Telehealth Reform Is Needed for Consumer Protection
continued from page 19
growth of these platforms has exposed significant vulnerabilities in privacy and data security , particularly given the sensitive nature of the information involved . Teletherapy platforms handle vast amounts of personal data , from mental health histories to private therapeutic conversations , making them attractive targets for cyber threats and data breaches . The increasing reliance on digital platforms for mental health services has , as a result , heightened both the risk to personal privacy and the potential for data misuse .
Regulatory bodies have responded to these concerns , with the FTC taking significant enforcement actions against several major teletherapy providers . These actions underscore the critical need for stronger safeguards to protect sensitive health data . For instance , the FTC fined BetterHelp $ 7.8 million and banned it from sharing personal health data for advertising purposes . Cerebral agreed to an FTC order that included a $ 7 million fine , with similar restrictions on data usage . Monument was ordered to pay $ 2.5 million and required to implement more stringent data handling protocols .
While these actions are a necessary step in addressing privacy violations , they reveal the limitations of the current regulatory framework . BetterHelp , Cerebral , and Monument each faced significant violations , yet the regulatory responses — primarily focused on financial penalties and operational changes — were largely uniform , despite the differing nature of the offenses . vacy may fall outside of these agencies ’ direct purview , highlighting the gaps in regulatory coverage .
Moreover , state-level agencies contribute significantly to the enforcement and regulation of telehealth services , especially licensing and the practice of telemedicine . These agencies often adopt their own privacy and consumer protection laws , creating a patchwork of regulations that can vary by jurisdiction . This lack of consistency across different states further complicates the regulatory landscape for teletherapy providers and consumers .
Key legislative acts , such as HIPAA , the FTC Act , and the Children ’ s Online Privacy Protection Act ( COPPA ), shape the regulatory landscape for telehealth . However , their implementation and enforcement are not always aligned with the dynamic , multifaceted risks posed by digital mental health services . Additionally , while the FTC has become more active in regulating teletherapy providers , a more comprehensive approach — one that includes context-specific regulations — is necessary to ensure that enforcement actions are tailored to the severity and nature of the violations . View a table of “ Relevant Laws and Regulations ” that provides an overview of the relevant laws and regulations , their scope , and how they impact teletherapy services . It also highlights gaps in enforcement and the need for a more coordinated regulatory framework that accounts for the diversity of practices within the teletherapy field .
THREE CASE STUDIES : LESSONS FROM BETTERHELP , CEREBRAL , AND MONUMENT
UNDERSTANDING THE REGULATORY LANDSCAPE — AND THE GAPS IN IT
To understand the full scope of privacy concerns in teletherapy , it is crucial to grasp the various federal and state regulatory bodies and the key legislative frameworks that govern the industry . While the FTC plays a pivotal role in enforcing consumer protection laws , including addressing deceptive advertising practices and privacy violations , several other agencies also impact the teletherapy landscape .
The Food and Drug Administration ( FDA ), for example , regulates digital health tools that may function as medical devices , such as mental health apps that claim to diagnose or treat conditions . The Department of Health and Human Services ( HHS ), through the Health Insurance Portability and Accountability Act ( HIPAA ), governs the handling of patient data in healthcare settings , including telehealth platforms that store or transmit patient health records . However , as teletherapy expands , other issues such as cybersecurity , misleading marketing , and data pri-
The cases of BetterHelp , Cerebral , and Monument provide valuable insights into the current regulatory landscape and offer a stark illustration of how context-specific regulatory responses could better address the unique challenges posed by each violation . While regulatory actions — such as fines and operational changes — are important , these cases reveal that a more nuanced , context-specific approach to enforcement is needed to better protect consumers and enhance long-term compliance .
• BetterHelp . BetterHelp was found to have engaged in deceptive advertising practices and insufficient data privacy protections , which misled consumers about the scope and nature of their services . While the $ 7.8 million fine and the restriction on sharing data for advertising purposes were necessary , they were primarily punitive . The corrective measures — such as mandatory transparency in advertising and the implementation of stricter data privacy protocols — represent a positive step forward , but they still reflect a broader regulatory framework that treats all violations as broadly similar . continued on page 21
20 The Advocate Magazine 2025 , Issue # 1 American Mental Health Counselors Association ( AMHCA ) www . amhca . org