How Private Are Mental-Health Apps, Really? The Research and the Record
You answer a questionnaire about depression, medications, suicidal thoughts. You assume it stays between you and a counselor.
The research and the enforcement record say otherwise.
Most mental-health apps are not as private as they appear. Independent studies have found routine data sharing with advertisers and trackers, and federal regulators have penalized BetterHelp, Cerebral, and GoodRx for handing sensitive health data to companies like Facebook and Google. The core gap: a wellness app usually isn’t a “covered entity” under HIPAA, so HIPAA’s protections often don’t apply at all.
What the research found about data sharing
The pattern is not anecdotal. It shows up when researchers actually instrument the apps.
A 2023 peer-reviewed study (Iwaya et al., published in Empirical Software Engineering) ran a deep privacy analysis on 27 top-ranked mental-health apps from the Google Play Store — static and dynamic testing, network traffic, server checks, and privacy-policy review. The findings were blunt: 20 of the 27 apps were at “critical” security risk, sensitive data was transmitted and logged in plain text in some cases, and data flowed to third-party advertisers and analytics providers in ways that make user profiling easy. Only 3 of 27 companies (11%) had carried out a formal privacy impact assessment.
The privacy policies that supposedly protect you are part of the problem. The same study found 24 of 27 privacy policies required at least a college-level education to read. Consent you can’t understand isn’t meaningful consent.
Mozilla’s *Privacy Not Included reviewers reached the same place from a different angle. In their 2023 review of 32 mental-health apps, 19 — about 59% — earned a “Privacy Not Included” warning label, and 40% had gotten worse on privacy and security since the prior year. One app, Cerebral, set a record the reviewers had never seen: 799 trackers fired within the first minute after download.
This is the backdrop to the broader regulatory mess covered in the AI therapy gold rush and its regulatory problem — the tools moved faster than the rules.
The enforcement record: what regulators actually proved
You don’t have to take researchers’ word for it. The Federal Trade Commission has brought and settled cases against three of the largest names in the space.
BetterHelp — $7.8 million (2023). The FTC charged that the online-counseling service revealed consumers’ email addresses, IP addresses, and health-questionnaire answers to Facebook, Snapchat, Criteo, and Pinterest for advertising — after promising to keep that data private. BetterHelp used the fact that people had “previously been in therapy” to help target lookalike audiences on Facebook. The settlement required it to pay $7.8 million in partial refunds and banned it from disclosing health data for advertising.
GoodRx — $1.5 million (2023). This was the FTC’s first-ever enforcement action under its Health Breach Notification Rule. The agency said GoodRx shared users’ prescription medications and health conditions with Facebook, Google, and Criteo — and displayed a seal “falsely suggesting” it complied with HIPAA. GoodRx paid a $1.5 million civil penalty. More than 55 million consumers had used its site or apps since 2017.
Cerebral — about $7 million (2024). The FTC alleged the telehealth firm disclosed the sensitive data of nearly 3.2 million consumers to third parties including LinkedIn, Snapchat, and TikTok via tracking tools. The order — which the FTC Chair called “a first-of-its-kind prohibition” banning the company from using health information for most advertising — required Cerebral to pay roughly $7 million total, including a civil penalty.
Three companies. Three settlements. One repeated fact pattern: a privacy promise on the page, sensitive data flowing to ad platforms behind it.
The HIPAA gap: why “it’s health data” doesn’t mean it’s protected
Here’s the part most people get wrong. They assume that because an app handles mental-health information, HIPAA must apply. Usually, it doesn’t.
HIPAA covers “covered entities” — essentially doctors, hospitals, and insurers — and their business associates. A wellness or self-help app you download yourself is typically none of those. As a 2020 analysis in the Journal of Healthcare Informatics Research (Theodos and Sittig) put it: “These digital health tools are not covered entities therefore they are not required to protect the data they collect under HIPAA.” The authors note that mHealth apps and wearables “seem to fall between FDA regulation and the HIPAA Privacy Rule.”
The FTC says the same thing plainly. In its April 2024 guidance on the updated Health Breach Notification Rule, the agency wrote that “with advances in monitoring and technology, a lot of health-related information doesn’t fall within HIPAA.” That’s precisely why the FTC had to step in with a different rule — and why GoodRx could be penalized for displaying a HIPAA seal it wasn’t actually bound by.
The 2024 rule does extend breach-notification duties to many health apps not covered by HIPAA, which is real progress. But notification after a breach is not the same as a ban on collecting and selling your data in the first place. The default, for most consumer mental-health apps, is still: HIPAA’s wall isn’t there.
This regulatory grey zone is the same one explored in the honest research breakdown of AI therapy versus human therapists — where accountability, not capability, is the weak point.
How to vet a mental-health app before you trust it
You can’t audit network traffic yourself. But you can apply the same questions the researchers and regulators used. Before you hand over anything sensitive:
- Check the data-sharing language, not the marketing. Search the privacy policy for “third parties,” “advertising,” “partners,” and “sell.” Vague phrasing like “we may share with service providers” is where the data goes.
- Look for trackers and SDKs. If the policy lists Facebook, Google Analytics, TikTok, or “advertising partners,” your in-app behavior is likely leaving the app. The Cerebral and BetterHelp cases were exactly this.
- Don’t trust a HIPAA badge by itself. A seal or the word “HIPAA” doesn’t mean the app is a covered entity. GoodRx was penalized partly for implying compliance it didn’t have.
- Find the delete path. Can you actually delete your data and account? Researchers found many apps make this opaque or impossible.
- Be wary of free apps that gate a questionnaire up front. Several apps pushed users into answering sensitive questions before showing a privacy policy or asking for consent.
- Prefer apps that minimize collection. The strongest privacy posture is data that’s never collected. Look for plain statements that the company doesn’t sell or share personal information for advertising.
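One way to automate the policy checks in this list, as an added Python example that is not part of the article: it scans a constructed policy excerpt for the sharing terms and tracker names above, records a HIPAA claim as something to verify rather than trust, notes any explicit "do not sell" statement, and estimates the reading grade with the Flesch-Kincaid formula. The term lists and the sample policy text are assumptions for the demo.

```python
import re

# Constructed sample policy excerpt (not taken from any real app's policy).
SAMPLE_POLICY = (
    "We may share information, including health questionnaire responses and "
    "device identifiers, with our service providers, advertising partners, and "
    "other third parties to personalize content. Our analytics vendors include "
    "Google Analytics and the Facebook pixel. We do not sell personal "
    "information. This application is HIPAA compliant."
)

# Hypothetical term lists drawn from the checklist; extend them as needed.
SHARING_TERMS = ["third parties", "advertising", "partners", "sell"]
TRACKER_NAMES = ["Facebook", "Google Analytics", "TikTok", "advertising partners"]
NO_SALE_RE = re.compile(r"\b(?:do not|don't|never|will not) (?:sell|share)\b", re.I)


def count_syllables(word: str) -> int:
    """Rough English syllable count: vowel groups, minus one trailing silent e."""
    groups = len(re.findall(r"[aeiouy]+", word.lower()))
    if word.lower().endswith("e") and groups > 1:
        groups -= 1
    return max(groups, 1)


def reading_grade(text: str) -> float:
    """Flesch-Kincaid grade level; roughly 13 and above means college-level reading."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        return 0.0
    syllables = sum(count_syllables(w) for w in words)
    return 0.39 * len(words) / len(sentences) + 11.8 * syllables / len(words) - 15.59


def vet_policy(text: str) -> dict:
    """Apply the checklist: sharing language, named trackers, HIPAA claim, readability."""
    low = text.lower()
    return {
        "sharing_terms": [t for t in SHARING_TERMS if t in low],
        "trackers": [t for t in TRACKER_NAMES if t.lower() in low],
        "no_sale_statement": bool(NO_SALE_RE.search(text)),
        "hipaa_mentioned": "hipaa" in low,  # a claim to verify, not a guarantee
        "reading_grade": round(reading_grade(text), 1),
    }


if __name__ == "__main__":
    for key, value in vet_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

A hit on "sell" next to a "do not sell" statement is the kind of nuance the raw keyword search misses, which is why the two are reported separately.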
The bottom line
Mental-health apps are not uniformly unsafe — Mozilla flagged a handful that handle data responsibly, and the 2024 breach rule tightened the floor. But the burden is on you, not the app, to verify it. The honest answer to “are mental-health apps private?” is: assume not, until the policy and the company’s record prove otherwise.
For what it’s worth, that’s the standard we hold ourselves to at Oriamind — privacy by design, not privacy by promise.
This article is part of our AI hypnotherapy & behavioral change series.