If you’re a therapist in private practice looking for an AI email assistant, the decision isn’t “which tool?”. It’s “what goes in which channel?” Client PHI (appointment content, clinical discussion, treatment records) belongs in your practice-management system’s secure portal, with a signed Business Associate Agreement covering any vendor that can see that data. Everything else, referral coordination, CEU scheduling, insurance admin, colleague consultation, vendor emails, flows through your general inbox, and that’s where alfred_ fits.
This post makes two claims upfront:
- alfred_ is safe for the non-PHI 60-70% of your practice inbox, with OAuth 2.0, AES-256 encryption, and no training on user data.
- alfred_ is not a HIPAA-compliant solution for client PHI, standard individual subscriptions don’t include a BAA. Don’t route PHI through it.
The correct architecture is channel separation, not trying to make one tool do both.
40-80 emails/day
Typical inbound volume for a private-practice therapist, mixing practice operations with some client-adjacent admin
alfred_ estimate60-70%
of typical therapist inbox that's clearly non-PHI operations: referrals, CEUs, EAP/insurance admin, colleague consultation, billing from third parties, vendor correspondence
alfred_ estimate~$75K
Median annual revenue for a solo private-practice therapist (2025 benchmark). Lost CEU deadlines and missed insurance panel renewals are measurable revenue risk
Heard, Financial State of Private Practice Report (2025 data)The Channel-Separation Framework
The test: does the email content mention a specific client or contain client-identifying information? If yes → secure portal with BAA. If no → general inbox where alfred_ adds value.
| Email type | Safe tool | Why |
|---|---|---|
| Appointment scheduling/confirmation with clients | Practice-management system (SimplePractice, TherapyNotes, TheraNest) | Client-specific = PHI; needs BAA-covered secure messaging |
| Clinical content (symptoms, diagnosis, treatment) | Same, practice-management secure messaging only | HIPAA requires BAA for any system that sees this |
| Test results, assessment exchanges | Same, secure portal with BAA-covered vendor | PHI under HIPAA |
| Referral coordination (from schools, physicians, EAPs) | alfred_ or your general inbox | Non-client-specific until you add client info |
| Insurance panel applications, renewals, credentialing | alfred_ or your general inbox | Administrative, not client-specific |
| CEU registration, CE provider emails | alfred_ or your general inbox | No PHI |
| Colleague consultation (general, not case-specific) | alfred_ or your general inbox | No PHI if truly general |
| Colleague case consultation with client-identifying info | Practice-management secure messaging | PHI, needs BAA |
| Professional association, journal notifications | alfred_ or your general inbox | No PHI |
| Vendor/supplier communication for practice tools | alfred_ or your general inbox | No PHI |
What alfred_ Actually Does for a Therapist Practice
For the non-PHI 60-70% of your inbox:
- Daily Brief each morning: 40-80 emails compressed to a 5-10 minute read; drafts ready for referral acknowledgments, insurance responses, CEU confirmations
- Commitment tracking: CEU deadlines, insurance panel renewal windows, supervision scheduling, all the stuff that slips between sessions
- Drafted responses: routine replies to referral sources, EAP administrators, insurance billing questions
- Calendar integration: cross-checks conflicts between CEU events, supervision, and your clinical schedule
- Search and surface: emails from 6 months ago you vaguely remember (an insurance panel rep, a referral source) findable by natural query
Typical time reclaim for a full-caseload solo practice: 30-45 minutes/day, less than for a CEO but qualitatively different. The value is less about volume and more about nothing slipping: the CEU deadline you’d have missed, the insurance renewal window you’d have ignored, the EAP query that fell between clinical days.
What You Should Still Do Manually
- Anything touching a specific client by name, initials, DOB, or identifying detail
- Any email where the subject line alone could be PHI (“Client follow-up re: Smith, anxiety”)
- Emails you’d want privileged communication protection for
- Anything going to your licensing board, professional liability insurer, or attorney. These are privileged/legal channels that deserve human-eyes-only handling
Alternatives to Consider
- SimplePractice ($49–$99/month): the most popular HIPAA-compliant practice management system. Signed BAA, secure portal, telehealth, client messaging, billing. This is the tool you should use for client-facing email, not alfred_.
- TherapyNotes ($69/month solo, $79/month for group base): comparable to SimplePractice with stronger clinical documentation.
- TheraNest ($29–$89/month): budget-friendlier practice system, BAA available.
- Upheal / Blueprint.ai / Mentalyc: AI clinical documentation from session recordings. Different category, AI for clinical notes, not inbox. These have HIPAA-compliant architectures and BAAs; evaluate separately.
The Practical Setup
- Choose your practice-management system first (SimplePractice, TherapyNotes, or TheraNest). This is your HIPAA-safe client channel
- Use its secure portal for all client-bearing communication, strictly
- Use alfred_ for your general operations inbox, everything non-client
- Set up alfred_ exclusions for senders where you want to handle manually (your supervisor, attorney, licensing board). This takes 2 minutes
The separation is the point. A single “AI assistant” that tries to handle both surfaces is either regulatory-risky (if it reads PHI without a BAA) or impractical (if you manually split every incoming email). Two channels, each with the right tool, is the clean design.
If you’re not sure whether a given email type counts as PHI, the answer is conservative: route it through your practice system, not alfred_.