Senators Question Talkspace, BetterHelp On Patient Data Privacy Practices

June 30, 2022 - In letters to Talkspace and BetterHelp, Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) urged the leading mental health apps to provide clarification on their patient data privacy practices following reports of improper data collection, mining, and dissemination.

“As telehealth services, especially online mental health platforms, grow in popularity, it is increasingly important for consumers to understand whether their personal health data is being shared with third-parties, and if so, how and why this is done,” the letter stated.

“We are particularly concerned about your company’s data privacy and security policies and whether they are leaving the patients you serve vulnerable to exploitation from large technology platforms and other online actors.”

Third-party health apps often fall outside HIPAA’s purview, despite the fact that they hold similarly sensitive health data. Without HIPAA, these apps tend to fall into a regulatory gray area where security and privacy obligations are left up to individual companies as regulators race to solidify data privacy standards.

The Federal Trade Commission (FTC) has taken steps to address this glaring gap in health data security. In September 2021, the FTC issued a policy statement emphasizing that health apps and connected device companies must comply with the Health Breach Notification Rule, which requires vendors that collect sensitive health data to notify consumers of a breach.

READ MORE: Senators Call on FTC to Investigate Apple, Google’s “Deceptive” Data Privacy Practices

Even as regulators increasingly turn their attention toward health apps to quell concerns, privacy fears are growing.

In their letter to BetterHelp and Talkspace executives, the group of Senators pointed to multiple studies and reports that provided evidence of data sharing between mental health apps and tech giants like Google and Facebook. The Senators noted that these studies “reveal that patients and regulators alike may not understand the full extent of your company’s relationship with these businesses.”

In an effort to gain clarity, the Senators pressed BetterHelp and Talkspace to provide information on the type and breadth of data that they share with third parties, the methods that they use to protect user data, and the processes that they have developed to inform clients of data security and privacy risks.

“BetterHelp advertises that your services are ‘100% private’ and operate in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but several facets of your services are not covered by HIPAA, and your company appears to be taking advantage of the ‘regulatory gray area’ in which mental health applications operate to juice your profits,” the letter continued.

“A February 2020 investigation found that BetterHelp was sharing analytics with Facebook about how often users opened the app and metadata from every message shared on the platform – giving the company a sense of when, for how long, and where users were using mental health services.”

READ MORE: Meta Sued For Violating Patient Privacy, Scraping Health Data From Hospitals

The Senators provided a list of questions for Talkspace and BetterHelp to respond to by July 6. Among them were a request to provide a list of third parties that they share data with and clarification on the steps that the mental health apps take to anonymize data.

The Senators also questioned whether users had the ability to access or delete their medical records from the apps’ databases and whether users could opt out of having their data collected using tracking pixels and cookies.

“We have long been concerned about the misuse of personal data by Big Tech companies and unscrupulous data brokers, especially for the purpose of microtargeting vulnerable populations,” the letter stressed.

“Unfortunately, it appears possible that the policies used by your company and similar mental health platforms allow third-party Big Tech firms and data brokers, who have shown remarkably little interest in protecting vulnerable consumers and users, to access and use highly confidential personal and medical information.”

This letter is not the first action that Senators have taken this month to call out big tech companies and demand clarification on data privacy practices, especially in light of the recent Roe v. Wade ruling.

READ MORE: Senators Aim to Ban Data Brokers From Selling Health Data With New Bill

In early June, a group of 40 Congressional Democrats wrote a letter to Google asking them to stop collecting and retaining location information in anticipation of the repeal of Roe v. Wade. Lawmakers urged Google to stop collecting location data for fear prosecutors could use it to identify people obtaining abortions.

The Senators also sent a letter to the FTC asking it to investigate Apple and Google’s “unfair and deceptive” privacy practices, alleging that they were “enabling the collection and sale of hundreds of millions of mobile phone users’ personal data.”

“These companies have failed to inform consumers of the privacy and security dangers involved in using those products,” the letter to the FTC concluded.

“It is beyond time to bring an end to the privacy harms forced on consumers by these companies.”