Mental Health App Data Privacy: What Therapy and Wellness Apps Must Do Beyond HIPAA

Most wellness and therapy app founders assume HIPAA is the only privacy framework they need to worry about. It isn't. Mental health data sits under a stricter federal layer, state confidentiality statutes, and FTC enforcement actions that apply even when you're not a covered entity.


The Three-Layer Problem: Why HIPAA Isn't Enough for Mental Health Apps

Most mental health and wellness app founders assume HIPAA either fully governs their product or doesn't apply at all. Neither assumption is usually correct. The actual compliance picture involves three overlapping regulatory layers — and HIPAA is often the least of your concerns.

Start with who HIPAA actually covers. Under 45 CFR § 160.103, a covered entity is limited to three categories: health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a covered transaction. A standalone meditation app, mood tracker, or teletherapy platform you built and sell directly to consumers does not fit any of those three categories. HIPAA does not apply to it — not because of any exemption, but because the statute simply wasn't written with consumer apps in mind.

There is one path into HIPAA even for non-provider apps: the business associate relationship. If your app creates, receives, maintains, or transmits protected health information on behalf of a covered entity — say, a hospital system integrates your symptom-tracking tool into its patient portal — you become a business associate under § 160.103 and HIPAA obligations attach. But that relationship must exist upstream. If you sell directly to consumers with no covered entity in the chain, business associate status doesn't apply either.

That gap is where the Federal Trade Commission steps in. The FTC treats consumer health apps as its jurisdiction under Section 5 of the FTC Act (unfair or deceptive acts) and the Health Breach Notification Rule, which applies to health apps and similar technologies regardless of HIPAA status. The FTC's enforcement record makes the stakes concrete: actions against BetterHelp, GoodRx, and Premom all involved mental health or health data shared with advertisers — none of those companies were HIPAA-covered entities, and none escaped federal enforcement.

⚠️
The three-layer framework: HIPAA (if you have a covered entity relationship), 42 CFR Part 2 (if you handle substance use disorder records), and state mental health confidentiality laws (which vary significantly and can be stricter than federal law). Most wellness apps need to analyze all three independently — they don't stack neatly.

42 CFR Part 2: The Stricter Federal Layer for Substance Use Records

If your app touches substance use disorder treatment — diagnosis, counseling referrals, or medication-assisted treatment records — a second federal statute enters the picture before HIPAA does. 42 CFR Part 2 governs SUD patient records maintained by federally assisted programs, and its requirements differ from HIPAA in ways that can surprise even experienced compliance teams.

Under 42 CFR § 2.12, a program qualifies as "federally assisted" if it operates under any federal license or authorization — including Medicare participation, a DEA registration for controlled substances used in SUD treatment, receipt of any federal funding, or IRS authorization through tax deductions. That's a wider net than most founders expect. A telemedicine platform with a DEA-registered prescriber treating opioid use disorder may fall inside Part 2 without realizing it.

The most consequential distinction is the proceedings restriction. Under 42 CFR § 2.13, SUD patient records cannot be used or disclosed in any civil, criminal, administrative, or legislative proceeding without patient written consent or a court order. HIPAA's law enforcement provisions under 45 CFR § 164.512(e) permit disclosures once procedural safeguards are satisfied — Part 2 does not. Substance use records also cannot be used to investigate or prosecute a patient without meeting that same consent-or-court-order threshold.

The consent structure also differs. HIPAA permits providers to share protected health information for treatment, payment, and healthcare operations (TPO) without patient authorization. Historically, Part 2 required written consent for most disclosures. The 2024 final rule — effective April 16, 2024, with a compliance deadline that passed February 16, 2026 — modernized this by allowing a single, durable patient consent covering all future TPO uses and disclosures. Apps subject to Part 2 should already be operating under these updated consent requirements. But the rule did not eliminate the proceedings restriction or allow bundling consent for legal proceedings with other disclosure categories. The regime remains meaningfully stricter than HIPAA's baseline.

De-identification has also been updated. The 2024 amendments replaced Part 2's prior de-identification standards with HIPAA's framework, requiring that no reasonable basis exist to believe information could be used to re-identify a patient. Information that would identify someone as having or having had a substance use disorder — even without a name attached — remains protected until that standard is met.

⚠️
Part 2 applies if your program is: (1) operated by a federal agency, (2) licensed or registered by a federal agency — including Medicare or DEA — (3) funded by federal dollars, or (4) supported by a federal tax authorization. If any one criterion applies and your product handles SUD records, Part 2's separate consent requirements and proceedings restrictions govern independently of your HIPAA obligations.

State Mental Health Confidentiality Laws: The Layer HIPAA Doesn't Preempt

Federal law sets a floor, not a ceiling. Under 45 CFR § 160.202, a state law is considered "more stringent" than HIPAA when it prohibits disclosures HIPAA would permit, provides greater patient access rights, requires narrower consent, or otherwise affords greater privacy protection. More-stringent state laws are not preempted — they become the operative standard. For mental health apps operating in Texas, California, or Washington, that distinction carries real compliance weight.

Texas Health & Safety Code Chapter 611 covers any mental health professional's communications with a patient and any records of identity, diagnosis, evaluation, or treatment. Under Chapter 611, those records are confidential and may not be disclosed except in the narrow circumstances enumerated in § 611.004 and § 611.0045. If your product creates or maintains records for licensed Texas therapists or counselors, Chapter 611 is part of your compliance surface whether or not HIPAA applies.

California reached further and faster. AB 2089, effective January 1, 2023, amended the Confidentiality of Medical Information Act (CMIA) to define a "mental health digital service" as any mobile app or website that collects mental health information from a consumer, markets itself as facilitating mental health services, and uses that information to actually provide those services. All three prongs must be present — but that description fits most therapy apps, mood trackers with clinical framing, and digital CBT platforms. Once a product qualifies, it carries the full CMIA confidentiality obligations.

CMIA penalties are structured to create plaintiff incentives without requiring proof of harm. California Civil Code § 56.36 authorizes up to $2,500 per negligent disclosure, up to $25,000 per knowing or willful violation, and up to $250,000 plus disgorgement of profits where the violator used the information for financial gain. Section 56.36(b) adds a private right of action carrying $1,000 in nominal damages per violation — no proof of actual harm required. A single data-sharing event that reaches thousands of California users can generate seven-figure aggregate exposure before any plaintiff establishes concrete injury.

Washington's My Health My Data Act, effective March 31, 2024, is the most explicit federal gap-filler to date. The legislature described the Act in those terms: it exists to protect consumer health data not otherwise covered by HIPAA or state healthcare regulations. It applies to any business that targets Washington consumers and collects "consumer health data," expressly including mental health status — and it applies regardless of whether the business is a HIPAA covered entity. Washington MHMD requires independently obtained opt-in consent before collecting or sharing consumer health data, and a signed authorization before any sale of that data. Violations constitute unfair or deceptive practices under Washington's Consumer Protection Act (RCW 19.86), which provides a private right of action including class actions, treble damages on actual harm (capped at $25,000), and attorney fee shifting.

📋
Multi-state checklist minimum: (1) Texas Ch. 611 — applies if you maintain records for licensed Texas mental health professionals; (2) California CMIA/AB 2089 — applies if your app collects mental health information, markets mental health services, and delivers them; (3) Washington MHMD — applies if you collect any consumer health data (including mental health status) from Washington residents, regardless of HIPAA status. Each layer may require different consent forms, data handling procedures, and breach notification timelines.

FTC Enforcement: What Happened to BetterHelp and What It Means for Your App

In March 2023, the FTC took action against BetterHelp — banning the company from sharing mental health data for advertising and requiring it to pay $7.8 million in consumer refunds, the first FTC action to return money to consumers whose health data was misused for advertising. The conduct at issue was tracking pixel deployment: BetterHelp shared users' email addresses, IP addresses, and answers to intake health questionnaires with Facebook and Snapchat to power targeted advertising campaigns. The legal theory was Section 5 of the FTC Act — unfair or deceptive practices — because BetterHelp had told users their health data would only be used for limited purposes and then used it for advertising.

The GoodRx settlement, finalized the same month, added a second theory. GoodRx engaged in nearly identical pixel-tracking conduct — sharing sensitive health information with ad platforms without proper notification — but the FTC charged it under the Health Breach Notification Rule rather than Section 5 alone, resulting in a $1.5 million fine. Together, BetterHelp and GoodRx demonstrated the FTC's willingness to use both unfair practices doctrine and HBNR against non-HIPAA health apps that route health data through advertising pixels. Neither company was a HIPAA covered entity.

The HBNR's reach extends further than most founders realize. The rule expressly covers health apps, fitness trackers, symptom trackers, and any online service that provides mechanisms to track diseases, diagnoses, medications, mental health conditions, or similar data — regardless of whether the app is subject to HIPAA. If your teletherapy waitlist form, mood journal, or symptom check-in page sits behind a Meta pixel or Google Analytics tag, you are squarely within HBNR's scope.

The 2024 HBNR amendments tightened that framework further. Under the updated rule, a "breach" is no longer limited to cyberattacks or unauthorized access — it now includes any unauthorized disclosure of protected health information. Under the FTC's enforcement interpretation, voluntarily routing mental health data to an ad platform without explicit consumer consent may qualify as a reportable breach under the amended rule, triggering notification obligations even if your servers were never compromised. The FTC has also indicated that authorization obtained through dark patterns — pre-checked consent boxes, buried disclosures — does not constitute valid consumer approval under the Rule.

🚨
In July 2023, the FTC and HHS jointly warned approximately 130 hospital systems and telehealth providers that embedding the Meta pixel or Google Analytics on health-related pages may constitute an illegal disclosure of health information. The warning applies whether or not the platform is HIPAA-covered — and the same logic extends to mental health apps operating outside the covered entity framework.

The practical implication: any mental health or wellness app must treat third-party pixels as potential unauthorized disclosures, not routine analytics infrastructure. Audit every tag on every page that collects health information. If a pixel transmits data about a user's mental health status, treatment seeking, or symptom history to an ad network — even passively, without a deliberate API call — you have a disclosure problem the FTC has shown it will act on.

What Your App Needs to Do: A Practical Compliance Framework

The prior four sections mapped the regulatory terrain. This section converts that map into executable steps — a sequence that works whether your app is a HIPAA covered entity, a Part 2 SUD program, or a non-HIPAA wellness product subject only to the FTC.

Step 1: Determine Your Regulatory Layer

FTC guidance draws a hard distinction between HIPAA covered entities and business associates, non-HIPAA apps subject to the FTC Act and the Health Breach Notification Rule, and 42 CFR Part 2 programs. Each category produces a different consent standard, a different vendor agreement structure, and a different breach notification obligation. Getting this wrong at the start means every downstream decision is built on the wrong foundation.

Step 2: Audit Every Data Flow Destination

Map every system that touches mental health data — analytics platforms, customer support tools, advertising SDKs, session-recording software, and A/B testing libraries. Under the 2024 amendments to the Health Breach Notification Rule, embedding a tracking pixel on a page that reveals a user's mental health status can itself constitute an unauthorized disclosure, even if no external actor exploited it. Build a documented data flow inventory and review it on every material product change.

Step 3: Obtain Affirmative Express Consent Before Any Health Data Sharing

FTC enforcement orders consistently require affirmative express consent — a clear and conspicuous disclosure of all material facts before health data is shared with any third party. A clause in your privacy policy stating that continued use of the app constitutes consent to future changes is not a lawful mechanism for obtaining consent to material retroactive changes in health data practices. Affirmative express consent means the user takes a deliberate action — a checkbox, a signed acknowledgment, an in-app prompt — specifically accepting the disclosed practice before the data sharing begins.

Step 4: Execute the Right Vendor Agreements

HIPAA-regulated apps need Business Associate Agreements with any vendor that handles protected health information. Non-HIPAA apps face a different but equally firm requirement: data processing agreements that explicitly prohibit vendors from using mental health data for advertising, resale, or any purpose beyond the contracted service. FTC enforcement orders in health privacy cases have included permanent bans on third-party sharing for marketing purposes — meaning the agency treats unauthorized vendor use of health data as a sanctionable violation, not a technical footnote.

Step 5: Remove or Ring-Fence Ad Pixels on Sensitive Pages

Any page that collects, displays, or logically reveals a user's mental health status — intake questionnaires, condition-selection screens, therapy scheduling flows, mood trackers — should have no advertising or behavioral tracking pixels. The 2024 HBNR amendments treat voluntary data sharing with advertisers without consumer consent as a breach. If a pixel fires on a page where a user selects "depression" or "anxiety" as a concern, and that signal reaches an ad network, the app has disclosed mental health information without authorization. The only safe approach is removal.

Step 6: Build an Incident Response Protocol That Matches the HBNR Timeline

Under 16 CFR Part 318, non-HIPAA health apps must notify affected individuals and the FTC within 60 calendar days of discovering a breach. The 2024 amendments expanded the definition of "breach" to include voluntary unauthorized disclosures — including sharing with advertisers — not just external intrusions. For incidents affecting 500 or more people, notifications must identify the unauthorized recipients, describe the categories of health information disclosed, explain the potential harm, and provide at least two contact methods for affected users.
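One way to mechanise the tag audit called for in Steps 2 and 5, as an added example that is not from the original article or from Promise Legal: a stdlib-only Python check that parses the HTML of a sensitive page, lists every third-party script, image beacon or iframe it loads, and flags inline bootstraps of the Meta Pixel and Google gtag.js. The tracker host list, the inline markers and the sample intake page are constructed assumptions, and the first-party host `app.example` is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed starting list of ad/analytics hosts (assumption: extend it for your own stack).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (noscript beacon)",
    "www.googletagmanager.com": "Google Analytics (gtag.js)",
}
# Bootstrap calls these tags commonly make from inline scripts (assumption).
INLINE_MARKERS = (("fbq(", "Meta Pixel"), ("gtag(", "Google Analytics"))

class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.refs.append((tag, src))       # external load: script, image beacon, frame
        elif tag == "script":
            self._in_script = True             # inline script: capture its body below

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_page(html, first_party_host):
    """Return one (tag, host, vendor) finding per third-party load or tracker bootstrap."""
    parser = TagCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.refs:
        # Protocol-relative URLs (//host/...) are common for pixels; relative paths have no host.
        host = urlparse("https:" + src if src.startswith("//") else src).hostname or ""
        if host and host != first_party_host:
            findings.append((tag, host, TRACKER_HOSTS.get(host, "unknown third party")))
    body = "".join(parser.inline)
    for marker, vendor in INLINE_MARKERS:      # pixels injected by script rather than a static tag
        if marker in body:
            findings.append(("inline-script", "-", vendor))
    return findings

# Constructed sample: an intake page that records a concern and carries two pixels.
INTAKE_PAGE = """<html><head><script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>function gtag(){dataLayer.push(arguments)}gtag('config','G-EXAMPLE');fbq('init','0000');</script>
</head><body><select name="concern"><option>depression</option></select>
<noscript><img src="//www.facebook.com/tr?id=0000&ev=PageView"/></noscript></body></html>"""
```

Run `audit_page(INTAKE_PAGE, "app.example")` against each page in the data flow inventory; any finding on a page that reveals mental health status is a disclosure to reconcile with the consent record or remove.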

✔️
Framework summary: (1) Identify your regulatory category. (2) Map every data destination. (3) Obtain affirmative express consent before any health data sharing. (4) Execute BAAs or data processing agreements with every vendor. (5) Strip ad pixels from all sensitive pages. (6) Build a 60-day incident response protocol. Each step is independently enforceable — regulators do not wait for the full compliance picture before acting on the part they can prove.

Understanding Where You Stand Before the FTC Does

Mental health data is the most sensitive category of health information federal regulators and plaintiffs' attorneys have consistently singled out for enforcement. The BetterHelp action returned money to consumers. The California CMIA's private right of action requires no proof of harm. Washington's My Health My Data Act invites class litigation. The 2024 HBNR amendments turned routine ad tracking into a defined breach. None of those developments required the involved companies to be HIPAA covered entities — they applied precisely because HIPAA didn't.

Promise Legal works with digital health founders on the full legal architecture of building in this space: regulatory classification, privacy policy and consent structure, vendor agreement terms, and incident response frameworks. If you are building a product that collects mental health data and want to understand where your legal exposure actually sits — before your first enforcement inquiry — get in touch.
