Direct-pay psychiatry, DPC membership models, and cloud AI scribes: HIPAA coverage and the vendor archive in cash-only psychiatric practice
Direct-pay and DPC psychiatric practices operate outside traditional insurance billing — which raises a genuine HIPAA covered-entity question and leads many practitioners and patients to assume that what happens in a cash-pay psychiatric office stays there. A cloud AI scribe used in that practice captures and retains session audio independently of any billing relationship. The vendor archive exists whether or not the practice is a HIPAA covered entity, and it is subpoenable through DEA administrative authority, state licensing board investigations, civil court discovery, and family-law proceedings that a business associate agreement cannot simply block.
What direct-pay and DPC psychiatry look like in 2026
Direct Primary Care (DPC) began as a primary care payment model in which patients pay a monthly or annual membership fee directly to their physician — bypassing insurance billing for routine care. The model has expanded significantly since the Affordable Care Act's DPC-compatible Health Savings Account provisions and has generated parallel developments in psychiatric practice. "Direct-pay psychiatry" and "concierge psychiatry" describe practices that operate on a membership fee, retainer, or flat-fee cash model: the patient pays the psychiatrist directly, no claims are submitted to insurers, and the relationship is structured outside the traditional fee-for-service third-party-payer system.
In 2026, direct-pay psychiatric practices span several configurations: individual psychiatrists operating entirely outside insurance panels; concierge practices charging monthly retainers for comprehensive medication management and extended appointment access; hybrid practices that accept direct-pay for psychiatric services while the patient's primary care physician handles insurance-billed medical care; and DPC primary care clinics that employ or contract with psychiatrists for integrated behavioral health within the membership fee. Common settings include urban boutique practices, rural areas where insurance-panel psychiatrists have multi-month wait times, and practices serving high-acuity patients who value the extended appointment time and communication access that direct-pay models enable.
What patients and practitioners often share in these settings is a perception of heightened privacy: no insurance claims means no diagnosis codes flowing through clearinghouses, no remittance records at insurance companies, and no benefit records accessible to employers who self-insure their health plans. That perception has real substance — the insurance billing channel is a genuine source of disclosure risk that direct-pay avoids. But it does not address the cloud AI scribe channel, which operates entirely independently of the billing relationship and creates its own documentation record.
The HIPAA covered-entity determination for cash-only practices
HIPAA's Privacy Rule and Security Rule apply to "covered entities" — health care providers that transmit health information in electronic form "in connection with a transaction covered under" HIPAA's standard transaction rules. Those covered transactions are defined in 45 CFR Part 162 and are primarily insurance billing transactions: claims submission (the 837 transaction), eligibility and benefit inquiries (270/271), remittance advice (835), and similar administrative transactions between health care providers and health plans. The critical phrase is "in connection with" — a health care provider that never submits an insurance claim, never verifies insurance eligibility electronically, and never receives electronic remittance from a health plan may not be conducting covered electronic transactions and thus may not meet the covered-entity definition under 45 CFR § 160.103.
A direct-pay psychiatric practice with no insurance billing relationships and no covered electronic transactions is therefore potentially outside HIPAA's covered-entity definition. This is not an oversight or a loophole; it reflects HIPAA's origin as a framework for standardizing electronic billing transactions between covered entities and health plans. A practice with no such transactions was not the primary regulatory target.
In practice, the non-covered-entity exemption is narrower than it appears. Several common situations pull a nominally direct-pay practice back into covered-entity status: accepting Medicare or Medicaid for any patients (which requires covered electronic transactions with the government health plans); maintaining an EHR that automatically checks insurance eligibility or submits coordination-of-benefits inquiries, even for a subset of patients; accepting HSA or FSA debit cards in configurations that route through standard transaction processing; or participating in value-based arrangements that involve covered electronic data exchanges. Many practices that consider themselves direct-pay have at least some billing activity that triggers covered-entity status. Practices that are genuinely conducting no covered electronic transactions whatsoever are less common than often assumed.
Regardless of covered-entity status, overlapping legal frameworks apply independently. State medical practice acts impose patient confidentiality obligations on licensed physicians independent of HIPAA. State consumer and medical privacy laws impose specific protections that do not require a HIPAA covered-entity predicate — California's CMIA, Illinois's MHDDCA, and New York's Mental Hygiene Law § 33.13 all apply to health care providers in those states regardless of HIPAA status. For a detailed analysis of how these state laws operate independently of the federal HIPAA framework, see our examination of state mental health privacy laws stricter than HIPAA. Professional licensing obligations — the ethical duty of confidentiality enforced by state psychiatric licensing boards under state medical practice acts — apply regardless of HIPAA covered-entity status. None of these frameworks governs what a cloud AI scribe vendor does with session audio it independently retains under its own terms of service.
What cloud AI scribes capture in direct-pay psychiatric practice
Direct-pay psychiatric sessions typically involve more extended appointment time than insurance-billed visits — the business model explicitly offers longer consultations as a value proposition, and psychiatrists in direct-pay settings often spend 30 to 60 minutes on medication management appointments that insurance-billed practices compress into 15-minute slots. That means the cloud AI scribe captures substantially more clinical content per session than is typical in fee-for-service psychiatric practice.
Medication management conversations
Psychiatric medication management is the core clinical activity in most direct-pay psychiatric practices. Sessions cover medication initiation, dose titration, side effect profiles, adherence patterns, drug-drug interactions, and the patient's subjective experience of their psychiatric symptoms over time. For controlled substances — stimulants prescribed for ADHD, benzodiazepines for anxiety disorders, buprenorphine for opioid use disorder — session content includes the patient's self-reported use patterns, the prescriber's verbal prescribing rationale, and discussions of dose changes, early refill requests, or medication concerns. A cloud AI scribe retains verbatim audio of all of it. For the specific legal exposure this creates in a controlled substance prescribing context, see our analysis of telehealth psychiatric prescribing, the Ryan Haight Act, and DEA administrative subpoena authority.
Diagnostic formulation and history
The extended appointment time in direct-pay practice allows for more thorough diagnostic exploration: detailed symptom history, family psychiatric history, trauma history, personality formulation, and differential diagnosis discussion. This content is often substantially more candid and detailed than what appears in a formal diagnostic note — the session conversation captures the exploratory process, the clinician's tentative formulations, and the patient's own characterizations of their mental health history in language that the formal note condenses into diagnostic categories and clinical summary. The vendor's verbatim archive of a diagnostic formulation session contains materially more specific — and more potentially revealing — information about the patient's psychiatric history than the formal note produced from it.
The cumulative longitudinal archive
Direct-pay psychiatric relationships are frequently longitudinal — patients stay with the same psychiatrist for years within the membership model. The cloud AI scribe vendor's archive across a multi-year relationship constitutes a session-by-session record of the patient's symptom fluctuations, medication history, disclosed life events, relationship and employment circumstances, and the full range of content that arises in an extended psychiatric treatment relationship. This cumulative archive is substantially more detailed than the formal clinical record — which reflects the psychiatrist's documentation judgment about what is clinically relevant and appropriate to record — and it exists outside the formal medical record as the vendor's independently maintained business record. For an overview of what vendors actually retain and how that retention practice creates separately accessible records, see what cloud AI scribes actually send to their servers.
The patient expectation gap
Patients who choose a direct-pay psychiatric practice often do so explicitly to keep psychiatric treatment off the insurance record. They are making a deliberate privacy choice — paying more, out of pocket, to avoid the disclosure risks of insurance-billed mental health care. That choice is rational: insurance billing channels involve real disclosure risk through employers' access to self-insured plan data, insurance company data practices, and the administrative record that flows through clearinghouses. The patient who chose direct-pay to avoid the insurance record is almost certainly unaware that their psychiatrist uses a cloud AI scribe that retains verbatim session audio in a commercial archive that is separately subpoenable by legal mechanisms that reach any commercial third party regardless of the patient's payment method.
Five adversarial proceedings that reach the vendor archive in direct-pay psychiatry
1. DEA administrative investigation under 21 U.S.C. § 877
DEA's administrative subpoena authority under 21 U.S.C. § 877 reaches third-party business record custodians independently of the prescriber, without judicial authorization, and before any charge is filed. Cash-pay controlled substance prescribers — particularly those prescribing stimulants for ADHD, benzodiazepines for anxiety and insomnia, or buprenorphine for opioid use disorder — have been a focus of DEA prescribing pattern investigations in part because the absence of insurance billing means the formal prescribing record is limited to the PDMP dispensing record and the prescriber's clinical notes. The cloud AI scribe vendor's session archive, however, contains verbatim medication management conversations — the prescriber's spoken prescribing rationale, the patient's self-reported medication use patterns, and the session-by-session discussion of controlled substance management — in substantially more detail than the formal note. A § 877 subpoena directed at the vendor can reach that content before the prescriber is necessarily informed, without judicial involvement, and without the HIPAA BAA framework that might otherwise govern the vendor's disclosure obligations. If the practice is not a covered entity and no BAA was executed, the vendor's compliance with the subpoena is governed by the subpoena's scope and the vendor's own legal obligations as a commercial custodian of business records.
2. State medical licensing board investigation
State medical licensing boards investigate complaints about prescribing practices, standard-of-care violations, boundary issues, and other professional conduct matters. Licensing board investigators have broad administrative subpoena authority under state medical practice acts — including the ability to obtain records from third-party custodians under state health oversight authority (parallel to HIPAA's 45 CFR § 164.512(d) for covered entities). A licensing board investigating a complaint about a direct-pay psychiatrist's prescribing or clinical conduct can seek the cloud AI scribe vendor's session archives as a business record of the clinical encounters at issue. The vendor's records may contain session content that the psychiatrist's formal notes summarize more carefully — the real-time prescribing rationale, the patient's reported symptoms across sessions, and clinical conversations that the formal note compresses into standard documentation language. Because the licensing board subpoena operates through state administrative authority rather than civil litigation discovery, it may reach the vendor through channels that are faster and less formally constrained than civil Rule 45 subpoenas.
3. Civil malpractice and wrongful prescribing litigation
Malpractice litigation involving direct-pay psychiatric practices typically arises from adverse medication outcomes: overdose, harmful drug interactions, inadequate monitoring for medication side effects, or failure to identify a dangerous psychiatric condition. In civil malpractice litigation, the plaintiff's attorney can issue a Rule 45 subpoena to any third-party custodian holding records relevant to the clinical relationship. The cloud AI scribe vendor — holding verbatim session audio from every medication management appointment — is a third-party business record custodian reachable by civil discovery subpoena. The vendor's records may reveal divergences between the formal note and the actual session conversation: situations where the formal note records "patient tolerating medication well" while the session audio captured the patient describing concerning side effects, or where the formal note records "prescribing rationale discussed" while the audio reveals the discussion was brief and the clinical reasoning was less thorough than the note implies. In civil litigation, those divergences are exactly what plaintiff's counsel uses to establish the gap between documented and actual standard of care. For broader analysis of how the cloud AI scribe vendor archive functions in civil proceedings, see whether AI therapy notes and their underlying vendor archives can be subpoenaed.
4. Family court and contested custody proceedings
Direct-pay psychiatric patients who become involved in contested custody proceedings may have their psychiatric treatment records sought by opposing counsel. Family courts can issue subpoenas to third parties, and psychiatric treatment records — particularly those documenting diagnoses, symptom patterns, and medication management — are commonly disputed in custody cases where one parent's mental health is placed at issue. The cloud AI scribe vendor holds a session-by-session archive of the patient's disclosed psychiatric symptoms, life stressors, parenting discussions, and the full range of content that arises in psychiatric sessions. The formal clinical note reflects the psychiatrist's documentation judgment; the vendor's archive captures what was actually said. In a contested custody proceeding, the difference between the note's clinical summary and the vendor's verbatim record may be significant: the vendor's archive may contain session content about parenting stress, relationship conflict, or symptom severity that the formal note did not record with equivalent specificity. This is particularly salient in the direct-pay context because patients who seek cash-pay psychiatric care often do so precisely to avoid a formal psychiatric record — and may not realize that the cloud AI scribe creates a separate, more complete commercial archive that opposing counsel can reach through family court discovery.
5. Estate, probate, and wrongful death proceedings
High-net-worth patients who seek direct-pay psychiatric care and subsequently die may become the subject of estate, probate, or wrongful death proceedings in which the psychiatric treatment history is legally relevant — to establish testamentary capacity at the time a will was executed, to evaluate whether the patient's decision-making in the months before death was impaired by psychiatric illness, or to support a wrongful death claim based on alleged prescribing errors. In probate proceedings, the personal representative of the estate may waive the decedent's physician-patient privilege, opening the treatment record to disclosure. The cloud AI scribe vendor's multi-year verbatim session archive represents the most detailed contemporaneous record of the patient's expressed mental state, disclosed intentions, and medication history in the period leading up to death — content that may be directly relevant to testamentary capacity disputes, wrongful death prescribing claims, or beneficiary-contested will proceedings. Civil discovery in estate and probate matters allows subpoenas to commercial third-party record custodians, and the vendor holds business records of its services to the psychiatrist that are reachable through those mechanisms.
On-device processing and the direct-pay context
When a direct-pay or DPC psychiatric practice uses an on-device AI scribe — processing session audio locally on the psychiatrist's Mac without transmitting audio to any cloud vendor — the separately subpoenable commercial vendor archive does not exist. The vendor receives nothing; there is no vendor archive to subpoena.
In the direct-pay context, this has specific consequences for each of the adversarial proceedings described above:
- A DEA § 877 administrative subpoena directed at the cloud AI scribe vendor produces no records, because the vendor holds none. The DEA's investigation is limited to the prescriber's formal clinical notes, the PDMP dispensing record, and the pharmacy's dispensing data — the documentation that exists for any prescribing relationship, with or without an AI scribe.
- A state licensing board administrative subpoena to the vendor yields nothing. The board's investigation proceeds from the formal clinical record — the documentation the psychiatrist created and maintained — rather than from a vendor's verbatim session archive that may diverge from the formal note in ways the board's investigators could use to challenge the prescriber's account.
- In civil malpractice litigation, the plaintiff's Rule 45 subpoena to the vendor produces no session audio. The evidentiary record of the clinical encounters is the formal clinical note and any other records in the psychiatrist's possession — not a verbatim commercial archive that the vendor maintained independently.
- In family court and custody proceedings, opposing counsel cannot obtain a vendor session archive through a third-party subpoena to the AI scribe company. The patient's psychiatric treatment record available through discovery is limited to what the formal medical record contains.
- In estate and wrongful death proceedings, the estate, contesting beneficiaries, or wrongful death plaintiffs cannot subpoena a vendor archive that was never created. The psychiatric treatment history is established through the formal clinical record rather than through a multi-year commercial archive of verbatim sessions.
The direct-pay patient who chose cash payment to keep their psychiatric treatment off the insurance record achieves what they were actually seeking: privacy from both the insurance billing channel and the commercial AI scribe vendor channel. The patient's expectation of heightened privacy aligns with the technical reality when on-device processing is used. That alignment is the architectural privacy guarantee — it does not depend on a business associate agreement, a vendor's contractual commitments, or a privilege analysis that may or may not hold in the specific jurisdiction and proceeding type. For a broader explanation of why architectural privacy differs from contractual privacy, see our analysis of what a BAA actually covers — and what it does not.
Practical implications for direct-pay psychiatric practitioners
Audit your covered-entity status carefully. The non-covered-entity exemption for direct-pay practices is narrower in practice than it appears in theory. If your practice accepts Medicare for any patients, uses an EHR that checks insurance eligibility electronically, accepts HSA/FSA payments through standard transaction processing, or participates in any value-based arrangement involving covered electronic data exchanges, you may be a HIPAA covered entity. Consult with a health care attorney about your specific billing practices before concluding that HIPAA's Privacy and Security Rules do not apply to your practice.
Recognize that non-covered-entity status is not the same as unregulated. Even if your practice is genuinely outside HIPAA's covered-entity definition, state medical practice acts, state mental health privacy laws, and professional licensing ethical codes impose confidentiality obligations that apply independently. In California, Illinois, New York, and other states with mental health-specific privacy statutes, those state protections may impose stricter requirements than HIPAA's baseline — and they apply to your practice regardless of your HIPAA status.
Understand what the cloud AI scribe vendor's terms of service actually say. If your practice is not a HIPAA covered entity, the vendor may not be required to sign a BAA. The vendor's handling of session audio is governed by its standard terms of service and data retention policies rather than HIPAA business associate obligations. Review those terms with care: what the vendor retains, for how long, in what form, under what conditions it will respond to legal process, and what notice (if any) it will give you before complying with a DEA administrative subpoena, licensing board demand, or civil discovery request directed at the vendor.
Disclose accurately to patients seeking direct-pay care for privacy reasons. Patients who choose your practice specifically to keep their psychiatric treatment off the insurance record deserve accurate informed consent about any cloud AI scribe relationship. If a patient is paying cash to avoid insurance disclosure channels, they should know whether session audio is being transmitted to a commercial vendor that maintains its own archive independently of your clinical records. Accurate disclosure is ethically required and may be mandated by state informed consent standards applicable to your practice.
Evaluate on-device processing as the architecture that delivers what direct-pay promises. Patients in direct-pay psychiatric practice are paying a premium for a more private clinical relationship. On-device AI scribing — where session audio never leaves the psychiatrist's device — delivers the documentation efficiency of AI scribing without creating a separately subpoenable commercial vendor archive. For psychiatrists whose patient population includes individuals who have explicitly sought care outside the insurance system for privacy reasons, the architecture of the documentation tool should match the privacy premise of the practice model.
Frequently asked questions
Is a direct-pay or DPC psychiatric practice a HIPAA covered entity?
HIPAA's covered-entity definition requires that the health care provider transmit health information in electronic form in connection with a covered transaction — primarily insurance billing transactions under 45 CFR Part 162. A practice that never submits insurance claims and conducts no covered electronic transactions is technically outside the covered-entity definition. In practice, many direct-pay practices conduct at least some covered electronic transactions through Medicare acceptance, EHR eligibility functions, or HSA/FSA billing. Whether any specific practice qualifies for the non-covered-entity exemption requires careful examination of every category of electronic transaction the practice actually conducts. State medical privacy laws apply to the practice regardless of its HIPAA covered-entity status.
Does a non-covered-entity psychiatric practice need a BAA with its cloud AI scribe vendor?
Under HIPAA, the BAA requirement applies when a covered entity discloses protected health information to a vendor. If the practice is not a covered entity, the HIPAA BAA requirement does not technically apply. However, the vendor still receives sensitive psychiatric session content — medication management conversations, diagnostic discussions, controlled substance treatment plans — and the vendor's handling of that information is governed by the vendor's terms of service and applicable state laws, not by a HIPAA BAA. The absence of a required BAA does not prevent the vendor archive from being subpoenable through DEA, civil discovery, or family court. It means the legal framework governing the vendor's disclosures is the vendor's own policies and applicable law rather than a HIPAA BAA's contractual protections.
Can DEA subpoena a cloud AI scribe vendor's records from a direct-pay psychiatric practice?
Yes. DEA's administrative subpoena authority under 21 U.S.C. § 877 reaches third-party business record custodians independently, without judicial authorization, and without regard to the practice's HIPAA covered-entity status. A vendor holding session audio from controlled substance medication management appointments holds business records potentially relevant to a DEA prescribing pattern investigation. HIPAA's law enforcement exception at 45 CFR § 164.512(f) governs covered-entity business associate disclosures in response to law enforcement requests — if the practice is not a covered entity and no BAA governs the vendor relationship, the vendor's response to a § 877 subpoena is determined by the subpoena's scope, the vendor's legal obligations as a commercial record custodian, and any applicable privilege, not by HIPAA BAA restrictions.
What does the patient expectation gap mean in direct-pay psychiatry?
Many patients choose direct-pay psychiatric care specifically to avoid the insurance disclosure channel — keeping their diagnosis codes, medication history, and treatment record out of insurance company systems and away from employers who administer self-insured health plans. That privacy rationale is legitimate and real with respect to the insurance billing channel. The expectation gap is that when the psychiatrist uses a cloud AI scribe, a commercial vendor receives and retains verbatim session audio independently of any billing relationship. That vendor archive is accessible through DEA administrative subpoenas, civil discovery, licensing board investigative demands, and family-court orders — all mechanisms that reach any commercial third party regardless of the patient's payment method. The patient who chose direct-pay for privacy may be unaware that a separate, more complete commercial archive of their psychiatric sessions exists outside the insurance system.
Does on-device AI processing resolve the vendor archive risk for direct-pay psychiatric practices?
On-device processing eliminates the vendor archive by processing session audio entirely on the psychiatrist's local device without transmitting audio to any cloud service. The vendor receives no audio and retains no session content. DEA § 877 subpoenas, civil discovery subpoenas, licensing board demands, and family-court orders directed at the vendor produce nothing, because the vendor holds nothing. The psychiatrist's formal clinical notes remain as the medical record of the clinical encounter. What on-device processing eliminates is the separately held commercial vendor archive that extends beyond those notes. For direct-pay patients who chose cash payment to stay out of the insurance system, on-device processing extends the privacy protection to the documentation layer — aligning the technical reality with the privacy premise of the direct-pay relationship.