Are mental health platforms like BetterHelp HIPAA compliant?

Concerns about how mental health platforms like Talkspace and BetterHelp handle user data have arisen, leading to FTC investigations and Senators speaking out. This has prompted the need to examine the apps that store our private health information.

How does HIPAA apply to mental health apps?

HIPAA's rules and regulations apply to covered entities and business associates. HIPAA compliance is required to protect the protected health information (PHI) these organizations handle. 

Mental healthcare apps may fall outside the scope of HIPAA even though they have access to potentially sensitive patient data. This has caused concern amongst US senators and the FTC, resulting in the release of the FTC's policy statement on third-party mental health apps and their need to meet the requirements of HIPAA's Breach notification rule. 

Legislative Requirements for mental health platforms

The FDA is the primary federal regulator of software that assists in the diagnosis and treatment of medical conditions, including mental health disorders. The FDA has the authority to review and regulate medical software, including mobile health apps, to ensure their safety and effectiveness. The FDA has released guidance documents that provide information on its regulatory approach to mobile health software, including mental health apps. 

The guidance clarifies which types of apps are subject to regulatory oversight and which may be exempt. Their regulatory oversight is on mobile health apps that pose a risk to patient safety if they do not function as intended. Apps that connect to and control existing medical devices, perform patient-specific analysis, or offer patient-specific diagnosis or treatment are more likely to be regulated. 

Consequences of using a mental health platform that does not adhere to HIPAA standards

1. Privacy breaches: HIPAA protects the privacy and security of individuals' health information. If an app does not follow HIPAA standards, this can result in privacy breaches, where personal information is accessed, disclosed, or used without consent.
2. Data misuse: Mental health data is highly sensitive and confidential. If an app does not adhere to HIPAA standards, the collected data could be used for purposes other than intended. 
3. Inadequate security measures: HIPAA requires implementing appropriate security measures to protect health information from unauthorized access, disclosure, or alteration. If an app does not adhere to these standards, it may lack regulation of its security features, making it more susceptible to hacking, data breaches, or cyberattacks. 
4. Limited accountability: HIPAA compliance helps establish accountability. When an app does not adhere to these standards, there may be a lack of accountability for data breaches, privacy violations, or other misconduct. 

Mental health apps and cases of data breaches

 In 2020, Talkspace, a popular mental health therapy app, suffered a data breach that exposed confidential therapy session records of some of its users. The breach occurred due to unauthorized access to the company's database, potentially compromising the privacy and confidentiality of therapy sessions.

 In 2019, 7 Cups, a platform that provides online emotional support, disclosed a data breach that affected approximately 3.7 million user accounts. The breach involved unauthorized access to usernames, email addresses, and hashed passwords of users.

In light of the 2023 FTC investigation into BetterHelp into data sharing with Meta, the subsequent class actions have resulted in a spotlight being placed on the lack of regulation in the scope of mental health use of user data. 

These cases have been followed by a letter from concerned US senators questioning the integrity of sensitive users seeking mental health assistance and having their privacy infringed upon. 

Go deeper: 

• BetterHelp fined $7.8M and banned from sharing sensitive data
• Betterhelp and HIPAA compliance
• Meta claims hospitals are to blame for Meta Pixel HIPAA violations

Protecting user data 

Users should take several precautions to protect their data while using mental health apps. These include thoroughly researching the app's privacy policy and data handling practices before using it. 

Only use mental health platforms with a proven track record of prioritizing data privacy and security. This includes verifiable HIPAA best practices. Additionally, ensure that research is done on the app's approach to data protection and breaches that have occurred. 

Related: HIPAA Compliant Email: The Definitive Guide