The short answer
Most consumer-facing AI mental-health apps are not HIPAA-covered entities. They operate under direct-to-consumer privacy laws, primarily the FTC Act, the FTC Health Breach Notification Rule, state privacy laws (Washington's My Health My Data Act, California's CCPA/CPRA), and the EU's GDPR for European users. "HIPAA-compliant" claims in app marketing are often imprecise or misleading. This guide explains what HIPAA actually covers, when an AI mental-health app falls under it, and how to evaluate a platform's privacy posture in practice.
Who HIPAA covers
The Health Insurance Portability and Accountability Act (HIPAA) — specifically the Privacy Rule and Security Rule — applies to covered entities and their business associates. Covered entities are:
- Health plans (insurance companies, employer-sponsored plans, government programs).
- Health care providers who transmit health information electronically (most doctors, hospitals, clinics, pharmacies, licensed therapists in private practice or group practices).
- Health care clearinghouses (entities that translate medical billing data between formats).
Business associates are vendors that handle Protected Health Information (PHI) on behalf of a covered entity — EHR vendors, billing services, and increasingly AI medical scribes. Business associates must sign a Business Associate Agreement (BAA) with the covered entity and follow HIPAA security standards.
Why most consumer mental-health apps are not HIPAA-covered
Direct-to-consumer apps that you sign up for yourself — Calm, Headspace, Wysa free tier, Woebot (when consumer-facing), most meditation apps, most AI chatbot wellness apps — are typically not covered entities under HIPAA. They are not delivering services on behalf of a health plan or licensed provider; they are selling a wellness app directly to you. The data you give them isn't legally PHI in the HIPAA sense.
This is counter-intuitive. The data feels private and clinical (mood logs, anxiety scores, journal entries). But because the app is not part of a covered-entity workflow, HIPAA doesn't apply.
When mental-health apps are HIPAA-covered
- Online therapy with licensed therapists. BetterHelp, Talkspace, Cerebral therapy services, and similar platforms employ licensed therapists who are health care providers under HIPAA. Session content (the actual messaging, video, or audio with the therapist) is PHI, and these platforms operate HIPAA-compliant infrastructure for that data.
- Telehealth clinical services. K Health's clinician-staffed plans, Hims/Hers prescription evaluations, Amwell visits, Teladoc encounters — all involve licensed providers and are HIPAA-covered for the clinical-encounter data.
- Insurer-sponsored wellness apps. If your insurance company gives you free Calm or Headspace, the relationship between the insurer and the app vendor may invoke HIPAA via the business-associate pathway. The data flow on your phone is unchanged but the legal framework differs.
- Employer-provided Employee Assistance Programs (EAPs). Some EAP-delivered mental-health apps fall under HIPAA via the employer's group health plan.
What protects users when HIPAA doesn't apply
For non-HIPAA-covered consumer apps, the privacy framework is a patchwork:
- FTC Act Section 5 (deceptive practices). If an app says "we don't share your data with advertisers" and then does, the FTC can sue. This is the basis for the 2023 BetterHelp settlement ($7.8M) and the 2024 Cerebral settlement ($7M) — both companies were HIPAA-covered for therapy services but still settled with the FTC over advertising-related data sharing outside the therapist-patient channel.
- FTC Health Breach Notification Rule. Updated in 2024 to explicitly cover health apps and connected devices that aren't HIPAA-covered. Requires notification within 60 days of a data breach. This is what gives the FTC enforcement authority over consumer health apps even when HIPAA doesn't apply.
- Washington My Health My Data Act (2023). The strongest US state privacy law for non-HIPAA health data. Applies to any entity processing health data of Washington residents. Requires explicit consent for collection and prohibits certain forms of data sharing.
- California CCPA / CPRA. Applies to "sensitive personal information" including mental-health data for California residents.
- GDPR (EU). Health data is "special category" personal data under Article 9. Requires explicit consent and stronger purpose-limitation than general personal data.
- State medical-licensure laws. Apply to therapist-patient interactions even when the platform isn't HIPAA-covered.
How to evaluate an app's privacy posture
- Read the privacy policy specifically for "shared with" and "sold to." Look for any mention of advertising platforms (Meta, Snap, TikTok, Google), data brokers, or "trusted partners." If the app shares ANY identifiable health-related data with advertisers, treat that as a meaningful concern.
- Check the data-sharing toggles in the app. Many apps default to ad tracking on and require manual opt-out. Calm, Headspace, BetterHelp, Cerebral, and Talkspace all have in-app privacy controls — find and review them.
- Look up the app on the Mozilla *Privacy Not Included* guide (foundation.mozilla.org/en/privacynotincluded/) for an independent assessment.
- Check the FTC enforcement docket. If the app has settled with the FTC, that's a real disclosure — read the settlement order to understand what data practices the company was required to change.
- For online therapy specifically, the therapist-patient session content is HIPAA-protected. The metadata around it (the fact that you signed up, your IP address, the marketing data you provide) often is not. The 2023 BetterHelp action was about the metadata layer, not session content.
What to expect from each major platform
- Wysa, Woebot, Calm, Headspace — direct-to-consumer wellness apps; typically not HIPAA-covered. Privacy varies by app; check current policies.
- BetterHelp, Talkspace, Cerebral — HIPAA-covered for therapist-patient session content; FTC-enforced for marketing/advertising data sharing. Both BetterHelp (2023) and Cerebral (2024) have FTC settlements bearing on data practices.
- K Health, Hims/Hers, Amwell, Teladoc — HIPAA-covered for clinical encounters. Mind the data shared during onboarding (questionnaire responses, demographic data) — that may sit outside the strict clinical-PHI boundary.
- Insurance-sponsored wellness apps — typically HIPAA-covered via business-associate agreements with the sponsoring insurer or employer plan.
Bottom line
"HIPAA compliant" is doing a lot of work in mental-health-app marketing copy, often more than it should. For consumer-facing apps not delivered by a licensed provider, HIPAA usually doesn't apply at all. The protective framework is FTC enforcement, state laws, and (for EU users) GDPR. Read each platform's privacy policy with a sceptic's eye, check the FTC settlement history, and assume that any non-clinical data you share — including mood logs, journal entries, and onboarding-questionnaire responses — may be used in ways the app's marketing doesn't make obvious.