Paubox blog: HIPAA compliant email made easy

Talkspace and HIPAA compliance

Written by Kirsten Peremore | June 12, 2023

Talkspace is a third-party mental health app that matches patients with providers that fit their needs. The app states that it is fully HIPAA compliant. Still, in recent years, data breaches have placed Talkspace in the spotlight along with its competitors. 

 

Talkspace privacy policy

Talkspace protects US users' data per HIPAA and HITECH Act requirements. Because the company complies with HIPAA, its privacy policy outlines how PHI is handled. The policy's notices apply to PHI and explain how your data is used, disclosed, and protected. This includes:

  1. Data processing: Talkspace uses proprietary technology and advanced data processing techniques to handle user data. 
  2. User consent: Users have control over their personal information and can manage their preferences for receiving marketing materials or newsletters. Talkspace claims that users can also limit the use of cookies, pixels, and web beacons.
  3. Access, deletion, and modification of personal data: Users can request access to or deletion/modification of their personal information. Talkspace will honor these requests, subject to legal requirements and exceptions.
  4. Security: Talkspace takes commercially reasonable steps to protect the integrity and confidentiality of user information. They comply with the HIPAA Security Rule and undergo third-party assessments annually.

This privacy policy applies specifically to Talkspace services but does not cover the third-party applications, software, or websites users can access through Talkspace. Furthermore, Talkspace may collect personal data and medical information during registration and throughout the use of its services. This information is used to provide the services, match users with therapists, process payments, support users, conduct research (with explicit authorization), and ensure quality and compliance.

 

Talkspace and user data 

A 2022 report by Mozilla assessed the privacy and security measures of mental health apps. Talkspace was among the worst offenders, with a vague privacy policy containing several loopholes that negatively impact user data. Talkspace was found to collect users' chat transcripts with therapists, which are considered PHI because they contain medical diagnoses, treatments, and patient information.

The 2023 update to the report found that the questionnaire supplied during registration asked users personal questions about their diagnosis (such as depression), information that was then used for marketing purposes.

 

Talkspace and data mining

A report from The New York Times raised concerns about the handling of user data by mobile therapy company Talkspace. Former employees claim that client conversations were routinely reviewed and mined for insights, with common phrases resulting from the data mining being shared with company marketing. Talkspace's interventions in client-therapist interactions were also questioned, with claims that the company instructed therapists to keep clients within the app. 


 

Talkspace's response 

While Talkspace denies using transcripts for marketing purposes, it acknowledges sharing insights internally. It has stated that it maintains HIPAA and HITECH Act compliance and has implemented security and privacy measures to protect user data. 

 

Protecting your user data

Mental health apps often fall outside the scope of HIPAA, and despite Talkspace's compliant status, there have been cases of data not being adequately protected. As such, users must protect their own data. These measures include:

  1. Review privacy settings: Check the privacy settings on your smartphone's operating system and adjust them to limit how apps track you. 
  2. Opt out of personalized ads and cross-app tracking: Disable personalized ad tracking on platforms like Google, Facebook, Twitter, and Apple to limit the data collected and shared across different apps.
  3. Disable mobile advertising ID: Mobile advertising IDs are unique identifiers apps use for tracking purposes. Consider disabling or resetting your mobile advertising ID on your device to limit how companies can collect and correlate your data.
  4. Read privacy policies: Carefully review the privacy policies of the apps or platforms you use, including online therapy services. Look for transparency in data collection, usage, and sharing practices.
  5. Limit data sharing: If the option is available, revoke any authorizations you may have given for using or disclosing your medical information. Request the limitation of data sharing with insurance providers if desired.
  6. Consider using a virtual private network (VPN): A VPN can help protect your privacy by masking your computer's location and preventing your internet service provider from seeing the websites you visit. However, VPNs may not be necessary for everyone and may have their own limitations.
