Best AI Therapy

Mental Health Information

This content is for informational purposes only. AI therapy tools are not substitutes for professional mental health treatment. Always consult a licensed mental health professional.

In crisis?

  • Call 988 (Suicide & Crisis Lifeline)
  • Text HOME to 741741 — free, confidential, 24/7.

The AI Mental-Health Vendor RFP Checklist for HR

Every AI mental-health vendor pitch sounds the same — “clinically validated,” “HIPAA compliant,” “crisis-safe.” This is the checklist that turns those three phrases into answerable questions, so you can tell which vendors can back their claims and which are marketing over a chatbot. Print it, forward it, or paste it straight into your RFP — it’s built to be used, not just read.

On this page
  1. How to Use This Checklist
  2. Clinical Quality & Evidence
  3. Data Privacy & Compliance
  4. Crisis & Safety
  5. Integration & Implementation
  6. Pricing & ROI Measurement
  7. Vendor Maturity & References
  8. Red Flags to Watch For
  9. Bottom Line
  10. Related Reading

How to Use This Checklist

This is the deeper, RFP-ready version of the scoring criteria in our AI mental-health employee-benefits guide. That guide explains why each criterion matters; this page gives you the actual questions — grouped so you can drop them straight into a vendor RFP or a live demo script.

  • Send it in writing. A vendor that answers well verbally but stalls on a written RFP response is telling you something. Ask for written answers you can keep on file for Legal and Finance.
  • Score, don’t vibe-check. Use a simple 0–2 scale per question (0 = no/refused, 1 = partial/vague, 2 = clear and documented) and total by section. A vendor scoring low on Clinical Quality or Crisis & Safety should not advance regardless of how strong the rest of the pitch is — those two sections are gating, not just weighted.
  • Ask for evidence, not assurances. “Yes, we’re HIPAA compliant” is not evidence. A signed Business Associate Agreement is. Every question below is written so the honest answer is a document, a name, or a number — not a adjective.
  • Loop in Legal and IT/Security early. The Data Privacy & Compliance and Crisis & Safety sections both surface questions that Legal and Security should own or co-sign — don’t let HR carry every answer alone.

Clinical Quality & Evidence

This is where marketing claims and clinical reality diverge most. A 2019 analysis published in npj Digital Medicine found that 64% of top-ranked mental-health apps claimed clinical effectiveness, but only 3.4% cited supporting research — and much of that research involved people who helped build the app. Treat every clinical claim as unverified until the vendor produces the citation.

  • Can you name the specific clinical framework or model your tool is built on (e.g., CBT-based, a named published protocol), not just “evidence-based AI”? Score 2 if they name a specific framework and can describe how the product implements it; 0 if the answer stays at the marketing-copy level.
  • Send us the independent, peer-reviewed study of your specific product — not a category-level review, not a vendor-funded study. Score 2 only if at least one cited study has no vendor employee, founder, or advisor among the authors. This is the single highest-value question on the whole checklist: it is the exact gap the 2019 analysis above documented, and it still holds.
  • Is a licensed clinician responsible for the AI’s outputs, or is this AI-only with no human oversight? Score 2 if a named, licensed role reviews or supervises AI outputs; 0 if the tool operates fully autonomously with no clinical accountability chain.
  • If your product uses a generative/LLM-based chatbot rather than a scripted flow, what independent evidence do you have for that specific architecture? Independent 2025 systematic reviews found AI chatbots have only modest overall effects, and specifically flagged generative/LLM-based tools as “inconclusive” on effectiveness compared with scripted chatbots. A vendor that can’t answer this for their own architecture hasn’t done the homework.
  • Does your tool diagnose or claim to treat any mental-health condition? In a November 2025 advisory, the American Psychological Association stated that no AI chatbot has FDA approval to diagnose or treat any mental-health condition. Score 0 immediately if a vendor claims otherwise — that is a compliance and liability flag, not a feature.

Data Privacy & Compliance

Get a definitive answer on which regulatory regime applies before you evaluate anything else — it changes what “compliant” even means for this vendor.

  • Is this tool tied to our group health plan (affecting premiums, cost-sharing, or HSA/HRA eligibility), or is it a standalone perk outside the plan? This determines whether HIPAA applies at all. If it’s plan-tied, HIPAA applies and you need the next question answered with a document, not a promise.
  • Will you sign a Business Associate Agreement (BAA)? If the tool is tied to the health plan, this is non-negotiable. “We’re HIPAA compliant” without a signed BAA is not an acceptable answer — HIPAA has no certification regime, so any vendor can say the phrase. Score 0 if they hedge on the BAA.
  • If this is a standalone perk outside the health plan, how do you comply with the FTC’s Health Breach Notification Rule? The rule, which took effect July 29, 2024, covers mental-health apps regardless of HIPAA status. A vendor unaware of this rule for a non-HIPAA product is a red flag on its own.
  • Exactly what data does HR receive, and can you show us a sample report? The correct answer is de-identified, aggregate data only. Ask them to show, not tell — a sample report with individual-level detail (even a small pilot group) is disqualifying.
  • Are you SOC 2 audited (Type I or II)? Can we see the report or a bridge letter? SOC 2 is not a HIPAA substitute, but its absence on a tool handling clinical or near-clinical data is a meaningful gap.
  • How do you comply with state AI-therapy laws such as Illinois’ WOPR Act and Utah’s HB 452? Both took effect in 2025 and specifically regulate AI in therapeutic and mental-health-chatbot contexts — Illinois via the WOPR Act and Utah via HB 452. If you have employees in either state, an evasive answer here is gating, not just a deduction.
  • What is your data retention and deletion policy, and can employees request deletion of their own data? Ask for the specific retention window and the mechanism (self-serve vs. request-based).

Crisis & Safety

This section is gating. A vendor that cannot walk you through their exact escalation pathway, in specifics, should not be purchased — regardless of price or polish.

  • Walk us through, step by step, what happens between the moment the AI detects crisis or self-harm language and the moment a human is involved. Score 2 only for a specific, named pathway (detection method, escalation trigger, who is contacted, and how). A generic “we route to crisis resources” answer scores 0.
  • What is your committed response time from crisis detection to human contact, and is it in the contract? If the vendor won’t commit a number in writing, treat the pathway as undocumented.
  • Has your crisis-detection or escalation logic ever failed in production, and what changed afterward? A vendor with no incident history either hasn’t had enough real usage to know, or isn’t disclosing. Either answer needs follow-up.
  • Is your crisis response the same 24/7/365, including holidays and overnight? Mental-health crises are not confined to business hours; confirm the pathway doesn’t degrade off-hours.
  • What does the tool explicitly tell a user about its own limitations before a crisis occurs — does it disclose it is not a human and not an emergency service? The APA’s November 2025 advisory specifically warned that AI tools’ ability to safely guide someone in crisis is “limited and unpredictable”. A tool that doesn’t disclose this to users upfront is a liability exposure for you as the purchaser.
  • How do you handle a user expressing risk to others, not just to themselves? Self-harm and harm-to-others protocols are not always the same pathway; confirm both are documented separately.

Integration & Implementation

  • Does this tool replace, complement, or duplicate our existing EAP or other wellness benefits? Get a direct answer, not a positioning statement. Ambiguity here predicts confused employees and wasted spend.
  • What SSO and HRIS integrations do you support out of the box, and what requires custom engineering? Ask for your specific HRIS/SSO stack by name, not a generic “we integrate with most systems.”
  • What does a typical implementation timeline look like from contract signature to employee access? Get a number in weeks, and ask what has caused past implementations to slip.
  • What launch communications, manager training, and change-management support do you provide, and what is included vs. billed separately? Adoption is a communications problem as much as a product one — a vendor with no launch playbook is asking you to build one from scratch.
  • What ongoing account management do we get after launch, and how often will we meet? Confirm this isn’t a sell-and-disappear relationship.

Pricing & ROI Measurement

  • Is pricing per-employee-per-month (flat, regardless of usage) or usage-based, and what is the total cost at our headcount? Ask for the all-in number, including implementation and any per-seat minimums.
  • What outcomes or utilization reporting do we receive, at what cadence, and in what format? Confirm the reporting is aggregate-only (see Data Privacy section) but still substantive enough to justify the spend to Finance.
  • What utilization rate have comparable employers seen with this tool, and can you share a reference for that figure? Traditional EAP utilization sits at a median of roughly 5.5% (2018 data); ask the vendor to substantiate any claim that their tool beats that baseline, and treat an unsupported number the same way you’d treat an unsupported clinical claim.
  • What specific, named ROI study supports your pricing — and is it an employer-program study or a category-level model? Be skeptical of any single headline multiplier presented without its source, currency, and study population. Ask which population and country the study covers, and whether it measured this vendor’s product or the broader category of workplace mental-health investment.
  • What is the contract length, and what are our exit and data-portability terms if it underperforms? Multi-year lock-in without a performance off-ramp increases your risk if utilization or outcomes don’t materialize.

Vendor Maturity & References

  • How long has this specific product been in market, and how many employees does it currently serve? Distinguish the company’s age from the product’s — a mature company can still be running an early-stage AI feature.
  • Can you provide two references at a similar headcount and industry to ours, and may we contact them directly? Insist on direct contact, not a vendor-curated quote or case study.
  • Have you had a data breach or security incident, and how was it disclosed and remediated? A “no” from a young vendor with limited scale means less than a documented, well-handled incident from a mature one. Ask how they know.
  • What is your funding status, and what happens to our data and our employees’ access if the company is acquired or shuts down? Get this in writing as a contract term, not a verbal assurance.
  • Who owns clinical oversight internally — is there a named clinical leader, and what are their credentials? A product handling mental-health content with no named clinical leadership is a structural gap, not a minor one.

Red Flags to Watch For

  • “Clinically validated” or “evidence-based” with no citation offered unprompted. If you have to ask twice for the study, that is itself the answer.
  • Every cited study has a vendor employee, founder, or advisor as an author. This is the exact pattern the 2019 npj Digital Medicine analysis flagged — it has not gone away.
  • Vague or evasive answers on crisis escalation, or an answer that stops at “we show crisis resources.” A real pathway names the trigger, the human, and a response-time commitment.
  • “HIPAA compliant” offered as a fact with no mention of a signed BAA. HIPAA has no certification regime; a signed BAA is the only thing that matters if the tool is tied to your health plan.
  • Refusal or reluctance to provide direct reference contacts. Curated quotes and logo walls are not references.
  • An ROI figure presented without its source study, currency, or population. Ask which study, which country, and whether it measured this product or the category.
  • No named clinical leadership, or clinical questions routed only to sales. If nobody with clinical credentials can answer clinical questions, that tells you how the product was actually built.

Bottom Line

Score every vendor against the same rubric, treat Clinical Quality and Crisis & Safety as gating rather than merely weighted, and insist on documents over adjectives at every step — a signed BAA, a named study, a specific escalation pathway, a reachable reference. Vendors that can answer all six sections in writing, without hedging, are rare; that scarcity is useful information in itself. A vendor unwilling to put its claims on paper has told you what you need to know before you’ve spent a dollar.

Best AI Therapy is an independent editorial resource. We are not a vendor, and we do not accept payment for placement or ranking. This page is general information for benefits decision-makers, not legal, clinical, or financial advice — confirm compliance specifics with your own counsel before you sign.

In crisis? Call 988 or text HOME to 741741 — free, confidential, 24/7