Senators Question Mental Health App Companies Regarding Privacy and Data Sharing Practices

Senators Cory Booker (D-NJ), Ron Wyden (D-OR), and Elizabeth Warren (D-MA) have written to two prominent mental health app companies and sought responses regarding their practices on data collection and sharing.

There were several reports that the mental health apps used by Talkspace and BetterHelp are gathering, mining, and sharing private client details to third parties, which include big tech companies like Google and Facebook. During the time of the COVID-19 pandemic, the use of mental health applications grew quickly. The apps provided an alternative to conventional face-to-face therapy, with the app creators themselves advertising the apps as a cheaper substitute to conventional treatment.

Although therapists need to adhere to the Health Insurance Portability and Accountability Act (HIPAA), mental health applications fall under a gray area and are not normally subject to HIPAA, therefore the limitations on protected health information (PHI) uses and disclosures under the HIPAA Privacy Rule are not applicable to numerous mental health software.

Consumers of those applications may not be aware that any data gathered, saved, or transmitted using the applications may be disclosed to third parties. End-users may mistakenly believe that HIPAA covers these apps because if the same information were to be obtained by a healthcare organization – a HIPAA-covered entity – the data would be considered PHI and the HIPAA Regulations would cover it. But, the majority of app creators, which include mental health app makers, aren’t HIPAA-covered entities and are usually not even business associates. The creators of those applications must clarify their privacy policies concerning any uses or disclosures of users’ details, however, privacy policies are usually not clear.

At the beginning of this year, Consumer Reports’ Digital Lab researchers looked into 7 mental health software, including the software made available by Talkspace and BetterHelp. Utilizing specially programmed Android devices, the researchers monitored which third-party firms got information from the applications and examined whether privacy configurations were enabled or not by default. The researchers learned that the software behaved like a lot of other consumer applications, and shared unique IDs linked to individual smartphones which may be utilized by big tech firms to look at what people do in a lot of different apps. When merged with other data, users could be served targeted adverts.

An investigation in February 2020 discovered that BetterHelp was revealing analytics details with Facebook, which included how often the app was opened and metadata from all messages, information on how long and where users were accessing mental health services. The previous staff of Talkspace stated that treatment transcripts were considered a data resource to be mined, and individual users’ anonymized chats were often reviewed and extracted for ideas to help the firm with research and marketing strategies.

The Senators have raised problems with regards to the usage of anonymized data, considering that information can be mixed with other information to identify people. The Senators looked at a 2019 study that discovered anonymized information with only a zip code, date of birth, and gender would permit a person to be identified in 81% of cases.

The senators have asked both firms these questions:

  • the types of data accumulated
  • the extent of information that is being shared with third parties
  • the strategies employed to safeguard clients’ data
  • how future clients and present users are made aware of the privacy guidelines and the risks related to data sharing

The businesses have until July 6, 2022, to give a response.

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at