Senators Question Mental Health App Providers About Privacy and Data Sharing Practices

Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) have written to two leading mental health app providers demanding answers about their data collection and sharing practices.

There have been multiple reports that the mental health apps provided by Talkspace and BetterHelp are collecting, mining, and disseminating private client information to third parties, including big tech firms such as Google and Facebook. During the COVID-19 pandemic, the use of mental health apps grew rapidly. The apps offered an alternative to traditional face-to-face therapy, with the app developers themselves marketing the apps as a cost-effective alternative to traditional therapy.

While therapists may be required to comply with the Health Insurance Portability and Accountability Act (HIPAA), mental health apps fall into a gray area as they are generally covered under HIPAA, which means that the restrictions on uses and disclosures of protected health information under the HIPAA Privacy Rule do not apply to many mental health apps.

Talkspace has confirmed to HIPAA Journal that its app does meet the privacy and security standards of HIPAA. “Our technology fully meets HIPAA privacy and security requirements and protocols,” said Jeannine Feyen, Director of Communications, Talkspace. “In addition to regularly working with leading national experts in healthcare security and privacy, we have dedicated, seasoned professionals on our staff, led by a Chief Privacy Officer with decades of HIPAA experience, to create and maintain the privacy and security controls that help make that trust possible.”

Please see the HIPAA Journal Privacy Policy

Users of mental apps may not understand that any information collected, stored, or transmitted through the apps may be shared with third parties. Consumers may mistakenly believe that HIPAA applies to these apps because if the same data were to be collected by a healthcare provider – a HIPAA-covered entity – the information would be classed as protected health information and the HIPAA Rules would apply. However, most app developers, including mental health app developers, are not HIPAA-covered entities and are generally not even business associates. The developers of those apps should explain clearly in their privacy policies about any uses or disclosures of users’ information, but privacy policies are often unclear.

“We have long been concerned about the misuse of personal data by Big Tech companies and unscrupulous data brokers, especially for the purpose of microtargeting vulnerable populations,” explained the Senators in their letter to BetterHelp and Talkspace. “Unfortunately, it appears possible that the policies used by your company and similar mental health platforms allow third-party Big Tech firms and data brokers, who have shown remarkably little interest in protecting vulnerable consumers and users, to access and use highly confidential personal and medical information.”

Earlier this year, researchers at Consumer Reports’ Digital Lab investigated 7 mental health apps, including the apps provided by Talkspace and BetterHelp. Using specially programmed Android devices, the researchers tracked which third-party companies received data from the apps and checked whether privacy settings were on or off by default. The researchers found that the apps behaved like many other consumer apps, and shared unique IDs associated with individual smartphones which can be used by big tech companies to track what people do across many different apps. When combined with other data, users can be served targeted ads.

An investigation in February 2020 found BetterHelp was sharing analytics data with Facebook, which included how many times the app was opened and metadata from every message, including data on how long and where users were accessing mental health services. Former employees of Talkspace claimed that treatment transcripts were viewed as a data resource to be mined, and individual users’ anonymized conversations were routinely reviewed and mined for insights to help the company with research and marketing tactics.

The Senators have raised concerns about the use of anonymized data, as that information could be combined with other data to identify individuals. The Senators referred to a 2019 study that found anonymized data that included only a zip code, gender, and date of birth would allow an individual to be identified in 81% of cases.

The senators have asked both companies questions about the types of data collected, the extent of data sharing with third parties, the methods used to protect clients’ information, and how potential clients and current users are informed about the privacy policies and the risks associated with sharing data. The companies have been given until July 6, 2022, to respond.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.