PubLedgeMental Health Chatbot — No Third-Party Data Sharing
A mental health chatbot supplier may not sell or share identifiable health information or user inputs with third parties. Narrow exceptions exist for user-consented or user-requested transfers to a health care provider or plan. Third-party sharing for functionality requires HIPAA-equivalent controls (45 CFR Parts 160 and 164, Subparts A and E) as if the supplier were a covered entity.
What Counts
- Prohibition on selling identifiable health information or user input
- Prohibition on sharing with third parties absent user consent or user request
- HIPAA-equivalent controls where sharing is necessary for product functionality
- Treatment of user input as health information when it describes symptoms, treatment, or clinical context
What Does Not Count
- Aggregate, de-identified analytics that do not re-identify users
- Transfers to a health care provider or health plan at the user's explicit request
- Subprocessor arrangements where the subprocessor operates under HIPAA-equivalent obligations
Implementing Legal Instruments
| Legal Instrument | Scope | Status | Provisions |
|---|---|---|---|
| Utah HB 452 (2025) — Mental Health Chatbot Regulations | us-ut | enforcing | 1 |