HIPAA BAA Requirements for Mental Health Apps
By BAA Generator Editorial · Updated Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Consumer wellness apps (standalone mood trackers, meditation apps) are generally not HIPAA covered entities
- ✓ Apps that employ licensed clinicians, submit insurance claims, or connect to covered entity systems likely are subject to HIPAA
- ✓ HIPAA-covered mental health apps need BAAs with cloud infrastructure, analytics tools, messaging services, and telehealth video vendors
- ✓ Even non-HIPAA apps face FTC and state law privacy obligations for mental health data
The mental health app market spans a wide spectrum — from general consumer wellness tools like Calm and Headspace to clinical telehealth platforms connecting users with licensed therapists for ongoing treatment. HIPAA's applicability to a given mental health app depends heavily on where on that spectrum the app sits. Understanding this distinction is essential for app operators, their vendors, and the healthcare organizations that integrate with them.
The HIPAA Coverage Question for Mental Health Apps
HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and business associates (vendors handling PHI on behalf of covered entities). A mental health app must evaluate both prongs:
When a Mental Health App Is a Covered Entity
A mental health app is likely a HIPAA covered entity when it:
- Employs or contracts with licensed mental health clinicians (therapists, psychologists, psychiatrists) who treat users and create clinical records
- Submits insurance claims for therapy or psychiatric services rendered through the app
- Operates as a telehealth platform with actual clinical relationships between users and licensed providers
- Is prescribed by a physician as part of a formal treatment plan (digital therapeutic with clinical integration)
Platforms like BetterHelp, Talkspace, and Brightside, which connect users with licensed therapists for ongoing treatment and may bill insurance, likely meet the covered entity definition as healthcare providers transmitting health information electronically.
When a Mental Health App Is a Business Associate
A mental health app that does not itself provide clinical services may still be a business associate if it receives PHI from a covered entity. For example:
- An app that receives diagnosis or treatment information from a hospital's EHR to provide personalized wellness content is likely a BA
- An app that a health plan recommends and shares member data with is likely a BA to that health plan
- A digital therapeutics app that receives prescription information from a covered entity to personalize its intervention is likely a BA
When a Mental Health App Is Neither
Consumer wellness apps that operate entirely independently — users self-enroll without provider referral, no clinical data is exchanged with covered entities, no licensed clinicians provide treatment — generally are not covered entities or business associates. Calm and Headspace (when used for general wellness), and most meditation apps in their standard consumer configurations, fall into this category. These apps are still subject to FTC Act requirements and applicable state privacy laws (including specific state mental health data protections), but HIPAA BAAs are not required.
What PHI Mental Health Apps Handle
For apps that are HIPAA-covered, the PHI they handle includes:
- Therapy session records and clinical notes
- Mental health diagnoses and treatment history
- Mood tracking data linked to identifiable users in a clinical context
- Prescription and medication data for psychiatric medications
- User-entered symptom and behavior data shared with clinicians
Vendors HIPAA-Covered Mental Health Apps Need BAAs With
Cloud Infrastructure
AWS, Google Cloud Platform, and Microsoft Azure all offer HIPAA BAAs through their enterprise account programs (AWS Business Associate Addendum, Google Cloud BAA, Microsoft Online Services BAA). These agreements cover the infrastructure layer — compute, storage, and managed services. Standard consumer or developer accounts do not include BAA provisions; the BAA must be explicitly enabled or requested through the enterprise account process.
Analytics and Product Intelligence Tools
Product analytics platforms like Amplitude and Mixpanel offer enterprise HIPAA BAAs. Standard consumer accounts for these tools do not include HIPAA provisions and should not be used to track PHI. If event data or user properties in the analytics platform could constitute PHI (e.g., tracking which therapy module a user completed, or session completion linked to a user's identity in a clinical context), an enterprise account with a BAA is required. See our post on whether Amplitude signs a BAA for details.
Push Notifications and Messaging Services
Push notification services (Twilio, SendGrid, OneSignal) and SMS platforms that send appointment reminders or clinical content linked to user health status may transmit PHI. Twilio and SendGrid offer HIPAA BAAs for healthcare enterprise accounts. Consumer-tier accounts for these services are not HIPAA-compliant for clinical use.
Telehealth Video
Mental health apps providing therapy via video must use HIPAA-compliant video infrastructure. Zoom for Healthcare, Daily.co (offers BAAs for healthcare customers), and Vonage Video API (offers BAAs) are among the options with established HIPAA BAA programs. Standard Zoom, WebRTC-based services without a healthcare BAA, and consumer video tools are not appropriate for clinical telemental health sessions.
Common Vendor BAA Table for Mental Health Apps
| Vendor Type | Example Vendors | BAA Required? (if HIPAA-covered) |
|---|---|---|
| Cloud infrastructure | AWS, GCP, Azure (enterprise accounts) | Yes |
| Analytics platform | Amplitude Enterprise, Mixpanel Enterprise | Yes |
| Push notifications / messaging | Twilio, SendGrid (healthcare enterprise) | Yes |
| Telehealth video | Zoom for Healthcare, Daily.co | Yes |
| Error monitoring | Sentry Enterprise | Yes |
| Customer data platform | Segment (enterprise, healthcare config) | Yes (if PHI is processed) |
| EHR integration | Health Gorilla, Redox (FHIR integration) | Yes |
Common Compliance Gaps for Mental Health Apps
The most frequent compliance issues for mental health app companies: (1) using developer-tier cloud accounts without activating the HIPAA BAA before onboarding clinical users; (2) deploying standard Amplitude or Mixpanel accounts that track clinical engagement events without enterprise BAAs; (3) operating as a covered entity (employing clinicians) without realizing that HIPAA's full compliance program — not just BAAs — applies; and (4) using standard consumer messaging services to send appointment reminders that disclose the user's relationship with a mental health provider.
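As an added example (not tooling from the article or from BAA Generator), the coverage criteria above and the vendor table can be encoded as a small inventory audit that reports exactly these four gaps: the app's HIPAA status is derived from the covered-entity and business-associate criteria, and every vendor that receives PHI is checked for an executed BAA and for an account tier that can actually carry one. The `AppProfile` and `Vendor` field names are assumptions made for this example, and the vendor inventory, account tiers and BAA states at the bottom are constructed sample values.

```python
"""Vendor BAA gap audit for a mental health app.

Added example; not code from the original article or from BAA Generator.
The rules are the page's own: an app that employs clinicians, bills
insurance, runs clinical telehealth or is prescribed as a digital
therapeutic is a covered entity; an app that merely receives PHI from a
covered entity is a business associate; any vendor that processes PHI
needs an executed BAA, which consumer- and developer-tier accounts do
not carry.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AppProfile:
    # Covered-entity criteria (field names are assumptions for this example)
    employs_licensed_clinicians: bool = False       # therapists, psychologists, psychiatrists treating users
    submits_insurance_claims: bool = False
    telehealth_with_licensed_providers: bool = False
    prescribed_digital_therapeutic: bool = False    # prescribed by a physician within a treatment plan
    # Business-associate criterion
    receives_phi_from_covered_entity: bool = False  # e.g. diagnosis data pulled from a hospital EHR


def hipaa_status(app: AppProfile) -> str:
    """Return 'covered_entity', 'business_associate' or 'not_covered'."""
    if (app.employs_licensed_clinicians or app.submits_insurance_claims
            or app.telehealth_with_licensed_providers or app.prescribed_digital_therapeutic):
        return "covered_entity"
    if app.receives_phi_from_covered_entity:
        return "business_associate"
    return "not_covered"


@dataclass
class Vendor:
    name: str
    category: str       # cloud, analytics, messaging, video, error_monitoring, ...
    tier: str           # 'consumer', 'developer' or 'enterprise'
    handles_phi: bool   # does any data sent to this vendor constitute PHI?
    baa_signed: bool


def audit_vendors(app: AppProfile, vendors: List[Vendor]) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs; subject is a vendor name or 'app'."""
    findings: List[Tuple[str, str]] = []
    status = hipaa_status(app)
    if status == "not_covered":
        findings.append(("app", "not HIPAA-covered: no BAAs required; FTC Act and "
                                "state mental health data laws still apply"))
        return findings
    if status == "covered_entity":
        # Gap (3): BAAs alone are not enough for a covered entity
        findings.append(("app", "covered entity: the full HIPAA compliance program "
                                "applies, not only vendor BAAs"))
    for v in vendors:
        if not v.handles_phi:
            continue  # no PHI reaches this vendor, so no BAA is needed for it
        if v.tier != "enterprise":
            # Gaps (1), (2), (4): consumer/developer tiers cannot carry a BAA
            findings.append((v.name, f"{v.category}: {v.tier}-tier account carries no BAA "
                                     "provisions; move PHI to an enterprise account with a "
                                     "BAA before onboarding clinical users"))
        elif not v.baa_signed:
            findings.append((v.name, f"{v.category}: processes PHI but no BAA is executed"))
    return findings


# Constructed sample inventory (tiers and BAA states are illustrative, not real accounts)
SAMPLE_VENDORS = [
    Vendor("AWS", "cloud", "developer", handles_phi=True, baa_signed=False),
    Vendor("Amplitude", "analytics", "consumer", handles_phi=True, baa_signed=False),
    Vendor("Twilio", "messaging", "enterprise", handles_phi=True, baa_signed=True),
    Vendor("Sentry", "error_monitoring", "enterprise", handles_phi=True, baa_signed=False),
    Vendor("marketing-site CDN", "cdn", "consumer", handles_phi=False, baa_signed=False),
]

if __name__ == "__main__":
    clinical_app = AppProfile(employs_licensed_clinicians=True)
    for subject, finding in audit_vendors(clinical_app, SAMPLE_VENDORS):
        print(f"[{subject}] {finding}")
```

Running the block against the sample inventory reports the covered-entity note plus three vendor gaps (AWS and Amplitude on tiers that cannot carry a BAA, Sentry on an enterprise tier with no BAA executed); Twilio passes because its enterprise account has a signed BAA, and the CDN is skipped because no PHI reaches it. The same audit run for an `AppProfile()` with every flag false returns only the not-covered note.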
For mental health organizations (not apps), see our guide on BAA requirements for behavioral health organizations. For digital health companies more broadly, see BAA requirements for healthtech startups.
Frequently Asked Questions
Do mental health apps need to comply with HIPAA?
It depends on how the app operates. Pure consumer wellness apps with no clinical relationships are generally not HIPAA-covered. Apps that employ licensed clinicians, submit insurance claims, or integrate with covered entity systems are likely covered entities or business associates subject to HIPAA. All apps handling mental health data face FTC and state law privacy obligations regardless of HIPAA status.
Does a consumer wellness app need HIPAA BAAs with its vendors?
Only if the app is subject to HIPAA. If the app is a covered entity or business associate, it must execute BAAs with infrastructure vendors handling PHI. If the app is not HIPAA-covered, BAAs are not required — but vendors with strong data security practices are still advisable given the sensitivity of mental health data.
What makes a mental health app a HIPAA covered entity?
A mental health app is likely a covered entity when it employs or contracts with licensed clinicians who treat users, submits insurance claims for clinical services, or operates as a telehealth platform creating clinical records. Integration with covered entity systems or receipt of PHI from a covered entity may make the app a business associate even if it doesn't itself employ clinicians.
What infrastructure vendors do mental health apps need BAAs with?
HIPAA-covered mental health apps need BAAs with their cloud hosting provider (AWS, GCP, Azure — all offer enterprise BAAs), analytics tools (Amplitude Enterprise, Mixpanel Enterprise), push notification and messaging services (Twilio, SendGrid healthcare enterprise), error monitoring (Sentry Enterprise), and telehealth video providers (Zoom for Healthcare, Daily.co). Standard consumer-tier accounts for these services do not include BAA provisions.