Best AI Therapy

Mental Health Information

This content is for informational purposes only. AI therapy tools are not substitutes for professional mental health treatment. Always consult a licensed mental health professional.

In crisis?

  • Call 988 (Suicide & Crisis Lifeline)
  • Text HOME to 741741 — free, confidential, 24/7.

Is AI Therapy HIPAA-Compliant? What HR Must Verify

The most misunderstood question in AI mental-health procurement isn’t “is this vendor secure?” — it’s whether HIPAA even applies to the tool you’re buying. The answer isn’t about the vendor at all. It turns on how you structure the benefit: tie it to your group health plan and you’re in HIPAA territory; offer it as a standalone perk and HIPAA generally steps back — though other rules step in. This guide is the employer-facing companion to our clinician-focused HIPAA guide, written for the HR and benefits teams who have to get this structural call right before Legal signs off.

On this page
  1. The Question HR Keeps Getting Wrong
  2. When HIPAA Applies — and When It Doesn’t
  3. The BAA: What It Is and When You Need One
  4. What HR Should (and Should Not) See
  5. The FTC Now Covers Mental-Health Apps
  6. A Due-Diligence Checklist
  7. Bottom Line
  8. Related Reading

The Question HR Keeps Getting Wrong

“Is this tool HIPAA-compliant?” is usually the first question a benefits team asks about a new AI mental-health app — and it’s also the fastest way to ask the wrong question. HIPAA compliance is not a property a vendor has or doesn’t have, like a security certification it can display on a trust page. It is a legal status that depends on how the employer structures the benefit, not on how the tool is built or marketed. Two employers can license the identical AI app and land on opposite answers: one where HIPAA governs every data flow into and out of the tool, and one where HIPAA never applies to it at all.

Before your team scores a vendor’s security page or asks for a Business Associate Agreement out of habit, settle the structural question first — it determines which rulebook you’re actually operating under, and asking a vendor for the wrong document wastes a procurement cycle.

The rest of this guide walks through that structural test, what a Business Associate Agreement actually is and when you need one, what HR should and should not be able to see about employee usage, why a “no-HIPAA” answer is not the same as “no compliance obligations,” and a checklist you can run every vendor through before you sign.

When HIPAA Applies — and When It Doesn’t

The rule of thumb is simple to state and easy to get backwards: HIPAA applies to an employer-offered mental-health tool only if it is tied to the employer’s group health plan — meaning it affects premiums, cost-sharing, HSA or HRA contributions, or plan eligibility. In that scenario, the plan — not the employer — is the HIPAA-covered entity, and any vendor handling the plan’s data on its behalf is a “business associate” under HIPAA, which must sign a Business Associate Agreement.

If the same tool is instead offered as a standalone perk that sits outside the group health plan — funded from a general wellness or benefits budget rather than through the plan itself, with no effect on premiums or plan eligibility — HIPAA generally does not apply. That does not mean the data is unregulated; it means a different set of rules governs it, which the rest of this guide walks through.

This decision rule comes directly from HHS guidance on workplace wellness programs, and is echoed in employer-side legal analysis, including a 2025 Ogletree Deakins client alert on staying compliant across HIPAA, the ADA, and 42 CFR Part 2. One nuance worth carrying into Legal and Finance conversations: the employer itself is generally not the HIPAA-covered entity in either scenario — the group health plan is, and it is a distinct legal entity from the employer acting as plan sponsor.

The BAA: What It Is and When You Need One

A Business Associate Agreement (BAA) is the contract HIPAA requires between a covered entity — here, the group health plan — and any vendor that creates, receives, maintains, or transmits Protected Health Information on the plan’s behalf. If your AI mental-health benefit is tied to the group health plan under the rule above, the plan needs a signed BAA with the vendor before any employee data flows to it. No signed BAA means no PHI should flow — full stop, with no exception for a vendor that “looks secure.”

If the benefit is structured as a standalone perk outside the group health plan, a BAA is not the applicable instrument, and it’s worth telling your procurement team to stop treating “will you sign a BAA?” as the finish line for every vendor conversation. Ask instead what the FTC’s Health Breach Notification Rule and the ADA require of them — those are the rules that actually govern a standalone perk, and both are covered below.

This is also where this guide diverges from its companion. Our HIPAA-compliant AI tools guide walks therapists and practice owners through BAAs from the provider side of the relationship — a therapist deciding whether a vendor can touch a client’s clinical record. As the employer purchasing the benefit, your BAA question is scoped to the plan, not to your own organization, and the trigger for needing one is the plan-tied structure described above, not the vendor’s marketing claims.

What HR Should (and Should Not) See

Regardless of which structure applies, one rule should be non-negotiable in your contract: HR should never receive individual-level usage or clinical data from an AI mental-health vendor — only de-identified, aggregate reporting.

This isn’t just good practice; it tracks longstanding EEOC guidance under the ADA, which holds that medical information collected through a voluntary wellness program must be kept confidential and stored separately from personnel records, and shared only on a need-to-know basis. An employee’s individual engagement with a mental-health app, their self-reported symptoms, or any clinical detail is exactly the kind of information that guidance is designed to wall off from managers, HR generalists, and personnel files.

Make this a contractual requirement during procurement, not an assumption you carry away from a sales call. Ask the vendor to show you, in writing, exactly what a standard HR dashboard displays — and be specific about what “aggregate” means on their platform. A usage report broken down to a five-person team is not aggregate in any meaningful sense, even if the vendor’s slide deck calls it that.

This matters just as much for a standalone perk as it does for a plan-tied benefit. The EEOC guidance above is not a HIPAA rule — it applies under the ADA to voluntary wellness programs generally, which means the “aggregate only to HR” expectation does not disappear just because you structured the tool outside your group health plan to avoid HIPAA. Whichever structure you choose, the confidentiality obligation to your own workforce travels with it.

The FTC Now Covers Mental-Health Apps

Even when HIPAA doesn’t apply — a standalone perk offered outside the group health plan — the tool is not unregulated, and this is the gap where employers most often assume they’re in the clear when they aren’t. The FTC’s amended Health Breach Notification Rule took effect July 29, 2024, and was expanded specifically to cover apps that track mental health. That means a non-HIPAA mental-health app your company licenses as a standalone perk still carries federal breach-notification duties if it mishandles employee data.

This risk is not theoretical. In July 2023, the FTC finalized a $7.8 million order against BetterHelp for sharing users’ mental-health intake data with advertisers — a stark reminder that “we don’t touch HIPAA” is not the same as “we face no federal exposure.” When you evaluate a standalone AI mental-health perk, ask the vendor directly how it complies with the amended Health Breach Notification Rule and whether it shares or sells any individually identifiable health data to third parties — not just whether it has a BAA on file, which, for a standalone perk, is the wrong document to be asking for.

A Due-Diligence Checklist

Before you sign, walk every AI mental-health vendor through this sequence:

  1. Structure first. Is this tool tied to our group health plan (it affects premiums, cost-sharing, HSA/HRA contributions, or eligibility), or is it a standalone perk funded outside the plan? Get this in writing — it determines everything downstream.
  2. If plan-tied: Will the vendor sign a Business Associate Agreement with the plan? Do not proceed without one in hand.
  3. If standalone: How does the vendor comply with the FTC’s amended Health Breach Notification Rule? Does it share or sell any individually identifiable health data to third parties, including advertisers?
  4. Either way — what HR sees: Confirm contractually that HR receives aggregate, de-identified reporting only, never individual-level usage or clinical data.
  5. Either way — where data lives: Per EEOC guidance, medical information must be kept confidential and stored separately from the personnel record, accessible only on a need-to-know basis. Ask the vendor and your own HRIS team to confirm this in practice, not just in policy.
  6. Either way — who signs off: Loop in Legal before the contract is signed, not after a data question comes up. For a fuller walkthrough of what can go wrong when this checklist is skipped, see our companion guide on AI mental-health benefits legal risk, and for a structured way to run this evaluation across several vendors side by side, our AI mental-health vendor RFP checklist.

Bottom Line

Whether HIPAA governs your AI mental-health benefit is a design choice, not a vendor attribute. Tie the tool to your group health plan and you’re in BAA territory, with the plan — not your company — as the covered entity. Keep it as a standalone perk and HIPAA steps back, but the FTC’s Health Breach Notification Rule, the ADA’s confidentiality requirements, and applicable state laws step in. Get the structural question answered first, put the right instrument in place — a BAA where required, contractual data-handling commitments everywhere — and make aggregate-only reporting to HR a term in the contract, not a verbal assurance from a sales call. For the full evaluation framework this checklist sits inside, see our HR buyer’s guide to AI mental-health tools for employee benefits.

This page is general information for HR and benefits decision-makers, not legal advice — confirm the specifics of your plan structure and vendor contracts with your own counsel before you sign.

In crisis? Call 988 or text HOME to 741741 — free, confidential, 24/7