AI Policy for Psychology and Mental Health Clinics: Free Template

Ensure your clinical AI use complies with regulatory standards

AI scribes and documentation tools are now part of everyday clinical work — and regulators are clear that the responsibility for using them safely, lawfully and ethically sits with the practitioner. A written AI use policy is the simplest way to show your practice is doing this properly, with patient consent and human oversight.

We built these templates so you don't have to start from a blank page. Each edition is written to be adopted largely as-is: the policy body is the same everywhere, and a one-page Schedule captures the few details specific to your practice. Choose the edition for your country below.

Choose your edition

Available in Spanish: Ver la plantilla de política de IA en español

The general edition below applies to any jurisdiction — adapt it with your local privacy law and professional-body guidance.

Last reviewed: June 2026 · Applies to: all jurisdictions (general edition) · Key sources: your local privacy and data-protection law and professional-body guidance — see the OECD AI Principles.

How to use this template

This policy is written to be adopted largely as-is. The body (Part 3) is deliberately free of fill-in blanks so you don't have to edit it clause by clause. Everything specific to your practice lives in one place — the Schedule (Appendix A) — which you complete once.

To adopt this policy:

  1. Complete the Schedule (Appendix A) — your practice name, the people who hold each governance role, your audit frequency, your default consent period, your transcript-retention setting, and your register of approved AI tools.
  2. Read Appendix B (Jurisdiction Requirements) — use the edition for your jurisdiction and confirm the listed laws and professional-body guidance still apply (regulators update these regularly).
  3. Adapt the optional items — name specific prohibited tools or add practice-specific rules in the Schedule. No need to touch the body.
  4. Approve, date, and version it using Appendix D, and brief your team.

A note on roles. The policy refers to three roles — the AI Governance Lead (owns the policy and approves new tools), the Documentation Auditor, and the Incident Contact. In a small practice these may all be the same person. Map each role to a real name in the Schedule.


Part 1 — What the rules require

Two bodies of rules govern AI use in clinical practice in every jurisdiction: privacy and data-protection law, and the standards of your professional registration body. The specific laws, regulators, and guidance documents that apply are set out in Appendix B. Whatever your jurisdiction, the same themes recur:

  • Health data is specially protected. It generally cannot be collected, used, or disclosed without a lawful basis — most often the patient's consent.
  • Sending data to a third-party AI vendor is a disclosure. It needs a basis, appropriate security, and — where the vendor processes data overseas — specific cross-border safeguards. You remain accountable for what your vendor does with the data.
  • Patient data must not train the vendor's AI models. Your agreement with the vendor must prohibit secondary use, including model training.
  • The practitioner stays accountable. AI is a decision-support tool; clinical judgement is never delegated to an algorithm, and the practitioner is responsible for the accuracy of the final record.
  • Consent is informed and usually tool-specific. Patients must understand which tool is used, what it captures, where data goes, and that they can withdraw at any time without affecting their care. For tools that record a consultation, consent is obtained before recording begins.
  • Use is transparent. Patients are told when AI is involved, and AI-assisted documents are labelled in the record.
  • Breaches must be reported. Most jurisdictions have a mandatory data-breach notification regime (see Appendix B).
  • Competence is required. Practitioners must understand the tool's capabilities, limitations, and biases before using it.

Part 2 — What clinicians worry about

Beyond formal regulation, a good policy addresses these head-on:

  • Accuracy and hallucinations. Generative AI is probabilistic and can produce confident but wrong output — a mistranscribed medication or fabricated symptom could drive an unsafe decision if not caught.
  • Over-reliance and deskilling. Busy clinicians may "rubber-stamp" AI notes without real review, eroding independent clinical judgement over time.
  • Loss of clinical nuance. Text transcripts miss tone, body language, micro-expressions, and cultural context — all central to psychological assessment.
  • Medico-legal discoverability. AI-generated notes and transcripts can be subpoenaed. A hallucinated detail or inaccurate risk assessment can create real liability.
  • Effect on the therapeutic relationship. Recording or AI monitoring can change the dynamic and make some clients less willing to disclose.

A sound policy doesn't pretend these risks away — it manages them with consent, human review, vendor due diligence, and audit.


Part 3 — The policy

This is the operative policy. Adopt it as written; practice-specific details are recorded in the Schedule (Appendix A), and the legal and professional requirements for your jurisdiction are in Appendix B. The Schedule (Appendix A) is provided in the downloadable template.

1. Purpose. Our practice is committed to the lawful, ethical, and responsible use of artificial intelligence (AI) to support — not replace — human-delivered psychological care. This policy governs how AI tools may be used in our clinical and administrative work, to protect patient privacy, uphold our professional obligations, and preserve the quality and safety of care. AI tools are adopted only where they support clinical workflows (such as documentation) and improve patient outcomes, and always under the accountability of a qualified practitioner.

2. Core principles.

a) Patient consent is required for the use of AI tools with their personal or health information, and may be withdrawn at any time without affecting their care. b) Clinical decisions always remain with the practitioner. AI is an assistant, never a decision-maker. Practitioners understand how their AI tools work, and their limitations and biases. c) Patient data is never used to train AI models. We use only tools whose providers contractually guarantee this.

3. Who this applies to. This policy applies to all practitioners and clinical staff at our practice. The user of any AI tool covered by this policy is always a qualified practitioner (or clinical staff acting under a practitioner's direct accountability) — never the patient. Any limits on use by non-clinical administrative staff are recorded in the Schedule.

4. Regulatory and ethical framework. We use AI consistently with the privacy and data-protection law and the professional standards that apply to our practice. These are set out for our jurisdiction in Appendix B and are reviewed whenever the law or professional guidance changes.

5. Approved, restricted, and prohibited uses.

Approved uses (with patient consent and clinician review) — the specific approved tools are listed in the Schedule:

a) AI scribes / ambient documentation for session transcription and note summarisation. b) Drafting, summarising, and grammar-checking of clinical notes and correspondence.

Restricted uses (permitted only with enhanced safeguards and mandatory independent verification by the clinician):

c) Tools offering differential-diagnosis support or pattern analysis, which must always be independently verified and never relied on alone.

Prohibited uses:

d) Using AI as the sole basis for any diagnosis or any suicide or violence risk assessment. e) Entering identifiable patient information into free, public, or non-approved AI systems (for example, consumer-tier ChatGPT, Gemini, or Copilot). f) Using any AI tool that has not been approved through the process in clause 10. g) Any additional tools or uses prohibited by our practice, as listed in the Schedule.

6. Privacy, security, and vendor due diligence. Before any AI tool is approved, we confirm that:

a) A binding data agreement is in place — a Business Associate Agreement, data processing agreement, or equivalent (see Appendix B for what your jurisdiction requires) — before any patient data is shared. b) The vendor contractually guarantees that patient data is never retained or used to train its own or any third-party AI models. c) Data is encrypted in transit and at rest, and stored in a known, compliant location (recorded in the Schedule). d) Cross-border transfers are accounted for. Where a vendor processes data outside our jurisdiction, we apply the cross-border safeguards required by law (see Appendix B) and understand we remain accountable for the data. e) De-identification or redaction is used wherever practical to minimise identifiable data sent for processing. f) Retention is deliberate. Where the tool allows transcripts or other artifacts to be retained, we set a retention period consistent with our professional record-keeping and legal obligations (recorded in the Schedule), rather than defaulting to indefinite storage without a reason.

7. Informed consent and patient transparency.

a) Consent is obtained before AI use — and, for any tool that records or processes a consultation, before recording begins. Consent is tool-specific: we explain which tool, what it captures, where data is stored and who can access it, the privacy risks, and the right to withdraw. A blanket "we use AI" consent is not sufficient. b) Consent is recorded — we note the patient's consent (and any withdrawal) in their clinical record, for the consent period recorded in the Schedule. c) Withdrawal is honoured immediately and without any reduction in the quality of care provided. d) Authorship is transparent — AI-assisted documents are clearly labelled in the record (see the sample label in Appendix C).

8. Human review and accountability.

a) AI output that becomes clinical documentation — session summaries, notes, letters, and reports — must be reviewed, edited, and approved by the responsible clinician before it is saved to the record. b) Session transcripts are a verbatim source artifact, not clinician-authored documentation. Where our tool and retention settings keep a transcript (see the Schedule), it is stored as a source record — useful for later review and insight — and does not require line-by-line clinician review; the clinician remains responsible for any summary or note drawn from it. c) The clinician retains full professional, ethical, and legal accountability for every clinical decision and for the accuracy of the final documentation. AI never carries that accountability.

9. Risk management and quality assurance.

a) We acknowledge AI's limitations — hallucinations, bias, and the absence of contextual clinical judgement — and train staff to watch for them. b) Audit. The Documentation Auditor reviews a sample of AI-assisted documentation, at the frequency set in the Schedule, for accuracy and completeness. c) Incident reporting. Any suspected data breach, AI-generated inaccuracy, or use of an unapproved tool is reported to the Incident Contact without delay and recorded in our incident register. Data-breach notification obligations are set out in Appendix B.

10. Training and governance.

a) Training. All clinical staff complete training on the capabilities, limitations, and privacy boundaries of any approved AI tool before using it. b) Approval process. No new AI tool may be used until approved by the AI Governance Lead, who confirms it meets clauses 6 to 8 and records it in the Schedule. c) Ownership and review. This policy is owned by the AI Governance Lead and reviewed at least annually, or sooner if the law or professional guidance changes.


Appendix B — Jurisdiction requirements: Other jurisdictions (general)

Currency: Checked June 2026. This is a generic edition. Replace it with your jurisdiction's specifics and seek local legal advice.

Privacy and data-protection law

  • Identify your data-protection / privacy law and confirm how it treats health information — in most jurisdictions it is a special, protected category requiring a lawful basis or consent.
  • Confirm the lawful basis for disclosing health data to a third-party AI vendor (commonly the patient's consent).
  • Require a data agreement with the vendor that prohibits secondary use and model training on patient data, and mandates encryption and security.
  • GDPR is a common benchmark — if you operate in or serve the EU/EEA, health data is special category data needing an Article 6 basis plus an Article 9 condition.

Professional standards

  • Confirm your professional registration body's position on AI — most psychology and medical regulators now publish guidance, and all hold the practitioner accountable for clinical decisions and documentation.
  • Where no AI-specific guidance exists — your existing code of conduct (confidentiality, consent, record-keeping, competence) still applies in full.

Cross-border data transfer. If your AI vendor processes data in another country, check whether your law restricts cross-border transfers and what safeguards it requires. You generally remain accountable for the data.

Data-breach notification. Check whether your jurisdiction has a mandatory data-breach notification regime, who must be notified, and the timeframe.

Appendix C — Sample consent script and authorship label

The example below is written for NovoNote, an AI scribe whose audio is never saved, whose transcript retention the practice controls (it can be deleted after use, or kept for a set period — for example seven years or indefinitely — to support ongoing care and later insight), and whose data is not used to train AI models. Adapt the wording to your approved tool and your retention setting (recorded in the Schedule). You can give patients NovoPsych's ready-to-use resources: the NovoNote patient consent form and the NovoNote patient information sheet (both on the NovoNote security page).

Sample verbal consent script (adjust the retention sentence to match your setting):

"In our sessions I use an AI note-taking tool called NovoNote to help me document our work accurately, so I can focus on you rather than on writing. It listens to the session and produces a written summary, which I review and edit before it becomes part of your record. The audio is never saved. The session transcript [is deleted once the summary is written / is kept securely as part of your record for [period] to support your care]. Your information is stored securely in Australia and is never used to train AI models. You can decline, or change your mind at any time, and it won't affect your care in any way. Are you comfortable with me using it today?"

Sample authorship label for the clinical record:

"Case note created with the assistance of AI (NovoNote), reviewed and adopted by [clinician name and title] on [date]."


Prepared by NovoPsych as a free resource for the mental health community. Current as of June 2026; general information only, not legal advice. Learn more at novopsych.com.

Use with AI

Copy the AI Policy to your clipboard for Claude, ChatGPT, Gemini, Copilot or Perplexity

Download the template

Patient resources

Other editions

New to NovoNote? See the NovoNote security & privacy overview.

See NovoNote in action

Using NovoNote AI Scribe for the First Time
See how to set up NovoNote and use it with your very first client — capturing session content and turning it into structured clinical notes, reports and letters.

Using NovoNote AI Scribe With Your First Patient
A step-by-step guide covering initial setup, session documentation and best practices.

AI in Therapy: Ethics, Consent and Privacy
The ethical, legal and privacy considerations of AI-generated documentation — consent, data security, regulatory compliance and mitigating AI bias.

Template Like a Pro: Customising NovoNote for Your Practice
Create your own personalised template to capture your individual therapeutic and note-taking approach.

From Session to Summary: AI-Generated Reports and Letters Made Easy
How NovoNote streamlines reports, GP letters and other clinical documentation.

Free resource provided by NovoPsych. General information only, not legal advice — adapt it and seek your own legal and professional advice before adopting.