws s3api put-bucket-encryption \
--bucket mentalhealth-practice-backup \
--server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' \
--profile wasabi \
--endpoint-url https://s3.us-east-2.wasabisys.com
# Create weekly backup script (PowerShell)
# Save as C:\Scripts\backup-clinical-docs.ps1
$date = Get-Date -Format 'yyyy-MM-dd'
$exportPath = "C:\ClinicalExports\$date"
# Export documents from AI tool (varies by vendor)
# Sync to Wasabi
aws s3 sync $exportPath s3://mentalhealth-practice-backup/$date/ --profile wasabi --endpoint-url https://s3.us-east-2.wasabisys.com --sse AES256
# Schedule via Task Scheduler
# The 'wasabi' AWS CLI profile must exist for the account the task runs as (here SYSTEM)
schtasks /create /tn "ClinicalDocBackup" /tr "powershell.exe -File C:\Scripts\backup-clinical-docs.ps1" /sc weekly /d SUN /st 02:00 /ru SYSTEM
# Azure OpenAI audit logging was configured in Step 6f
# Verify logs are flowing:
az monitor log-analytics query \
--workspace <WORKSPACE_ID> \
--analytics-query 'AzureDiagnostics | where ResourceProvider == "MICROSOFT.COGNITIVESERVICES" | take 10'
Wasabi's S3-compatible API means standard AWS CLI tools work directly. Ensure the backup script runs under a service account, not a clinician's user profile. Retention policy should match state law requirements for clinical records (typically 7 years for adults, until age 21 for minors, but varies by state — verify with practice's legal counsel). Test restore procedures quarterly to verify backup integrity. The Apricorn encrypted drive (from hardware procurement) provides an additional air-gapped backup layer for the most critical documents.
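One way to make the quarterly restore test concrete, as an added example that is not part of the guide's scripts: record a SHA-256 manifest when the export folder is written, then check a restored copy against it. The function names, manifest file format, and the sample folder and file names are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open('rb') as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b''):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob('*')) if p.is_file()}


def save_manifest(manifest, path):
    # File names can identify patients, so the manifest is handled like the
    # documents it describes and kept apart from the restored copy under test.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_restore(manifest, restored_root):
    """Compare a restored folder with the manifest taken at export time."""
    restored = build_manifest(restored_root)
    return {
        'missing': sorted(set(manifest) - set(restored)),
        'unexpected': sorted(set(restored) - set(manifest)),
        'modified': sorted(name for name in set(manifest) & set(restored)
                           if manifest[name] != restored[name]),
    }


def restore_is_clean(report):
    return not any(report.values())


def run_demo():
    """Constructed sample: one intact restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / 'ClinicalExports' / '2025-01-05'
        (export / 'treatment-plans').mkdir(parents=True)
        (export / 'treatment-plans' / 'plan-0001.pdf').write_bytes(b'constructed sample plan')
        (export / 'progress-report-0001.pdf').write_bytes(b'constructed sample report')

        manifest_path = Path(tmp) / 'manifest-2025-01-05.json'
        save_manifest(build_manifest(export), manifest_path)
        manifest = load_manifest(manifest_path)

        restored = Path(tmp) / 'restore-test'
        shutil.copytree(export, restored)
        clean = verify_restore(manifest, restored)

        # Simulate a truncated object and a file that never came back.
        (restored / 'progress-report-0001.pdf').write_bytes(b'constructed sample rep')
        (restored / 'treatment-plans' / 'plan-0001.pdf').unlink()
        damaged = verify_restore(manifest, restored)
        return {'clean': clean, 'damaged': damaged}


if __name__ == '__main__':
    print(json.dumps(run_demo(), indent=2))
```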
Step 12: Conduct Pilot Testing with Clinical Champion
Before rolling out to all clinicians, conduct a 1–2 week pilot with the designated clinical champion using test/sample cases (NOT real patient data initially, then transitioning to live sessions with consented patients). Validate AI output quality, template accuracy, EHR integration workflow, and audio capture reliability. Document any issues and adjust configuration before full rollout.
The pilot phase is critical for clinical buy-in. Do NOT skip or rush this phase. Clinical professionals are rightfully cautious about AI-generated documentation — they need to see the output quality firsthand and confirm it meets their professional standards. Common pilot findings that require adjustment: AI using overly clinical language that doesn't match the clinician's voice, missing specific insurance documentation requirements, audio capture issues in rooms with poor acoustics. Document all pilot findings in a shared document for the clinical champion to review and approve before full rollout.
Step 13: Full Rollout: Onboard All Clinicians
After successful pilot, expand deployment to all clinicians. Conduct group training sessions, distribute quick-reference guides, and provide 2 weeks of elevated support. Monitor adoption metrics and address individual clinician concerns promptly.
- Day 1: Group Training Session (90 minutes) — Demonstrate AI note generation workflow (live demo), walk through treatment plan generation, show psychoeducation content generator, practice EHR integration workflow, review consent form process, Q&A session
- Day 1-3: Individual Workstation Setup — For each clinician workstation: (1) Verify Chrome extension installed and connected, (2) Verify audio device configured and tested, (3) Verify AI tool account active with correct template, (4) Verify EHR integration functional, (5) Have clinician generate their first AI note with MSP present
- Day 3-5: Supervised First Live Sessions — Clinical champion available for real-time support, MSP tech on standby for technical issues, each clinician uses AI for at least 3 live sessions
- Week 2: Independent Use with Check-ins — Daily check-in email from MSP: 'Any technical issues?', clinical champion holds brief huddle to share tips, MSP monitors usage dashboards for adoption tracking
- Week 3: Transition to Standard Support — Move to standard MSP support SLA, schedule 30-day review meeting
Expect 10-20% of clinicians to be resistant to AI documentation initially. The clinical champion is essential for peer-to-peer encouragement. Frame AI as a 'first draft generator' that the clinician always reviews and edits — this addresses the #1 concern (loss of clinical control). Provide a printed quick-reference card for each therapy room with the 5-step workflow: (1) Get consent, (2) Start recording, (3) End session, (4) Review AI draft, (5) Approve and transfer to EHR.
Custom AI Components
Psychoeducation Content Generator
Type: agent
A web-based application that generates personalized psychoeducation materials for patients using Azure OpenAI GPT-4.1-mini. Clinicians select a mental health topic, therapeutic modality, reading level, and output format. The system generates evidence-based educational content that clinicians can review, edit, and distribute to patients as handouts, homework assignments, or digital resources. Critically, this component does NOT process PHI — it generates generic educational content based on topic parameters, simplifying HIPAA compliance.
Implementation
# Full Implementation (app.py)
# Psychoeducation Content Generator - Full Implementation
# Stack: Python 3.12 + Flask + Azure OpenAI SDK + Bootstrap 5
# File: app.py
import os
import logging

from flask import Flask, render_template, request, jsonify, session
from openai import AzureOpenAI
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

app = Flask(__name__)
# Set FLASK_SECRET_KEY in production: the os.urandom() fallback differs per process,
# so session cookies stop validating across gunicorn workers and restarts.
app.secret_key = os.environ.get('FLASK_SECRET_KEY', os.urandom(32))

# Configure logging for audit trail
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger('psychoed_generator')


# Retrieve API key from Azure Key Vault
def get_api_key():
    try:
        credential = DefaultAzureCredential()
        kv_url = os.environ.get('AZURE_KEY_VAULT_URL', 'https://kv-psychoed-prod.vault.azure.net/')
        client = SecretClient(vault_url=kv_url, credential=credential)
        return client.get_secret('azure-openai-key').value
    except Exception as e:
        logger.error(f'Key Vault access failed: {e}')
        return os.environ.get('AZURE_OPENAI_API_KEY')  # Fallback for local dev


# Initialize Azure OpenAI client
client = AzureOpenAI(
    api_key=get_api_key(),
    api_version=os.environ.get('AZURE_OPENAI_API_VERSION', '2025-04-01-preview'),
    azure_endpoint=os.environ.get('AZURE_OPENAI_ENDPOINT', 'https://oai-mentalhealth-prod.openai.azure.com/')
)
DEPLOYMENT_NAME = os.environ.get('AZURE_OPENAI_DEPLOYMENT', 'gpt-41-mini')
# Topic library with evidence-based content guidance
TOPICS = {
    'anxiety_management': {
        'name': 'Anxiety Management',
        'subtopics': ['Understanding Anxiety', 'Breathing Techniques', 'Grounding Exercises', 'Cognitive Restructuring', 'Exposure Hierarchy', 'Worry Time Technique', 'Progressive Muscle Relaxation']
    },
    'depression_coping': {
        'name': 'Depression & Mood Management',
        'subtopics': ['Understanding Depression', 'Behavioral Activation', 'Activity Scheduling', 'Thought Records', 'Sleep Hygiene', 'Social Connection Strategies', 'Self-Compassion Exercises']
    },
    'trauma_recovery': {
        'name': 'Trauma & PTSD Recovery',
        'subtopics': ['Understanding Trauma Responses', 'Window of Tolerance', 'Grounding for Flashbacks', 'Safety Planning', 'Self-Care After Trauma', 'Understanding Triggers', 'Building Resilience']
    },
    'grief_loss': {
        'name': 'Grief & Loss',
        'subtopics': ['Understanding Grief', 'Stages and Tasks of Grief', 'Coping with Anniversaries', 'Continuing Bonds', 'Self-Care During Grief', 'Supporting Grieving Children', 'Complicated Grief']
    },
    'relationship_skills': {
        'name': 'Relationship & Communication Skills',
        'subtopics': ['Active Listening', 'I-Statements', 'Boundary Setting', 'Conflict Resolution', 'Attachment Styles', 'Emotional Validation', 'Assertiveness Training']
    },
    'stress_management': {
        'name': 'Stress Management',
        'subtopics': ['Understanding Stress', 'Time Management', 'Mindfulness Basics', 'Work-Life Balance', 'Burnout Prevention', 'Relaxation Techniques', 'Problem-Solving Skills']
    },
    'substance_use': {
        'name': 'Substance Use Education',
        'subtopics': ['Understanding Addiction', 'Stages of Change', 'Trigger Identification', 'Coping Skills', 'Relapse Prevention', 'Harm Reduction', 'Building a Recovery Network']
    },
    'child_adolescent': {
        'name': 'Child & Adolescent Mental Health',
        'subtopics': ['Emotional Regulation for Kids', 'Understanding Big Feelings', 'Coping Skills for Teens', 'Screen Time & Mental Health', 'Bullying Coping', 'Parent-Child Communication', 'School Anxiety']
    },
    'dbt_skills': {
        'name': 'DBT Skills',
        'subtopics': ['Distress Tolerance', 'Emotion Regulation', 'Interpersonal Effectiveness', 'Mindfulness', 'TIPP Skills', 'DEAR MAN', 'Radical Acceptance']
    },
    'self_esteem': {
        'name': 'Self-Esteem & Identity',
        'subtopics': ['Core Beliefs', 'Positive Self-Talk', 'Values Exploration', 'Strengths Identification', 'Body Image', 'Self-Worth vs Performance', 'Overcoming Perfectionism']
    }
}

MODALITIES = ['CBT', 'DBT', 'ACT', 'Psychodynamic', 'Person-Centered', 'Solution-Focused', 'Motivational Interviewing', 'Trauma-Informed', 'Mindfulness-Based', 'General/Integrative']
READING_LEVELS = ['5th Grade', '8th Grade', 'High School', 'College', 'Professional']
FORMATS = ['Patient Handout', 'Worksheet with Exercises', 'Informational Brochure', 'Homework Assignment', 'Guided Self-Reflection', 'Psychoeducation Lesson Plan']
LANGUAGES = ['English', 'Spanish', 'French', 'Mandarin Chinese', 'Vietnamese', 'Korean', 'Arabic', 'Tagalog', 'Portuguese', 'Haitian Creole']
@app.route('/')
def index():
    return render_template('index.html', topics=TOPICS, modalities=MODALITIES,
                           reading_levels=READING_LEVELS, formats=FORMATS, languages=LANGUAGES)


@app.route('/generate', methods=['POST'])
def generate():
    data = request.json
    topic_key = data.get('topic')
    subtopic = data.get('subtopic')
    modality = data.get('modality', 'General/Integrative')
    reading_level = data.get('reading_level', '8th Grade')
    output_format = data.get('format', 'Patient Handout')
    language = data.get('language', 'English')
    custom_instructions = data.get('custom_instructions', '')
    topic_name = TOPICS.get(topic_key, {}).get('name', topic_key)
    logger.info(f'Generating content: topic={topic_name}, subtopic={subtopic}, modality={modality}, level={reading_level}, format={output_format}, language={language}')
    # SYSTEM_PROMPT and user_prompt are not defined in this listing: they correspond to the
    # System Prompt and User Prompt Template referenced after it and must be supplied
    # before this route can run.
    try:
        response = client.chat.completions.create(
            model=DEPLOYMENT_NAME,
            messages=[
                {'role': 'system', 'content': SYSTEM_PROMPT},
                {'role': 'user', 'content': user_prompt}
            ],
            max_tokens=3000,
            temperature=0.7,
            top_p=0.9
        )
        content = response.choices[0].message.content
        usage = response.usage
        logger.info(f'Generation complete: {usage.prompt_tokens} input tokens, {usage.completion_tokens} output tokens')
        return jsonify({
            'success': True,
            'content': content,
            'tokens_used': {
                'input': usage.prompt_tokens,
                'output': usage.completion_tokens,
                'estimated_cost': round((usage.prompt_tokens / 1_000_000 * 0.40) + (usage.completion_tokens / 1_000_000 * 1.60), 4)
            }
        })
    except Exception as e:
        # Keep the exception detail in the server log; the browser gets a generic message
        # so endpoint names and SDK internals are not disclosed to the client.
        logger.error(f'Generation failed: {str(e)}')
        return jsonify({'success': False, 'error': 'Content generation failed'}), 500


@app.route('/topics', methods=['GET'])
def get_topics():
    return jsonify(TOPICS)


if __name__ == '__main__':
    # Flask's built-in development server; gunicorn is listed in the requirements.
    app.run(host='0.0.0.0', port=8000)

Psychoeducation Content Generator — System Prompt
Psychoeducation Content Generator — User Prompt Template
flask==3.1.0
openai==1.76.0
azure-identity==1.19.0
azure-keyvault-secrets==4.9.0
gunicorn==23.0.0

- templates/index.html: Bootstrap 5 SPA with topic/subtopic selectors, modality dropdown, reading level selector, format selector, language dropdown, custom instructions textarea, generate button, and a rendered Markdown output area with copy/print buttons.
- Use marked.js for Markdown rendering and a print stylesheet for clean printing.
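A validation layer for the `/generate` route above, as an added example that is not part of the guide's own code: it restricts every selector to the allowlists the app already defines and screens the free-text `custom_instructions` field, the one input through which PHI could reach the model despite the no-PHI design. The function names, the length limit and the regex patterns are assumptions, and the allowlists are abbreviated copies of those in app.py.

```python
import re

# Abbreviated copies of the allowlists in app.py (constructed for this example).
TOPICS = {
    'anxiety_management': ['Understanding Anxiety', 'Breathing Techniques'],
    'grief_loss': ['Understanding Grief', 'Continuing Bonds'],
}
MODALITIES = ['CBT', 'DBT', 'General/Integrative']
READING_LEVELS = ['5th Grade', '8th Grade', 'High School']
FORMATS = ['Patient Handout', 'Worksheet with Exercises']
LANGUAGES = ['English', 'Spanish']

MAX_INSTRUCTIONS_LEN = 500  # assumed limit for the free-text field

# Heuristic identifier patterns (assumptions; tune per practice). A match blocks
# the request so the clinician can rephrase without patient details.
PHI_PATTERNS = {
    'ssn': re.compile(r'\b\d{3}-\d{2}-\d{4}\b'),
    'date': re.compile(r'\b\d{1,2}/\d{1,2}/\d{2,4}\b'),
    'phone': re.compile(r'(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)'),
    'email': re.compile(r'\b[\w.+-]+@[\w-]+\.[\w.-]+\b'),
    'record_number': re.compile(r'\b(?:mrn|dob|client id|patient id)\b', re.I),
}


def _choice(data, key, allowed, errors, default=None):
    """Return data[key] only if it is a string present in `allowed`."""
    value = data.get(key, default)
    if isinstance(value, str) and value in allowed:
        return value
    errors.append(f'{key}: not an allowed value')
    return None


def validate_generate_request(data):
    """Return (clean, errors); clean is None whenever errors is non-empty."""
    if not isinstance(data, dict):
        return None, ['body must be a JSON object']
    errors = []
    topic = _choice(data, 'topic', TOPICS, errors)
    clean = {
        'topic': topic,
        # The subtopic must belong to the selected topic, not just to any topic.
        'subtopic': _choice(data, 'subtopic', TOPICS.get(topic, []), errors),
        'modality': _choice(data, 'modality', MODALITIES, errors, 'General/Integrative'),
        'reading_level': _choice(data, 'reading_level', READING_LEVELS, errors, '8th Grade'),
        'format': _choice(data, 'format', FORMATS, errors, 'Patient Handout'),
        'language': _choice(data, 'language', LANGUAGES, errors, 'English'),
    }

    raw = data.get('custom_instructions', '')
    if not isinstance(raw, str):
        errors.append('custom_instructions: must be text')
        raw = ''
    # Drop control characters (newlines and tabs stay) so the value cannot forge
    # log lines or smuggle invisible text into the prompt.
    text = ''.join(ch for ch in raw if ch in '\n\t' or ch.isprintable()).strip()
    if len(text) > MAX_INSTRUCTIONS_LEN:
        errors.append(f'custom_instructions: longer than {MAX_INSTRUCTIONS_LEN} characters')
    hits = sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))
    if hits:
        # Name the pattern that matched, never the matched text itself.
        errors.append('custom_instructions: possible PHI (' + ', '.join(hits) + ')')
    clean['custom_instructions'] = text
    return (None, errors) if errors else (clean, [])
```

In the route, a non-empty error list would be returned with HTTP 400 before any call to Azure OpenAI, and only the validated values would be logged.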
Treatment Plan Generator Prompt Template
Type: prompt
A structured prompt template used within the AI documentation platform (AutoNotes or Mentalyc) or as a standalone Azure OpenAI API call to generate comprehensive, insurance-compliant treatment plans from clinician-provided session data. The template enforces SMART goal formatting, DSM-5-TR diagnostic alignment, and includes all elements typically required by commercial insurance and Medicaid for treatment plan approval.
Implementation:
Use in AutoNotes custom template or Azure OpenAI API call. Temperature: 0.4 (lower for clinical accuracy). Max tokens: 4000.
Treatment Plan Generator - System Prompt
Treatment Plan Generator - User Prompt Template
Progress Report Generator Prompt Template
Type: prompt
A structured prompt template for generating clinical progress reports that summarize treatment progress over a defined period. These reports are typically required for insurance reauthorization, referral sources, school systems (for child/adolescent clients), and court-ordered treatment documentation. The template produces narrative reports with quantitative progress metrics.
Implementation:
# Progress Report Generator - System Prompt
# Temperature: 0.4
# Max tokens: 3000
SYSTEM_PROMPT = """Progress Report Generator - System Prompt
Progress Report Generator - User Prompt Template
AI Documentation Consent Form Template
Type: prompt
A complete patient consent form template specifically for AI-assisted clinical documentation in mental health settings. This form addresses session recording, AI transcription, data processing, storage, and the patient's right to opt out. Designed to satisfy HIPAA informed consent requirements and state-specific recording consent laws. To be deployed via JotForm HIPAA or printed for in-office use.
Implementation:
AI-Assisted Documentation Consent Form
EHR Integration Workflow Automation
Type: workflow
A defined workflow automation that orchestrates the end-to-end process from session recording through AI note generation, clinician review, and EHR submission. This workflow includes decision points for consent verification, quality review, and error handling. Designed to be implemented within the AI documentation platform's native workflow engine or as a supplementary checklist automated via Microsoft Power Automate.
Implementation:
# EHR Integration Workflow - Power Automate Flow Definition
# Trigger: Manual (clinician initiates post-session)
# Or: Automated when AI tool marks note as 'Ready for Review'
## Workflow Steps (Implement in Power Automate or as practice SOP)
### WORKFLOW: Post-Session AI Documentation
workflow:
  name: AI-Assisted Session Documentation
  trigger: session_end
  steps:
    - id: check_consent
      type: decision
      description: Verify patient has active AI documentation consent on file
      condition: consent_status == 'active'
      on_true: proceed_to_recording_check
      on_false: manual_documentation_required
    - id: manual_documentation_required
      type: notification
      description: Alert clinician that patient has not consented to AI documentation
      action: Display banner 'AI documentation not available - manual documentation required'
      next: end
    - id: proceed_to_recording_check
      type: decision
      description: Check if session was recorded successfully
      condition: recording_file_exists AND audio_quality_score > 0.7
      on_true: transcription
      on_false: manual_input_fallback
    - id: manual_input_fallback
      type: user_input
      description: Clinician provides written session summary for AI processing
      prompt: 'No usable recording available. Please type a brief session summary for AI note generation.'
      next: generate_note
    - id: transcription
      type: ai_process
      description: AI transcribes session audio to text
      service: ai_documentation_platform
      timeout: 300 seconds
      on_success: generate_note
      on_failure: manual_input_fallback
    - id: generate_note
      type: ai_process
      description: AI generates clinical note from transcript or manual input
      template: selected_note_format (SOAP|DAP|BIRP)
      parameters:
        - clinician_style_profile: loaded from clinician settings
        - note_template: loaded from practice template library
        - diagnosis_context: pulled from client's active treatment plan
      on_success: clinician_review
      on_failure: retry_once_then_alert
    - id: clinician_review
      type: human_review
      description: Clinician reviews, edits, and approves AI-generated note
      interface: side-by-side view (AI draft | editable final version)
      required_actions:
        - review_clinical_accuracy: true
        - verify_no_hallucinated_content: true
        - check_correct_client: true
        - edit_as_needed: true
        - digital_signature: required
      timeout: 48 hours
      escalation: practice_admin_notification
      on_approve: transfer_to_ehr
      on_reject: regenerate_or_manual
    - id: transfer_to_ehr
      type: integration
      description: Transfer approved note to EHR
      method: browser_extension_injection | api_push | manual_copy
      ehr_field_mapping:
        - subjective: ehr.note.subjective
        - objective: ehr.note.objective
        - assessment: ehr.note.assessment
        - plan: ehr.note.plan
        - session_date: ehr.note.date
        - cpt_code: ehr.billing.cpt (suggested by AI, verified by clinician)
      on_success: confirm_and_log
      on_failure: alert_clinician_manual_transfer
    - id: confirm_and_log
      type: logging
      description: Log successful note creation for audit trail
      log_fields:
        - timestamp
        - clinician_id
        - client_id (anonymized in log)
        - note_type
        - ai_model_used
        - generation_time
        - edit_percentage (how much clinician changed AI output)
        - transfer_method
      next: delete_recording
    - id: delete_recording
      type: cleanup
      description: Delete audio recording after note is finalized
      condition: note_status == 'signed_and_transferred'
      action: secure_delete(recording_file)
      verification: confirm_deletion
      next: end
    - id: end
      type: complete
      description: Workflow complete

Key Decision Points
Metrics to Track
- Average time from session end to signed note
- AI draft acceptance rate (% approved without major edits)
- Average edit percentage per clinician
- Notes per clinician per day
- Failed transcription rate
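A static check of the workflow definition above, as an added example that is not part of the guide: it lists transition targets that have no step definition and every exit reachable without passing `delete_recording`, the step that removes session audio. The `WORKFLOW` table is transcribed from the definition's `next` and `on_*` keys; the function names, the `PATCHED` graph and its `manual_note` step are hypothetical.

```python
# Step id -> successor ids, transcribed from the workflow definition above.
# Only `next` and `on_*` keys are treated as transitions; the `escalation`
# notification on clinician_review is not a step change and is left out.
WORKFLOW = {
    'check_consent': ['proceed_to_recording_check', 'manual_documentation_required'],
    'manual_documentation_required': ['end'],
    'proceed_to_recording_check': ['transcription', 'manual_input_fallback'],
    'manual_input_fallback': ['generate_note'],
    'transcription': ['generate_note', 'manual_input_fallback'],
    'generate_note': ['clinician_review', 'retry_once_then_alert'],
    'clinician_review': ['transfer_to_ehr', 'regenerate_or_manual'],
    'transfer_to_ehr': ['confirm_and_log', 'alert_clinician_manual_transfer'],
    'confirm_and_log': ['delete_recording'],
    'delete_recording': ['end'],
    'end': [],
}


def dangling_targets(workflow):
    """Transition targets that are referenced but never defined as a step."""
    targets = {t for successors in workflow.values() for t in successors}
    return sorted(targets - set(workflow))


def exits_without(workflow, start, required):
    """Map each stopping point reachable from `start` without visiting
    `required` to the shortest path that leads there. A stopping point is a
    step with no successors or a target with no definition."""
    exits = {}

    def walk(step, path):
        path = path + [step]
        if step == required:
            return  # this branch performs the cleanup
        successors = workflow.get(step, [])
        if not successors:
            if step not in exits or len(path) < len(exits[step]):
                exits[step] = path
            return
        for nxt in successors:
            if nxt not in path:  # do not follow cycles
                walk(nxt, path)

    walk(start, [])
    return exits


# One possible correction (hypothetical): every failure branch and the
# no-consent branch are routed through the cleanup step before `end`.
PATCHED = dict(
    WORKFLOW,
    manual_documentation_required=['delete_recording'],
    retry_once_then_alert=['manual_note'],
    regenerate_or_manual=['manual_note'],
    alert_clinician_manual_transfer=['manual_note'],
    manual_note=['delete_recording'],
)

if __name__ == '__main__':
    print('undefined steps:', dangling_targets(WORKFLOW))
    for stop, path in sorted(exits_without(WORKFLOW, 'check_consent', 'delete_recording').items()):
        print(f'{stop}: ' + ' -> '.join(path))
```

Run against the definition as written, the check reports three undefined failure handlers and the no-consent branch as routes on which a session recording, if one exists, is never deleted.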
HIPAA Audit Log Monitor
Type: integration
A monitoring integration that aggregates audit logs from all AI documentation components (SaaS platform, Azure OpenAI API, EHR access logs) into a centralized dashboard for HIPAA compliance reporting. Provides alerts for anomalous access patterns and generates monthly compliance reports.
Implementation:
// Query 1: All Azure OpenAI API calls with user attribution
AzureDiagnostics
| where ResourceProvider == 'MICROSOFT.COGNITIVESERVICES'
| where Category == 'RequestResponse'
| project TimeGenerated, CallerIPAddress,
          OperationName, ResultType,
          DurationMs,
          Properties = parse_json(properties_s)
| order by TimeGenerated desc

// Query 2: Failed authentication attempts (anomaly detection)
SigninLogs
| where AppDisplayName contains 'psychoed' or AppDisplayName contains 'OpenAI'
| where ResultType != '0'
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where FailedAttempts > 5
| order by FailedAttempts desc

// Query 3: After-hours access patterns
// TimeGenerated is stored in UTC, so HourOfDay is a UTC hour; shift it to the
// practice's local time when setting the window.
SigninLogs
| where AppDisplayName contains 'psychoed' or AppDisplayName contains 'AutoNotes'
| extend HourOfDay = datetime_part('hour', TimeGenerated)
| where HourOfDay < 6 or HourOfDay > 22
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location
| order by TimeGenerated desc

// Query 4: Monthly compliance summary
AzureDiagnostics
| where ResourceProvider == 'MICROSOFT.COGNITIVESERVICES'
| where TimeGenerated > ago(30d)
| summarize TotalCalls = count(),
            AvgDurationMs = avg(DurationMs),
            UniqueCallers = dcount(CallerIPAddress),
            FailedCalls = countif(ResultType != 'Success')
| extend ReportMonth = format_datetime(now(), 'yyyy-MM')

import json
import smtplib
from datetime import datetime, timedelta
from email.mime.text import MIMEText


def generate_weekly_audit_report():
    report = {
        'report_date': datetime.now().isoformat(),
        'period': f'{(datetime.now() - timedelta(days=7)).strftime("%Y-%m-%d")} to {datetime.now().strftime("%Y-%m-%d")}',
        'checks': []
    }

    # Check 1: Verify BAAs are current
    baa_expiry_dates = {
        'AutoNotes': '2026-01-15',
        'Azure/Microsoft': '2026-03-01',
        'Wasabi': '2026-02-28',
        'JotForm': '2026-01-01'
    }
    for vendor, expiry in baa_expiry_dates.items():
        days_until = (datetime.strptime(expiry, '%Y-%m-%d') - datetime.now()).days
        status = 'OK' if days_until > 90 else 'WARNING' if days_until > 30 else 'CRITICAL'
        report['checks'].append({
            'check': f'BAA Status - {vendor}',
            'status': status,
            'detail': f'Expires in {days_until} days ({expiry})'
        })

    # Check 2: Verify encryption status on managed devices
    # (Integrate with RMM tool API - example with NinjaRMM)
    report['checks'].append({
        'check': 'BitLocker Encryption Status',
        'status': 'CHECK_RMM',
        'detail': 'Verify all managed endpoints report BitLocker enabled via RMM dashboard'
    })

    # Check 3: MFA enforcement verification
    report['checks'].append({
        'check': 'MFA Enforcement',
        'status': 'CHECK_ENTRA',
        'detail': 'Verify Conditional Access policy requiring MFA is active and no exclusions added'
    })

    # Check 4: AI tool user access review
    report['checks'].append({
        'check': 'User Access Review',
        'status': 'MANUAL_REVIEW',
        'detail': 'Verify all AI tool user accounts match current active clinician roster. Disable accounts for departed staff.'
    })

    # Generate and send report
    report_text = json.dumps(report, indent=2)

    # Email report to MSP and practice admin
    msg = MIMEText(report_text)
    msg['Subject'] = f'Weekly HIPAA AI Audit Report - {report["period"]}'
    msg['From'] = 'msp-monitoring@mspdomain.com'
    msg['To'] = 'compliance@mspdomain.com, admin@practicedomain.com'

    # Send via configured SMTP (use practice's M365 SMTP or MSP relay)
    # smtp_server.send_message(msg)
    return report


if __name__ == '__main__':
    generate_weekly_audit_report()

- BAA expiration within 90 days → Email warning to MSP
- BAA expiration within 30 days → Urgent alert to MSP + practice admin
- Failed login attempts > 5 in 1 hour → Immediate alert
- After-hours access from unknown IP → Alert within 15 minutes
- New user added to AI-Documentation-Users group → Confirmation alert
- AI API error rate > 10% → Technical alert to MSP
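The two sign-in thresholds listed above (more than 5 failed logins in an hour, after-hours access from an unknown IP), evaluated over constructed records, as an added example that is not the guide's own code. It mirrors Queries 2 and 3 but converts UTC timestamps to the practice's local hour first; the sample events, the known-IP set, the fixed UTC offset and the function names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

KNOWN_IPS = {'203.0.113.10'}  # assumed office egress address (documentation range)


def _event(ts, user, ip, result):
    return {'TimeGenerated': ts, 'UserPrincipalName': user,
            'IPAddress': ip, 'ResultType': result}


# Constructed sign-in records using the SigninLogs column names from the queries.
EVENTS = (
    # Six failures inside one UTC hour: above the threshold of 5.
    [_event(f'2025-03-04T14:{m:02d}:00Z', 'a.rivera@practice.example',
            '198.51.100.7', '50126') for m in range(0, 60, 10)]
    # Five failures inside one hour: at the threshold, so no alert.
    + [_event(f'2025-03-04T15:{m:02d}:00Z', 'b.chen@practice.example',
              '198.51.100.8', '50126') for m in range(0, 50, 10)]
    + [
        # 01:30 UTC is 20:30 local at UTC-5: inside working hours.
        _event('2025-03-04T01:30:00Z', 'c.okafor@practice.example', '198.51.100.9', '0'),
        # 09:10 UTC is 04:10 local at UTC-5: after hours, unknown address.
        _event('2025-03-04T09:10:00Z', 'd.singh@practice.example', '198.51.100.9', '0'),
        # Same local hour but from the known office address: no alert.
        _event('2025-03-04T09:20:00Z', 'e.lopez@practice.example', '203.0.113.10', '0'),
    ]
)


def parse_utc(ts):
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def failed_login_alerts(events, threshold=5):
    """Query 2 logic: failures per (user, IP, one-hour bin) above the threshold."""
    counts = Counter()
    for e in events:
        if e['ResultType'] != '0':  # '0' is a successful sign-in
            hour_bin = parse_utc(e['TimeGenerated']).replace(minute=0, second=0)
            counts[(e['UserPrincipalName'], e['IPAddress'], hour_bin)] += 1
    return [(user, ip, hour_bin.isoformat(), n)
            for (user, ip, hour_bin), n in sorted(counts.items()) if n > threshold]


def after_hours_alerts(events, known_ips, utc_offset_hours):
    """Query 3 window (before 06:00 or after 22:59) applied to local time,
    restricted to addresses outside `known_ips`."""
    local = timezone(timedelta(hours=utc_offset_hours))
    alerts = []
    for e in events:
        hour = parse_utc(e['TimeGenerated']).astimezone(local).hour
        if (hour < 6 or hour > 22) and e['IPAddress'] not in known_ips:
            alerts.append((e['UserPrincipalName'], e['IPAddress'], e['TimeGenerated']))
    return alerts


if __name__ == '__main__':
    print(failed_login_alerts(EVENTS))
    print(after_hours_alerts(EVENTS, KNOWN_IPS, utc_offset_hours=-5))
```

With an offset of 0 the same function flags the 20:30-local sign-in and misses the 04:10-local one, which is what the unshifted UTC hour produces.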
Testing & Validation
- TEST 1 - Audio Capture Quality: In each therapy room, conduct a 5-minute simulated conversation at normal therapy voice levels (both speakers 3-6 feet from Jabra Speak2 75). Record and transcribe. Verify transcription accuracy is >90% word accuracy rate. Test with door closed and ambient HVAC noise active to simulate real conditions.
- TEST 2 - AI Progress Note Generation (SOAP): Input a standardized sample session summary describing a client with GAD discussing cognitive distortions. Generate a SOAP note. Verify: (a) Subjective section captures client's reported experience, (b) Objective section includes behavioral observations, (c) Assessment section aligns with GAD diagnostic criteria, (d) Plan section includes specific next-session interventions. Have clinical champion rate output on 1-5 clinical accuracy scale — must score ≥4.
- TEST 3 - AI Treatment Plan Generation: Input a sample case of a 35-year-old presenting with Major Depressive Disorder, moderate severity. Generate treatment plan. Verify: (a) DSM-5-TR code F33.1 is correctly identified, (b) At least 2 SMART goals are generated, (c) Each goal has ≥2 measurable objectives, (d) Interventions name specific evidence-based techniques, (e) Discharge criteria are measurable. Have clinical champion review for insurance documentation completeness.
- TEST 4 - EHR Browser Extension Integration: Generate a progress note in the AI tool, then transfer to EHR via browser extension. Verify: (a) All note sections populate in correct EHR fields, (b) No data loss or truncation during transfer, (c) Formatting (headers, bullet points) renders correctly in EHR, (d) Session date and client record match. Test with SimplePractice, TherapyNotes, or the practice's specific EHR.
- TEST 5 - Psychoeducation Content Generator: Generate materials for 5 different topics (anxiety, depression, grief, DBT skills, child emotional regulation) at 8th-grade reading level. Verify: (a) Content is clinically accurate (reviewed by clinical champion), (b) Reading level is appropriate (run through Flesch-Kincaid readability tool — target grade 7-9), (c) No hallucinated research citations or statistics, (d) Disclaimer is present, (e) Content is actionable with exercises/worksheets.
- TEST 6 - Psychoeducation Generator in Spanish: Generate an anxiety management handout in Spanish. Have a Spanish-speaking staff member or professional translator verify: (a) Translation quality is natural/fluent, (b) Clinical terminology is correctly translated, (c) Cultural sensitivity is appropriate.
- TEST 7 - Consent Workflow: Complete the AI documentation consent form via JotForm HIPAA as a test patient. Verify: (a) All required fields are enforced, (b) E-signature captures correctly, (c) PDF copy is generated and emailed to test patient email, (d) Submission appears in JotForm admin dashboard, (e) Submission is linked to correct clinician.
- TEST 8 - Opt-Out Workflow: Simulate a patient declining AI consent. Verify: (a) Clinician can easily disable recording for that session in the AI tool, (b) No audio is captured or transmitted, (c) Clinician can still access manual note-writing functionality, (d) Client's preference is recorded for future sessions.
- TEST 9 - HIPAA Access Controls: Attempt to access the AI documentation platform and psychoeducation generator without MFA. Verify access is denied. Attempt to access from an IP address outside the practice's allowed range (for Azure OpenAI). Verify access is denied. Attempt to access with a deactivated user account. Verify access is denied.
- TEST 10 - BitLocker and Device Compliance: On each configured laptop, verify: (a) BitLocker is active and encrypting the OS drive (Get-BitLockerVolume shows 'FullyEncrypted'), (b) Recovery key is escrowed in Entra ID, (c) Intune compliance policy shows device as 'Compliant', (d) Windows Defender is active and definitions updated within 24 hours.
- TEST 11 - Backup and Recovery: Run the Wasabi backup script manually. Verify: (a) Files are uploaded to the correct bucket with AES-256 server-side encryption, (b) File integrity check passes (compare checksums), (c) Test restore: download a backed-up file and verify it opens correctly, (d) Verify the Apricorn encrypted drive accepts PIN and allows file copy.
- TEST 12 - Audit Logging: Generate 3 AI notes and 1 psychoeducation document. Check Azure diagnostic logs to verify: (a) All 4 API calls appear in the log, (b) Timestamp, caller IP, and operation type are recorded, (c) Entra ID sign-in logs show corresponding authentication events, (d) Weekly audit report script generates correctly and would send email notification.
- TEST 13 - End-to-End Workflow: Conduct a complete simulated therapy session (15 minutes) with clinical champion role-playing as clinician. Execute the full workflow: (1) Verify consent on file, (2) Start audio recording, (3) Conduct session, (4) Stop recording, (5) Wait for AI transcription and note generation, (6) Review and edit AI-generated SOAP note, (7) Transfer to EHR, (8) Verify note appears correctly in client record, (9) Generate treatment plan from session data, (10) Verify audit log captured all events. Time the entire workflow — target is under 10 minutes post-session for completed documentation.
Client Handoff
Client Handoff Deliverables and Training Plan
Training Sessions (Schedule 3 sessions)
Session 1: Practice Administrator Training (90 minutes)
- AI documentation platform admin panel walkthrough (user management, template configuration, billing)
- JotForm consent form management (accessing submissions, adding new forms, managing responses)
- HIPAA compliance responsibilities overview (BAA tracking, risk assessment updates, breach notification procedures)
- Wasabi backup verification procedures
- How to add/remove clinician accounts when staff changes occur
- Audit log review process and monthly compliance report interpretation
Session 2: Clinician Group Training (90 minutes)
- Live demonstration of complete AI documentation workflow (record → transcribe → generate → review → transfer)
- Treatment plan generation walkthrough with hands-on practice
- Psychoeducation content generator demonstration and practice
- Patient consent form process and opt-out workflow
- Common issues and troubleshooting (poor audio, incorrect template, EHR transfer failures)
- Clinical responsibility: reviewing AI output, catching errors, maintaining professional documentation standards
- Q&A session addressing clinical and ethical concerns
Session 3: Individual Clinician Setup Sessions (30 minutes each)
- Personalize each clinician's template preferences (SOAP vs DAP vs BIRP)
- Configure audio device at their specific workstation
- First supervised AI note generation with feedback
- Bookmark psychoeducation generator and verify access
Documentation to Leave Behind
Success Criteria to Review Together at Handoff
Maintenance
Ongoing Maintenance Responsibilities
Weekly Tasks (MSP Automated + Manual Review)
- Audit Log Review: Run weekly HIPAA audit script and review output for anomalies (failed logins, after-hours access, new user additions). Estimated time: 15 minutes/week.
- Backup Verification: Confirm weekly Wasabi backup completed successfully by checking S3 bucket for new timestamped folder. Verify file count matches expected export. Estimated time: 10 minutes/week.
- Device Compliance Check: Review Intune compliance dashboard — all devices should show 'Compliant' status with BitLocker active, Defender updated, and OS patches current. Estimated time: 10 minutes/week.
Monthly Tasks
- AI Platform Usage Review: Log into AI documentation admin panel, review usage metrics (notes generated per clinician, adoption rates, error rates). Share summary with practice administrator. Identify clinicians with low adoption for targeted follow-up. Estimated time: 30 minutes/month.
- Azure OpenAI Cost Review: Check Azure billing for OpenAI consumption. For a 5-clinician practice, monthly API cost should be $15–$50. Investigate if costs spike unexpectedly (may indicate misconfiguration or unauthorized use). Estimated time: 15 minutes/month.
- Software Update Check: Verify AI documentation platform, browser extensions, and psychoeducation generator are running latest versions. Apply updates during low-usage hours (weekends or evenings). Estimated time: 30 minutes/month.
- HIPAA Compliance Report: Generate and archive monthly compliance report summarizing: user access review, encryption status, backup status, incident log, and any policy changes. Deliver to practice administrator. Estimated time: 45 minutes/month.
Quarterly Tasks
- BAA Inventory Review: Verify all vendor BAAs are current and not approaching expiration. Renew any BAAs expiring within 90 days. Estimated time: 30 minutes/quarter.
- Backup Restore Test: Perform a test restore of one week's backup from Wasabi to a secure test location. Verify document integrity. Document test results. Estimated time: 45 minutes/quarter.
- Template Effectiveness Review: Meet with clinical champion to review AI output quality trends. Adjust prompt templates or AI settings if note quality has degraded or clinical needs have changed. Estimated time: 60 minutes/quarter.
- Security Assessment: Run vulnerability scan on practice network, verify firewall rules, check for unauthorized devices on network, review Conditional Access policies for drift. Estimated time: 2 hours/quarter.
Annual Tasks
- HIPAA Risk Assessment Update: Conduct full risk assessment including all AI documentation systems. Update risk register and mitigation plans. Coordinate with compliance consultant if needed. Estimated time: 4–8 hours/year.
- Vendor Re-evaluation: Assess whether current AI documentation platform still meets practice needs. Compare pricing, features, and compliance posture against market alternatives. Present findings and recommendation to practice. Estimated time: 2–4 hours/year.
- Patient Consent Form Review: Review consent form language with practice legal counsel to ensure compliance with any new state or federal regulations. Update and redeploy if needed. Estimated time: 1–2 hours/year.
- Disaster Recovery Test: Simulate loss of primary AI documentation platform (vendor outage). Verify clinicians can fall back to manual documentation. Test backup EHR access procedures. Estimated time: 2 hours/year.
SLA Considerations
- Response Time: Critical issues (system down, potential data breach) — 1 hour response, 4 hour resolution target. Standard issues (feature not working, quality concern) — 4 hour response, next business day resolution. Low priority (template adjustment, training request) — next business day response, 5 business day resolution.
- Escalation Path: Tier 1 (MSP help desk) → Tier 2 (MSP project engineer) → Tier 3 (AI vendor support) → Vendor escalation manager. For HIPAA incidents: MSP immediately + practice privacy officer + compliance consultant within 1 hour.
- AI Model Updates: When AI vendors update their underlying models (e.g., AutoNotes upgrades from GPT-4 to GPT-4.1), schedule a 1-hour validation session with the clinical champion to verify output quality has not degraded. Do this within 1 week of any announced model change.
- Uptime Target: AI documentation platform SLA is dependent on vendor (typically 99.5–99.9%). MSP-managed components (Azure OpenAI endpoint, psychoeducation generator) target 99.5% uptime during business hours (M–F 7am–9pm).
Cost Monitoring Triggers
- Azure OpenAI monthly cost exceeds $100 for a 5-clinician practice → Investigate usage patterns
- AI documentation platform per-clinician cost increases by >20% → Evaluate alternative vendors
- Total monthly managed service cost exceeds client's approved budget → Schedule budget review meeting
Alternatives
Blueprint Free EHR + Pay-Per-Session AI
Replace both the existing EHR and AI documentation tool with Blueprint's combined offering. Blueprint provides a free EHR platform with AI documentation charged at $0.49–$0.99 per session. This eliminates the need for a separate AI documentation subscription and potentially reduces or replaces the existing EHR cost.
SimplePractice with Native AI Note Taker Add-On
For practices already using SimplePractice (250K+ practitioners), add the native AI Note Taker add-on ($35/month per provider) instead of deploying a third-party AI tool. This provides the tightest possible EHR integration since both the EHR and AI are from the same vendor. Supplement with the custom Azure OpenAI psychoeducation generator for patient materials.
Mentalyc for Modality-Specific Practices
Replace AutoNotes with Mentalyc as the primary AI documentation platform for practices that heavily specialize in specific therapeutic modalities (EMDR, DBT, trauma-informed, somatic experiencing). Mentalyc offers modality-specific note templates and SMART goal generation calibrated to specific therapeutic frameworks.
Fully Custom Azure OpenAI Build (White-Label)
Instead of using a third-party AI documentation SaaS, build a complete custom documentation solution using Azure OpenAI API (GPT-4.1-mini). The MSP creates a branded web application that handles session transcription (via Azure Speech Services), note generation, treatment plan creation, and psychoeducation materials — all integrated directly with the practice's EHR via FHIR API.
RECOMMEND WHEN: MSP has development capability and plans to serve 10+ mental health practices, making the investment in a reusable platform worthwhile.
Open-Source Self-Hosted LLM (Maximum Data Control)
Deploy an open-source LLM (Meta LLaMA 3 70B or Mistral 8x22B) on dedicated GPU hardware either on-premises or in a private cloud instance. All data processing occurs within the practice's controlled environment with zero data leaving the perimeter. Pair with Whisper (open-source) for speech-to-text transcription.