On this page
Why Legal Belongs in the Room
The decision to add an AI mental-health tool usually starts as an HR or benefits conversation — utilization, cost, EAP overlap, employee experience. Our HR buyer’s guide covers that ground. But the legal exposure of the same decision sits somewhere else entirely: whether the tool is tied to your group health plan or offered as a standalone perk changes which federal statute governs it; the ADA constrains what HR is even allowed to see; ERISA can attach fiduciary duties you didn’t know you had; and as of 2025, at least two states have passed laws that directly regulate what an AI tool is permitted to do in a mental-health context. None of this is optional reading for the person signing the contract — it is the reason Legal needs a seat at the table before the vendor call, not after the invoice.
The stakes are not abstract. HR that skips the legal review typically discovers the gap in one of two ways: a state regulator or plaintiff’s attorney flags a requirement the vendor never mentioned, or an internal audit finds that individual-level clinical data has been flowing to people inside the company who were never supposed to see it. Both are expensive to unwind after launch and cheap to prevent before it. Because this area is moving fast — two state laws took effect in a single year, 2025, and more states are expected to follow — a legal review done at procurement time can be stale within months if nobody owns re-checking it.
Everything below is written to brief that conversation. It is not a substitute for it. Confirm every point against your specific plan design, employee population, and jurisdiction with your own counsel before you sign anything.
HIPAA and the BAA Question
The single most consequential fork in the road is whether the tool touches your group health plan. Per HHS guidance on workplace wellness programs:
- If the tool is tied to the group health plan — it affects premiums, cost-sharing, HSA/HRA contributions, or plan eligibility — HIPAA applies. In that case, the plan, not the employer, is the HIPAA-covered entity, and the vendor handling that data is a business associate that must sign a Business Associate Agreement (BAA). No BAA means no identifiable data can lawfully flow to the vendor, regardless of how the product is marketed.
- If the tool is offered as a standalone perk outside the health plan, HIPAA generally does not apply. That is not the same as unregulated: the FTC, the ADA, and state privacy law still govern the same data.
Employer-side legal analysis reaches the same conclusion — see Ogletree Deakins’ 2025 compliance guidance — and it’s the first question your counsel should answer in writing before you evaluate anything else on this page: is this tool inside the plan, or outside it? Every other HIPAA question is downstream of that answer.
Two follow-on points belong in the same conversation. First, the absence of a signed BAA on a plan-tied tool is not a paperwork gap to fix later — if the vendor won’t sign one, that is a reason to walk away, not a reason to proceed carefully. Second, “standalone perk” is a legal characterization, not a marketing choice; how the benefit is actually funded and administered decides the answer, so have counsel confirm the classification rather than accepting the vendor’s own description of its product.
The ADA and the Confidentiality Line
Separately from HIPAA, the ADA draws a hard line around who inside your own organization is allowed to see what. Under longstanding EEOC enforcement guidance, medical information collected through a voluntary wellness program must be kept confidential and maintained in files separate from ordinary personnel records, and disclosed internally only on a strict need-to-know basis. In practice, this means HR should never receive individual-level usage or clinical data from an AI mental-health vendor — aggregate, de-identified reporting only. That expectation belongs in the contract as a defined term, not as a verbal assurance from a sales rep.
This is worth stress-testing against the actual product, not just the vendor’s privacy policy. Ask what an admin dashboard shows by default, whether any report can be filtered down to a small enough cohort to re-identify an individual, and who inside your organization — not just the vendor — has access credentials. A tool can be contractually compliant on paper and still leak individual-level information through a dashboard nobody thought to lock down.
ERISA and Fiduciary Considerations
When an AI mental-health tool is wired into the group health plan rather than offered as a standalone perk, it can also raise ERISA fiduciary questions — how the tool was selected, how its outputs are used, and how the plan monitors it over time are all areas ERISA fiduciary principles can touch. Law-firm analysis, including McDermott Will & Emery’s review of AI in employer-sponsored group health plans, treats this as an emerging and unsettled area rather than a fixed checklist. We are not going to summarize a specific rule here, because the honest answer is that the fiduciary analysis is fact-specific to your plan design and vendor structure. If the tool you’re evaluating is plan-tied, put ERISA fiduciary review on your counsel’s agenda explicitly — don’t assume it’s covered by the HIPAA/BAA conversation, because it isn’t the same analysis.
The New State AI-Therapy Laws
Two state laws took effect in 2025 and directly regulate what an AI tool is legally permitted to do in a mental-health context — independent of HIPAA, independent of whether the tool touches your health plan:
- Illinois — the Wellness and Oversight for Psychological Resources Act (the WOPR Act, Public Act 104-0054), effective August 2025. Per the Illinois Department of Financial and Professional Regulation, the law bars AI from delivering therapy or making independent therapeutic decisions unless a licensed professional is responsible for those decisions. AI is limited to administrative support — scheduling, transcription, and similar tasks — with consent. Violations can carry fines up to $10,000 per violation. See also Holland & Knight’s analysis of the law’s scope.
- Utah — HB 452, effective May 2025. Per Davis Wright Tremaine’s coverage, the law requires AI mental-health chatbots to disclose clearly that they are not human, and restricts selling or sharing individually identifiable health data. Violations can carry fines up to $2,500 per violation.
Neither law is limited to consumer apps — both apply to AI tools operating in a mental-health capacity within their state, which reaches employer-sponsored benefits if the employee population includes Illinois or Utah residents. If your workforce is distributed across states, ask every vendor directly how they handle state-by-state variation, and treat “a licensed professional remains responsible for the output” as the emerging legal floor rather than a nice-to-have feature. Expect more states to pass similar laws; build a process for tracking this rather than treating Illinois and Utah as a closed list.
The FTC and Data-Sharing Risk
Even when HIPAA doesn’t apply, the FTC does — and it has shown it will enforce. Two facts belong in front of Legal:
The FTC’s amended Health Breach Notification Rule now explicitly covers mental-health apps. Per Davis Wright Tremaine’s summary, the amended rule took effect July 29, 2024, and was expanded to reach apps that track mental health. That means a non-HIPAA mental-health app your company offers as a standalone perk still carries federal breach-notification obligations if it’s compromised.
The risk isn’t hypothetical. In 2023 the FTC finalized a $7.8 million order against BetterHelp for sharing users’ mental-health intake data with advertisers — a vendor operating in the same product category HR is evaluating. Ask every vendor, in writing, exactly what third parties their data touches (analytics, advertising, model training) and whether that answer would survive an FTC inquiry.
GINA — A Brief Note
The Genetic Information Nondiscrimination Act (GINA) governs genetic information, including family medical history, collected through wellness programs. Per the EEOC’s final rule on wellness programs and genetic information, GINA becomes relevant to an AI mental-health tool only if its intake process happens to ask about family medical history — something some mental-health screening questionnaires do. For most tools this is a minor “also check” item rather than a central risk, but it’s an easy one to miss: have counsel confirm the vendor’s intake form doesn’t ask a GINA-covered question without the required authorization.
A Pre-Signature Legal Checklist
A starting list to hand to counsel before any AI mental-health benefit is signed. This is a starting point, not a substitute for a jurisdiction-specific review:
- Is this tool tied to our group health plan, or offered as a standalone perk outside it? Get this determination in writing — it decides whether HIPAA applies.
- If HIPAA applies, has the vendor signed a Business Associate Agreement? Ask to see it, not a description of it.
- If the tool is plan-tied, has ERISA fiduciary exposure been reviewed — selection process, ongoing monitoring, and documentation?
- What data does HR actually receive, and is it contractually guaranteed to be aggregate and de-identified only, consistent with ADA confidentiality requirements?
- Does the vendor comply with the Illinois WOPR Act, Utah HB 452, and any other state AI-therapy law applicable to where our employees live? Is a licensed professional responsible for the AI’s clinical output, or is it AI-only?
- What is the vendor’s process under the FTC’s Health Breach Notification Rule, and exactly which third parties (analytics, advertising, model training) touch user data?
- Does the intake flow ask about family medical history in a way that triggers GINA authorization requirements?
- Are all of the above documented in the contract itself, not represented verbally in the sales process?
Bottom Line
An AI mental-health benefit touches more law than almost any other line item HR buys: HIPAA only if it’s plan-tied, the ADA’s confidentiality wall regardless of plan status, potential ERISA fiduciary exposure if it’s plan-tied, two (and counting) state AI-therapy laws with real fines attached, and FTC data-sharing rules that apply whether or not HIPAA does. None of those obligations are mutually exclusive, and none of them are waived because a vendor’s marketing page says “HIPAA compliant.” The right process is not to resolve these questions yourself from a vendor deck — it’s to bring this map into the room with Legal before the contract is signed, and let your own counsel confirm how each piece applies to your specific plan design, vendor, and employee population. This page is general information, not legal advice.
Related Reading
- AI Mental Health Tools for Employee Benefits: An HR Buyer’s Guide — the full evaluation framework this legal guide sits alongside
- The EU AI Act and AI Mental-Health Tools — the EU counterpart to this US-focused guide, for staff in the EU/EEA
- HIPAA and AI Mental-Health Tools for Employers — a deeper walkthrough of the BAA process
- The AI Mental-Health Vendor RFP Checklist — procurement-ready questions for every vendor call
- HIPAA-Compliant AI Tools: What “Compliant” Actually Means