BetterHelp, Talkspace, Grow Therapy, and Headway: how your platform's HIPAA structure changes where a cloud AI scribe's records belong

The platform landscape and why the structure matters

By 2026, a significant share of US licensed mental health professionals see at least some clients through an online therapy platform. The platforms have sorted into two structurally different categories that carry different implications for documentation workflow and HIPAA accountability.

The first category — exemplified by BetterHelp and Talkspace — integrates the full clinical channel. Clients sign up with the platform, are matched with therapists, and conduct sessions through the platform's own messaging, video, or voice infrastructure. The session itself runs on platform infrastructure. When a therapist wants to document, they are documenting sessions that the platform also processed. Any documentation tool the therapist brings to that workflow operates in proximity to content the platform simultaneously holds.

The second category — exemplified by Grow Therapy, Headway, and Alma — functions primarily as a practice-management and insurance credentialing layer. The platform handles credentialing, insurance panel contracting, scheduling, and billing. The therapist conducts sessions using their own telehealth tool (SimplePractice, Zoom for Healthcare, their own platform-of-choice) and maintains their own clinical records in their own EHR or documentation system. The platform's role in the actual clinical workflow is limited to its administrative function.

The HIPAA distinction between these models is real but is frequently misunderstood. The more consequential legal fact for most therapists on most platforms — one that applies regardless of platform type — is this: the platform's HIPAA compliance structure does not extend to a cloud AI scribe you independently adopted.

The BetterHelp FTC settlement in March 2023 added a second legal framework to this analysis: consumer protection enforcement applies to health data handled by therapy-adjacent vendors even where HIPAA's coverage is ambiguous. A cloud AI scribe vendor whose data practices are deceptive faces FTC exposure by the same logic that produced the $7.8 million consent order against BetterHelp. Understanding both frameworks is essential for therapists on any platform.

How each platform type structures HIPAA obligations — and where therapist responsibility sits

A common misconception is that working through a HIPAA-compliant therapy platform transfers some portion of the therapist's HIPAA obligations to the platform. It doesn't. In both platform models, the therapist is the HIPAA covered entity.

A licensed mental health professional who provides therapy services is a healthcare provider under HIPAA. When that provider engages in covered transactions — submitting electronic claims to insurers, receiving electronic remittance advice — they become a covered entity subject to the Privacy Rule, Security Rule, and Breach Notification Rule. That status attaches to the therapist individually, independent of which platform they work through. The platform does not absorb it.

What the platform does is operate as a business associate of the therapist-covered-entity. The platform handles protected health information in connection with the covered entity's operations: it processes appointment data, billing codes, session metadata, and in the case of integrated-channel platforms, session content itself. A properly executed business associate agreement (BAA) between the platform and the therapist should govern this relationship, specifying what the platform may do with PHI and obligating the platform to HIPAA's BA protections.

The practical difference between platform types lies in the scope of the BA relationship:

• BetterHelp / Talkspace model: The platform is a BA that also controls the clinical channel. Session content flows through platform infrastructure. The platform's own documentation tools (internal note templates, session summaries) are within the BA's permitted scope. A third-party cloud AI scribe that the therapist adopts independently — outside the platform's own tool ecosystem — is NOT the platform's responsibility. The therapist must independently execute a BAA with the scribe vendor. The platform's compliance posture says nothing about the scribe vendor's data practices.
• Grow Therapy / Headway / Alma model: The platform is a BA for billing and administrative functions only. The therapist uses their own clinical channel and their own documentation tools. Any cloud AI scribe the therapist uses is entirely the therapist's independent decision. The therapist must have a BAA with the scribe vendor. The platform has no relationship with the scribe vendor and cannot govern its data practices.

The therapist's obligation to vet the scribe vendor, execute a BAA, and bear accountability for the vendor's HIPAA compliance is identical in both models. The platform model determines the scope of the platform's BA obligations — it does not shift any of the therapist's own obligations onto the platform.

Additionally, integrated-channel platforms typically include service agreement provisions that restrict what therapists can do with session content. BetterHelp's and Talkspace's therapist contractor agreements address confidentiality of the platform's client relationships, IP ownership of content generated in the platform's environment, and restrictions on using third-party tools with session data. A therapist who uses a cloud AI scribe to process session content from BetterHelp or Talkspace sessions may be violating platform contract provisions even if the scribe vendor is independently HIPAA-compliant. The contract exposure and the HIPAA exposure are separate legal risks that compound each other.

The BetterHelp FTC settlement: what it established and why cloud AI scribes face the same exposure

In March 2023, the Federal Trade Commission filed a complaint against BetterHelp, Inc. under Section 5 of the FTC Act — the provision prohibiting unfair or deceptive acts or practices in commerce. The core allegation: BetterHelp had represented to users that their mental health information would be kept private and used only for treatment purposes, but in practice had deployed advertising tracking pixels from Facebook and Snapchat that transmitted limited health data — including whether a user had been in therapy before and whether they had completed a mental health intake questionnaire — to the advertising platforms for targeting and look-alike audience campaigns.

BetterHelp agreed to a $7.8 million settlement, which funded refunds to affected users who had subscribed between August 2017 and December 2020. The settlement also required BetterHelp to prohibit the sharing of any consumer information for advertising purposes going forward.

Two points about this settlement are critical for therapists evaluating cloud AI scribes.

First, the FTC's enforcement was under Section 5 — not HIPAA. The FTC did not allege that BetterHelp violated HIPAA. The case proceeded under the consumer protection theory that BetterHelp made deceptive representations about how it would use user data and then acted contrary to those representations. This is significant because it establishes that the FTC's health data enforcement authority fills the gap where HIPAA's covered entity framework is ambiguous — and that the FTC can reach any entity handling health-related data that makes deceptive privacy representations, regardless of HIPAA coverage.

Second, this exact enforcement theory applies to cloud AI scribe vendors whose data practices diverge from their stated privacy policies. A scribe vendor whose terms of service promise that session content will not be used for model training, product improvement, or advertising targeting — but whose actual infrastructure practices include any of those uses — faces FTC Section 5 exposure by the same logic that produced the BetterHelp settlement. The therapist who selected that vendor is not the FTC's primary target; the vendor is. But the therapist's choice of a vendor later found to have deceptive data practices creates its own professional and contractual exposure, particularly if the vendor's deceptive practices result in unauthorized disclosures of client information.

The BetterHelp settlement should be read not as a BetterHelp-specific event, but as a signal that health data across the therapy technology ecosystem — platforms, scribes, scheduling tools, EHR integrations — is subject to FTC enforcement independent of HIPAA. A therapist evaluating a cloud AI scribe should evaluate the vendor's actual data practices against its stated policy with the same skepticism that the FTC applied to BetterHelp's pixel deployments.

For analysis of what cloud AI scribes actually transmit in the course of normal operations, see our post on what cloud AI scribes actually send to their servers.

Where a third-party cloud AI scribe sits in each platform model

Regardless of platform type, the cloud AI scribe vendor's independently retained records occupy a specific position in the legal landscape: they are held by a third-party custodian, separately subpoenable, and outside the control of both the platform and the therapist.

In the integrated-channel model (BetterHelp/Talkspace), the legal topology looks like this:

• The platform holds session metadata, billing records, and potentially session recording data (for video sessions) as a business associate of the therapist
• The therapist holds their own clinical notes and documentation as the covered entity
• The cloud AI scribe vendor holds independently retained verbatim post-session dictation, audio (if captured), draft notes, and processing artifacts as an independent third party

A subpoena targeting one of these archives does not automatically reach the others. A plaintiff's attorney who obtains the platform's records through a subpoena to the platform does not thereby obtain the cloud AI scribe vendor's records. A court order directed at the therapist's clinical records does not compel production of the vendor's independently retained content. Each archive requires its own legal process directed at its own custodian. This multiplication of subpoenable targets is the direct consequence of routing session documentation through a cloud AI scribe — one clinical relationship generates three independently subpoenable record sets.

In the practice-management model (Grow Therapy/Headway), the platform holds only administrative records: scheduling data, insurance credentialing information, billing records submitted for reimbursement, and claims-processing data. The therapist holds all clinical documentation. The cloud AI scribe vendor holds its independently retained verbatim archive. The multiplication of subpoenable targets is structurally identical — but the platform's records are more administrative than clinical, which shifts the focus of adversarial proceedings toward the clinical records held by the therapist and the verbatim content held by the scribe vendor.

In both models, the BAA between the therapist and the cloud AI scribe vendor — which should exist if the scribe vendor is processing PHI — governs the vendor's use and safeguarding obligations. As we analyzed in detail in our post on what a BAA actually covers, the BAA does not function as a court order. It does not prevent a court-authorized subpoena from compelling the vendor to produce its business records. The vendor's compliance with the BAA protects the therapist's HIPAA interests in most circumstances; it does not protect against lawful compelled disclosure.

Five adversarial proceedings with specifically platform-shaped dimensions

1. Multi-party discovery in malpractice litigation

When a malpractice plaintiff sues a platform-based therapist, the plaintiff's litigation strategy can target all three independently subpoenable archives simultaneously: the platform's records, the therapist's own clinical documentation, and the cloud AI scribe vendor's verbatim archive. The value of this multi-target approach lies in the different content each archive holds.

The platform's records provide the administrative skeleton of the treatment relationship: session dates, session durations as billed, diagnosis codes submitted to insurance, appointment cancellation and rescheduling history. A plaintiff's expert witness uses this data to construct a timeline of the treatment relationship and to test whether the therapist's formal clinical notes accurately characterize the frequency and intensity of contact.

The therapist's own clinical records provide the formal documentation of clinical judgment: assessments, treatment plans, progress notes, discharge summary. These are the primary evidence of what the therapist believed was happening clinically.

The cloud AI scribe vendor's verbatim archive provides what neither of the other two archives contains: the therapist's verbatim dictated account of each session, including content that the formal progress note abstracted, simplified, or omitted. If the therapist dictated a post-session note acknowledging client expressions of hopelessness that the formal note characterized as "mood stable, no acute distress," the verbatim archive is the document that damages the defense case. Plaintiff's attorneys in jurisdictions that permit broad third-party discovery target all three archives independently, understanding that the divergence among them is often more useful than any single archive alone.

For context on how safety-related session content is specifically targeted in this type of litigation, see our post on safety planning documentation and cloud AI scribes.

2. Insurance carrier claim disputes through platform-mediated billing

When a practice-management platform like Grow Therapy or Headway handles insurance billing on behalf of therapists, the carrier's adjudication of claims introduces a specific adversarial pathway. Insurance carriers routinely audit claims for medical necessity, concurrent review, and retrospective review — requesting clinical records to verify that billed sessions correspond to documented clinical necessity.

In the platform billing context, the carrier's records request reaches two independently held archives: the platform's billing records (session counts billed, diagnosis codes, procedure codes, dates of service) and the therapist's clinical documentation (the progress notes that must support the billed claims). A discrepancy between the two — sessions billed that are undercharacterized in the clinical notes, or documented clinical content that doesn't support the billed diagnostic impression — is the carrier's basis for demanding repayment.

The cloud AI scribe vendor's records introduce a third independently discoverable archive in insurance disputes. If the carrier's repayment demand leads to arbitration or litigation, the carrier may subpoena the vendor's records as additional evidence of the clinical content of sessions — particularly if the therapist's formal notes are insufficient to support the billed claims and the carrier suspects that verbatim content would clarify the picture adversarially. For therapists who document through cloud AI scribes, the verbatim archive may resolve insurance disputes in their favor — or may complicate them significantly if the verbatim content diverges from the formal note in ways the therapist did not intend.

3. FTC Section 5 and state consumer protection enforcement targeting cloud AI scribes

The BetterHelp settlement established the FTC's Section 5 enforcement framework for health data deception. The next application of that framework is likely to be a cloud AI scribe vendor — not the therapy platform — whose privacy representations diverge from its actual data practices.

Scribe vendors typically represent in their privacy policies that session content is processed only to provide the transcription and note-generation service, is not used for model training without consent, is not shared with advertising platforms, and is subject to data retention limits after which records are deleted. If a vendor's actual data infrastructure includes training pipelines that ingest session content, advertising pixel deployments that pass metadata to ad platforms, or data retention practices that significantly exceed stated limits, the vendor faces FTC Section 5 exposure by the BetterHelp analysis.

State enforcement adds another layer. California's Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56 et seq.) applies to individually identifiable health information regardless of HIPAA covered entity status — and explicitly covers any company that creates, maintains, or preserves medical information. A cloud AI scribe vendor operating in California, or serving California-licensed therapists, is subject to CMIA. CMIA violations carry a private right of action with nominal and actual damages, meaning individual therapy clients can bring claims against the vendor. Washington's My Health MY Data Act (enacted 2023, effective 2024) provides similar state-law health data protections that extend beyond HIPAA's covered entity framework.

For platform-based therapists, this means that selecting a cloud AI scribe vendor with opaque data practices creates exposure that runs through two channels: the vendor's own FTC/state enforcement exposure, and the therapist's independent liability for selecting a BA whose data practices violated state law protections for the therapist's clients.

4. Platform bankruptcy and the multiplication of record custodians

The venture-backed therapy platform ecosystem has produced significant investment activity and, in several cases, significant financial distress. When a therapy platform becomes insolvent, its records become assets of the bankruptcy estate. A bankruptcy trustee liquidating the estate's assets may transfer the platform's patient appointment records, billing data, session metadata, and diagnostic coding history to an acquiring entity — without individual therapists' consent and without individual patients' authorization, under HIPAA's business transfer provisions analyzed in our post on therapy platform acquisitions and data transfers.

For platform-based therapists, the bankruptcy of a platform creates a distinct problem: the platform's records of the therapist's clinical practice — session history, client roster metadata, billing patterns — transfer to a new entity that the therapist never chose and never vetted. The therapist's own clinical records remain under the therapist's control. The cloud AI scribe vendor's records remain under the vendor's control. But the platform's administrative records, which the therapist relied on as their BA's data stewardship, are now held by whoever the bankruptcy trustee transferred them to.

If litigation arises after the platform's bankruptcy — a malpractice claim, an insurance dispute, a licensing board complaint — the platform's records are in the hands of an entity that may have no interest in facilitating the therapist's defense and no relationship with the therapist's legal counsel. The multiplication of independently held record custodians that begins with adopting a cloud AI scribe is compounded by the platform's insolvency.

5. Platform contractor disputes and clinical documentation ownership

The legal status of therapists working through online therapy platforms has been contested terrain since the model's inception. Platforms characterize their therapists as independent contractors; state labor boards and tax authorities have sometimes reached different conclusions. The platform-versus-employee classification question is a periodic subject of investigation by the IRS, the Department of Labor, and state labor agencies.

When an independent contractor classification dispute proceeds to litigation or administrative adjudication, one dimension of the evidence produced involves the degree of control the platform exercised over the therapist's clinical work — session frequency requirements, therapeutic modality restrictions, documentation format requirements, mandatory use of platform-internal tools. The platform's own records and the therapist's clinical documentation (including tools the therapist used) become evidence of the degree-of-control analysis.

A cloud AI scribe adopted independently by the therapist may be offered as evidence that the therapist exercised independent professional judgment in their documentation workflow — or, if the platform's contractor agreement restricted the use of third-party tools with session content, as evidence that the therapist violated the contractor agreement. In either framing, the cloud AI scribe vendor's records may be sought as part of the discovery into what tools the therapist used, how the therapist documented sessions, and whether that documentation practice was within or outside the platform's control. The vendor becomes a third-party custodian in a labor dispute that has nothing to do with clinical care.

On-device processing in the platform context

The adversarial proceedings described above share a common structural element: they depend on a cloud AI scribe vendor having independently retained verbatim session content as its own business records. Remove that dependency and each proceeding changes.

With on-device processing, the therapist's post-session dictation or live documentation is processed locally — on the therapist's own licensed device — and produces a structured note output without any verbatim content reaching a cloud vendor's infrastructure. A subpoena directed at the scribe vendor returns no responsive records because the vendor holds no records.

This is equally true regardless of which platform model the therapist works through:

• In the BetterHelp/Talkspace model: the platform holds its own records; the therapist holds their formal clinical notes; no vendor holds a separately subpoenable verbatim archive. Malpractice discovery produces two archives instead of three.
• In the Grow Therapy/Headway model: the platform holds its administrative records; the therapist holds their formal clinical notes; no vendor holds an independent archive. Same result.

The FTC enforcement risk associated with cloud scribe vendor data practices also disappears: there is no vendor holding session content, so there is no vendor whose data practices about session content could be deceptive. California CMIA and Washington My Health MY Data Act exposure for the vendor is eliminated because the vendor never receives protected health information.

The platform contract restriction problem also changes: the therapist is not routing any session content through a third-party tool, so there is no third-party tool to analyze for platform contract compliance. The therapist's documentation remains entirely within the therapist's device and the therapist's own records management system.

This is the architectural guarantee that on-device processing provides in the platform context: not a contractual argument about which BA agreement covers which tool, but a structural elimination of the vendor's record-holding entirely. For the general analysis of how this applies across documentation contexts, see our post on whether an AI therapy note can be subpoenaed.

Practical implications for platform-based therapists

The therapy platform ecosystem has created documentation efficiency tools that therapists genuinely benefit from — but it has also layered additional legal complexity onto clinical documentation decisions that solo private-practice therapists on traditional practice models do not face. A platform-based therapist evaluating cloud AI scribes should work through several threshold questions:

• Do you have a BAA with your platform? If your platform handles PHI in connection with your clinical practice — and it does in both platform models — you should have a BAA with the platform as your BA. If you have not executed a BAA, or if the platform has not provided one, that is a HIPAA gap to close before layering on additional documentation tools.
• Does your platform contract restrict third-party documentation tools? Review your service agreement or independent contractor agreement for provisions about (a) use of third-party tools with session content, (b) confidentiality of session content generated in the platform environment, and (c) IP ownership of documentation you create in connection with platform client relationships. If your agreement restricts third-party tools, using a cloud AI scribe may violate that agreement even if the scribe is independently HIPAA-compliant.
• Do you have a BAA with your cloud AI scribe vendor? The therapist-as-CE analysis means you need a BAA with any cloud tool that processes your clients' PHI. This is independent of any BAA your platform has with its own tools.
• What are your cloud AI scribe vendor's actual data practices? Apply BetterHelp-settlement scrutiny: do the vendor's actual infrastructure practices match the privacy representations in its policy? Does the vendor use session content for model training? Does it deploy advertising pixels? What are its actual data retention periods? Representations in privacy policies that diverge from actual practice face FTC enforcement.
• Are you subject to CMIA, Washington My Health MY Data Act, or other state health data laws? HIPAA is a federal floor; state laws frequently impose stricter requirements. California and Washington therapists face state-law health data obligations that apply to cloud AI scribe vendors independent of HIPAA coverage.

Platform-based practice has real administrative advantages — particularly for credentialing, insurance billing, and client-finding. Those advantages do not carry over to documentation tool selection: the therapist remains individually accountable for clinical documentation decisions regardless of which platform they work through, and the platform's compliance infrastructure provides no shelter for documentation tools the therapist adopted independently.

Frequently asked questions